We propose that Business Central should include a centralized and reusable certificate management system, accessible from both standard and custom functionalities (such as SII, PDF signing, external authentication, etc.), based on the principle that the customer owns and is responsible for their data and the apps they install.
Currently, Business Central Cloud imposes restrictions that prevent reusing the same certificate across different contexts. For example:
- The certificate configured for SII cannot be reused to sign PDF documents.
- Certificates stored in Isolated Certificate do not allow access to the private key, not even via the X509Certificate2 codeunit.
- This leads to certificate duplication, which causes:
  - Increased complexity for users.
  - Risk of errors due to expired or mismanaged certificates.
  - Loss of traceability and operational control.
We understand that Microsoft prioritizes security in SaaS environments, but we also believe that:
- Customers should have the option to manage their certificates in a unified way.
- The platform should offer secure but flexible mechanisms to reuse certificates across modules.
- Responsibility for certificate usage should lie with the customer, as it does with their data and installed extensions.
Proposal:
- Create a central certificate repository accessible from AL, with controlled permissions.
- Allow certificates configured for SII to be referenced by other functionalities (with explicit customer consent).
- Expose a standard API to sign documents from Business Central using authorized certificates.
- Provide auditing and traceability tools to reinforce security without limiting functionality.
STATUS DETAILS
New
