Demystifying AS2 Certificates

Person using AS2 and AS2 Certificates

In this article, we'll cover:

What is AS2?

AS2 (Applicability Statement 2) is an HTTP-based protocol for securely, inexpensively, and quickly transmitting messages (particularly EDI messages). AS2 has become the most broadly used EDI protocol in many industries, including consumer goods and retail, over the last 20 years.

How does AS2 work?

AS2 is a standard by which users transfer EDI or other data, such as Extensible Markup Language (XML) or plain text documents, over the Internet using HTTP and HTTPS.  AS2 is a global method for transporting data used by millions of businesses worldwide, including most major retailers including Amazon, Target, and Bed Bath & Beyond. Walmart was the first major retailer to require its suppliers to use the AS2 protocol effectively replacing dial-up modems for ordering goods. AS2 communication has remained one of the most prominent communication protocols ever since.

How do you create an AS2 connection?

To create an AS2 connection there are several required components: two computers, a server, and a client.  Both computers connect to the Internet via a point-to-point connection. To transmit the desired data, AS2 creates an 'envelope' that allows for secure transmission via the Internet using both digital certificates and encryption.

Why Choose AS2 communication?

AS2 connection offers increased verification and security achieved using receipts, digital signatures, and file encryption. Its transactions and acknowledgments occur in real-time, increasing the efficiency of document exchanges. Because of its expansive security features and reliable, flexible transmission capabilities, AS2 is one of the most popular and mandated protocols in the business world.  Organizations use AS2 to facilitate EDI transactions (purchase orders, advanced shipment notices, invoices), and other standardized messages. With its ability to securely exchange documents quickly and reliably over the Internet, AS2 has been widely adopted across industries. 

What are the benefits of AS2?

AS2 provides many benefits in order to power business exchanges and securely facilitate data exchanges with customers, suppliers, and partners. Learn more about the essentials of an AS2 Connector from a more in-depth coverage.

  • Added security/privacy: End-to-end data encryption ensures the information in transit is secure. SSL encryption on the pipe, as well as hashing, also deliver added security.
  • Flexibility: Almost any type of data can be transmitted.
  • Authentication: Digital signatures validate the authenticity and integrity of a message or digital document.
  • Nonrepudiation: The use of digital certificates confirms the document was actually sent by the claimed sender, and just as important, received by the intended recipient.
  • Confirmation: The AS2 standard provides a status message called the Message Disposition Notification (MDN) to indicate whether the document was successfully delivered.
  • Low cost: Facilitates point-to-point communication thereby reducing the need to outsource to managed services. It's very much like directly dialing long distance from your phone as opposed to seeking assistance from a phone company operator to place a call.

Understanding As2 Certificates

When using electronic data interchange (EDI) software or MFT file transfer solutions, digital certificates can be used to secure data transfers between systems. Certificates can encrypt the data transfer in multiple ways.  First, the data itself could be encrypted, making it unreadable by any receiving system unless it has the proper decryption key. Second, the communication channel that the data is being sent through could be encrypted.  Third, AS2 encryption could apply to both the data and communications channel.  It is common for certificates to secure AS2 communication (data encryption) or SSL connections (communication channel encryption).

AS2 Encryption and Signing

AS2 communications will often use certificates to secure data via encryption, based on public and private keys.  The receiver of the AS2 secured data has a private key that either they created themselves or purchased from a certificate authority.  From this private key, the receiver will export a public key that is given to the party sending the data.  The execution begins with the sender encrypting the data using the receiver's public key.  Next, the data is transmitted by the sender to the receiver.  Last, the receiver decrypts the data using their associated private key.

A digital certificate can be either self-signed or part of a certificate chain.  A "self-signed" certificate does not require a chain and is self-sufficient.  A certificate that is part of a "chain" (consisting of a Root Certificate, Intermediate Certificate, and Leaf Certificate - the part of the certificate that is most often worked with) requires the higher-level certificates to also exist on the system.  Often, the root (primary) and intermediate certificates are already on each user's system and do not need to be sent when exchanging leaf certificates.  If not, then the receiver would send the associated root and intermediate certificates needed to complete the chain, to the sender.

