Configuring Certificates for AS2

To help secure AS2 data transfer using encryption and digital signatures, you must have the appropriate certificates installed, in addition to the appropriate AS2 configuration on BizTalk Server. This topic describes the certificates required, how to configure them, and common issues with them.

Certificates Required for AS2 Transport

To help secure AS2 data transfer, you must add the appropriate certificate to the appropriate certificate store, and associate the certificates with the appropriate BizTalk artifacts. The following certificates are used to help secure AS2 messages:

Signature (outbound)
  Certificate type:    Own private key (.pfx)
  Pipeline component:  AS2 encoder
  User context:        Account used by the host instance associated with the send handler.
  Certificate store:   Current User\Personal store of each BizTalk Server that hosts an AS2 encoder pipeline, as each host instance service account
  Where defined:       Certificate page of the Group Properties dialog box. This is the default signing certificate used when sending signed documents.

Signature verification (inbound)
  Certificate type:    Trading partner's public key (.cer)
  Pipeline component:  AS2 decoder
  User context:        Account used by the host instance associated with the receive handler.
  Certificate store:   Local Computer\Other People store of each BizTalk Server that hosts an AS2 decoder pipeline, as each host instance service account
  Where defined:       Certificate page of the Party Properties dialog box

  Note: The certificate used to verify a party's signature must be distinct from the certificates used to verify the signatures of all other parties.

Encryption (outbound)
  Certificate type:    Trading partner's public key (.cer)
  Pipeline component:  AS2 encoder
  User context:        Account used by the host instance associated with the send handler.
  Certificate store:   Local Computer\Other People store of each BizTalk Server that hosts an AS2 encoder pipeline
  Where defined:       Certificate page of the Send Port Properties dialog box

Decryption (inbound)
  Certificate type:    Own private key (.pfx)
  Pipeline component:  AS2 decoder
  User context:        Account used by the host instance associated with the receive handler.
  Certificate store:   Current User\Personal store of each BizTalk Server that hosts an AS2 decoder pipeline, as each host instance service account
  Where defined:       Not configured in BizTalk Server. The AS2 decoder selects the decryption certificate from the certificate information carried in the message.

  Note: For the BizTalk MIME Decoder, the decryption certificate must be specified on the Certificate page of the host used for receiving the message. This is not necessary for the AS2 Decoder.

Adding Certificates to the Certificate Stores

For more information, see the "Displaying the Certificates Management Console" section of Installing Certificates for the WCF Adapters, as well as the Certificate Wizard Utility topic.

Important
The Personal certificate store is available for message processing only if the user profile is loaded for the account whose logon credentials are associated with the host instance. The Personal store holds the signing and decryption certificates (your own private keys), so an unloaded profile means the AS2 encoder cannot sign and the AS2 decoder cannot decrypt. The user profile is loaded by default for an in-process host instance, but not for an isolated host instance. You can have the hosting application load the user profile for the isolated host (on IIS 7 and later, the application pool's Load User Profile setting does this). Alternatively, you can work around this issue by using the same logon account for the in-process host instance and the isolated host instance.

Generating Certificates

Certificates can be obtained from a Certificate Authority (CA); however the steps to request a certificate can vary between CAs. Review the information provided on the Certificate Authority’s Web site before submitting any certificate requests.

Important
Certificates used for AS2 transport must have the attributes required for their intended use. For signing and signature verification, the Key Usage attribute of the certificate must be Digital Signature. For encryption and decryption, the Key Usage attribute of the certificate must be Data Encipherment or Key Encipherment. You can verify the Key Usage attribute by double-clicking the certificate, clicking the Details tab in the Certificate dialog box, and checking the Key Usage field.
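The following PowerShell script is an added example, not part of the BizTalk documentation. It checks, for each of the four AS2 roles in the table above, that the certificate with a given thumbprint is in the store the table requires, has a private key exactly when the role needs one, carries the Key Usage bits this note requires, and is within its validity period. The four thumbprint values are placeholders (assumptions); paste the real ones from the Details tab. Because Current User\Personal is a per-account store, the Current User checks are only meaningful when the script runs as the host instance service account.

```powershell
# Added example (not from the BizTalk documentation): verify AS2 certificate placement,
# key material, Key Usage and validity for each role in the table on this page.
$ErrorActionPreference = 'Stop'

# Placeholder thumbprints (assumptions): replace with the values from each certificate's Details tab.
$OwnSigning        = 'REPLACE-WITH-THUMBPRINT'   # Group Properties > Certificate
$OwnDecryption     = 'REPLACE-WITH-THUMBPRINT'   # private key the AS2 decoder will use
$PartnerSigning    = 'REPLACE-WITH-THUMBPRINT'   # Party Properties > Certificate
$PartnerEncryption = 'REPLACE-WITH-THUMBPRINT'   # Send Port Properties > Certificate

function ConvertTo-Thumbprint([string]$Text) {
    # The MMC Details tab shows the thumbprint with spaces, and copying it sometimes
    # prepends an invisible left-to-right mark; keep only the hex digits, upper-cased,
    # which is the form X509Certificate2.Thumbprint uses.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-As2Certificate {
    param(
        [string]$Role,
        [string]$Thumbprint,
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [System.Security.Cryptography.X509Certificates.StoreName]$StoreName,
        [bool]$RequirePrivateKey,
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$AnyOfUsage
    )
    $problems = @()
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open('ReadOnly')
    try {
        $wanted = ConvertTo-Thumbprint $Thumbprint
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    } finally {
        $store.Close()
    }

    if (-not $cert) {
        $problems += "not found in $Location\$StoreName"
    } else {
        if ($RequirePrivateKey -and -not $cert.HasPrivateKey) {
            $problems += 'no private key: import the .pfx (with PersistKeySet), not the .cer'
        }
        if (-not $RequirePrivateKey -and $cert.HasPrivateKey) {
            $problems += 'has a private key, but only the partner public certificate (.cer) belongs here'
        }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "outside validity period $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
        }
        # Key Usage check: the role passes if any one of the required bits is set.
        $ku = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
              Select-Object -First 1
        if ($ku -and (($ku.KeyUsages -band $AnyOfUsage) -eq 0)) {
            $problems += "Key Usage is '$($ku.KeyUsages)', role needs one of '$AnyOfUsage'"
        }
    }
    New-Object PSObject -Property @{
        Role = $Role; Store = "$Location\$StoreName"; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ')
    }
}

# CurrentUser\My is per account; report which account the results apply to.
"Checked as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 'My' is the Personal store; 'AddressBook' is the store the MMC shows as "Other People".
$results = @(
    Test-As2Certificate 'Signature (outbound)'             $OwnSigning        CurrentUser  My          $true  DigitalSignature
    Test-As2Certificate 'Signature verification (inbound)' $PartnerSigning    LocalMachine AddressBook $false DigitalSignature
    Test-As2Certificate 'Encryption (outbound)'            $PartnerEncryption LocalMachine AddressBook $false 'KeyEncipherment, DataEncipherment'
    Test-As2Certificate 'Decryption (inbound)'             $OwnDecryption     CurrentUser  My          $true  'KeyEncipherment, DataEncipherment'
)
$results | Format-Table Role, Store, Ok, Problems -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it once per host instance service account, for example with runas /profile /user:DOMAIN\BtsHostSvc powershell.exe so that the account's profile (and therefore its Personal store) is loaded, which is the same condition the note above places on message processing. The script checks the certificate stores only; it does not read back which thumbprint is configured on the Group, Party or Send Port Certificate pages.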

You can also generate certificates with Certificate Services on Windows Server 2003 or Windows Server 2008; however, your partner may accept such certificates only for test purposes, because they are issued by your own CA (or are self-signed) rather than by a public CA that the partner already trusts. For more information on using Certificate Services to request certificates, see Using Windows Server 2003 Certificate Services Web Pages.

The following prerequisite applies to all of the procedures in this topic:

  • You must be logged on as a member of the BizTalk Server Administrators group.

To specify the certificate used to sign outbound messages

  1. In the BizTalk Server Administration console, right-click the BizTalk Group node, and then click Properties.

  2. In the console tree of the Group Properties dialog box, click Certificate.

  3. In the Certificate pane, click Browse, find the certificate you want to use for signing, and then click OK.

    Note
    Instead of entering the common name of the certificate, you can enter just the thumbprint. You can get the thumbprint by double-clicking the certificate in the certificate store in MMC or in the file system, clicking the Details tab, clicking the Thumbprint field, and copying the thumbprint.

  4. Click OK.

To specify the certificate used to verify a party's signature on inbound messages

  1. In the BizTalk Server Administration console, open the BizTalk Group node, and then open the Parties node.

  2. Right-click the party that you will be receiving signed messages from, and then click Properties.

  3. In the console tree, click Certificate.

  4. In the Certificate pane, click Browse, find the certificate you want to use for verifying the digital signature, and then click OK.

    Note
    Instead of entering the common name of the certificate, you can enter just the thumbprint. You can get the thumbprint by double-clicking the certificate in the certificate store in MMC or in the file system, clicking the Details tab, clicking the Thumbprint field, and copying the thumbprint.

  5. Click OK.

To specify the certificate used to encrypt messages sent on a send port

  1. In the BizTalk Server Administration console, open the BizTalk Group node, open the Applications node, and then open the node of the application that contains the send port on which you will send the encrypted message.

  2. Open the Send Ports node, right-click the send port, and then click Properties.

  3. In the console tree, click Certificate.

  4. In the Certificate pane, click Browse, find the certificate that you want to use for encryption, and then click OK.

    Note
    Instead of entering the common name of the certificate, you can enter just the thumbprint. You can get the thumbprint by double-clicking the certificate in the certificate store in MMC or in the file system, clicking the Details tab, clicking the Thumbprint field, and copying the thumbprint.

  5. Click OK.
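The following PowerShell script is an added example, not part of the BizTalk documentation. It performs the store side of the three procedures above and of the "Adding Certificates to the Certificate Stores" section: it imports your own .pfx into Current User\Personal, imports each partner's .cer into Local Computer\Other People, enforces the rule that no two parties share a signature-verification certificate, and prints the thumbprints (already without spaces) to paste into the Group, Party and Send Port Certificate pages. The file paths and party names (Contoso, Fabrikam) are assumptions. Because the .pfx goes into a per-account store, run the script as the host instance service account with its profile loaded.

```powershell
# Added example (not from the BizTalk documentation): install AS2 certificates into the
# stores required by this page and print the thumbprints to configure in BizTalk.
# Run as the host instance service account, e.g.:
#   runas /profile /user:DOMAIN\BtsHostSvc powershell.exe
$ErrorActionPreference = 'Stop'

$ownPfx = 'C:\certs\our-as2.pfx'                      # assumed path: own signing/decryption key
$partners = @{                                        # assumed party names and .cer paths
    'Contoso'  = @{ Signing = 'C:\certs\contoso-sign.cer'; Encryption = 'C:\certs\contoso-enc.cer' }
    'Fabrikam' = @{ Signing = 'C:\certs\fabrikam.cer';     Encryption = 'C:\certs\fabrikam.cer' }   # one cert for both uses
}

function Add-ToStore {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.StoreName]$StoreName,
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open('ReadWrite')
    try { $store.Add($Cert) } finally { $store.Close() }   # Add() does nothing if the cert is already present
}

# Own private key -> CurrentUser\My (Personal) of the account running this script.
# PersistKeySet keeps the private key in this account's key container after import;
# without it the certificate lands in the store but HasPrivateKey is False and the
# AS2 encoder/decoder cannot sign or decrypt with it.
$password = Read-Host -AsSecureString "Password for $ownPfx"
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
$own = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ownPfx, $password, $flags)
if (-not $own.HasPrivateKey) { throw "$ownPfx did not contain a private key" }
Add-ToStore -Cert $own -StoreName My -Location CurrentUser

# Partner public keys -> LocalMachine\AddressBook (shown as "Other People" in the MMC).
$imported = @{}
foreach ($party in $partners.Keys) {
    $imported[$party] = @{}
    foreach ($use in 'Signing', 'Encryption') {
        $path = $partners[$party][$use]
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
        if ($cert.HasPrivateKey) { throw "$path carries a private key; a partner should only send its public certificate" }
        Add-ToStore -Cert $cert -StoreName AddressBook -Location LocalMachine
        $imported[$party][$use] = $cert
    }
}

# The page requires each party's signature-verification certificate to be unique
# across parties; refuse the configuration here rather than after deployment.
$shared = $imported.Values | ForEach-Object { $_['Signing'] } | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 }
if ($shared) {
    throw "Verification certificate(s) $(($shared | ForEach-Object { $_.Name }) -join ', ') are shared by more than one party"
}

"Imported as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name). Thumbprints to enter in BizTalk:"
"  Group Properties > Certificate (signing):                   $($own.Thumbprint)"
foreach ($party in $partners.Keys) {
    "  Party '$party' > Certificate (signature verification):    $($imported[$party]['Signing'].Thumbprint)"
    "  Send port to '$party' > Certificate (encryption):         $($imported[$party]['Encryption'].Thumbprint)"
}
```

The printed thumbprints are what the three Browse dialogs above select; X509Certificate2.Thumbprint is upper-case hex with no spaces, so it can be entered directly instead of the value copied from the Details tab, which carries spaces. Repeat the .pfx import on every BizTalk Server that hosts the encoder or decoder pipeline, under each host instance service account, because Current User\Personal is per machine and per account.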

  © 2009 Microsoft Corporation. All rights reserved.