Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Introduction

This article describes a hotfix that enables SHA2 certificate support in Microsoft BizTalk Server.

Summary

After you apply this hotfix, BizTalk Server can consume SHA2-signed certificates together with SHA1-signed certificates (which are already supported). This hotfix supports SHA2-signed certificates based on the following SHA2 digest:

  • SHA256

  • SHA384

  • SHA512

More Information

To roll over the SHA2 certificates in a BizTalk Server environment, follow these steps.

Step1: Check the environment

The first step is to make sure that both Server and Client (Sender or Receiver) will support SHA2-signed certificates before you install the certificates to SHA2-signed certificates. BizTalk Server can safely take part from either side in working with SHA2 certificates.

Step2: Roll over the SHA2 certificates

To install the SHA2-signed certificates, follow the steps that are documented here.

Step3: Update the certificates in the BizTalk Server environment

Update the certificates wherever you use them in your BizTalk Server environment, such as in a BizTalk Server group or in a send port, party, or adapter configuration.

Note You don't have to redeploy the application. However, you must restart BizTalk Server host instances after the certificates are updated in the BizTalk Server environment.

Cumulative update information

The fix to enable SHA2 certificate support is included in the following cumulative update for BizTalk Server:

Additional information

Support for SHA1-based certificates

There is no change in BizTalk Server support of SHA1-based certificates in this hotfix. The SHA1-based certificates will continue to work. In other words, this hotfix does not force any certificate to be updated.

Encryption algorithms support

BizTalk Server supports Data Encryption Algorithms 3 (DES3) and RC2 encryption algorithms. This hotfix continues to support these encryption algorithms with SHA2 certificates.

MIC algorithms support for AS2-signed MDN

Version: 0.1 AS2-signed MDN uses the old SHA1 and MD5 algorithms for MIC calculation for outgoing signed MDN.

The signed MDN receipt that's generated in the BizTalk system for AS2 supports the SHA2 certificates. There is no change in the following supported MIC algorithm:

  • MD5 : Received-Content-MIC field populated by using the MD5 algorithm.

  • SHA1 (Default) : Received-Content-MIC field populated by using the SHA1 algorithm.


Supported digests method in BizTalk Accelerator Rosettanet

This cumulative update continues to support the following digest methods:

  • SHA1

  • MD5


BizTalk Accelerator Rosettanet will not support any new digest method as part of the SHA2 certificate support.

SHA2-based SSL certificates rollover

SHA2-signed SSL certificates can replace an existing SHA1 certificates by following the best practices for managing the certificates, as detailed here.

The BizTalk adapters that depend on the SSL certificates such as FTPs, HTTPs, POP3 adapters, and WCF adapters can consume the SHA2-signed SSL certificates after you install this hotfix.

Roadmap

The road map for BizTalk Server calls for additional support for the following items:

  • Support the Advanced Encryption Standard (AES) exchange system for signature keys in AS2

  • Support for SHA2 based MIC calculation for AS2

  • Support for SHA2 based digest methods in Rosettanet


References

Learn about the service pack and cumulative update list for BizTalk Server.

Learn about BizTalk Server hotfixes and cumulative update support.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×