Update to add support for SHA2 certificates in BizTalk Server

Introduction
This article describes a hotfix that enables SHA2 certificate support in Microsoft BizTalk Server.
Summary
After you apply this hotfix, BizTalk Server can consume SHA2-signed certificates together with SHA1-signed certificates (which are already supported). This hotfix supports SHA2-signed certificates that use the following SHA2 digests:
  • SHA256
  • SHA384
  • SHA512
More information
To roll over to SHA2 certificates in a BizTalk Server environment, follow these steps.

Step 1: Check the environment

The first step is to make sure that both sides of the exchange (the server and the client, whichever is the sender or the receiver) support SHA2-signed certificates before you replace the existing certificates with SHA2-signed certificates. A partner that cannot validate a SHA2 signature will reject signed messages or fail the TLS handshake, so confirm support with the partner first. BizTalk Server can safely act as either side when SHA2 certificates are used.

Step 2: Roll over to the SHA2 certificates

To install the SHA2-signed certificates, follow the steps that are documented here.

Step 3: Update the certificates in the BizTalk Server environment

Update the certificates wherever you use them in your BizTalk Server environment, such as in a BizTalk Server group or in a send port, party, or adapter configuration.

Note You don't have to redeploy the application. However, you must restart BizTalk Server host instances after the certificates are updated in the BizTalk Server environment.
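The three steps above, worked through as an added PowerShell example that is not part of the KB article: an inventory of the machine store by signature algorithm (Step 1, local side), a probe of the certificate a partner's TLS endpoint presents (Step 1, partner side), and a restart of the in-process host instances through the BizTalk WMI provider (Step 3). The partner host name and the BizTalk host name at the bottom are placeholders.

```powershell
# Added example, not from the KB article. Placeholders: 'partner.example.com',
# 'BizTalkServerApplication'. Run in an elevated Windows PowerShell session on a
# BizTalk Server node.

# Step 1 (local side): which certificates in the machine store are SHA1- vs SHA2-signed?
function Get-CertificateSignatureInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | ForEach-Object {
        # FriendlyName is e.g. 'sha1RSA', 'sha256RSA', 'sha384RSA', 'sha512RSA', 'sha256ECDSA'
        $alg = $_.SignatureAlgorithm.FriendlyName
        [pscustomobject]@{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            SignatureAlg = $alg
            IsSha2       = ($alg -match '^sha(256|384|512)')
        }
    }
}

# Step 1 (partner side): fetch the certificate a remote TLS endpoint presents and report
# its signature algorithm. The validation callback returns $true only so the handshake
# completes and the certificate can be inspected; this is a probe, not a trust decision.
function Get-RemoteTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) return $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
            [pscustomobject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
                IsSha2       = ($cert.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)')
                NotAfter     = $cert.NotAfter
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# Step 3: restart in-process host instances after the certificates have been updated.
# MSBTS_HostInstance: HostType 1 = in-process, 2 = isolated; ServiceState 1 = stopped, 4 = running.
# Isolated hosts run inside IIS and are not restarted here (recycle their application pools separately).
function Restart-BizTalkHostInstances {
    param([string[]]$HostName)   # restrict to specific hosts; all in-process hosts when omitted
    $instances = Get-WmiObject -Namespace 'root\MicrosoftBizTalkServer' -Class MSBTS_HostInstance |
        Where-Object { $_.HostType -eq 1 -and (-not $HostName -or $HostName -contains $_.HostName) }
    foreach ($hi in $instances) {
        if ($hi.ServiceState -eq 4) {
            Write-Host "Stopping $($hi.HostName) on $($hi.RunningServer)"
            [void]$hi.Stop()
        }
        Write-Host "Starting $($hi.HostName) on $($hi.RunningServer)"
        [void]$hi.Start()
    }
}

# Usage: list certificates that are still SHA1-signed, probe the partner, then restart hosts.
Get-CertificateSignatureInventory | Where-Object { -not $_.IsSha2 } | Format-Table Subject, SignatureAlg, NotAfter
Get-RemoteTlsCertificate -HostName 'partner.example.com' -Port 443
Restart-BizTalkHostInstances -HostName 'BizTalkServerApplication'
```

The inventory also flags the expiry date, because a rollover is the natural moment to retire certificates that are about to expire anyway; the restart function deliberately touches only hosts you name, since stopping every in-process host on a multi-server group at once interrupts all message processing.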

Cumulative update information

The fix to enable SHA2 certificate support is included in the following cumulative update for BizTalk Server:

Additional information

Support for SHA1-based certificates

This hotfix does not change BizTalk Server's support for SHA1-based certificates. SHA1-based certificates continue to work. In other words, this hotfix does not force any certificate to be updated.

Encryption algorithms support

BizTalk Server supports the Triple DES (3DES, referred to as DES3 in the product) and RC2 content-encryption algorithms. This hotfix does not change that: these encryption algorithms continue to be used together with SHA2 certificates, because the digest used to sign a certificate is independent of the algorithm that encrypts the message content.

MIC algorithms support for AS2-signed MDN

AS2-signed MDNs continue to use the SHA1 and MD5 algorithms for MIC calculation on outgoing signed MDNs.

The signed MDN receipt that BizTalk Server generates for AS2 supports SHA2 certificates. There is no change in the following supported MIC algorithms:
  • MD5 : Received-Content-MIC field populated by using the MD5 algorithm.
  • SHA1 (Default) : Received-Content-MIC field populated by using the SHA1 algorithm.
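How the MIC the MDN reports relates to what was sent, as an added PowerShell example that is not part of the KB article: the MIC is computed over the bytes of the signed MIME entity with the algorithm the MDN names, and the sender compares the Received-Content-MIC value with its own computation. The message bytes and the MDN text are constructed for illustration; which bytes the MIC covers (the canonicalized MIME entity per RFC 4130) is the caller's responsibility here.

```powershell
# Added example, not from the KB article. Only the two algorithms BizTalk supports for
# the MDN MIC (sha1, the default, and md5) are handled; sample content is constructed.

function Get-As2Mic {
    param(
        [Parameter(Mandatory)][byte[]]$Content,                 # bytes of the MIME entity the MIC covers
        [ValidateSet('sha1', 'md5')][string]$Algorithm = 'sha1' # BizTalk's MDN default is sha1
    )
    $hasher = switch ($Algorithm) {
        'sha1' { [System.Security.Cryptography.SHA1]::Create() }
        'md5'  { [System.Security.Cryptography.MD5]::Create() }
    }
    try { $digest = $hasher.ComputeHash($Content) } finally { $hasher.Dispose() }
    # RFC 4130 section 7.4.3: Received-Content-MIC: <base64 MIC>, <micalg>
    '{0}, {1}' -f [Convert]::ToBase64String($digest), $Algorithm
}

# Parse the Received-Content-MIC field of a received MDN and compare it with the MIC
# computed over what was sent; a mismatch means the partner did not receive what was signed.
function Test-As2Mdn {
    param([Parameter(Mandatory)][string]$MdnText, [Parameter(Mandatory)][byte[]]$SentContent)
    $pattern = '^Received-Content-MIC:\s*(.+?),\s*(\S+)\s*$'
    $line = ($MdnText -split "`r?`n") | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw 'MDN carries no Received-Content-MIC field' }
    $null = $line -match $pattern
    $reportedMic = $Matches[1]
    $alg = $Matches[2].ToLower()
    if (@('sha1', 'md5') -notcontains $alg) {
        throw "Unsupported micalg '$alg': only sha1 and md5 are supported for the MDN MIC"
    }
    $expected = (Get-As2Mic -Content $SentContent -Algorithm $alg).Split(',')[0]
    [pscustomobject]@{
        Algorithm = $alg
        Reported  = $reportedMic
        Expected  = $expected
        Match     = ($reportedMic -eq $expected)
    }
}

# Constructed sample: the entity that was signed, and an MDN a partner might return for it.
$sent = [System.Text.Encoding]::ASCII.GetBytes("Content-Type: application/edi-x12`r`n`r`nISA*00*          *00*")
$mdn  = "Reporting-UA: partner-as2`r`n" +
        "Received-Content-MIC: " + (Get-As2Mic -Content $sent) + "`r`n" +
        "Disposition: automatic-action/MDN-sent-automatically; processed`r`n"
Test-As2Mdn -MdnText $mdn -SentContent $sent   # Match is True for the constructed sample
```

An MDN that names a micalg other than sha1 or md5 is rejected rather than silently accepted, which is the behaviour to expect until the SHA2-based MIC support listed in the roadmap below ships.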

Supported digest methods in BizTalk Accelerator for RosettaNet

This cumulative update continues to support the following digest methods:
  • SHA1
  • MD5

BizTalk Accelerator for RosettaNet will not support any new digest method as part of the SHA2 certificate support.

SHA2-based SSL certificates rollover

SHA2-signed SSL certificates can replace existing SHA1 certificates by following the best practices for managing certificates, as detailed here.

The BizTalk adapters that depend on SSL certificates, such as the FTPS, HTTPS, POP3, and WCF adapters, can consume SHA2-signed SSL certificates after you install this hotfix.

Roadmap

The road map for BizTalk Server calls for additional support for the following items:
  • Support the Advanced Encryption Standard (AES) exchange system for signature keys in AS2
  • Support for SHA2 based MIC calculation for AS2
  • Support for SHA2 based digest methods in Rosettanet

Properties

Article ID: 3123748 - Last Review: 04/13/2016 20:47:00 - Revision: 3.0

Microsoft BizTalk Server 2013 R2 Branch, Microsoft BizTalk Server 2013 R2 Developer, Microsoft BizTalk Server 2013 R2 Enterprise, Microsoft BizTalk Server 2013 R2 Standard, Microsoft BizTalk Server Branch 2010, Microsoft BizTalk Server Developer 2010, Microsoft BizTalk Server Enterprise 2010, Microsoft BizTalk Server Standard 2010, Microsoft BizTalk Server 2013 Branch, Microsoft BizTalk Server 2013 Developer, Microsoft BizTalk Server 2013 Enterprise, Microsoft BizTalk Server 2013 Standard

  • kbqfe kbsurveynew kbfix kbexpertiseinter KB3123748