picture of tbs certificates
picture of tbs certificates
Our products range

Install a certificate for Axway CFT

Those instructions are suitable for Axway CFT servers. Here is the procedure to obtain a SSL server certificate for CFT (server authentication serveur only or mutual):

  1. Generate a private key and a CSR with OpenSSL
  2. Obtain a certificate with TBS INTERNET
  3. Convert the elements in DER binary files
  4. Import the elements in the TransferCFT PKIbase
  5. Configure SSL in TransferCRT
You received your certificate by email with one or several intermediate certificates and a root certificate. Keep this email within reach.

1a- Retrieve the certificates

Go back where the private key has been generated.

In the delivery email you'll find several links. Click on them and download the associated files:
  • A: your server certificate
  • B: each elements of the certification chain

1b- Convert the certificates

CFT wants the certificates to be in DER binary format. It requires a conversion. For each .crt or .cer files, follow the instructions:
openssl x509 -in FIC.crt -outform DER -out FIC.der 

1c- Convert the private key

CFT CFT wants the private key to be in DER binary format. It requires a conversion.
openssl rsa -in FIC.key -outform DER -out FIC.key.der 

2- Import the elements in the TransferCFT PKI base

Here is the CFT configuration part needed to be able to use the certificate. It would be better to check with a CFT specialist the exact procedure. Initialize the PKI base with:
PKIUTIL pkifile fname=$CFTPKU, mode=create
If the file already exists, the command will fail.

Then import each certificate with the command
PKIUTIL pkicer
Consult the documentation of the product to enter the exact parameters for each certificate, especially the parameteritype that take the value ROOT, INTER or USER.

Make sure all the elements are here with the command
PKIUTIL listpki

3- Configure SSL in TransferCFT

The configuration is used to
  • Define the protocol with the key word cftprot, line ssl=
  • Define the server SSL profile with the key word cftssl
  • Activate the SSL server in TransferCRT by adding in the parameter (cftparam) the protocol defined 2 lines in the key word prot
  • Define the SSL client profile with the key wordcftssl
  • Activate the SSL client by calling the SSL client profile created here above in a partner profile with cftpart, line ssl=
Consult the product documentation to enter the exact parameters.