Free cookie consent management tool by TermsFeed The Role of Certificates in AS2 | Aayu Technologies Cookies preferences
Home Blog The Role of Certificates in AS2

The Role of Certificates in AS2

The certificate is an electronic document that organizations can use to employ digital authentication to reliably identify entities (including themselves and remote parties).

Indunil Rajapakse
Indunil Rajapakse

The AS2, or Applicability Statement 2, has turned into one of the most reliable, safe, and widely used methods of delivering and receiving data over the internet. AS2 certificates are digital certificates based on public-key infrastructure (PKI) that allow for safe communication between business partners. Certificates are used in a variety of ways throughout the B2B AS2 transmission. They are essential for making an AS2 connection secure and trustworthy. Certificates are used for data signing and/or encryption, in addition to within the secure socket layer (SSL) for server and/or client authentication.

Understanding certificates’ role in secure AS2 connections

Users can develop and sign their own certificates using software of their choice, or they can use certificates issued and confirmed by a trustworthy certification authority. Therefore, users can choose to have certified certificates if their partners require them, or they can choose to generate self-signed certificates on their own. To send the needed data, AS2 constructs an ‘envelope’ that uses digital certificates and encryption to ensure secure transmission over the Internet. The public key of these certificates must be exchanged with the chosen partner before transmitting data.

AS2 certificates

The certificate is an electronic document that organizations can use to employ digital authentication to reliably identify entities (including themselves and remote parties). A certificate includes identifiable information, such as the certificate’s issuer, shows its expiration date, and provides an issuer-assigned serial number allocated to the certificate known as a serial number.

When an AS2 certificate is created, two algorithmically linked keys are generated: one private key and one public key. The private key is kept in a repository, and the public key needs to be shared with the AS2 message receiver. The public key is used to encrypt data and validate digital signatures. The private key is used for decryption and digital signing, and it is always kept private and secure.

In AS2 transactions, data signing and encryption are always performed with two certificates: your local system certificate (your own private key) and your trading partner’s certificate (certified public key shared by them). The certificates involved are determined by the communication direction (inbound or outbound) and the activity (signing or encryption). Prior to the AS2 transmissions, the relevant certificates must be added to the relevant certificate stores in order to aid in the security of AS2 data transport.

AS2 Encryption and Signing

AS2 certificates are essential for encryption and signing, assuring data security throughout the AS2 communication process. Partners can use one keypair for each purpose, or they can use different keys for each. Data security with AS2 encryption technology has enabled applications to host and send data without fear of unauthorized users intercepting and using it.

In the AS2 encryption process, the receiver needs to share a public key, which is handed to the party delivering the data. The sender first encrypts the data with the receiver’s public key. Following that, the sender transmits the data to the receiver. Finally, the receiver decrypts the data using the private key linked to it.

AS2 can employ data signatures to confirm the sender. The sender signs the data with their own private certificate, which the receiver then uses the sender’s public certificate to verify. This validates the sender’s identity because they should be the only ones who own their private key.

Inbound AS2

The received data has been encrypted by the partner using your public key; therefore, to decrypt it, you will need to use your own system certificate (private key).

The data has been signed by the partner using their private key; hence at your end, you would validate their signature using the partner’s public key certificate.

Outbound AS2

Data is encrypted using the partner’s public key certificate; hence, only the partner with the matching private key can decrypt the data.

The data is signed using your own system private key certificate, so the partner should use your public key (pre-shared with them) to verify your signature.

SSL Certificate

In order to establish trust when connecting to send outbound messages and MDNs, the SSL/TLS certificates are assigned to trading partners’ secure (https://) URLs. HTTPS can provide extra security, such as server and client authentication with SSL/TLS.

A server certificate contains both the public key of the website and information about the site’s identification. To use TLS or SSL encryption, devices attempting to interact with the website require the site’s public key, which identifies the server that hosts the site. This is an important part of the handshake that occurs when your browser connects to a site using TLS or SSL.

Client certificates are used to identify clients or users. It authenticates the client to the server and determines exactly who they are, ensuring that the server is interacting with a legitimate user.

MFT Gateway: certificate management

MFT Gateway provides you with the ability to manage your certificates effectively and conveniently. All certificates imported into MFT Gateway, as well as existing partner certificates, will be displayed in a single UI.

 certificates certificates

Import public and chain certificates

MFT Gateway supports two types of public certificates: trust certificates for AS2 trading partners and HTTPS certificates for network-level communications. The ‘Import Public Certificate’ option allows you to directly import public certificates under the above categories. Public certificates imported from here can be used as encryption, signature verification, and HTTPS certificates for your trading partners.

Import public/private key pair from existing keystore

Use the ‘Import From Keystore’ option to import your existing key pairs into MFT Gateway. This feature presently allows you to import keypairs from keystores in JKS, PKCS12, and PFX formats. You can use imported key pairs as station certificates.

Generate self-Signed certificate

Click the ‘New Certificate’ option and use the ‘Generate Self-Signed Certificate’ view to create a self-signed certificate by filling in the details of your organization and choosing an appropriate validity period. This process is comparable to producing a new key pair for a new trading station. After creating the certificate, you can assign it to your AS2 trading stations using the appropriate creation and update views.

Download certificates

Certificates can be downloaded from the certificate list and information views in PEM, DER-encoded, P7B, and CER formats according to the requirements of your partners and the systems. You can also produce CSRs (certificate signing requests) for self-signed certificates. The.csr file specifies the details for the certificate you want to generate. Share the.csr file with your CA in order to get the new CA-signed certificate, and then assign it back to the relevant ‘Station’ entry. You must make sure to share your new or renewed station certificate with your trading partner(s) in order to exchange messages successfully after the update has been completed.


Having an AS2 certificate is an essential step for businesses seeking to protect their B2B communication connections over AS2 protocol. Businesses can use the MFT Gateway to obtain AS2 certificates that match their security needs while also facilitating seamless data interchange with trading partners via AS2 protocol .

Profile Card
Indunil Rajapakse

Indunil Rajapakse

Indunil is a senior quality assurance engineer with 5 years of experience in the software industry, engaging in test-related activities in B2B communication. Outside of work, she loves gardening, making food, and spending time with pets.

MFT gateway
AS2 Connection as a service for B2B EDI/ file transfer
Start Free Trial View Pricing