Certificate 101 Woes
schnoodle
Digital certificates are key to AS2 communication, where they are used to sign and encrypt the data at rest (that is, the data that has been received). They are also used for data "in flight", that is, data in transit over the internet, with SFTP, FTPS or HTTPS (the secured forms of communication). Digital certificates are not unique to IBM Sterling B2B Integrator or to IBM in general, yet we handle a large volume of PMRs caused by a lack of understanding of digital certificates. Despite several blog posts on this topic and the ample tutorials available on the internet, confusion about certificates persists. This post covers some of my most recent customer discussions about certificates.
Digital certificates come in two forms: self-signed, and those issued by a Certificate Authority (CA). IBM Sterling B2B Integrator allows you to create a self-signed certificate, but some trading partners require a CA-issued certificate.
For a CA certificate you must create a certificate signing request (CSR), submit it to your chosen CA and pay them to issue your unique certificate (IBM is not a CA, so we neither issue certificates nor know what they cost). A CA certificate is delivered as a certificate chain.
Sometimes a chain contains more than three certificates. The example shown above has the root (1), the intermediate certificate (2) and the public or leaf certificate (3).
Certificates themselves often come in various file formats:
Converting a P7B certificate to a CER
Expand the folder containing the certificate, then on the right-hand side highlight and double-click the certificate as shown:
The certificate opens in a new window. Click on the Certificate Path tab and then highlight the certificate (here we're highlighting the intermediate certificate).
Once the certificate is highlighted, click on the Details tab, then select "Copy to File" and "Next".
Select the "Base-64 encoded X.509 (.CER)" radio button, then click "Next".
Choose a location and filename for the certificate, then click "Next".
Then click OK.
You will need to do this for each
Other Certificate Issues
Just as a trading partner may provide their certificate in a format you then have to convert, they sometimes fail to provide a complete chain. In the previous screenshots, the customer received three files from their trading partner: one named root and two named intermediate. The two intermediate files both contained the same intermediate certificate; the leaf or public certificate was missing. This is an incomplete certificate chain. IBM cannot resolve this issue; you will need to contact your trading partner to obtain the complete chain.
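As an added example that is not part of the original post, the following POSIX shell script does with openssl what the "Copy to File" steps above do by hand in the Windows certificate viewer: it splits a DER-encoded .p7b bundle into one Base-64 X.509 .cer file per certificate, then checks whether the files actually include an end-entity (leaf) certificate that verifies up to a root, which is exactly what was missing in the root-plus-two-intermediates delivery described in this section. The root, intermediate and leaf (Constructed Root CA, Constructed Intermediate CA, partner.example) are generated locally as constructed fixtures, and the function names are my own.

```shell
# Added example (not from the original post): the openssl equivalent of the
# "Copy to File" export above, plus a completeness check on the resulting chain.
# All certificates are constructed locally here; nothing comes from a real partner.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext; printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# mkcert NAME SUBJECT EXTFILE [ISSUER]: self-signed when no ISSUER is given.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -days 30 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
# p7b_to_cer BUNDLE.p7b OUTDIR: writes OUTDIR/cert-N.cer (Base-64 X.509) for each
# certificate in bundle order and prints how many were written.
p7b_to_cer() {
  mkdir -p "$2"
  openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null | awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".cer" }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }'
  ls "$2"/cert-*.cer | wc -l | tr -d ' '
}
# chain_status OUTDIR: "complete" when an end-entity (CA:FALSE) certificate is
# present and verifies through the CA certificates beside it, else "incomplete".
chain_status() {
  cas=""; leaf=""
  for c in "$1"/cert-*.cer; do
    if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then cas="$cas $c"; else leaf=$c; fi
  done
  [ -n "$leaf" ] || { echo incomplete; return 0; }
  cat $cas > "$1/cas.pem"
  openssl verify -CAfile "$1/cas.pem" "$leaf" >/dev/null 2>&1 && echo complete || echo incomplete
}

# Constructed fixtures: root -> intermediate -> leaf, bundled once complete and
# once with the leaf missing (what the partner in this section delivered).
mkcert root  "/CN=Constructed Root CA" ca.ext
mkcert inter "/CN=Constructed Intermediate CA" ca.ext root
mkcert leaf  "/CN=partner.example" leaf.ext inter
cat root.pem inter.pem leaf.pem > full.pem;  openssl crl2pkcs7 -nocrl -certfile full.pem   -outform DER -out full.p7b
cat root.pem inter.pem > noleaf.pem;         openssl crl2pkcs7 -nocrl -certfile noleaf.pem -outform DER -out noleaf.p7b
echo "full:   $(p7b_to_cer full.p7b full) certs, chain $(chain_status full)"        # 3 certs, chain complete
echo "noleaf: $(p7b_to_cer noleaf.p7b noleaf) certs, chain $(chain_status noleaf)"  # 2 certs, chain incomplete
```

Point `p7b_to_cer` at the .p7b your partner sent and the numbered .cer files are what you import into SI; if `chain_status` reports incomplete, go back to the partner rather than opening a PMR.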
Other times, a partner may provide a certificate that's invalid or not trusted.
Capturing SSL Certificates
The SI product also provides a tool for capturing a server's public SSL certificate.
This tool can connect to and retrieve a certificate from either an FTPS or HTTPS Server.
Handshake failures are another issue that is not a software defect. To troubleshoot them, this blog provides excellent steps that you can follow to resolve the matter:
IBM cannot resolve a non-trusted or invalid certificate. IBM is not responsible for converting certificates or for saving off parts of a certificate chain, as these are skills you should possess when working with enterprise commerce software. Hopefully these blog postings assist you with these endeavors. If you do open a PMR, please remember that any AS2 software and any SSL-secured protocol requires a digital certificate; this is not something unique to or invented by IBM, and we are helping you with something outside of our product.