How to install the Certificates for Digital Signatures

The following procedure lists the high-level steps that you have to follow to install the certificates for receiving and sending signed messages.

  • To install the certificates in the certificates store to receive signed messages

  • To install the signing certificates for sending signed messages in the certificates store

  • To configure the BizTalk Group for sending signed messages

Note

You can use one certificate for both signing and decryption operations, or you can use one certificate for each function.

Important

You can only specify one signing certificate with which BizTalk Server signs all outbound messages. In other words, you cannot use different signing certificates depending on who you are sending the message to.

To install the certificates in the certificates store to receive signed messages

  1. Partner A requests a private-public key pair for digital signatures from the certification authority (CA).

  2. Partner A sends you its public key for digital signatures.

  3. In BizTalk Server, log on to the server that has a host instance running a handler that will receive messages from Partner A. Install Partner A's public key certificate, which is used to verify their signature, in the Other People store. The following figure shows the certificate store where you install the certificate.

    Figure: Certificates required to receive secure messages

  4. In Partner A, install the Partner A private key certificate for signing messages in the appropriate store. (If Partner A is using Windows 2000 Server, Windows Server 2003, or Windows Server 2008 SP2, install the private key in the personal store for the account that will sign messages sent to BizTalk Server.)

To install the signing certificates for sending signed messages in the certificates store

  1. An administrator in your organization requests a private-public key pair for digital signatures from the CA for BizTalk Server to use.

  2. The administrator sends Partner A (and all other partners) the public key for digital signatures.

  3. In BizTalk Server, log on as the service account for the host instance running the handler that will send messages to Partner A. Install the BizTalk Server private key certificate for signing messages in the Personal store for the service account. The following figure shows the certificate store where you install the certificate.

    Figure: Certificates required to send secure messages

  4. In Partner A, install the BizTalk Server public key certificate for verifying its digital signature in the appropriate store. (If Partner A is using Windows 2000 Server, Windows Server 2003, or Windows Server 2008 SP2, install the public key in the Other People store.)
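As an added example that is not part of this documentation, the following PowerShell script performs the store checks the two procedures above describe: it imports Partner A's public certificate into the Other People store, then confirms that the signing certificate in the Personal store of the account running the script has a usable private key, the Digital Signature key usage, a current validity period and a trusted chain. The .cer path, the thumbprint placeholder and the use of the Local Computer's AddressBook store as the Other People store are assumptions to adjust for your environment.

```powershell
# Added verification script; not part of the BizTalk documentation.
# Run it in a session started as the host instance's service account: the Personal (My)
# store is per account, so an administrator's own session would show a different store.
# Assumptions (replace with your own values): the partner .cer path, the placeholder
# thumbprint, and the Local Computer AddressBook store as the Other People store.
param(
    [string]$PartnerCerPath    = 'C:\certs\PartnerA-signing.cer',    # assumed path
    [string]$SigningThumbprint = '<THUMBPRINT-OF-SIGNING-CERT>',     # placeholder
    [string]$OtherPeopleStore  = 'Cert:\LocalMachine\AddressBook'    # assumed store location
)
$ErrorActionPreference = 'Stop'
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Checking certificate stores as '$me' (must be the host instance service account)"

# Receive procedure, step 3: Partner A's public key certificate goes in the Other People store.
# Import-Certificate reads only the public part of a .cer file, so no private key is involved.
$partner = Import-Certificate -FilePath $PartnerCerPath -CertStoreLocation $OtherPeopleStore
Write-Host "Partner A verification certificate installed: $($partner.Subject) [$($partner.Thumbprint)]"

# Send procedure, step 3: the signing certificate must sit in the Personal store of the
# service account, and that account must be able to use its private key.
$signing = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $SigningThumbprint }
if (-not $signing) { throw "Signing certificate $SigningThumbprint is not in the Personal store of $me" }
if (-not $signing.HasPrivateKey) { throw "Signing certificate has no private key usable by $me; it cannot sign" }

# A signing certificate should carry the Digital Signature key usage (when the extension is
# present) and be inside its validity period, or outbound signing fails at run time.
$ku = $signing.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    throw 'Signing certificate lacks the Digital Signature key usage'
}
$now = Get-Date
if ($now -lt $signing.NotBefore -or $now -gt $signing.NotAfter) { throw "Signing certificate is not valid at $now" }

# Both certificates must chain to a trusted CA; an unverifiable chain breaks signing or
# signature verification later, so surface the chain status now rather than in production.
foreach ($cert in @($partner, $signing)) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain for $($cert.Subject) does not validate: $status"
    }
}
Write-Host 'Certificate stores look correct for receiving and sending signed messages'
```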

To configure the BizTalk Group for sending signed messages

  1. Click Start, point to All Programs, point to Microsoft BizTalk Server 20xx, and then click BizTalk Server Administration.

  2. Right-click BizTalk Group, and then click Properties.

  3. In the Group Properties dialog box, click Certificate, and then click Browse.

  4. In the Select Certificate dialog box, select the signing certificate that you installed, and then close all of the dialog boxes.

Next Steps

You create a pipeline to receive signed messages in How to Configure BizTalk Server for Receiving Signed Messages.

You create a pipeline to send signed messages in How to Configure BizTalk Server for Sending Signed Messages.

See Also

Certificates that BizTalk Server Uses for Signed Messages
Sending and Receiving Signed Messages