BizTalk Server depends mainly on security provided by certificates and uses them for encryption, decryption, signing and verifying digital signatures. By making use of certificates BizTalk Server can:
The underlying methodology of digital certificates is called Public Key Infrastructure (PKI). Here a user has a key pair consisting of a public and a private key. Anything encrypted with the private key can be decrypted with the corresponding public key, and vice versa. As the names imply, the private key remains under the sole control of the user and the public key is made publicly available. For others to know who owns a certain public key, data that identifies the owner is added to that key. The combination of that identifying data and the public key is referred to as a digital certificate.
Digital certificates are stored in certificate stores. A certificate store often has numerous certificates, possibly issued by a number of different certification authorities.
There are two locations (stores) that BizTalk uses:
Through the Other People store BizTalk retrieves the public key certificates needed to encrypt outgoing messages and to verify the digital signatures on incoming messages. All users can read and use the certificates in this store. The following figure shows the Other People certificate store that BizTalk Server uses for public key certificates.
Figure 1. Certificate store of the local computer.
BizTalk uses the Personal certificate store to create an association to a private key needed to decrypt incoming messages and sign outbound messages. The personal certificate store of the host instance is used to access the private key associated with that service account. Every Windows account enabled to log on interactively on a computer has a personal certificate store that only that account can access. When a running host instance needs to decrypt incoming or sign outbound messages it requires a private key. The certificate that corresponds to that private key must be stored in the Personal certificate store for the service account that runs that host instance. The following figure shows the Personal certificate store that BizTalk Server uses for certificates that have an associated private key.
Figure 2. Personal certificate store.
To import certificates you can use the Microsoft Management Console (MMC) or the command-line tool CertWizard.
Using MMC, perform the following steps:
a) Type mmc at the command line.
b) The console appears; select File.
c) Navigate to Add/Remove Snap-in….
d) In Add or Remove Snap-ins select Certificates and click Add.
Figure 3. Add or Remove Snap-ins dialog enabling you to add a snap-in.
e) A Certificates Snap-in dialog appears with three options for how the snap-in should manage certificates:
   My user account
   Service account
   Computer account
f) Select one of the options and click Finish. (note: I normally choose “Computer account”)
g) You can repeat steps e and f if you need to manage more than one certificate store. In the Select Computer window, select the option “Local computer: (the computer this console is running on)” and click Finish.
h) Once you have the desired snap-ins, click OK.
i) You can now import certificates into the certificate store you require by right-clicking a store and selecting All Tasks --> Import…. The Certificate Import Wizard guides you through the remaining steps.
j) When the wizard starts you see a welcome screen stating that you can copy a certificate or revocation list to a certificate store. Click Next.
k) Specify the file to import by using the Browse button to navigate to the location of the file. Click Next.
l) In the Certificate Store screen you indicate where the certificate needs to be placed.
m) You can either let the wizard automatically select the store based on the type of certificate, or place it manually in a store. In the latter case the certificate store from which you started the wizard is preselected (e.g. Personal); you can use the Browse button to select another store. Click Next.
n) You will see a summary of where the certificate will be placed. Click Finish.
With the CertWizard command-line utility you can import a certificate from a .pfx or .cer file into a private or public store for use with Microsoft BizTalk Server. A .pfx file contains both the private key and the certificate, while a .cer file holds only the certificate. The utility has to be built in Visual Studio before you can use it. The source code for CertWizard can be found in the C:\Program Files\Microsoft BizTalk Server <version>\SDK\Utilities\Certificate Wizard folder, or in the BTARN SDK folder; navigate there with the CD command, for example by typing cd C:\Program Files\Microsoft BizTalk <version> Accelerator for RosettaNet\SDK. On a 64-bit operating system with BizTalk Server 20xx it is in the C:\Program Files (x86)\Microsoft BizTalk Server <version>\SDK\Utilities\Certificate Wizard folder. To use the CertWizard utility, open the solution in Visual Studio <version> and build it; then, at the command prompt, type CertWizard /? to see its options. Now perform the following steps to import a certificate:
a) Open a command prompt and navigate to the folder where CertWizard resides (e.g. C:\Program Files\Microsoft BizTalk Server <version>\SDK\Utilities\Certificate Wizard\bin\Debug or C:\Program Files\Microsoft BizTalk <version> Accelerator for RosettaNet\SDK).
b) The syntax for importing a private key is as follows:
CertWizard /Privatekey <filename>.pfx [/Filepassword <filepassword>] [/Useridentity <useridentity>] [/Password <password>] [/Thumbprint <thumbprint>] [/Usage sign|decrypt|both|none] [/Exportable true|false]
Figure 4. Screenshot of CertWizard capabilities.
c) You can also use CertWizard to import a root certificate by using the following command:
CertWizard /Rootkey filename.cer
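Whichever import method you use, the two stores described above are the ones a running host instance actually reads, so a check after import is worthwhile. The following PowerShell script is an added example, not part of the original article or of the BizTalk SDK; it assumes the partner's public certificate was placed in the Other People store (which PowerShell exposes as Cert:\LocalMachine\AddressBook) and that the script runs as the host instance service account so that Cert:\CurrentUser\My is that account's Personal store. The thumbprints are placeholders.

```powershell
# Added example (not from the original article): verify that a BizTalk certificate pair
# sits in the stores the article describes. Run the private-key check while logged on
# as the host instance service account, because that account's Personal store
# (Cert:\CurrentUser\My) is the one the host instance reads when it signs or decrypts.
param(
    [string]$PartnerThumbprint = 'PLACEHOLDER_PARTNER_THUMBPRINT',  # partner's public-key cert
    [string]$HostThumbprint    = 'PLACEHOLDER_HOST_THUMBPRINT'      # our cert with private key
)

function Test-BizTalkCertificate {
    param(
        [Parameter(Mandatory)][string]$StorePath,   # e.g. Cert:\LocalMachine\AddressBook
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$RequirePrivateKey
    )
    # Thumbprints copied from the MMC details tab carry spaces and sometimes a hidden
    # leading character; strip everything that is not a hex digit before comparing.
    $normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $normalized }
    if (-not $cert) {
        return [pscustomobject]@{ Store = $StorePath; Thumbprint = $normalized; Status = 'MISSING' }
    }
    $problems = @()
    if ($RequirePrivateKey -and -not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter.ToShortDateString())" }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += 'expires within 30 days' }
    # Build the chain so an untrusted or revoked issuer is found before BizTalk trips over it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    [pscustomobject]@{
        Store      = $StorePath
        Thumbprint = $normalized
        Subject    = $cert.Subject
        Status     = if ($problems) { 'PROBLEM: ' + ($problems -join '; ') } else { 'OK' }
    }
}

# Other People store: partner public key used to encrypt outbound and verify inbound signatures.
Test-BizTalkCertificate -StorePath 'Cert:\LocalMachine\AddressBook' -Thumbprint $PartnerThumbprint
# Personal store of the service account: our certificate with private key to decrypt and sign.
Test-BizTalkCertificate -StorePath 'Cert:\CurrentUser\My' -Thumbprint $HostThumbprint -RequirePrivateKey
```

A MISSING result for the second check while the certificate is visible in MMC under Computer account usually means it was imported into the machine store rather than the service account's Personal store.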
In general you need a good understanding of how to manage the digital certificates used with BizTalk Server. Installing certificates is one thing, but you also need to know in which store to install them.
For a checklist of steps to install the certificates see:
Beside the checklist you can review these resources on MSDN:
BizTalk Server uses two types of certificate stores; the Other People certificate store for public key certificates, and the Personal certificate store of each host instance service account for certificates with associated private keys:
See the following TechNet Wiki concerning usage of certificates for signing and encryption: