Introduction
This article describes a hotfix that enables SHA2 certificate support in Microsoft BizTalk Server.
Summary
After you apply this hotfix, BizTalk Server can consume SHA2-signed certificates together with SHA1-signed certificates (which are already supported). This hotfix supports SHA2-signed certificates based on the following SHA2 digest:
-
SHA256
-
SHA384
-
SHA512
More Information
To roll over the SHA2 certificates in a BizTalk Server environment, follow these steps.Step1: Check the environmentThe first step is to make sure that both Server and Client (Sender or Receiver) will support SHA2-signed certificates before you install the certificates to SHA2-signed certificates. BizTalk Server can safely take part from either side in working with SHA2 certificates.Step2: Roll over the SHA2 certificatesTo install the SHA2-signed certificates, follow the steps that are documented here.Step3: Update the certificates in the BizTalk Server environmentUpdate the certificates wherever you use them in your BizTalk Server environment, such as in a BizTalk Server group or in a send port, party, or adapter configuration.Note You don't have to redeploy the application. However, you must restart BizTalk Server host instances after the certificates are updated in the BizTalk Server environment.
Cumulative update information
The fix to enable SHA2 certificate support is included in the following cumulative update for BizTalk Server:
Additional information
Support for SHA1-based certificatesThere is no change in BizTalk Server support of SHA1-based certificates in this hotfix. The SHA1-based certificates will continue to work. In other words, this hotfix does not force any certificate to be updated.Encryption algorithms supportBizTalk Server supports Data Encryption Algorithms 3 (DES3) and RC2 encryption algorithms. This hotfix continues to support these encryption algorithms with SHA2 certificates.MIC algorithms support for AS2-signed MDNVersion: 0.1 AS2-signed MDN uses the old SHA1 and MD5 algorithms for MIC calculation for outgoing signed MDN.The signed MDN receipt that's generated in the BizTalk system for AS2 supports the SHA2 certificates. There is no change in the following supported MIC algorithm:
-
MD5 : Received-Content-MIC field populated by using the MD5 algorithm.
-
SHA1 (Default) : Received-Content-MIC field populated by using the SHA1 algorithm.
Supported digests method in BizTalk Accelerator RosettanetThis cumulative update continues to support the following digest methods:
-
SHA1
-
MD5
BizTalk Accelerator Rosettanet will not support any new digest method as part of the SHA2 certificate support.SHA2-based SSL certificates rolloverSHA2-signed SSL certificates can replace an existing SHA1 certificates by following the best practices for managing the certificates, as detailed here.The BizTalk adapters that depend on the SSL certificates such as FTPs, HTTPs, POP3 adapters, and WCF adapters can consume the SHA2-signed SSL certificates after you install this hotfix.RoadmapThe road map for BizTalk Server calls for additional support for the following items:
-
Support the Advanced Encryption Standard (AES) exchange system for signature keys in AS2
-
Support for SHA2 based MIC calculation for AS2
-
Support for SHA2 based digest methods in Rosettanet
References
Learn about the service pack and cumulative update list for BizTalk Server.Learn about BizTalk Server hotfixes and cumulative update support.
