AS1, AS2, AS3 - Certificates (Enterprise only)
As covered in the Overview documentation,
the AS protocols depend heavily on digital certificates to sign and encrypt
files. Digital certificates are also known as "X.509 certificates", "SSL certificates",
"web certificates" and "client certificates" in various contexts,
but all of these are just terms for digital certificates.
What Are "Certificates"?
All digital certificates are made up of a public key, a private key and some additional information such as a
"common name" ("CN"). They may be distributed with or without their private key: as the name
suggests, in most situations you should NOT distribute certs containing your private key.
Many digital certificates are "signed" by other "certificate authority" ("CA") certificates.
This allows people and computers that trust the certificate authorities to trust, use and allow
certificates signed by the certificate authorities.
More information can be found in the
"Configuring Tasks - Keys and Certs - SSL Client Certificates"
documentation.
Where Do You Get a Certificate?
Certificates without private keys will generally be delivered to you by your trading partners.
These certificates need only to be imported into MOVEit Central (through the
"SSL Certificates" dialog)
to be used as "Partner" certificates in AS Hosts.
There are several ways to obtain a certificate with a private key to be used
as "My Organization" certificates in AS Hosts:
- Purchase a commercial "client certificate" from Thawte,
Verisign or one of the many other commercial CA vendors.
If there is any chance that your AS partners will be requiring trusted CAs as well as specific
certificates in AS transactions, this option may be the safest route.
(Sometimes these certificates are also known as "email certificates" because they may also be used with SMIME-encrypted email.)
- Get a new certificate from your corporate CA.
If your company is already issuing client certificates and acting as its own CA,
your certificate group should be able to provide you with a certificate and instructions
on how to use it.
- Obtain a certificate (with private key) from your partner.
Some partners will simply deliver a *.pfx (or other format) certificate-with-private-key
file before you start trading. In this case you will need to import this certificate
(with the proper password) through MOVEit Central's "SSL Certificates" dialog.
- Create your own certificate.
In any case, you can import a certificate, or create a new one,
using MOVEit Central's Cert/Key Manager.
Once you have imported your own certificate with private key (MOVEit Central calls these "My Certs"
or "Private Certs"), the good news is that you can usually use the same cert to sign and
encrypt traffic for multiple partners. In other words, you will generally only have one or a few
certs with private keys, no matter how many partner certs (without private keys) you may collect.
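As an added illustration that is not part of MOVEit Central or this documentation, the following Go program (standard library only) models the points above: a CA signing a client certificate, what "trusting the CA" means for certificates it has signed, and the check that a bundle you are about to hand a partner carries no private key. The CA and partner names used in it are constructed examples.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)
// issue creates a cert for cn: self-signed (a CA) when parent is nil, else signed by the parent CA's key.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // a CA signs itself and must be allowed to sign other certs
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// BundleHasPrivateKey flags any private-key block in a PEM bundle; run it before a cert file leaves your organization.
func BundleHasPrivateKey(bundle []byte) bool {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if strings.HasSuffix(blk.Type, "PRIVATE KEY") {
			return true
		}
	}
	return false
}
// TrustedByCA is what trusting a CA means in practice: a partner's cert is accepted only if it chains to that CA.
func TrustedByCA(partner, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := partner.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```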
Where Might You Configure AS Certificates in MOVEit Central?
The two most common uses of certificates in AS transfers are to sign/verify messages
and encrypt/decrypt messages. MOVEit Central requires these two different certificates
for any AS transport: one is defined in the "Partner - Certificate" section of each AS host and the
other is defined in the "My Organization - Certificate" section of each AS host.
(See the "AS1, AS2 or AS3 Host" documentation for more information.)
However, there may be as many as 8 different certificates (plus any number of CA
certificates) involved in any AS2 transfer. The following list breaks down the
possible certificate uses and where they are configured in MOVEit Central.
Certificate uses #1-5 draw on certificates from the
"SSL Certificates" dialog.
The "require partner to use a client cert to authenticate to AS server" (#6) and
the two server certificate uses (#7-8) involve importing and configuring certificates
through other means.
1. Cert (w/ private key) you use to sign messages for your partner
and your partner normally uses to encrypt files for you (REQUIRED) -
This is configured on the main page of your AS Host definition in the "My Organization" pane.
2. Cert (w/ private key) you use to decrypt messages and MDNs from your partner - Normally this is the
same certificate used to sign messages for your partner (i.e., #1), but an alternate certificate can be used
for this purpose. To define an alternate "decryption" certificate, see the "SSL Certs" tab on
your AS Host's "Advanced Options" dialog.
3. Partner's cert (no private key) you use to encrypt messages for
your partner and your partner will use to sign his/her messages (REQUIRED) -
This is configured on the main page of your AS Host definition in the "Partner" pane.
4. Partner's cert (no private key) your partner will use to sign MDNs -
Normally this is the same cert you use to encrypt messages for your partner, but an alternate certificate can be used
for this purpose. To define an alternate "signature verification" certificate, use
the related option on AS destinations. (This is a task-level, not a host-level, option.)
5. Optional SSL client cert (w/ private key) you use to authenticate to your partner's AS server -
This is an optional authentication credential you may need to provide before your partner's
AS server will permit you to post a message or MDN.
To designate this kind of certificate, use the "SSL Client Cert" option in the "Partner" pane
on the main page of your AS Host definition.
6. Optional SSL client cert (no private key) you require your partners to provide to your AS server -
This is an optional authentication credential your partner may need to
provide before being permitted to post a message or MDN to your AS server.
To set this up on your MOVEit DMZ server when acting as an AS2 server,
you may need to set up an additional IIS site and enable IIS certificate
mapping after requiring certificates through IIS. (MOVEit DMZ's AS2
facility does not currently allow you to require client certificates
through the software.)
To set this up on your MOVEit DMZ server when acting as an AS3 server,
simply perform the same actions as you would to require client certificates
on MOVEit DMZ's FTP interface.
7. Optional (but common) SSL server cert (w/ private key) you use to provide SSL transport security on your AS server -
All SSL-protected servers require a digital certificate, and AS servers protected by
SSL are no exception. Although this use of digital certificates is technically optional under
the AS protocol standards, SSL server certificates are commonly found
protecting AS2 and AS3 servers, including MOVEit DMZ servers
(which act as your AS2 servers and can also be AS3 servers).
If you are running a MOVEit DMZ server, an SSL server certificate will automatically have
been set up for you during installation, and the existing procedures to renew/replace your
SSL server certificates through IIS and/or MOVEit DMZ FTP are all that are required.
8. Optional (but common) SSL server cert (w/ private key) your partner uses
to provide SSL transport security on their AS server -
All SSL-protected servers require a digital certificate, and AS servers protected by
SSL are no exception. Although this certificate is optional, it is commonly found
protecting AS2 and AS3 servers.
If your partner's server SSL cert is not signed by a trusted CA,
you may use the "Ignore Cert Errors" option to avoid the need to import
your partner's SSL server certificate, at the cost of no longer validating that server's identity;
importing the partner's certificate is the more secure choice.