Configuring Tasks - Keys and Certs - SSL Client Certificates

MOVEit Central uses client certificates for FTP/S and MOVEit DMZ authentication, S/MIME signing/encryption and AS1/AS2/AS3 authentication/signing/encryption. This section discusses issues related to obtaining and installing certificates, prior to using them in MOVEit Central.

An X.509 digital certificate is a signed document that binds an identity (the subject) to a public key. Certificates are usually issued and vouched for by a Certification Authority (CA), but may also be "self-signed". The certificate itself carries only the public key; the matching private key is held separately by the certificate's owner and must never be shared. Together the two keys form the key pair used by public/private key cryptography.

A certificate used for client authentication conceptually consists of three components:

- the certificate itself (typically a .crt or .cer file), which holds the public key and the identity it is bound to;
- the private key that corresponds to that public key (typically a .key file, or bundled with the certificate in a .p12/.pfx file);
- the password that protects the private key or the bundle.

To use a client certificate with MOVEit Central, you must:

- obtain the certificate and its private key from the party that will authenticate you;
- convert them to .p12 format if they were not delivered that way;
- install the certificate into the Windows certificate store of the account MOVEit Central runs under;
- configure the relevant host, source or destination in MOVEit Central to use it.

These steps are covered in more detail below.

Obtaining a certificate

Let's say you ask the administrator of an FTP server for a certificate. This certificate must be registered with the FTP server; presumably, the administrator will have done this by the time the certificate is delivered to you. The certificate will likely be delivered either as two ASCII files with the extensions .crt and .key (or perhaps .cer and .key), or as one binary file with the extension .p12 (or perhaps .pfx). Place the file(s) on the computer running MOVEit Central. If you use a network file transfer mechanism to move them, choose the proper ASCII vs. binary transfer mode, and remember that the .key or .p12 file contains the private key: transfer it over an encrypted channel and delete any copies you no longer need.

Regardless of the file type, the private key is normally protected by a password, which you must know before you can use the certificate. (A .key file may occasionally be delivered unencrypted; in that case the steps below will not prompt for a key password, but the file is still a secret and should be handled as one.)

Converting the certificate

Microsoft software imports client certificates from .p12 (also known as .pfx) files, which bundle the certificate and its private key into a single password-protected file. If you received separate .crt and .key files instead of a .p12 file, you must combine them into .p12 format. You can do this with the free openssl command-line tool from the OpenSSL Project.

Suppose that you received the files fred.crt and fred.key, and wish to convert them to a single fred.p12 file. You would use a command like:

openssl pkcs12 -inkey fred.key -in fred.crt -export -out fred.p12

This command first prompts for the pass phrase protecting fred.key, then for an "Export Password" (entered twice) that will protect the new fred.p12 file. The export password is the one you will be asked for when installing the certificate into Windows, so record it.
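As an added example (not part of the MOVEit documentation), the following POSIX shell script performs the conversion above together with the checks a practitioner would want before handing the file on: that the delivered .crt and .key actually belong together, that the resulting .p12 opens with the export password and contains the expected certificate, and that a wrong password is rejected. It assumes the openssl command-line tool (1.1.1 or later) is on the PATH. The fred.crt/fred.key pair, the key password and the export password are constructed here as test material so the script runs stand-alone; the -name friendly name and the working directory are choices of this example.

```shell
#!/bin/sh
# Added example (not from the MOVEit documentation): build fred.p12 from a
# fred.crt/fred.key pair and verify it before importing it into Windows.
# Assumes the openssl command-line tool (1.1.1 or later) is on the PATH.
# The key and certificate are constructed here as a self-signed test pair so
# the script runs stand-alone; with a delivered pair, skip make_test_pair and
# point CRT/KEY at the files you received.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${TMPDIR:-/tmp}/p12-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

CRT="$WORK/fred.crt"
KEY="$WORK/fred.key"
P12="$WORK/fred.p12"
KEY_PASS='example-key-password'     # assumed: the password delivered with fred.key
EXPORT_PASS='example-p12-password'  # assumed: the password you choose for fred.p12

# Constructed test material: an encrypted RSA key and a self-signed certificate.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -subj '/CN=fred' \
        -keyout "$KEY" -passout "pass:$KEY_PASS" -out "$CRT" >/dev/null 2>&1
}

# A delivered .crt and .key must belong together: compare the public key in
# the certificate with the public key derived from the private key.
keys_match() {
    cert_pub=$(openssl x509 -in "$CRT" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$KEY" -passin "pass:$KEY_PASS" -pubout -outform DER \
              | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# The conversion from the text above, with the prompts answered on the command
# line: -passin supplies the .key password, -passout sets the export password
# that Windows will ask for, and -name is the friendly name shown in the store.
convert_to_p12() {
    openssl pkcs12 -export -inkey "$KEY" -passin "pass:$KEY_PASS" -in "$CRT" \
        -name "fred client certificate" -out "$P12" -passout "pass:$EXPORT_PASS"
}

# Checks before the file leaves this machine: the bundle opens with the export
# password, carries the expected certificate, and refuses a wrong password.
verify_p12() {
    openssl pkcs12 -in "$P12" -passin "pass:$EXPORT_PASS" -nokeys -clcerts \
        | openssl x509 -noout -subject | grep -q 'CN *= *fred'
    ! openssl pkcs12 -in "$P12" -passin 'pass:not-the-password' -noout >/dev/null 2>&1
}

run_demo() {
    make_test_pair
    keys_match
    convert_to_p12
    verify_p12
    echo "fred.p12 written and verified"
}

run_demo
```

One compatibility caveat: OpenSSL 3.x protects .p12 files with AES-256-CBC and PBKDF2 by default, which older Windows releases cannot import (the import fails with a password error even when the password is correct). If the Central server is such a system, add -legacy to the openssl pkcs12 -export command, or select the older algorithms explicitly with -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1.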

Installing the certificate into Windows

On a Windows system, certificates are registered with the operating system in certificate stores, in one of two locations: the Local Machine store or the Current User store. (In each location, the store that holds the owner's own certificates and private keys is called "Personal"; programming interfaces refer to it as "My".) The Local Machine store contains certificates that may be accessed by any account on the local computer; only administrators may add or modify certificates in it. The Current User store contains certificates that may be accessed only by the account that owns it, and that account has full access to add or modify them. MOVEit Central looks for client certificates in the Current User store of the account the Central service runs under, and can install (import) a certificate into that store for you.

To do so, first log on to the Central server using the Admin program. Once logged on, select Options | Cert Key Managers | SSL Client Certificates. Click the Add button to add a new certificate, browse to the .p12 file and select it, then enter the export password protecting the file when prompted. The certificate data is sent to the Central server, where it is added to the Current User certificate store of the account the Central service is running under. Note that this is the service account's store, not the store of the administrator running the Admin program: a certificate you import into your own Current User store with the Windows certificate tools will not be visible to MOVEit Central.

Configuring MOVEit Central to use the certificate

In MOVEit Central Admin, edit the properties of the certificate-related host, or the properties of any sources or destinations that use that host, and select the newly-installed client certificate.