Best Practices for Managing Certificates
This section provides best practices for managing certificates in your BizTalk Server environment.
Do a Threat Model Analysis of your environment
Do a Threat Model Analysis (TMA) of your environment to determine whether signing or encryption certificates will help you mitigate security threats.
Create a plan for public key certificates with partners
Create a plan for sending and receiving public key certificates with partners. If you are not using signing certificates for party resolution, the public certificate can be attached to the message, in which case you do not need a copy of the certificate in your system beforehand.
Download the certificate revocation list at set intervals
Download the certificate revocation list (CRL) from your certification authority (CA) at set intervals. We recommend doing this once a week. The CRLs are downloaded automatically if there is a CA for the domain in which the BizTalk servers are joined.
Establish guidelines with partners for submitting public keys
As part of your Service Level Agreement (SLA) with your partner, establish guidelines for submitting public keys, notifying you when their certificates are about to expire, and notifying you when they revoke a certificate.
Verify signing certificates
Make sure you verify the signing certificates against the certificate revocation list. For more information about how to verify the signing certificates, see How to Configure the MIME/SMIME Decoder Pipeline Component.
Avoid denial of service attacks for digital signatures
Determine what you want to do with messages when BizTalk Server cannot validate the digital signature. Setting the Authentication property on the receive port will help prevent denial of service attacks.
Note The Authentication - Drop messages and Authentication - Keep messages flags on the receive port require that the Party Resolution pipeline component be configured correctly, and that the parties are defined in BizTalk Server. For more information about configuring the Party Resolution pipeline component, see Party Resolution Pipeline Component.
Create separate receive locations for encrypted and unencrypted messages
If you plan to receive MIME-encrypted messages from some partners and unencrypted messages from other partners, create separate receive locations in different hosts for encrypted and unencrypted messages. When you expect only MIME-encrypted messages, configure the Allow Non MIME Message option in the Decode MIME/SMIME pipeline component to No.
Manage certificates with partners
Make certificate management part of your partner management practices. When you add or remove a party from the BizTalk Server environment, we recommend that you add or remove the certificates associated with that partner.
Remove certificates before removing a host instance
Before removing a host instance from a BizTalk server, remove the certificates in the personal store of the account under which the host instance is running.
ConceptsBest Practices for Managing Windows Groups and User Accounts
Other ResourcesManaging BizTalk Server Security