Before we can get started with setting up BizTalk for AS2 communication, we need to generate our security certificates. Certificates in AS2 are used to encrypt the EDI data being transmitted over the internet, and to sign the AS2 message to prevent tampering. There are two primary ways to self-generate your own certificates. The first is to install Microsoft Certificate Services and setup a local certificate authority. MCS is available on the Windows 2003 or Windows 2008 installation media. Setting up and using MCS requires a fair amount of work, and I am not going to cover it in this series. Instead we will be using the open source OpenSSL cryptography tools to generate our certificates.
I used the OpenSSL tools that shipped with Fedora 8 to generate these certifcates. OpenSSL is also included as part of the Cygwin tools for Windows. Generating certificates can be done with three simple commands:
First we need to create our public/private key pair.
openssl req -x509 -nodes -days 1825 -newkey rsa:1024 -keyout host.pem -out host.pem
Next we need to extract the private key in PKCS#12 format.
openssl pkcs12 -export -out host.pfx -in host.pem -name “My Certificate”
Finally we need to extract the public key in DER format.
openssl x509 -outform der -in ./host.pem >> host.cer
(Try openssl x509 -outform der -in ./host.pem -out host.cer if you are running these commands from a Windows shell)
After executing these commands you should have three files. The host.pem file contains both the public and private key parts. This file can be used to regenerate the keys if needed, and should be backed up in a secure location. The host.pfx file contains the private key in a format that is suitable for importing into the Windows certificate store. The host.cer file contains the public key in a format that most AS2 software packages understand. The public key will be given to your trading partners, so you will want to keep it in a location where it can be easily accessed. It is also worth noting that this certificate will be valid for five years after the creation date. If you need to increase or decrease the time limit, simply adjust the number after the -days option in the first OpenSSL command.
There is also the option of purchasing a certificate from a commercial CA such as Verisign or thawte. As this can be expensive, I do not recommend purchasing a certificate unless you have one or more trading partners that require it.
Next time we will take a look at importing the certificates into the Windows certificate store.
Update: Added a second version of the third OpenSSL command to properly output the public key when using Windows.
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
[...] time around we will take a look at installing certificates that we created in Part 1. We will start by opening the Microsoft Management Console. Make sure that you are logged in using [...]
Hi,
this worked for me, but only after changing the third command by adding a -out param :
openssl x509 -outform der -in ./host.pem -out hostpublic.cer
Out of curiosity, are you running the OpenSSL commands on Windows or on Linux? The original version works fine on a Linux box, but I’m not sure if the Windows shell understands the append “>>” operator. At any rate, I’m adding your version to the article. Thanks for the comment.
[...] Part 0: Introduction Part1: Generating Certificates Part2: Installing Certificates Part 3: Configuring IIS to Receive Transactions [...]