Certificate Management
MFT Gateway Certificate Store allows you to review, generate and manage your key pairs and trusted certificates in one place.
1 Certificate Types
MFT Gateway has five main certificate types:
- STATION: key pairs (private and public keys) assignable to trading stations
- PARTNER: certificates (signed public keys) assignable to trading partners for encryption or signature verification
- HTTPS: (SSL/TLS) certificates assigned to trading partners’ secure (https://) URLs, for establishing trust when connecting to send outbound messages/MDNs
- PARTNER_CHAIN: chain certificates, usually belonging to certificate authorities (CAs), as supplementary information for building the certification-path trust anchors for PARTNER certificates
- HTTPS_CHAIN: supplementary CA certificates to provide trust anchors for HTTPS certificates
HTTPS and HTTPS_CHAIN are rarely used; you need them only if your partner has an HTTPS endpoint with a certificate issued by someone other than the common, globally trusted CAs.
2 Certificate List
The list view offers common details and operations for all certificate types:
- Self Signed: whether the certificate is self-signed or not
- Common Name: the CN field of the certificate identifier (distinguished name, DN)
- Serial Number: unique identifier of the certificate, generated by the certificate issuer
- Expire On: expiration date of the certificate
- Type: certificate type (as listed earlier)
- Belongs To: the set of entities (partners, stations) that are currently using the certificate
- Download: option to download the certificate as PEM, DER, P7B or CER
- Delete: option to delete the certificate from the MFT Gateway certificate store. Before you can delete a certificate safely, you must detach all usages shown under the “Belongs To” column.
For STATION certificates (which are actually key pairs), there are two additional options to renew the certificate:
- By clicking the Renew icon in the certificate list. This prompts a pop-up to extend the expiration date of the STATION certificate.
- Through an external CA. Using the Generate CSR (Certificate Signing Request) option, you can download a .csr file and share it with your CA to get the new certificate issued, and then assign it back to the existing STATION entry.
3 Certificate Management Operations
3.1 Import Public Certificate to MFT Gateway Trust/HTTPS Store
You can import a public certificate to the MFT Gateway trust/HTTPS store using the New Certificate button and moving to the Import Public Certificate section. You can use imported public certificates as your trading partner’s encryption, signature verification and HTTPS certificates.
From this section you can upload the following certificate types:
- Encrypt/Sign Certificate
- HTTPS Certificate
- Encrypt/Sign Chain Certificate
- HTTPS Chain Certificate
Note:
- When importing public certificates, only PEM, DER, CER, CRT and P7B formats are supported.
- When importing a public certificate, if a copy of the certificate is already available in the MFT Gateway certificate store, MFT Gateway will consider the second one as a Duplicate and skip importing the certificate again.
- If you see an error like “Trust Anchor Validation Failed” while uploading an HTTPS Certificate, it indicates that the HTTPS certificate you are trying to upload is not trusted by MFT Gateway. You need to upload the corresponding issuer certificate as an HTTPS Chain Certificate to complete the trust anchor before importing the certificate.
3.2 Import Public/Private Key Pair From Existing Keystore
You can import a public/private key pair from an existing keystore to the MFT Gateway identity store by uploading the keystore and providing the keystore password. When importing the keystore, use the JKS (Java Keystore) or P12 (PKCS#12) format. You can use key pairs imported from this section as your station certificates.
Note: .p12 is more standardized and widely supported. Check out this reference for more details on the differences between .jks and .p12.
3.3 Generating a New Key Pair (STATION Certificate)
You can generate a new self-signed certificate and add it to the MFT Gateway identity store. You can use certificates generated from this section as your station certificates by assigning them later.
The process is similar to generating a new key pair for a new trading station. You would provide:
- a Common Name (CN)
- identification details (organization/unit, address etc.)
- a Key Length for the key being generated
- a Validity period for the certificate (number of years forward); validity (NotBefore) starts from the actual time of generation.
- a Certificate Password for securely storing the generated private key
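To make the operations in this section, the STATION renewal via CSR from section 2, and the trust-anchor note from section 3.1 concrete, here is an added example using the Python `cryptography` library. It is not MFT Gateway code and does not describe the product's implementation: the function names, the PKCS#12 export and the way the certification path is walked are assumptions made for the example. It generates a self-signed STATION key pair from the form fields listed above (CN, identification details, key length, validity in years from the time of generation, certificate password), produces a CSR over the same key for renewal through an external CA, and builds the path from a partner's HTTPS certificate through uploaded chain certificates to a self-signed anchor, which is the check that fails with “Trust Anchor Validation Failed” when the issuer certificate has not been uploaded. All names, keys and certificates are constructed inside the example.

```python
# Added example, not MFT Gateway code. Names, keys and certificates are constructed here.
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_name(cn, org="Example Org"):
    """Distinguished name carrying the CN and organisation fields of the form."""
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])


def issue(subject, public_key, issuer_cert, issuer_key, years, ca=False):
    """Sign a certificate. NotBefore is the generation time; NotAfter is `years`
    years forward. issuer_cert=None produces a self-signed certificate."""
    now = dt.datetime.now(dt.timezone.utc)
    issuer = subject if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=365 * years))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def generate_station(cn, key_length=2048, years=2, password=b"change-me"):
    """Self-signed STATION key pair: CN, key length, validity in years and a
    password protecting the private key. Returns key, certificate and a .p12 blob."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_length)
    cert = issue(make_name(cn), key.public_key(), None, key, years, ca=True)
    p12 = pkcs12.serialize_key_and_certificates(
        cn.encode(), key, cert, None, serialization.BestAvailableEncryption(password))
    return key, cert, p12


def load_station(p12, password):
    """Re-open the password-protected .p12 (the keystore import of section 3.2)."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12, password)
    return key, cert


def renewal_csr(key, cn):
    """'Generate CSR': a request over the existing station key for an external CA."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(make_name(cn)).sign(key, hashes.SHA256()))


def _signed_by(cert, issuer):
    """True if the issuer's RSA key verifies the certificate signature."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def trust_path(leaf, chain):
    """Walk issuer links from an imported certificate through the uploaded chain
    certificates to a self-signed anchor. Returns the ordered path, or None when
    an issuer is missing or a signature fails ('Trust Anchor Validation Failed')."""
    by_subject = {c.subject: c for c in chain}
    path, cert = [leaf], leaf
    while len(path) <= len(chain) + 1:          # bounds the walk; no issuer loops
        if cert.issuer == cert.subject:          # self-signed: this is the anchor
            return path if _signed_by(cert, cert) else None
        issuer = by_subject.get(cert.issuer)
        if issuer is None or not _signed_by(cert, issuer):
            return None
        path.append(issuer)
        cert = issuer
    return None


def validity_days(cert):
    """Days between NotBefore and NotAfter, tolerant of cryptography versions."""
    before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return (after - before).days


def demo():
    """Run the three operations on constructed data and return the results."""
    station_key, station_cert, p12 = generate_station("my-station", 2048, 2, b"s3cret")
    csr = renewal_csr(station_key, "my-station")
    # Partner HTTPS endpoint signed by a private CA the gateway does not know:
    # the import only validates once that CA is uploaded as an HTTPS Chain cert.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = issue(make_name("Partner Private CA"), ca_key.public_key(), None, ca_key, 10, ca=True)
    https_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    https_cert = issue(make_name("as2.partner.example"), https_key.public_key(), ca_cert, ca_key, 1)
    return {"station_cert": station_cert, "p12": p12, "csr": csr,
            "https_cert": https_cert, "ca_cert": ca_cert,
            "without_chain": trust_path(https_cert, []),       # None: validation failed
            "with_chain": trust_path(https_cert, [ca_cert])}   # [https_cert, ca_cert]


if __name__ == "__main__":
    r = demo()
    print("station validity (days):", validity_days(r["station_cert"]))
    print("CSR subject:", r["csr"].subject.rfc4514_string())
    print("HTTPS import without chain:", "Trust Anchor Validation Failed" if r["without_chain"] is None else "OK")
    print("HTTPS import with chain:", [c.subject.rfc4514_string() for c in r["with_chain"]])
```

Running it prints a 730-day validity for the station certificate, the CSR subject, the failed import of the partner's HTTPS certificate on its own, and the two-element path once the private CA is supplied as the chain certificate. The same `trust_path` logic applies to PARTNER certificates and PARTNER_CHAIN uploads.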