In this tutorial, you will learn how to create an SSL certificate used to protect the HTTP and AS2 tunnel in GoAnywhere.
Before configuring the HTTPS/AS2 service, it is first necessary to create an SSL certificate that will be used to protect the HTTP tunnel.
To create the SSL certificate, log in to GoAnywhere MFT. Click Encryption from the main menu, and then click the SSL Certificate Manager link. Here you will find a list of trusted certificates already included with GoAnywhere MFT. From this page, click on Open Key Store in the toolbar.
On the next screen, when asked to choose the Key Store Type, choose Default Private Keys and click Open.
From the Default Private Keystore, you can import, create, or modify certificates. To create the new SSL certificate, click on New, and then select New Certificate. You will then need to complete the SSL Certificate form.
A few field notes:
Key Type – This is the algorithm used to generate the key value for the Certificate.
Key Size – This is the length (in bits) of the key. Values may be 1024, 2048, or 4096 bits. Larger key sizes will provide stronger protection but will slow the performance of encryption and decryption processes.
Signature Algorithm – This is the algorithm used for signing the Public key portion of the certificate. SHA1withRSA is recommended in most cases.
Alias – Assign a unique name to the Certificate (for example, “Certificate_for_Financial_Transfers”). It is not recommended to use spaces in the Alias. Instead, an underscore can be used to separate words.
Common Name – Assign a unique name that your trading partner could use to verify your identity. It is recommended that you use your organization’s URL as the Common Name since it is unique to your organization. It is not recommended to use spaces in the Common Name.
When you are finished completing the SSL Certificate form, click Save, which will return you to the Default Private Keystore Certificate Manager.
If you need a signed certificate, you’ll need to create a signing request for your Certificate that you will send to a Certificate Authority (CA). This is necessary if your trading partners require your Certificates to be signed by a CA and not self-signed.
Select the Action icon for the Certificate and then select the Generate CSR option. The file will download to your internet browser’s default folder. The file will be named using the Certificate’s Alias with a .csr extension. You can then send this file to a Certificate Authority (CA) for signing.
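Before sending the .csr file to the CA, it is worth confirming which Signature Algorithm and Key Size actually ended up in the request. The following is an added example, not part of the original tutorial or of GoAnywhere: a standard-library Python script that reads the PEM request and flags a SHA-1 signature or an RSA key under 2048 bits (the CA/Browser Forum Baseline Requirements, which publicly trusted CAs follow, require RSA keys of at least 2048 bits and prohibit issuing SHA-1-signed certificates). The function names and the threshold are choices made for this example, and it assumes an RSA key.

```python
import base64, re, sys

# DER-encoded OID bytes (hex) of the PKCS#1 v1.5 RSA signature algorithms.
SIG_ALGS = {"2a864886f70d010105": "SHA1withRSA", "2a864886f70d01010b": "SHA256withRSA",
            "2a864886f70d01010c": "SHA384withRSA", "2a864886f70d01010d": "SHA512withRSA"}
RSA_KEY_OID = "2a864886f70d010101"  # rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into its (tag, value) members."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_csr(pem):
    """Return (signature algorithm, RSA modulus bits) of a PEM PKCS#10 request."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    info, sig_alg, _signature = children(read_tlv(der, 0)[1])
    _version, _subject, spki = children(info[1])[:3]
    key_alg, pubkey = children(spki[1])
    if children(key_alg[1])[0][1].hex() != RSA_KEY_OID:
        raise ValueError("not an RSA key")
    # BIT STRING body: one 'unused bits' byte, then SEQUENCE { modulus, exponent }.
    modulus = children(read_tlv(pubkey[1], 1)[1])[0][1]
    oid = children(sig_alg[1])[0][1].hex()
    return SIG_ALGS.get(oid, oid), int.from_bytes(modulus, "big").bit_length()

def findings(pem):
    """Return the weak settings found in the request (empty list if none)."""
    alg, bits = inspect_csr(pem)
    out = ["signed with SHA-1"] if alg == "SHA1withRSA" else []
    if bits < 2048:
        out.append(f"RSA key is {bits} bits")
    return out

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:  # path to the .csr file downloaded from GoAnywhere
        print(findings(fh.read()) or "no findings")
```

The script only reads the request's fields; it does not verify the request's signature.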
When your CSR is approved, you will receive a reply from your Certificate Authority that will contain an updated digital certificate. To import this certificate, return to the SSL Certificate Manager’s Private Key Store, select the Action icon for the Certificate, and then select the Import CA Reply option. You will be prompted to identify the location where the CA Reply file is located. Input the location or browse for the file.
Now that your Certificate has been created and signed by a Certificate Authority, and the reply has been imported to your key store, you’ll need to assign the certificate to your HTTPS service. To do this, navigate to the Service Manager page via the Services drop-down menu. Once there, click the Action icon for HTTPS/AS2 Service and select the Edit option. On the HTTPS Configuration page, on the left-hand navigation pane, select Listener under the Server section.
In the Listener pane, navigate to the SSL tab. In the SSL tab, set the Key Alias attribute to the name of the newly signed certificate. You can enter the name manually or browse for the Key Alias. Set the Trust Store File to the same file location that holds your SSL certificate. Also ensure that the Key Store Type matches that of the Trust Store File. Once finished, Save and Finish your changes. Finally, restart the HTTPS/AS2 service by clicking on the Action icon and selecting Restart.