views:

260

answers:

1

I need to create an AS2 connection in BizTalk Server 2006 R2 to communicate with a business partner. I've worked with BizTalk AS2 config before and the BizTalk docs have pretty good walkthroughs about how to configure everything, but they don't talk about how to get/generate a certificate, and I don't have much experience there.

What is the best way to generate a key pair? My basic understanding of the process is that you generate the public and private keys (.pfx file?), install them, export the public key certificate (.cer?) and send it to the partner. The certificate won't be used for HTTPS, only for the AS2 connection, and the partner has stated that it can be self-signed (doesn't need a trusted CA?). We trade public key certificates directly with the partner in a secure fashion in the form of .cer files. Is MakeCert an appropriate tool here?

I believe we need to use the same key for both encryption and signing, so according to the docs, the Key Usage attribute of the certificate must include Digital Signature and either Data Encipherment or Key Encipherment.

Thanks!

+1  A: 

You can certainly use MakeCert-generated self-signed keys for AS2 security and signing. Depending on the flavour of AS2 being implemented (there are 12 all up) you do not need to do both encryption and signing, but the standard usage of AS2 is signed and encrypted communication with or without MDNs, and for that you would generally use a single certificate.

As you say, there is a wealth of information on AS2 in the BizTalk docs and in the SDK. I thought it worth pointing out this MSDN page http://msdn.microsoft.com/en-us/library/bb728096(BTS.20).aspx, however, since it covers the installation of the certs in great detail. The configuration is quite particular, if you don't get the right certs in the right stores under the right users and in the right parts of BizTalk (assigned to parties, groups and send ports) then you can run into trouble. I've found it pays to follow the docs exactly in this part of configuration.

One important thing to remember is that your AS2 receive runs under the BizTalk IsolatedHost so the certs for receiving need to be in that store.

I've also found it interesting and helpful (though not necessary) to read the AS2 RFC.

David Hall
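The generate / install / export-the-public-half procedure the question describes, with the Key Usage check the docs call for, as an added example that is not part of the question or the answer above. It uses PowerShell's `New-SelfSignedCertificate` (Windows 8 / Server 2012 and later) rather than MakeCert, which on those systems is the simpler way to get a self-signed certificate whose Key Usage extension explicitly carries Digital Signature plus Key and Data Encipherment; the subject name, output folder and file names are placeholders. Run it elevated on the BizTalk machine so the certificate lands in the Local Machine "My" store.

```powershell
# Added example (not from the question or answer): build one self-signed RSA
# certificate for AS2 signing and decryption, export the .pfx (private key,
# stays with you) and the .cer (public key, sent to the partner), then verify
# the Key Usage bits the BizTalk AS2 docs require.
# Assumptions: PKI module cmdlets available (Windows 8 / Server 2012+),
# elevated session, placeholder subject and paths below.

$Subject  = "CN=AS2-EXAMPLE-PARTY"      # placeholder; use your AS2 party identity
$OutDir   = "C:\AS2Certs"               # placeholder output folder
$PfxPath  = Join-Path $OutDir "as2-private.pfx"
$CerPath  = Join-Path $OutDir "as2-public.cer"
$NotAfter = (Get-Date).AddYears(2)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# A single key pair serves both signing and decryption, so the Key Usage
# extension must carry DigitalSignature and the encipherment bits.
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange `
    -KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter $NotAfter `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Private key + certificate. The password protects the .pfx at rest; this file
# is for your own BizTalk hosts only and is never sent to the partner.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Public certificate only (DER-encoded .cer): this is what you exchange with the partner.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Re-read the exported .cer and confirm the usages before handing it over.
$publicCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$ku = $publicCert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$hasSigning  = ($ku.KeyUsages -band $flags::DigitalSignature) -ne 0
$hasEncipher = ($ku.KeyUsages -band ($flags::DataEncipherment -bor $flags::KeyEncipherment)) -ne 0
if (-not ($hasSigning -and $hasEncipher)) {
    throw "Key Usage is '$($ku.KeyUsages)'; AS2 needs DigitalSignature plus Data or Key Encipherment."
}

Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Private (.pfx, keep local): $PfxPath"
Write-Host "Public (.cer, send to partner): $CerPath"
```

The thumbprint printed at the end is the value you assign to the party and send ports in BizTalk. Remember the answer's point about stores: the partner's .cer goes into the Other People store of the machine, and for the receive side the certificate with the private key has to be visible to the account the BizTalk Isolated Host runs under, so importing the .pfx into the Local Machine store alone is not always enough.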