Unable to browse public certificate for specific public key certificate

  • Question

  • Hi all,

    Using BizTalk 2010 on Windows 2008 R2, we have an issue with installing a public key certificate for a business partner. The partner provided us with a certificate usage for "All issuance policies" and "All application policies". Therefore, we imported this certificate both into the Local Computer\Other People store and into the Local Computer\Trusted Root Certification Authorities certificate store.

    When I try to assign the certificate for signing at the Certificate tab of the Party properties, it does not show up in the list after clicking the Browse button. Basically I've tried everything suggested in http://social.msdn.microsoft.com/Forums/en-US/biztalkediandas2/thread/a8decb3b-73aa-4764-97d5-749f5e45a006, unfortunately without result.

    For another business partner who provided us with a self-signed certificate and a root CA certificate, we successfully configured and tested AS2 messaging.

    Any ideas on this issue, or can someone confirm there is an issue with installing the same certificate as CA and public key in BTS2010?

    Many thanks,
    regards, Erik

    Friday, July 8, 2011 8:28 AM

Answers

  • You might want to make sure the certificate you are trying to use has the proper "Key Usage". I had a similar issue with a partner's test cert working fine, but their production cert would not show up as selectable in BizTalk. After some investigation I found that the "Key Usages" were different.

    This link was in my notes:

    http://msdn.microsoft.com/en-us/library/bb728096(BTS.20).aspx

    Hope this helps.

    • Marked as answer by Erik2000 Friday, August 5, 2011 11:17 AM
    Monday, August 1, 2011 4:48 PM
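
An added example, not part of the original thread or of BizTalk: a PowerShell function that lists the Key Usage and Enhanced Key Usage extensions of every certificate in Local Computer\Other People, so a partner certificate that is missing from the picker can be compared with one that is selectable. The `DigitalSignature` default and the function name are assumptions; check the required usage against the MSDN page linked in the answer.

```powershell
# Added example (not from the thread): report Key Usage / EKU per certificate.
function Get-PartnerCertUsage {
    param(
        # 'AddressBook' is the internal name of the "Other People" store.
        [string]$StoreName = 'AddressBook',
        # Assumed requirement for a signature certificate; adjust as needed.
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $Required = 'DigitalSignature'
    )
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | ForEach-Object {
        $cert = $_
        $ku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        if ($ku) {
            $kuText = $ku.KeyUsages.ToString()
            $hasReq = ([int]$ku.KeyUsages -band [int]$Required) -eq [int]$Required
        } else {
            # In the thread the certificate became selectable only after Key
            # Usages were added, so a missing extension is reported as a miss.
            $kuText = '(no Key Usage extension)'
            $hasReq = $false
        }

        if ($eku) {
            $ekuText = ($eku.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } }) -join ', '
        } else {
            $ekuText = '(no EKU extension)'
        }

        New-Object PSObject -Property @{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter = $cert.NotAfter; KeyUsage = $kuText
            EnhancedKeyUsage = $ekuText; MeetsRequired = $hasReq
        } | Select-Object Subject, Thumbprint, SelfSigned, NotAfter,
                          KeyUsage, EnhancedKeyUsage, MeetsRequired
    }
}

# Compare the working partner certificate with the one that is not listed.
Get-PartnerCertUsage | Format-List
```

Run it from an elevated PowerShell session on the BizTalk server; pass `-StoreName My` to inspect the Local Computer\Personal store instead.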

All replies

  • Typically you would not install a public cert for a partner into the root CA store. Only root CA certs like for Verisign or a self-signed root cert should go in the root CA store.

    If you open mmc, add the certificates snap-in for local computer, you can copy a certificate from the Personal store to the CA store, there is no problem with doing this except it is unnecessary. The certificates selector dialog does not build the list of selectable certificates based on combining root CA certs with Local Computer because typically you would not copy a cert to root CA for the partner.

    So it sounds like your real problem is why the certificate does not show in the dialog box. Do the certificates shown match up with what you see in the certificates snap-in? When running the BizTalk admin console, are you running as the BizTalk administrator?

    I would also try restarting the admin console after putting the certificate in the Local Computer\Personal store, I am not sure if the console auto refreshes.

    Thanks, 


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Sunday, July 10, 2011 2:49 AM
    Moderator
  • Hi Ben,

    Thanks for your response, sorry but due to absence I could not respond earlier.

    Indeed the problem is: why does this (self-signed) certificate NOT show up in the dialog box? This business partner ONLY gave me this certificate with "All issuance policies" and "All application policies". Since it is self-signed I would have expected the partner to provide me with a Root certificate. However, the partner indicated this one certificate suffices for other partners they communicate with.

    In the certificates snap-in I have installed this certificate in the Local Computer\Other People store. This store also lists a certificate for another business partner, for which I can browse and select the certificate in the admin console. AS2 messaging works fine for this business partner. The only difference is that I DO have a Root certificate for this partner installed in the Local Computer\Trusted Root Certification Authorities certificate store.

    What are the requirements for the certificate to show up and/or what am I missing here? What are the rules behind this dialog showing and not showing certificates?

    Ok, I refreshed and restarted the admin console many times, without results.

    Thanks in advance,
    Erik

    Monday, August 1, 2011 2:40 PM
  • Here is the chart of certificates and stores: http://msdn.microsoft.com/en-us/library/ee290738(BTS.10).aspx. Just make sure for your purpose it is the right one.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Tuesday, August 2, 2011 7:43 PM
    Moderator
  • ParahT,

    Thanks, we requested a partner to add the Key Usages. Afterwards I could select the certificate in the Admin Console.

    Regards, Erik

    Friday, August 5, 2011 11:23 AM
  • Erik,

     

    I am glad it worked for you.

    Tom

    Wednesday, August 10, 2011 6:39 PM