How to Install Certificates for BizTalk Server
To help secure data transfer on BizTalk Server, you must add the appropriate certificate to the appropriate certificate store, and associate the certificates with the appropriate BizTalk artifacts. This topic describes how to display the Certificates Management Console interface for the Local Computer and Current User certificate stores, and how to install the appropriate certificate in the appropriate store.
The certificates shown in the following table are used to help sign, verify the signature for, encrypt, and decrypt messages.
| Certificate Usage | Certificate Type | Certificate Store |
|---|---|---|
| Signature (outbound) | Own private key (.pfx) | Current User\ Personal store of each BizTalk server that hosts a MIME/SMIME encoder pipeline as each host instance service account |
| Signature verification (inbound) | Trading partner's public key (.cer) | Local computer\Other People store of each BizTalk server that hosts a MIME/SMIME decoder pipeline as each host instance service account |
| Encryption (outbound) | Trading partner's public key (.cer) | Local computer\Other People store of each BizTalk server that hosts a MIME/SMIME encoder pipeline |
| Decryption (inbound) | Own private key (.pfx) | Current User\Personal store of each BizTalk server that hosts a MIME/SMIME decoder pipeline as each host instance service account |
Prerequisites
To perform the procedures in this topic you must be logged on as a member of the BizTalk Server Administrators group.
To display the Certificates Management Console
Click Start, click Run, type MMC, and click OK to open the Microsoft Management Console.
Click the File menu, and then click Add or Remove Snap-in to display the Add or Remove Snap-in dialog box.
Click the Add button to display the Add Standalone Snap-in dialog box.
Select Certificates from the list of snap-ins, and then click Add.
Select Computer account, click Next, and then click Finish. This will add the Certificates Management Console interface for Local Computer.
Ensure that Certificates is still selected from the list of snap-ins, and then click Add again.
Select My user account, and then click Finish. This will add the Certificates Management Console interface for Current User.
Note
This displays the Certificates Management Console for the account that you are currently logged on as. If you need to import certificates into the Personal store for a service account then you should log on with the service account credentials first.
Click the Close button on the Standalone Snap-in dialog box.
Click the OK button on the Add or Remove Snap-in dialog box.
To install a certificate for receiving encrypted messages
Request a private-public key pair for digital signatures from the certification authority (CA) for BizTalk Server to use.
Send to the partner the public key for encryption.
In BizTalk Server, log on as the service account for the host instance running the handler that will receive messages from the partner. Install the BizTalk Server private key certificate for decrypting messages in the personal store for the service account.
Note
For more information about the procedure used to install certificates for encryption, see How to Install the Certificates for Encrypted Messages (https://go.microsoft.com/fwlink/?LinkId=155156) in BizTalk Server Help. For more information about the tool used to import a certificate into the certificate store, see Certificate Wizard Utility (https://go.microsoft.com/fwlink/?LinkId=155157) in BizTalk Server Help.
Have the partner install the BizTalk Server public key certificate for encrypting messages in the appropriate store. If the partner is using Windows 2000 Server, Windows Server 2003, or Windows Server 2008, they should install the public key in the Other People store.
To install a certificate for sending encrypted messages
Have the partner request a private-public key pair for encryption from the certification authority (CA).
Have the partner send you its public key for encrypting messages to be sent to the partner.
Have the partner install the private key certificate for decrypting messages in the appropriate store. If the partner is using Windows 2000 Server, Windows Server 2003, or Windows Server 2008, they should install the private key in the personal certificate store.
Note
For more information about the procedure used to install certificates for encryption, see How to Install the Certificates for Encrypted Messages (https://go.microsoft.com/fwlink/?LinkId=155156) in BizTalk Server Help. For more information about the tool used to import a certificate into the certificate store, see Certificate Wizard Utility (https://go.microsoft.com/fwlink/?LinkId=155157) in BizTalk Server Help.
In BizTalk Server, log on to the server that has a host instance running a handler that will send messages to the partner. Install the partner's public key certificate for encrypting messages sent to the partner in the Other People store.
To install a certificate for receiving signed messages
Have the partner request a private-public key pair for digital signatures from the certification authority (CA).
Have the partner send you its public key for digital signatures.
Have the partner install its private key certificate for signing messages in the appropriate store. If they are using Windows 2000 Server, Windows Server 2003, or Windows Server 2008, have them install the private key in the personal store for the account that will sign messages sent to BizTalk Server.
Note
For more information about the procedure used to install certificates for encryption, see How to Install the Certificates for Encrypted Messages (https://go.microsoft.com/fwlink/?LinkId=155156) in BizTalk Server Help. For more information about the tool used to import a certificate into the certificate store, see Certificate Wizard Utility (https://go.microsoft.com/fwlink/?LinkId=155156) in BizTalk Server Help.
In BizTalk Server, log on to the server that has a host instance running a handler that will receive messages from the partner. Install the partner's public key certificate to verify their signature in the Other People store.
To install a certificate for sending signed messages
Request a private-public key pair for digital signatures from the certification authority (CA) for BizTalk Server to use.
Send to the partner the public key for digital signatures.
In BizTalk Server, log on as the service account for the host instance running the handler that will send messages to the partner. Install the BizTalk Server private key certificate for signing messages in the personal store for the service account.
Note
For more information about the procedure used to install certificates for encryption, see How to Install the Certificates for Encrypted Messages (https://go.microsoft.com/fwlink/?LinkId=155156) in BizTalk Server Help. For more information about the tool used to import a certificate into the certificate store, see Certificate Wizard Utility (https://go.microsoft.com/fwlink/?LinkId=155157) in BizTalk Server Help.
Have the partner install the BizTalk Server public key certificate for verifying its digital signature in the appropriate store. If the partner is using Windows 2000 Server, Windows Server 2003, or Windows Server 2008, they should install the public key in the Other People store.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for