AS2 Certificates

AS2 utilizes two X.509 Certificates.

One certificate is used to encrypt and protect transmissions to your AS2 HTTPS endpoint and the other is used to encrypt the AS2 message, or payload, that is being exchanged with your trading partner.

The same certificate can be used for both purposes but this isn't recommended. Partner certificates tend to be longer lived while HTTPS endpoint certificates are more regularly expired and updated.

AS2 HTTPS Endpoint Certificate

The AS2 protocol implements an HTTP endpoint that listens for incoming AS2 transmissions from your trading partners.

Just like any other web server, this HTTP endpoint can be protected with encryption by implementing TLS, formerly known as SSL, on the HTTP port.

An X.509 format SSL Certificate is required to implement TLS for your AS2 endpoint. Your site's SSL Certificate is also used for your AS2 endpoint.

By default, your SSL Certificate is generated, managed, and rotated automatically. Your site, including AS2, always uses a valid, correctly chained SSL Certificate, which is renewed every 90 days.

You can choose to use your own SSL certificate for your site and this will also apply to your AS2 endpoint.

The expiration date of the certificate being used for your AS2 endpoint is shown on the AS2 page, allowing you to confirm if the certificate being used is currently valid.

All transmissions to your AS2 endpoint, from any trading partner, are TLS/SSL encrypted using this certificate. Similarly, transmissions that you make to a trading partner's AS2 endpoint are encrypted using their AS2 HTTPS certificate. When configuring trading partners, we provide an option for you to specify the security level of the trading partner's endpoint certificate, so that less secure SSL certificates, such as self-signed ones, can be accepted when connecting to that trading partner.

AS2 HTTPS endpoint certificates, like any other HTTPS SSL certificate, tend to be short lived and updated frequently. It was once common for SSL certificates to be valid for 2 or 3 years, but much shorter durations are now the norm.

AS2 Partner Certificate

The AS2 protocol expects messages to have been encrypted. This encryption ensures that the message can only be read (decrypted) by you. The message can also be digitally signed, which ensures that the sender (your trading partner) is really who they say they are.

Together, encryption and signing provide non-repudiation of the message by explicitly verifying who the message was for (encryption) and who the message is from (signing). Only the receiver can decrypt the message, and a valid signature could only have been applied by the sender.

Each trading partner requires two X.509 format certificates to encrypt and sign AS2 messages. One certificate is their own and the other certificate is their trading partner's.

Each certificate has a public portion and a corresponding private key. Trading partners exchange the public portions of their certificates with each other; the private key is never shared.

The sender encrypts the AS2 message with the recipient's public certificate, and signs the message with the sender's private key.

The recipient decrypts the AS2 message with their own private key, and verifies the signature using the sender's public certificate.
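The key roles described above, as an added example that is not part of this page or of any AS2 implementation: two constructed parties each get a self-signed certificate, the sender encrypts for the recipient's public certificate and signs with its own private key, and the recipient checks the sender certificate's validity dates before verifying the signature and decrypting with its own private key. It uses direct RSA-OAEP and RSA-PSS over a short payload instead of AS2's real CMS (S/MIME) envelopes, so it shows who holds which key rather than the wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party is one trading partner: the private key it never shares plus the certificate it hands out.
type Party struct{ Key *rsa.PrivateKey; Cert *x509.Certificate }

// NewParty makes a self-signed partner certificate valid for `years` (constructed test data).
func NewParty(name string, years int) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(years, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &Party{Key: key, Cert: cert}, err
}

// Send encrypts for the recipient's public certificate, then signs with the sender's private key.
func Send(sender *Party, recipientCert *x509.Certificate, msg []byte) (ct, sig []byte, err error) {
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientCert.PublicKey.(*rsa.PublicKey), msg, nil)
	if err != nil { return nil, nil, err }
	h := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, h[:], nil)
	return ct, sig, err
}
// Receive rejects a sender certificate outside its validity window, verifies the signature
// with the sender's public certificate, and only then decrypts with the recipient's private key.
func Receive(recipient *Party, senderCert *x509.Certificate, ct, sig []byte, now time.Time) ([]byte, error) {
	if now.Before(senderCert.NotBefore) || now.After(senderCert.NotAfter) {
		return nil, fmt.Errorf("sender certificate not valid at %s", now.Format(time.RFC3339))
	}
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(senderCert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Key, ct, nil)
}
```

Real AS2 wraps a symmetric content key in a CMS EnvelopedData structure and signs the content before enveloping it; direct RSA-OAEP limits the payload here to under 190 bytes, which is enough to show the key roles.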

The expiration date of your AS2 partner certificate is shown next to your AS2 Identity on the AS2 page. Each of your AS2 Identities may have its own certificate or a certificate may be shared with multiple AS2 Identities.

The expiration date of your trading partner's AS2 partner certificate is shown next to their entry in the AS2 Trading Partners table on the AS2 page.

Partner certificates tend to be long lived due to the impact of transmission interruptions when updating them. It's common to have partner certificates that are valid for 5 years or longer. Ultimately the duration of partner certificates is agreed upon between you and your trading partner.

