Install a certificate for Axway CFT
These instructions apply to Axway CFT servers. Here is the procedure to obtain an SSL server certificate for CFT (server authentication only, or mutual authentication):
- Generate a private key and a CSR with OpenSSL
- Obtain a certificate with TBS INTERNET
- Convert the elements to DER binary files
- Import the elements into the TransferCFT PKI base
- Configure SSL in TransferCFT
1a- Retrieve the certificates
Go back to where the private key was generated. In the delivery email you'll find several links. Click on them and download the associated files:
- A: your server certificate
- B: each element of the certification chain
1b- Convert the certificates
CFT requires the certificates to be in DER binary format, so they must be converted. For each .crt or .cer file, run:
openssl x509 -in FIC.crt -outform DER -out FIC.der
1c- Convert the private key
CFT requires the private key to be in DER binary format, so it must be converted:
openssl rsa -in FIC.key -outform DER -out FIC.key.der
2- Import the elements in the TransferCFT PKI base
Here is the CFT configuration needed to use the certificate. It is best to check the exact procedure with a CFT specialist. Initialize the PKI base with:
PKIUTIL pkifile fname=$CFTPKU, mode=create
If the file already exists, the command will fail.
Then import each certificate with the command
PKIUTIL pkicer
Consult the product documentation for the exact parameters to enter for each certificate, especially the parameter itype, which takes the value ROOT, INTER or USER.
Make sure all the elements are present with the command
PKIUTIL listpki
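The conversions in steps 1b and 1c and the itype choice in step 2 can be checked before anything is imported. The script below is an added example, not part of the original procedure or of Axway's tooling: the function names, file names and sample chain are constructed, and the itype mapping it suggests (self-issued certificate as ROOT, other CA certificate as INTER, anything else as USER) is an assumption to confirm against the product documentation.

```sh
#!/bin/sh
# Added example. File names and the constructed sample chain are placeholders.

cert_to_der() (      # $1 = PEM certificate, $2 = DER output
    openssl x509 -in "$1" -outform DER -out "$2" &&
    openssl x509 -inform DER -in "$2" -noout      # re-parse to prove it is valid DER
)

key_to_der() (       # $1 = PEM key, $2 = DER output (written unencrypted)
    umask 077        # owner-only permissions on the new key file
    openssl rsa -in "$1" -outform DER -out "$2" 2>/dev/null &&
    openssl rsa -inform DER -in "$2" -noout 2>/dev/null
)

key_matches_cert() ( # $1 = DER key, $2 = DER certificate; true if same public key
    k=$(openssl pkey -inform DER -in "$1" -pubout) || exit 1
    c=$(openssl x509 -inform DER -in "$2" -noout -pubkey) || exit 1
    [ "$k" = "$c" ]
)

# Assumed itype mapping: self-issued -> ROOT, other CA -> INTER, otherwise USER.
suggest_itype() (    # $1 = DER certificate
    s=$(openssl x509 -inform DER -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -inform DER -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] || exit 1
    if [ "$s" = "$i" ]; then echo ROOT
    elif openssl x509 -inform DER -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo INTER
    else echo USER; fi
)

# Constructed sample data: throwaway root -> intermediate -> server chain in $1.
make_sample_chain() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    for n in root inter server; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=constructed-sample-$n" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -out root.crt -days 1 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out inter.crt -days 1 2>/dev/null &&
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -out server.crt -days 1 2>/dev/null
)
```

Run key_matches_cert on the converted server key and server certificate before importing them: a mismatch at this point means the certificate was issued for a different CSR than the one generated with this key.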
3- Configure SSL in TransferCFT
The configuration is used to:
- Define the protocol with the keyword cftprot, line ssl=
- Define the server SSL profile with the keyword cftssl
- Activate the SSL server in TransferCFT by adding, in the parameters (cftparam), the protocol defined two lines above to the keyword prot
- Define the SSL client profile with the keyword cftssl
- Activate the SSL client by calling the SSL client profile created here above in a partner profile with cftpart, line ssl=
Last edited on 08/18/2020 07:35:14