IBM Support

Certificate 101 Woes

Technical Blog Post

Body

Digital certificates are key to AS2 communication, where they sign and encrypt the data at rest (that is, the data that is received). They are also used for data "in flight", that is, data in transit over the internet, with SFTP, FTPS or HTTPS (the secured forms of communication). Digital certificates are not unique to IBM Sterling B2B Integrator or to IBM in general, but we handle a large volume of PMRs caused by a lack of understanding of digital certificates. Despite several blog posts on this topic and the ample tutorials available on the internet, confusion about certificates persists. This blog post covers some of my most recent customer discussions about certificates.

Digital certificates come in two forms: self-signed, and those issued by a Certificate Authority (CA). IBM Sterling B2B Integrator allows you to create a self-signed certificate, but some trading partners require a CA-issued certificate.

[image]

For a CA certificate you must create a certificate signing request (CSR), submit it to your chosen CA and pay them to independently create your unique certificate (IBM is not a CA, so we neither issue certificates nor know what they cost). A CA certificate comes as a chained certificate.

[image: certificate chain showing root (1), intermediate (2) and leaf (3)]

The chain may sometimes contain more than three certificates. The example shown above has the root certificate (1), the intermediate certificate (2) and the public or leaf certificate (3).

Certificates themselves often come in various file formats:

  • *.pem, *.crt, *.ca-bundle, *.cer, *.der, *.p7b and *.p7s files contain one or more X.509 digital certificates that use base64 (ASCII) encoding.
  • You may also encounter *.pfx files. This is an archive file format for storing several cryptographic objects (typically the private key together with its certificate chain) in a single file.

You can read more details on certificate types here: https://myonlineusb.wordpress.com/2011/06/19/what-are-the-differences-between-pem-der-p7bpkcs7-pfxpkcs12-certificates/

Sometimes you will have to convert a certificate from one format to another in order to check it into IBM Sterling B2B Integrator. For example, a p7b may need to be converted to a cer, which can be done by viewing it and saving off each certificate in the chain.

Converting a P7B certificate to a CER

A p7b can be converted on a Windows system by double-clicking the *.p7b file. On the left side of the screen, expand the folder containing the certificate, then on the right-hand side highlight and double-click the certificate, as shown:

[image]

The certificate opens in a new window. Click the Certificate Path tab, then highlight the certificate (here we're highlighting the intermediate certificate):

[image]

Once the certificate is highlighted, click the Details tab, then click "Copy to File" and "Next":

[image]

Select the "Base-64 encoded X.509 (.CER)" radio button, then click Next:

[image]

Choose a location and filename for the certificate, then click Next:

[image]

Click Finish.

[image]

Then click OK.

[image]

You will need to do this for each certificate in the chain. Then you will be able to check the certificates in to IBM Sterling B2B Integrator.
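The Windows steps above can be scripted. The following is an added example, not code from this blog post or from IBM Sterling B2B Integrator: it reads a .p7b (DER, or PEM with a "-----BEGIN PKCS7-----" header), walks the PKCS#7 SignedData structure with a small DER reader, and writes every certificate it carries as a Base-64 encoded X.509 (.cer) file, one per certificate in the chain. It uses only the Python standard library. The file names, the build_sample_p7b helper and the placeholder certificate bodies are constructed for the self-test; the walker assumes definite-length DER, which is what the Windows export and every CA I have seen produce.

```python
"""Pull each certificate out of a PKCS#7 (.p7b) file and save it as a
Base-64 encoded X.509 (.cer) file, scripting what the Windows "Copy to File"
steps do by hand. Standard library only; a small DER walker suffices
because certificates sit at a fixed position in a SignedData structure."""
import base64
import os
import re
import sys
from typing import List, Tuple

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, bytes, int]:
    """Decode one DER tag-length-value; returns (tag, value, raw_tlv, next_pos)."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def _children(value: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed value into (tag, value, raw_tlv) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, raw, pos = _read_tlv(value, pos)
        out.append((tag, inner, raw))
    return out


def _der(tag: int, value: bytes) -> bytes:
    """Encode one TLV (only needed to build the constructed sample)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in 64-column base64 armour, as the .CER export option does."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def load_p7b(data: bytes) -> bytes:
    """Accept a DER or a PEM ("-----BEGIN PKCS7-----") p7b and return DER bytes."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.DOTALL)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def extract_certificates(p7b: bytes) -> List[bytes]:
    """Return the DER certificates carried in a PKCS#7 SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version INTEGER, digestAlgorithms SET,
                               encapContentInfo SEQUENCE,
                               certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    """
    tag, content_info, _, _ = _read_tlv(load_p7b(p7b), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    oid, wrapper = _children(content_info)[:2]
    if oid[0] != 0x06 or oid[1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure")
    fields = _children(_children(wrapper[1])[0][1])   # into [0] EXPLICIT, then SignedData
    if len(fields) < 4 or fields[3][0] != 0xA0:       # certificates field absent
        return []
    return [raw for t, _, raw in _children(fields[3][1]) if t == 0x30]


def save_chain(p7b: bytes, out_dir: str, stem: str = "partner") -> List[str]:
    """Write every certificate in the p7b to <out_dir>/<stem>-<n>.cer."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for n, der in enumerate(extract_certificates(p7b), start=1):
        path = os.path.join(out_dir, f"{stem}-{n}.cer")
        with open(path, "w") as fh:
            fh.write(to_pem(der))
        paths.append(path)
    return paths


def build_sample_p7b(certs: List[bytes]) -> bytes:
    """Constructed sample: a signer-less SignedData carrying the given certificates."""
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"")
                       + _der(0x30, _der(0x06, OID_DATA))
                       + _der(0xA0, b"".join(certs)) + _der(0x31, b""))
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))


if __name__ == "__main__":   # usage: python p7b_to_cer.py partner.p7b out_dir
    with open(sys.argv[1], "rb") as fh:
        print("\n".join(save_chain(fh.read(), sys.argv[2])))
```

Run it against the partner's file and you get partner-1.cer, partner-2.cer and so on, one Base-64 X.509 file per certificate, ready to check in. Count the files: if the partner's p7b yields only a root and an intermediate, the leaf is missing and the chain is incomplete, which is exactly the case described in the next section.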

Other Certificate Issues

Just as the format in which your trading partner provides their certificate may require you to convert it, sometimes they fail to provide a complete chain. In the previous screenshots, the customer received three files from their trading partner: one named root and two named intermediate. The two intermediate files both contained the same intermediate certificate. Missing was the leaf or public certificate, so this is an incomplete certificate chain. IBM cannot resolve this issue; you will need to contact your trading partner to obtain the complete certificate chain.

Other times, a partner may provide a certificate that's invalid or not trusted.

[image]

Capturing SSL Certificates

The SI product also provides a means of capturing a server's public SSL certificate:

[image]

This tool can connect to either an FTPS or an HTTPS server and retrieve its certificate:

[image]
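The same capture can be done from the command line, which is useful for checking what a partner's server actually presents against the file they sent you, and for telling a merely untrusted certificate (the case from the previous section) apart from an unreachable server. This is an added example in Python, not the SI capture tool and not code from this post; it uses only the standard library (ssl, socket, ftplib). It first attempts a normally validated handshake; only if validation fails does it repeat the handshake with verification switched off, purely to retrieve the certificate for inspection, and it reports the verification failure reason alongside the PEM. The function and file names are my own.

```python
"""Fetch the public certificate an HTTPS or explicit-FTPS server presents and
say whether it chains to a root in the local trust store. Standard library only."""
import socket
import ssl
import sys
from ftplib import FTP_TLS
from typing import Callable, Optional, Tuple


def capture_only_context() -> ssl.SSLContext:
    """Context that accepts any certificate so an untrusted one can still be
    retrieved for inspection. Never reuse it for real transfers; those must
    validate the peer with ssl.create_default_context()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def https_peer_der(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> bytes:
    """TLS handshake straight after TCP connect, as an HTTPS client does."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def ftps_peer_der(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> bytes:
    """Explicit FTPS: plain FTP connect, then AUTH TLS upgrades the control channel."""
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()
        return ftp.sock.getpeercert(binary_form=True)
    finally:
        ftp.close()


def capture_certificate(host: str, port: int, protocol: str = "https",
                        timeout: float = 10.0) -> Tuple[Optional[str], str]:
    """Return (pem_or_None, status); status is 'trusted', 'untrusted: <why>'
    or 'unreachable: <why>'."""
    handshake: Callable = https_peer_der if protocol == "https" else ftps_peer_der
    try:
        der = handshake(host, port, ssl.create_default_context(), timeout)
        return ssl.DER_cert_to_PEM_cert(der), "trusted"
    except ssl.SSLCertVerificationError as err:      # chain or hostname problem
        reason = getattr(err, "verify_message", None) or str(err)
    except OSError as err:                           # refused, timed out, reset
        return None, f"unreachable: {err}"
    try:                                             # fetch it anyway, for inspection only
        der = handshake(host, port, capture_only_context(), timeout)
    except OSError as err:
        return None, f"unreachable: {err}"
    return ssl.DER_cert_to_PEM_cert(der), f"untrusted: {reason}"


if __name__ == "__main__":   # usage: python capture_cert.py host port [https|ftps]
    pem, status = capture_certificate(sys.argv[1], int(sys.argv[2]),
                                      sys.argv[3] if len(sys.argv) > 3 else "https")
    print(status)
    if pem:
        print(pem, end="")
```

An "untrusted" status with a reason such as a self-signed certificate, an expired certificate or a hostname mismatch points at the partner's certificate rather than at SI; an "unreachable" status points at the network. Note that getpeercert returns only the leaf certificate, so the intermediates still have to come from the partner (or from the leaf's issuer), which is the usual source of the incomplete-chain problem described above.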

Handshake Failures

Handshake failures are another issue that is not a software defect. To troubleshoot them, this page provides excellent steps that you can follow to resolve the matter:

/support/pages/node/1121169

Conclusion

IBM cannot resolve a non-trusted or invalid certificate. IBM is not responsible for converting certificates or for saving off parts of a certificate chain, as these are skills you should possess when working with enterprise commerce software. Hopefully these blog postings assist you with these endeavors. If you do open a PMR, please remember: any AS2 software and any SSL-secured protocol requires a digital certificate; this is not something unique to or invented by IBM, and we are helping you with something outside of our product.

UID

ibm11120737