Thursday 6 October 2016

How to configure SSL for BizTalk HTTPS send port adapter (Part 1/2)

A few years back I had just finished connecting my BizTalk 2006R2 to SAP XI, which required the HTTPS protocol to transmit the message. It was exciting and confusing at first, and in the end the mission was successful and it was not that complicated at all. I was really starting from scratch to understand how certificates and SSL work with BizTalk, and it is good to know the fundamentals around certificates, the certificate store and how they relate to BizTalk.

Fundamental Knowledge About the Certificate Store

The certificate store is the place to manage and configure certificates. It is a snap-in, so you use the Microsoft Management Console to open it: from Windows Start --> Run, type MMC.

Calling MMC
You will see the following screen:
MMC window
Open File --> Add/Remove Snap-in…
Add Snap-in
Click the Add button and find Certificates, as in the following screen:
Certificates Snap-in
Click the Add button and choose the option as follows:
Certificates manage selection

In most cases, the first option I go with is Computer account, then I click the Next button. On the next screen I select Local computer to manage the local computer's certificates.

Select Computer to Manage
You need to repeat this step for “My user account”. After adding the two options you will see the following screen:
Selected Certificate Snap-ins

Just click the "OK" button and you will have the following screen:
Certificate Console Folders

There are many group folders in the console screen, and each of them represents a purpose or the owner it belongs to. I will explain the few folders that I used most in my project.


Personal folder

If you have a certificate file with the private key inside, then you need to register your certificate here. The Personal folder is normally used for two reasons:
  1. Storing your IIS web SSL server certificate (encryption/decryption)
  2. Storing your client authentication certificate.
(Please note that in real cases one certificate file can have multiple purposes; in my opinion having a separate file for each purpose just adds to your maintenance tasks.) If you need to set up a web site with the HTTPS protocol, you normally create a certificate request in the IIS website for the server certificate. You send the pending certificate request to the CA (certificate authority) when purchasing the server certificate. IIS registers your server certificate inside this Personal folder automatically, at the computer level.
Always remember that the Personal folder is private/personal to the company that purchased the certificates. This is the key information, because BizTalk searches the Personal folder of the certificate store belonging to the BizTalk service account. BizTalk finds the certificate based on the thumbprint ID that you fill in at the HTTP adapter. Thus you need to log on with the BizTalk service account and copy the certificate over from the computer-level Personal folder. There will be more explanation in the next section.


Trusted Root Certificate Authorities Folder

Every certificate (a personal certificate or any other certificate) always has a certification path; the path can be one level or sometimes multiple levels. The root CA should be the highest-level certificate in the certification path. The main function of this folder is to register trusted CA certificates. A CA certificate is just like any other certificate, but normally its characteristics are:
  1. “Issued by” and “issued to” are the same.
  2. There is no higher level in the path than itself.
The following picture is an example of a trusted root CA certificate:
Trusted Root CA

Certification Path


Intermediate Certificate Authorities Folder

Similar to the trusted root CA folder, the intermediate CA folder is the place to trust the intermediate level of certificates. If you have a certificate whose path has multiple levels, then all the intermediates must be registered here. Below is an example of an intermediate CA.
Intermediate CA

Intermediate Certificate Path
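The folder a certificate belongs in follows from its position in the certification path, and the two rules above (issued by equals issued to, nothing above it) can be checked programmatically. The following PowerShell script is an added example, not code from the original post: it builds the chain for a .cer file with the .NET X509Chain class, labels each element with the console folder it should be registered in, and reports why the chain could not be built when a root or intermediate is missing. The file path is a placeholder.

```powershell
# Added example (not from the original post). Builds the certification path of
# a .cer file and names the certificate store folder each element belongs to.
param(
    [string]$CertPath = "C:\certs\partner-server.cer"   # placeholder path
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Path building only: revocation (CRL) checking is covered separately, and a
# production server behind a firewall often cannot reach the CRL URL anyway.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)    # $false when any element of the path is untrusted or missing

$elements = @($chain.ChainElements)   # element 0 is the certificate itself, last is the top of the path
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    # Rule from the post: a root CA certificate is issued to and by the same name.
    $selfSigned = ($c.Subject -eq $c.Issuer)
    if ($selfSigned) {
        $folder = "Trusted Root Certification Authorities"
    } elseif ($i -eq 0) {
        $folder = "Personal (if you hold the private key) or Other People"
    } else {
        $folder = "Intermediate Certification Authorities"
    }
    "{0}: {1}`n    issued by   : {2}`n    store folder: {3}" -f $i, $c.Subject, $c.Issuer, $folder
}

if (-not $built) {
    # UntrustedRoot: the root is not in the Trusted Root folder.
    # PartialChain : an intermediate is missing from the Intermediate folder.
    foreach ($s in $chain.ChainStatus) {
        "Chain problem: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}
```

Run it once as the BizTalk service account and once as the IIS application pool identity: the X509Chain class searches the same computer-level and user-level folders that the MMC snap-ins show, so a PartialChain or UntrustedRoot status tells you exactly which folder still needs the partner's intermediate or root certificate.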

Other People Folder

If you intend to access another company's secure website and need their public certificate to be passed over to connect securely, then you register it here. According to my experience, registering the partner's public certificate here is not compulsory in most cases, regardless of whether you use a browser or send the message from BizTalk Server. For example, when accessing an internet banking system you never need to register the bank's public certificate, only its root CA or intermediate CA. The root CA and intermediate CA are downloaded and registered in your computer certificate store automatically and transparently. However, if your server is hosted in a secured area behind a firewall, then you should register the root CA and intermediate CA manually. Simply extract them from your own local computer certificate store or ask your business partner to send them to you.

How to Configure the Certificate Effectively

There are two ways to install a certificate:
  1. Double-click the certificate and follow the certificate installation wizard. If you do this, the certificate is registered for the current user. My suggestion is not to use this method, since you are configuring for the BizTalk application and IIS. You would need to copy the certificate from your current user to the computer level, and this is where the certificate is sometimes overlooked, causing unnecessary manual checking.
  2. Import from the certificate store folder at computer level. If you do this, the certificate store automatically copies the certificate into the other user accounts' certificate stores, especially for the Trusted Root CA, Intermediate CA, Other People and certificate revocation list folders. The behaviour is different when installing a personal certificate that has a private key: you need to install that certificate manually into the intended user account or into the computer-level certificate store.
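The same computer-level installation can be scripted, which makes it repeatable on every BizTalk and IIS server in the environment. The PowerShell below is an added example, not part of the original post: it registers the partner's root CA, intermediate CA and the intermediate's CRL at computer level with certutil (which targets the LocalMachine stores unless -user is given), and then imports a .pfx with its private key into the Personal folder of the chosen account with the .NET X509Store class. File paths are placeholders; the PFX password is prompted for. Run from an elevated prompt.

```powershell
# Added example (not from the original post). Installs CA material at computer
# level and a private-key certificate into a Personal folder.
$RootCer         = "C:\certs\partner-root.cer"          # placeholder path
$IntermediateCer = "C:\certs\partner-intermediate.cer"  # placeholder path
$IntermediateCrl = "C:\certs\partner-intermediate.crl"  # placeholder path (CRL published by the intermediate CA)
$ClientPfx       = "C:\certs\biztalk-client.pfx"        # placeholder path, contains the private key

# Step 2 of the post: computer-level import. certutil works on the LocalMachine
# stores by default; -f replaces an existing copy. -addstore accepts CRL files too.
certutil -f -addstore Root $RootCer
certutil -f -addstore CA   $IntermediateCer
certutil -f -addstore CA   $IntermediateCrl

# A certificate with a private key is not shared between accounts, so choose
# the account that will use it. As the post describes, log on as the BizTalk
# service account and use CurrentUser; use LocalMachine for an IIS server certificate.
$ClientStoreLocation = "CurrentUser"

$ksf = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
if ($ClientStoreLocation -eq "LocalMachine") {
    $flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet   # key stored in the machine key set
} else {
    $flags = $ksf::UserKeySet -bor $ksf::PersistKeySet      # key stored in this user's profile
}

$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $ClientPfx, $pfxPassword, $flags

if (-not $client.HasPrivateKey) {
    throw "The PFX did not yield a private key; a .cer-only file belongs in Other People, not Personal."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", $ClientStoreLocation
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($client)
$store.Close()

"Registered '{0}' in {1}\My, thumbprint {2}, private key present: {3}" -f `
    $client.Subject, $ClientStoreLocation, $client.Thumbprint, $client.HasPrivateKey
```

The thumbprint printed at the end is the value you later paste into the HTTP send port; PersistKeySet is what keeps the private key on disk after the script exits, without it the certificate shows up in the store but the key is gone once the process ends.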

Fundamental Knowledge Around Certificate Files

There are several filename extensions for certificates, as follows:
  1. <certfilename>.pfx and <certfilename>.p12. This type of certificate contains the private key, and the owner of the certificate normally keeps this file carefully. The certificate can then be used for server HTTPS encryption and/or for client authentication. Because it has the private key, you register this certificate in the Personal folder of the certificate store.
  2. <certfilename>.cer. This type of certificate is a public/server certificate or a root CA certificate. It has only the public key and can't be stored in the Personal folder of the certificate store.
  3. <certfilename>.crl. This type of certificate is the certificate revocation list. Some certificates that have the CRL Distribution Points property require the revocation list to be registered in the certificate store.
There are some important properties in a certificate file. In the General and Details tabs of the certificate properties you can find the following information:

  • Whether the certificate contains a private key
  • The Issued by property, which tells you who issued the certificate (normally it refers to the root CA or intermediate CA certificate)
  • The validity period of this certificate.
  • The Issued to property, which tells you the name this certificate is bound to. It is where you define the URL of your website/web service, or the business partner website URL you connect to. This information is related to the CN (common name) you register with your CA, which has to be unique and never registered by another organization/company.

Issued To property

  • The Subject property; here you see the CN (common name), OU (organizational unit), O (organization) and C (country). The CN is the name the certificate is bound to; it determines the URL used to connect to the business partner or defines your web server URL. The CN can secure a public IP or an FQDN (fully qualified domain name). Example: if the CN is 10.30.16.236 then the URL should be https://10.30.16.236/<virtualfolder>/<asppage.aspx>. If the CN is an FQDN like integration.com.sg then the URL should be https://integration.com.sg/<virtualfolder>/<asppage.aspx>.

Subject property


  • "CRL Distribution Points" properties. This property can’t be ignored easily as it is define the revocation checking against your certificate in your computer.  Most of case live production server can’t access to the URL define in this properties due security rule or firewall; hence you can download the revocation certificate list using browser by pasting the URL. If you find the CRL distribution points property at your private certificate or public certificate, then you will need to registered your for CRL at the higher level. Most of the case you will have intermediate CA which tied with your revocation list certificate, thus register your CRL at intermediate Certification Authority folder. The Intermediate CA certificate could also define its own “CRL Distribution Points”, thus you will register the CRL cert at the Root Certification Authority folder, however according to my testing, you might not necessary to install the CRL belong to intermediate CA cert. 

CRL Distribution Points Property
  • "Enchanced key Usage" property. This property will define the function of this certificate. My recent project requires two functions that SSL has to perform, which is to authenticate the server and the client. 
Enhanced Key Usage Property
  • “Thumbprint” property. The use of this property is when you want BizTalk application to send the client certificate by providing the thumbprint id at HTTP send port adapter. When you enter the thumbprint id at BizTalk HTTP adapter, the space in between is not required.
Thumbprint property
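Because BizTalk resolves the client certificate purely by thumbprint in the Personal folder of the service account, the properties listed above are worth checking from that account before the send port is configured. The PowerShell below is an added example, not code from the original post: it normalizes a thumbprint copied from the Details tab (spaces removed, as the adapter expects), looks it up in both CurrentUser\My and LocalMachine\My, and reports the private key, validity period, Client Authentication enhanced key usage and CRL Distribution Points of whatever it finds. The thumbprint is a constructed placeholder.

```powershell
# Added example (not from the original post). Run logged on as the BizTalk
# service account to see the Personal folder the adapter will search.
$AdapterThumbprint = "00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99"   # constructed placeholder

# The MMC Details tab shows the thumbprint with spaces; the adapter does not need them.
$thumb = ($AdapterThumbprint -replace '[\s:]', '').ToUpperInvariant()

$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # Enhanced Key Usage: Client Authentication
$crlDpOid      = "2.5.29.31"           # CRL Distribution Points extension

function Find-ClientCertificate {
    param([string]$Thumbprint)
    foreach ($location in "CurrentUser", "LocalMachine") {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", $location
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        # validOnly = $false so that an expired certificate is still reported rather than silently skipped
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $Thumbprint, $false)
        $store.Close()
        foreach ($c in $found) {
            New-Object PSObject -Property @{ Location = $location; Certificate = $c }
        }
    }
}

$hits = @(Find-ClientCertificate -Thumbprint $thumb)
if ($hits.Count -eq 0) {
    "No certificate with thumbprint $thumb in CurrentUser\My or LocalMachine\My for $env:USERNAME"
}

foreach ($hit in $hits) {
    $c = $hit.Certificate
    $now = Get-Date

    # Enhanced Key Usage is parsed by .NET into a typed extension with an OID list.
    $eku = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } | Select-Object -First 1
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # CRL Distribution Points is a generic extension; Format($false) renders the URL(s) on one line.
    $crlDp = $c.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid } | Select-Object -First 1

    "Store         : {0}\My" -f $hit.Location
    "Issued to     : {0}" -f $c.Subject
    "Issued by     : {0}" -f $c.Issuer
    "Valid         : {0:u} to {1:u} (valid now: {2})" -f $c.NotBefore, $c.NotAfter, ($c.NotBefore -le $now -and $now -le $c.NotAfter)
    "Private key   : {0}" -f $c.HasPrivateKey
    "Client auth   : {0}" -f $hasClientAuth
    if ($crlDp) { "CRL DP        : {0}" -f $crlDp.Format($false) } else { "CRL DP        : none" }
}
```

A result that appears only under LocalMachine\My when you ran the script as the service account is the situation the post warns about: the certificate has to be copied into that account's own Personal folder, and "Private key : True" must hold there, otherwise the HTTPS handshake has nothing to sign with. A non-empty CRL DP line tells you which CRL to fetch and register in the intermediate CA folder when the server cannot reach the URL itself.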

Closing Up and Next

That was all of my first discoveries about certificates, and I believe it is good enough to jump into the BizTalk portion, glue them together and make it work. In the next article I will share with you the BizTalk configuration of the HTTP adapter using HTTPS with a server certificate and client authentication.
