"The Signing Certificate has not been configured" error using certificates with EDI/AS2

Applies to: BizTalk Server Branch 2010, BizTalk Server Developer 2010, BizTalk Server Enterprise 2010

Source: Microsoft Support

RAPID PUBLISHING


RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom


When attempting to use a certificate for EDI/AS2 processing, you may get an error similar to the following:

Event ID:      8132

Level:         Error

Description:

A BTS MIME error was encountered when attempting to encode a message.  Error: The Signing Certificate has not been configured for AS2 party.  AS2-From: Value AS2-To: Value

Event ID:      5802

Level:         Error

Description:

There was a failure executing the response(send) pipeline: "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Send, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Source: "AS2 encoder" Receive Port: "PortName" URI: "/HwsMessages/BTSHTTPReceive.dll?997" Reason: The Signing Certificate has not been configured for AS2 party.  AS2-From: Value AS2-To: Value

Event ID:      5815

Level:         Error

Description:

A response message sent to adapter "HTTP" on receive port "PortName" with URI "/HwsMessages/BTSHTTPReceive.dll? 997" is suspended.

 Error details: There was a failure executing the response(send) pipeline: "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Send, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Source: "AS2 encoder" Receive Port: "PortName" URI: "/HwsMessages/BTSHTTPReceive.dll?997" Reason: The Signing Certificate has not been configured for AS2 party.  AS2-From: Value AS2-To: Value
MessageId:  {D8192426-7521-4BEF-946F-A0E3BDC4B06B} 
InstanceID: {41CADA06-0629-4B3C-847B-26C9F1B2B0D2}

Event Type:        Error

Event ID:              5754

Description:

A message sent to adapter "FILE" on send port "PortName" with URI "c:\temp\%MessageID%.txt" is suspended.

 Error details: There was a failure executing the send pipeline: "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Send, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Source: "AS2 encoder" Send Port: "PortName" URI: " c:\temp\%MessageID%.txt" Reason: The Signing Certificate has not been configured for AS2 party.  AS2-From: Value AS2-To: Value
MessageId:  {62DC417E-6D42-4287-9E0C-282CEE358B8E} 
InstanceID: {272B0516-2964-480A-BAE1-091C5135AE62} 

Event Type:        Error

Event ID:              5720

Description:

There was a failure executing the send pipeline: "Microsoft.BizTalk.EdiInt.DefaultPipelines.AS2Send, Microsoft.BizTalk.Edi.EdiIntPipelines, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Source: "AS2 encoder" Send Port: "PortName" URI: "c:\temp\%MessageID%.txt" Reason: The Signing Certificate has not been configured for AS2 party.  AS2-From: Value AS2-To: Value

Cause


This can occur for the following reasons:
  • The certificate is not installed into the BizTalk host account’s personal store.
  • The certificate is not configured correctly in BizTalk Administration.
  • The BizTalk host account’s user profile is not loaded.
  • The BizTalk Group has been renamed in BizTalk Administration.

Resolution


Install the certificate into the Personal Store

There are three ways that a certificate can be installed into the BizTalk HOST account’s Personal store.  Use one of the following options:

Option 1

Log in to the BizTalk server as the BizTalk service account. Then open the MMC, add the Certificates snap-in, and import the certificate into the Certificates – Current User Personal store. This is probably the best option if you will be configuring a certificate for Signing, Encryption or Decryption in BizTalk Administration.

Note The MMC Certificates Snap-In Import Steps section below provides more specific steps.

Option 2

Open the MMC as the BizTalk service account using the RunAs feature. Steps:


1. Open a command window. 
2. Type: runas /user:BizTalkServiceAccount mmc
3. Hit Enter. 
4. Enter the password when prompted. 

Once in the MMC, add the Certificates snap-in and import the certificate into the Certificates – Current User Personal store. The MMC Certificates Snap-In Import Steps section below provides more specific steps. 

Option 3

The Certificate Wizard SDK Utility can be used to import the certificate into the BizTalk host account’s Personal store and configure the certificate in the BizTalk Group properties correctly.

For more information on Certificate Wizard SDK Utility, visit the following MSDN site:

http://msdn.microsoft.com/en-us/library/bb727929.aspx

Configure the certificate in BizTalk Administration

There are four places to configure certificates in BizTalk Administration:


  • BizTalk Group properties
  • Party properties
  • Send Port properties
  • Host properties

The appropriate certificate must be added to the appropriate certificate store and associated with the appropriate BizTalk artifact. The MSDN link below should be used to determine the following:


  • Which store the certificate should be imported into
  • Whether a private certificate (.pfx) or a public certificate (.cer) is needed
  • Where in BizTalk Administration a certificate should be configured


Configuring Certificates for AS2

http://msdn.microsoft.com/en-us/library/bb728096.aspx

Load the BizTalk user profile

The Personal certificate store will be available for message processing only if the BizTalk host account’s user profile is loaded. For the in-process host instance, the user profile is loaded by default. For the isolated host instance, the user profile is not loaded by default.

There are two options to work around this behavior:


1. Use the same account for the in-process host instance and the isolated host instance. 
2. Create an application to load the user profile for the isolated host. 

For information on the LoadUserProfile Function, visit the following MSDN site:
http://msdn.microsoft.com/en-us/library/bb762281(VS.85).aspx

Rename the BizTalk group back to the default

To work around this behavior, rename the BizTalk group back to the default value of BizTalk Group. To do this, follow these steps: 

1. Open BizTalk Administration.
2. Select the BizTalk group.
3. Right-click the BizTalk group and select Properties.
4. In General, change the Name property to BizTalk Group.
5. Click OK.

More Information


Certificates used for the AS2 transport must have the attributes required for their intended use. For signing and signature verification, the Key Usage attribute of the certificate must be Digital Signature. For encryption and decryption, the Key Usage attribute of the certificate must be Data Encipherment or Key Encipherment. You can verify the Key Usage attribute by double-clicking the certificate, clicking the Details tab in the Certificate dialog box, and checking the Key Usage field. 
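The following PowerShell script is an added example, not part of the original article or of BizTalk. It lists the certificates in the Personal store of the account it runs under and reports, for each one, the Key Usage bits described above together with private key presence and validity dates. The function name Get-As2CertificateReport is hypothetical; BizTalkServiceAccount is the placeholder account name used in Option 2.

```powershell
# Added example, not part of the original article.
# Run in a session started as the BizTalk host account so that
# Cert:\CurrentUser\My is that account's Personal store, for example:
#   runas /user:BizTalkServiceAccount powershell
function Get-As2CertificateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $usage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now   = Get-Date

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Find the Key Usage extension; a certificate may not carry one,
        # in which case both usage columns below report False.
        $ext = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $flags = 0
        if ($ext) { $flags = [int]$ext.KeyUsages }

        # Signing / signature verification: Digital Signature.
        $canSign = ($flags -band [int]($usage::DigitalSignature)) -ne 0
        # Encryption / decryption: Data Encipherment or Key Encipherment.
        $encBits = [int]($usage::KeyEncipherment) -bor [int]($usage::DataEncipherment)
        $canEncrypt = ($flags -band $encBits) -ne 0

        New-Object PSObject -Property @{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            WithinValidity   = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
            HasPrivateKey    = $cert.HasPrivateKey   # True only for an imported .pfx
            DigitalSignature = $canSign
            Encipherment     = $canEncrypt
        }
    } | Select-Object Subject, Thumbprint, NotAfter, WithinValidity,
                      HasPrivateKey, DigitalSignature, Encipherment
}

$report = @(Get-As2CertificateReport)
if ($report.Count -eq 0) {
    # An empty store for this account matches the first cause listed above.
    Write-Warning "No certificates in the Personal store of $env:USERDOMAIN\$env:USERNAME."
}
$report | Format-Table -AutoSize
```

If the expected certificate appears when the script is run under your own account but not under the BizTalk host account, it was imported into the wrong user's store.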

MMC Certificates Snap-In Import Steps 

1. In the MMC, go to the File menu and select Add/Remove Snap-in.

2. Add the Certificates snap-in and select My user account if prompted. Click OK.
3. Expand Certificates – Current User, right-click Personal, select All Tasks and then select Import.  

4. This opens the Certificate Import Wizard. Follow these steps:  


a) Click Next.

b) Browse to the .pfx file and click Open. Click Next.

c) If the certificate has a password, enter it. You can also check Mark this key as exportable if you want to back up the certificate. Click Next.

d) Confirm Personal is listed in Certificate store. Click Next.

e) Click Finish. The certificate should now be listed. 


