Certificate Management | Aayu Technologies

Certificate Management

MFT Gateway Certificate Store allows you to review, generate and manage your key pairs and trusted certificates in one place.

1 Certificate Types

MFT Gateway has five main certificate types:

  • STATION: key pairs (private and public keys) assignable to trading stations
  • PARTNER: certificates (signed public keys) assignable to trading partners for encryption or signature verification
  • HTTPS: (SSL/TLS) certificates assigned to trading partners’ secure (https://) URLs, for establishing trust when connecting to send outbound messages/MDNs
  • PARTNER_CHAIN: chain certificates, usually belonging to certificate authorities (CAs), as supplementary information for building the certification-path trust anchors for PARTNER certificates
  • HTTPS_CHAIN: supplementary CA certificates to provide trust anchors for HTTPS certificates

HTTPS and HTTPS_CHAIN are rarely used; they are needed only if your partner has an HTTPS endpoint with a certificate issued by someone other than the common, globally trusted CAs.

2 Certificate List

Certificate List

The list view offers common details and operations for all certificate types:

  • Self signed: whether the certificate is self-signed or not
  • Common Name: the Common Name (CN) field of the certificate's distinguished name (DN)
  • Serial Number: the unique identifier assigned to the certificate by its issuer
  • Expire On: the expiration date of the certificate
  • Type: the certificate type (as listed earlier)
  • Belongs To: the set of entities (partners, stations) that are currently using the certificate
  • Download: export the certificate as PEM, DER, P7B or CER
  • Delete: remove the certificate from the MFT Gateway certificate store. Before you can delete a certificate safely, you must detach all usages shown under the “Belongs To” column.

For STATION certificates (which are actually key pairs), there is an additional option to renew the certificate through an external CA. Using the Generate CSR (Certificate Signing Request) option, you can download a .csr file and share it with your CA to get the new certificate issued, and then assign the issued certificate back to the existing STATION entry.

3 Certificate Management Operations

3.1 Import Public Certificate to MFT Gateway Trust/HTTPS Store

You can import a public certificate into the MFT Gateway trust/HTTPS store by clicking the New Certificate button and moving to the Import Public Certificate section. Public certificates imported here can be used as your trading partners’ encryption, signature verification and HTTPS certificates.

Import Public Certificate

From this section you can upload the following certificate types:

  • Encrypt/Sign Certificate
  • HTTPS Certificate
  • Encrypt/Sign Chain Certificate
  • HTTPS Chain Certificate

Note:

  • When importing public certificates, only the PEM, DER, CER, CRT and P7B formats are supported.
  • When importing a public certificate, if a copy of that certificate is already present in the MFT Gateway certificate store, MFT Gateway treats the second one as a duplicate and skips importing it again.
  • If you see an error like “Trust Anchor Validation Failed” while uploading an HTTPS certificate, the certificate you are trying to upload is not trusted by MFT Gateway. Upload the corresponding issuer certificate as an HTTPS Chain Certificate to complete the trust anchor, and then import the certificate again.

3.2 Import Public/Private Key Pair From Existing Keystore

You can import a public/private key pair from an existing keystore into the MFT Gateway identity store by uploading the keystore and providing the keystore password. The keystore must be in JKS (Java KeyStore) or P12 (PKCS#12) format. Key pairs imported from this section can be used as your station certificates.

Import From Keystore

Note: .p12 is more standardized and widely supported. Check out this reference for more details on the differences between .jks and .p12.

3.3 Generating a New Key Pair (STATION Certificate)

You can generate a new self-signed certificate and add it to the MFT Gateway identity store. Certificates generated from this section can be used as your station certificates by assigning them later.

Generate Self-signed Certificate

The process is similar to generating a new key pair for a new trading station. You provide:

  • a Common Name (CN)
  • identification details (organization/unit, address etc.)
  • a Key Length for the key being generated
  • a Validity period for the certificate (number of years forward); validity (NotBefore) starts from the actual time of generation.
  • a Certificate Password for securely storing the generated private key
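
As an added example (not part of the MFT Gateway documentation or product code), the following Go program models the checks described on this page: generating a self-signed STATION key pair from a CN, key length and validity in years, the “Self signed” column of the certificate list, and the trust-anchor check that fails with “Trust Anchor Validation Failed” when a partner's HTTPS certificate is uploaded without its issuer and passes once the issuer is supplied as a chain certificate. The function names (Issue, IsSelfSigned, TrustAnchorOK) and the CNs are hypothetical, and only the Go standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue builds a certificate for cn: self-signed when parent is nil (a STATION key pair or a private CA), otherwise issued by parent as a PARTNER/HTTPS certificate would be.
func Issue(cn string, isCA bool, years int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the form's "Key Length"
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed sample serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),                      // validity starts at generation time
		NotAfter:              time.Now().AddDate(years, 0, 0), // the form's "Validity" in years
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // no issuer given: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IsSelfSigned is what the list's "Self signed" column reports: the signature verifies under the certificate's own public key.
func IsSelfSigned(c *x509.Certificate) bool { return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil }
// TrustAnchorOK models the import check behind "Trust Anchor Validation Failed": leaf must chain to a root using only the chain certificates supplied (self-signed entries are the trust anchors, the rest intermediates).
func TrustAnchorOK(leaf *x509.Certificate, chain ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain {
		inters.AddCert(c)
		if IsSelfSigned(c) {
			roots.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

Calling TrustAnchorOK(partner) with no chain certificate returns an unknown-authority error, and TrustAnchorOK(partner, issuerCA) returns nil, which is the situation the note above describes.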