The two most common uses of certificates in AS transfers are to sign/verify messages and encrypt/decrypt messages. MOVEit Automation requires these two different certificates for any AS transport: one is defined in the Partner Organization section of each AS host and the other is defined in the My Organization section of each AS host. For more information, see General properties for AS1, AS2, and AS3 hosts
However, there may be as many as 8 different certificates (plus any number of CA certificates) involved in any AS2 transfer. The following list describes possible certificate uses and where they are configured in MOVEit Automation. Certificate uses #1-5 use the Create SSL Certificate feature. Items #6, 7, and 8 require importing and configuring certificates through other means.
Cert (w/ private key) you use to sign messages for your partner and your partner normally uses to encrypt files for you. (REQUIRED) - This is configured on the main page of your AS Host definition in the "My Organization" pane.
Cert (w/ private key) you use to decrypt messages and MDNs from your partner - Normally this is the same certificate used to sign messages for your partner (see item #1), but an alternate certificate can be used for this purpose. To define an alternate decryption certificate, see the ASx Host's Additional Properties. (AS1, AS2, AS3)
Partner's cert (no private key) you use to encrypt messages for your partner and your partner will use to sign his/her messages (REQUIRED) - This is configured on the main page of your AS Host definition in the "Partner" pane.
Partner's cert (no private key) your partner will use to sign MDNs - Normally this is the same cert you use to encrypt messages for your partner, but an alternate certificate can be used for this purpose. To define an alternate signature verification certificate, use the related option on AS destinations. (This is a task-level, not a host-level option.)
Optional SSL client cert (w/ private key) you use to authenticate to your partners AS server - This is an optional authentication credential you may need to provide before your partner's AS server will permit you to post a message or MDN. To designate this kind of certificate, use the SSL Client Cert option in the Partner pane on the main page of your AS Host definition.
Optional SSL client cert (no private key) you require your partners to provide to your AS server - This is an optional authentication credential your partner may need to provide before your partner will be permitted to post a message or MDN to your AS server. To set this up on your MOVEit Transfer server when acting as an AS2 server, you may need to set up an additional IIS site and enable IIS certificate mapping after requiring certificates through IIS. (The MOVEit Transfer AS2 facility does not currently allow you to require client certificates through the software.) To set this up on your MOVEit Transfer server when acting as an AS3 server, perform the same actions as you would to require client certificates on the MOVEit Transfer FTP interface.
Optional SSL server cert (w/ private key) you use to provide SSL transport security on your AS server - All SSL-protected servers require a digital certificate, and SSL-protected AS servers protected by SSL are no exception. Although this use of digital certificates is technically optional under the AS protocol standards, SSL server certificates are commonly found protecting AS2 and AS3 servers, including MOVEit Transfer servers (which act as your AS2 servers and can also be AS3 servers). If you are running a MOVEit Transfer server, an SSL server certificate will automatically have been set up for you during installation, and existing procedures to renew/replace your SSL server certificates through IIS and/or MOVEit Transfer FTP are all that are required.
Optional SSL server cert (w/ private key) your partner uses to provide SSL transport security on their AS server - All SSL-protected servers require a digital certificate, and AS servers protected by SSL are no exception. Although this certificate is optional, it is commonly found protecting AS2 and AS3 servers. If your partner's server SSL cert is not signed by a trusted CA, you may use the Ignore Cert Errors option to avoid the need to import your partner's SSL server certificate.