BusinessConnect and the upcoming "47-day server certificate" rule

Article ID: KB0138327

Products                                   Versions
TIBCO BusinessConnect                      7.4.0, 7.5.0
TIBCO BusinessConnect Container Edition    1.7.0

Description

BusinessConnect (BC) and BusinessConnect Container Edition (BCCE) require a valid certificate to be uploaded as part of a trading partner's HTTPS transport configuration. Similarly, the BC/BCCE Gateway Server uses an uploaded identity (a .p12 file) that contains the private key and the public certificate chain used by its HTTPS server.

For outbound transactions, TIBCO Engineering has verified that, once a valid trading partner certificate has been uploaded into the trading partner's configuration, HTTPS connections continue to succeed even after that uploaded certificate expires, as long as the certificate chain presented by the trading partner's server remains valid and the CAs that issued it remain trusted in the BC/BCCE certificate store.

For inbound transactions, the renewed identity/certificate .p12 file will have to be uploaded upon certificate expiration, and the Gateway Server engine will have to be restarted for the new file to take effect. The new file can, however, be uploaded in advance and the configuration updated before the Gateway Server is restarted. The restart takes about 60-120 seconds. If continuous operation is required during the switchover, run multiple Gateway Servers behind a load balancer and perform a rolling restart of the individual Gateway Server engines.

NOTE: The 47-day rule applies to server (TLS) certificates only. The AS2 and Email transports use S/MIME certificates for signing and encryption and are not affected by this rule (the current standard lifetime for these certificates/keys is 2 years). These certificates are usually separate from the server certificates.

However, some organizations use a single certificate configured for all three functions (TLS, signing and encryption). Such certificates WILL have to be updated frequently in the trading partner configuration for signing and encryption to keep working (the TLS function will continue to work). Customers in this situation are urged to review their certificate usage with their trading partners and ensure that the certificates are separated.
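The checks the two preceding sections rely on, written out as an added example for this article (this is not BusinessConnect code and uses no BC/BCCE API): the days of validity remaining on a stored certificate, which tells you when the replacement identity must already be uploaded ahead of the Gateway Server restart; verification of the chain a partner's server presents against the trusted CA pool, which is what decides an outbound HTTPS connection independently of the older copy in the partner configuration; and detection of a certificate that carries both TLS server and S/MIME (email protection) usage and therefore inherits the short server lifetime. Go is used because its standard library includes an X.509 implementation. The CA, the trading partner hostname partner.example.com, the fixed date, the serial numbers and the 47-day leaf lifetimes are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const partnerHost = "partner.example.com" // hypothetical trading-partner hostname

// makeCert signs template with signer and parses the result; self-signed when parent is nil.
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// DaysUntilExpiry returns whole days from now until NotAfter; negative once expired.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// NeedsRenewal is true once fewer than leadDays remain: upload the replacement identity now.
func NeedsRenewal(c *x509.Certificate, now time.Time, leadDays int) bool {
	return DaysUntilExpiry(c, now) < leadDays
}

// ChainValid verifies the leaf a partner server presents against the trusted CA pool for
// the expected hostname. This, not the stored copy of an older leaf, decides outbound HTTPS.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err == nil
}

// TLSAndSMIME reports a certificate usable both as a TLS server identity and for S/MIME.
func TLSAndSMIME(c *x509.Certificate) bool {
	var tls, smime bool
	for _, u := range c.ExtKeyUsage {
		tls = tls || u == x509.ExtKeyUsageServerAuth
		smime = smime || u == x509.ExtKeyUsageEmailProtection
	}
	return tls && smime
}

type Scenario struct {
	Now           time.Time
	Roots         *x509.CertPool
	StoredLeaf    *x509.Certificate // copy uploaded in the partner configuration, now expired
	PresentedLeaf *x509.Certificate // current 47-day leaf the partner's server serves
	CombinedLeaf  *x509.Certificate // one certificate for TLS, signing and encryption
}

// BuildScenario constructs a test CA and three leaves around a fixed "now".
func BuildScenario() Scenario {
	now := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key reused for all test certs
	if err != nil {
		panic(err)
	}
	ca := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &key.PublicKey, key)
	leaf := func(serial int64, notBefore time.Time, days int, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return makeCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: partnerHost},
			DNSNames: []string{partnerHost}, NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}, ca, &key.PublicKey, key)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv, mail := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection
	return Scenario{
		Now: now, Roots: roots,
		StoredLeaf:    leaf(2, now.AddDate(0, 0, -90), 47, srv), // expired 43 days ago
		PresentedLeaf: leaf(3, now.AddDate(0, 0, -10), 47, srv), // 37 days left
		CombinedLeaf:  leaf(4, now.AddDate(0, 0, -10), 47, srv, mail),
	}
}

func main() {
	s := BuildScenario()
	fmt.Println("stored leaf days left:", DaysUntilExpiry(s.StoredLeaf, s.Now),
		"| presented chain valid:", ChainValid(s.PresentedLeaf, s.Roots, partnerHost, s.Now),
		"| combined TLS+S/MIME:", TLSAndSMIME(s.CombinedLeaf))
}
```

Against a real deployment the partner's PEM certificate is loaded with x509.ParseCertificate and the Gateway Server identity is read from the .p12 with a PKCS#12 parser (not part of the Go standard library); the three functions then apply unchanged. The useful observation is that ChainValid passes for the presented leaf even though the stored leaf is 43 days past expiry, which is exactly the outbound behaviour described above, while NeedsRenewal with a lead time of a couple of weeks is the trigger for uploading the new identity before the restart.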

Issue/Introduction

The CA/Browser Forum and the major Certificate Authorities (CAs) have revised the maximum validity period of TLS server certificates. The maximum has just been reduced to 200 days, and will be reduced further to 47 days in 2029. This article discusses the impact of this change on BusinessConnect and BusinessConnect Container Edition.