AS2 Encryption and Signing

Topics: General Questions
Jul 12, 2010 at 8:15 PM
Edited Jul 12, 2010 at 8:17 PM

I have to import 3 certificates (cer or p7b files) required for AS2 encryption and signing. How would you suggest including this in my deployment? I presume I can take advantage of the CustomDeployTarget (and probably CustomRedist for inclusion of the cer/p7b files), but what is the best way to go about it? Create a certmgr Exec task?

The target servers are all Windows Server 2008. Currently 32-bit. We may move to R2 (obviously 64-bit) at a later date.

Thanks,

Vercellone

Coordinator
Jul 12, 2010 at 11:00 PM

You can include the cer/p7b files into your MSI with an <AdditionalFiles> ItemGroup. To install them on the server, yes, you'd probably want to add a new CustomDeployTarget target and the <Exec> task. CertUtil.exe may be a better choice than CertMgr.exe. You can use the Condition attribute in many places, so if you wanted the cert install to happen only on a server deploy, you can make your target conditional on that.

Thanks,
Tom

Jul 13, 2010 at 9:27 PM

Requisite certificate files have been included in the msi Release output, and I have the following CustomDeployTarget (names changed to protect the guilty):

<Target Name="CustomDeployTarget" Condition="'$(Configuration)' == 'Server'">
  <!--root certificate authority upon which b2b.companyname.com.cer depends -->
  <Exec Command='certutil.exe -addstore -user Root "$(DeploymentFrameworkRootDir)\..\ca.b2b.companyname.com.cer"'/>
  <!--key for outbound signature and inbound decryption -->
  <Exec Command='certutil.exe -addstore -user My "$(DeploymentFrameworkRootDir)\..\b2b.companyname.com.cer"'/>
  <!--Partner's public key for inbound signature verification and outbound encryption -->
  <Exec Command='certutil.exe -addstore Addressbook "$(DeploymentFrameworkRootDir)\..\PartnerName_ B2Bi_Cert.cer"'/>
</Target>

This all works fine with one minor annoyance. The first certutil.exe command results in an interactive "Security Warning" confirmation dialog which I don't see an easy way around. It is not critical at this time, since I don't require this to deploy unattended at this time. But, if you know any tricks, please share!

Thanks,

Vercellone

Coordinator
Jul 13, 2010 at 10:14 PM

I haven't tried this myself, but you could try running a PowerShell script with this PS add-in: http://certificatehelper.codeplex.com/. It shows importing a certificate from a file as an example usage.

Tom
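A PowerShell version of the three-store import from the CustomDeployTarget above, written here as an added example rather than code from the thread or from the CertificateHelper add-in Tom links to. It uses the .NET X509Store classes that ship with PowerShell 2.0 on Server 2008, so no snap-in is needed, and it writes to the LocalMachine stores, which is what avoids the Security Warning prompt (that dialog is raised whenever a CA certificate is added to a user's Root store, whichever tool does it; machine stores need an elevated session instead). The file names are the thread's own placeholders, and the script directory is an assumption.

```powershell
# Added example: non-interactive certificate import for an AS2 deployment.
# Assumes the cer/p7b files sit beside this script and that it runs elevated.
param(
  [string]$CertDir = (Split-Path -Parent $MyInvocation.MyCommand.Path)
)

function Import-CertFile {
  param(
    [Parameter(Mandatory=$true)][string]$Path,
    [Parameter(Mandatory=$true)][string]$StoreName,    # Root, My, AddressBook
    [string]$StoreLocation = 'LocalMachine'            # machine store: no user prompt
  )
  # A collection handles both .cer and .p7b; a .p7b may carry a whole chain.
  $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
  $certs.Import($Path)

  $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
  $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
  try {
    foreach ($cert in $certs) {
      # Idempotent: re-running the deploy must not create duplicate store entries.
      $existing = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
      if ($existing.Count -gt 0) {
        Write-Host "Already present in $StoreLocation\$StoreName : $($cert.Thumbprint)"
        continue
      }
      $store.Add($cert)
      Write-Host "Imported into $StoreLocation\$StoreName : $($cert.Subject) [$($cert.Thumbprint)]"
    }
  } finally {
    $store.Close()
  }
}

# Same stores as the thread's certutil calls, machine-wide; names are the thread's placeholders.
Import-CertFile -Path (Join-Path $CertDir 'ca.b2b.companyname.com.cer')  -StoreName 'Root'
Import-CertFile -Path (Join-Path $CertDir 'b2b.companyname.com.cer')     -StoreName 'My'
Import-CertFile -Path (Join-Path $CertDir 'PartnerName_ B2Bi_Cert.cer')  -StoreName 'AddressBook'
```

From the CustomDeployTarget this can be called with an <Exec> such as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "path\Import-As2Certs.ps1"` (script name assumed). Note that a .cer carries only the public half, so if the b2b certificate in My must also sign and decrypt, the private key has to arrive as a PFX and be imported with the MachineKeySet storage flag instead.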