Certificates
The following table describes the AS2 certificate needs:
|
Certificate Usage |
Certificate Type |
Pipeline Component |
User Context |
Certificate Store |
Where Defined |
|
Signature (outbound) |
Own private key (.pfx) |
MIME/SMIME encoder |
Account used by the host instance associated with the send handler. |
Current User |
Certificate option in the BizTalk Group Properties. This is the default signing certificate used when sending signed documents.
Certificate option in the Party Properties. This is the signing certificate used for when sending documents for a specific party.
EdiIntAS.SignatureCertificate context property. This contains the thumbprint of the certificate that the pipeline will use to sign the document. |
|
Signature verification (inbound) |
Trading partner’s public key (.cer) |
MIME/SMIME decoder |
Account used by the host instance associated with the receive handler. |
Local computerOther People store of each BizTalk Server that hosts a MIME/SMIME decoder pipeline as each host instance service account |
Certificate option in the Party Properties dialog box.
Note: The certificate used to verify a signature for a party must be unique from the certificates used to verify signatures for other parties. So, every party gets its own certificate. |
|
Encryption (outbound) |
Trading partner’s public key (.cer) |
MIME/SMIME decoder |
Account used by the host instance associated with the send handler. |
Local computerOther People store of each BizTalk Server that hosts a MIME/SMIME encoder pipeline |
Certificate option in the Send Port Properties. |
|
Decryption (inbound) |
Own private key (.pfx) |
MIME/SMIME decoder |
Account used by the host instance associated with the receive handler. |
Current UserPersonal store of each BizTalk Server that hosts a MIME/SMIME decoder pipeline as each host instance service account |
The AS2 Decoder will determine the certificate based upon certificate information in the message.
For the BizTalk MIME Decoder, the certificate must be in the Certificate option in the properties of the host used for receiving the message. This is not necessary for the AS2 Decoder. |
This chart is also available at http://msdn.microsoft.com/en-us/library/bb728096.aspx.
There are four places to install certificates: BizTalk Group properties, Party properties, Send Port properties and HOST properties.
Certificates used for AS2 transport must have the attributes required for their intended use. For signing and signature verification, the Key Usage attribute of the certificate must be Digital Signature. For encryption and decryption, the Key Usage attribute of the certificate must be Data Encipherment or Key Encipherment. You can verify the Key Usage attribute by double-clicking the certificate, clicking the Details tab in the Certificate dialog box, and checking the Key Usage field.
Group Hub and HOST Certificate Import Instructions
The certificate with the private key must be imported to the BizTalk service account’s Personal store. There are 3 options to do this:
Option 1: Login to the BizTalk server as the BizTalk service account.
Option 2: Open the MMC as the BizTalk service account using the RunAs feature: runas /user:BizTalkServiceAccount mmc.exe.
Option 1 and Option 2 steps:
1. Open the MMC on the BizTalk server and add the Certificate snap-in for My User Account.
2. Select Personal, right-click, select All Tasks and then select Import.
3. This opens the Certificate Import Wizard. Select the following:
a) Click Next.
b) Browse to the .pfx file and click Open. Click Next.
c) If you specified a password on Windows 2003, enter it. If not, leave it blank. On Windows 2008, enter the password. Check Mark this key as exportable and click Next.
d) Click Next to import into the Personal store.
e) Click Finish.
4. In BizTalk Administration, open the BizTalk Group properties. Click Certificate and then Browse to your newly-imported certificate. For the BizTalk HOST, open the HOST properties, click Certificates and then Browse to your newly-imported certificate.
Option 3: Use the CertWizard.exe SDK Utility. This option ensures that the certificate is correct imported into the MMC and the BizTalk Group properties. Steps:
1. Build the CertWizard.csproj project in Program Files (x86)Microsoft BizTalk Server 2009SDKUtilitiesCertificate Wizard to create CertWizard.exe in the binDebug directory.
2. Open a command window and go to the Program Files (x86)Microsoft BizTalk Server 2009SDKUtilitiesCertificate WizardbinDebug directory.
3. Type the following and press Enter. CertWizard will find the BizTalk service account and ask you for the password for every HOST instance.
certwizard /privatekey Cert.pfx /Filepassword password /Usage both /Exportable true
To confirm the certificate has been successfully imported in the BizTalk Group properties, select the Certificate option. You should see a Thumbprint with no Common Name. The Common Name is not needed by BizTalk.
To confirm the certificate has been successfully imported in the Personal store of the BizTalk service account, use the RunAs feature to open the MMC: runas /user:BizTalkUserAccount mmc.exe.
BizTalk 2009 Help provides more info on the CertWizard utility.
Party and Send Port Certificate Import Instructions
You can trump the certificate at the BizTalk Group level by specifying a certificate in the Party and Send Port properties. You will do this if a partner sends you a certificate or you are sending a partner a certificate. A certificate can only be used by one party. The Party and Send Port certificate must be imported to the Other People store; which can be read by all users. Import steps:
1. Open the MMC on the BizTalk server and add the Certificate snap-in for the Computer Account.
2. Select Other People, right-click, select All Tasks and then select Import.
3. This launches the Certificate Import Wizard. Select the following:
a) Browse to the CertificateName.pfx (private key) or CertificateName.cer (public) file.
b) If you specified a password on Windows 2003, enter it. If not, leave it blank. On Windows 2008, enter the password. Check Mark this key as exportable and click Next.
c) Click Next to import into the Other People store.
d) Click Finish.
4. In BizTalk Administration, open the Party and/or Send Port properties. Click Certificate and click Browse. You should now see the imported certificate.
Scenario A
You are receiving messages from a partner that encrypts data using a certificate. To decrypt the message, you must install the certificate on the BizTalk server.
Solution
The partner must send you the certificate with the public key (CertName.cer). Once received, import the CertName.cer file using the Certificates snap-in in the Other People store. Then, modify the Party properties to use this certificate.
Scenario B
You are sending signed messages to a partner. Your messages are encrypted using a certificate purchased from a 3rd party.
Solution
You will have the certificate with the private key (CertName.pfx) installed on your BizTalk server. You must send the certificate with the public key (CertName.cer) to your partner. Once received, your partner will import the CertName.cer file on their BizTalk server.