AS2 can also sign data to verify the sender, based on certificates.  The sender signs the data using their own private certificate that is then verified by the receiver against the sender's public certificate.  This verifies the sender's identity, as they should be the only entity to own their private key.

Securing data through AS2 encryption technologies has made it possible for applications to host and transmit data without concern that unauthorized users may intercept and use this data without the necessary decryption and authorization. 



How to Find the Best AS2 Software

If you're considering MFT service options for your organization, refer to our guide on how to find the perfect MFT provider with just 10 questions.

Would you purchase a vehicle - the one that carts your entire family around - that had been rigorously tested for head-on collisions but not for side-impact crashes, which account for about 25% of all traffic collisions?

Would you count on a watch that told the right time but, only most of the time? What if the balance wheel or hairspring inside these mechanical devices was only tested for a limited number of altitudes or climates? Would you buy it?

The majority of companies go through appropriate testing processes to validate the functionality, safety, and usability of their products. But if they just certify the main features - the ones they deem important - does that really mean the product is certified?

The Drummond Group certifies a number of advanced communication protocols, AS2 being one of them, and not many AS2 software vendors go through every Drummond test, even the optional ones.

So, start with Drummond and work your way backward.

Why Cleo is #1 for AS2

Cleo's AS2 has been Drummond Group-certified since 2002 — passing every test, every time. Cleo's certification includes the optional tests for critical features every AS2 protocol should have, including:

Certificate Exchange Messaging (CEM) for automated certificate management

AS2 Restart or a more efficient and reliable transfer of large files

Chunked Transfer-Encoding

Filename Preservation with Multiple Attachments


SHA-2 for the emerging requirement for signing messages using secure hash algorithm 2


Some notes about three advanced features in leading AS2 software solutions:

• Automated certificate management: CEM was an initiative begun in 2003 to automate the certificate exchange process, and interest in CEM-capable solutions continues to grow because of the significant time savings compared with the manual replacement effort. Perhaps even better, it helps to ensure no communication downtime between you and your valued customers and critical supply chain.

AS2 Restart: This feature eliminates the need to resend the entire message when connections fail. The server picks up where the transmission left off, saving time and system resources. This is especially true when a communication hiccup occurs 80% of the way through a very large file. Why resend all of the data that already successfully made it through?

SHA-2 compliant: Canada's Telecom Decision CRTC 2015-435 mandates TSPs to use SHA-2 encryption by mid-2016. Few data exchange companies have been certified in every Drummond SHA-2 test since that option was introduced in 2012, and the use of SHA-2 encryption is only gaining in popularity.

Ask Microsoft and Facebook.

Leading MFT vendors test to ensure customers and partners get the most value for their money and can have full faith that the software will work for all of their business needs, now and in the future.

Coupled with the fastest setup (within two hours) of an AS2 connection, these are just some of the reasons Cleo became the favorite AS2 vendor for Walmart suppliers in the wake of the retail giant's 2002 mandate. Cleo led the way with standards work and Walmart to make AS2 implementation happen on a much bigger scale.

We've got much more reading on the history of AS2 and what leading organizations look for when choosing AS2 software. And remember, not all AS2 - and not even all certified AS2 software - is equally able to serve your organization's requirements.

See how our AS2 solution works

about cleo
About Cleo
Cleo helps organizations quickly onboard and automate every API and EDI integration directly into any back-office application and gain complete end-to-end visibility for every B2B transaction.
Learn More
Instantly access demo videos
Discover how Cleo is helping thousands of organizations take control over their B2B supply chain integrations.
View Demo
We hope you enjoyed reading this blog post.
If you’re ready to learn what Cleo can do for you, just reach out!
Contact Us Today