Configuring BizTalk 2006 R2 for AS2: Part 1 Generating Certificates

Scott Banwart

2008-06-04

BizTalk

as2, biztalk, certificates, edi, encryption, openssl, security

Before we can get started with setting up BizTalk for AS2 communication,
we need to generate our security certificates. Certificates in AS2 are
used to encrypt the EDI data being transmitted over the internet, and to
sign the AS2 message to prevent tampering. There are two primary ways to
self-generate your own certificates. The first is to install Microsoft
Certificate Services and setup a local certificate authority.
MCS is
available on the Windows 2003 or Windows 2008 installation media.
Setting up and using MCS requires a fair amount of work, and I am not
going to cover it in this series. Instead we will be using the open
source OpenSSL cryptography tools to generate our certificates.

I used the OpenSSL tools that shipped with Fedora 8 to generate these
certificates. OpenSSL is also included as part of the Cygwin tools
for Windows. Generating certificates can be done with three simple
commands:

First we need to create our public/private key pair.

>openssl req -x509 -nodes -days 1825 -newkey rsa:1024 -keyout host.pem -out host.pem

Next we need to extract the private key in PKCS#12 format.

>openssl pkcs12 -export -out host.pfx -in host.pem -name "My Certificate"

Finally we need to extract the public key in DER format.

>openssl x509 -outform der -in ./host.pem >> host.cer

(Try openssl x509 -outform der -in ./host.pem -out host.cer if you are running these commands from a Windows shell)`

After executing these commands you should have three files. The host.pem
file contains both the public and private key parts. This file can be
used to regenerate the keys if needed, and should be backed up in a
secure location. The host.pfx file contains the private key in a format
that is suitable for importing into the Windows certificate store. The
host.cer file contains the public key in a format that most AS2 software
packages understand. The public key will be given to your trading
partners, so you will want to keep it in a location where it can be
easily accessed. It is also worth noting that this certificate will be
valid for five years after the creation date. If you need to increase or
decrease the time limit, simply adjust the number after the -days option
in the first OpenSSL command.

There is also the option of purchasing a certificate from a commercial
CA such as Verisign
or thawte. As this can be expensive, I do not recommend purchasing a
certificate unless you have one or more trading partners that require
it.

Next time we will take a look at importing the certificates into the
Windows certificate store.

Update: Added a second version of the third OpenSSL command to properly
output the public key when using Windows.