Demystifying AS2 Certificates
Please note: This post originally appeared on Extol.com (EXTOL has been acquired by Cleo).
In Electronic Data Interchange (EDI), digital certificates can be used to secure data transfers between systems. The keys behind those certificates can protect a transfer in several ways. First, the data itself can be encrypted, making it unreadable by any receiving system that does not hold the proper decryption key. Second, the communication channel over which the data is sent can be encrypted. Third, both the data and the communication channel can be encrypted. It is common for certificates to secure AS2 communication (data encryption) or SSL connections (communication channel encryption).
AS2 communications often use certificates to secure data via encryption based on public and private keys. The receiver of the AS2-secured data holds a private key, either one they generated themselves or one backed by a certificate purchased from a certificate authority. From this key pair the receiver exports a public key (as a certificate) that is given to the party sending the data. The exchange begins with the sender encrypting the data using the receiver's public key. Next, the data is transmitted from sender to receiver. Last, the receiver decrypts the data using the matching private key.
A digital certificate can be either self-signed or part of a certificate chain. A "self-signed" certificate does not require a chain and is self-sufficient. A certificate that is part of a "chain" (consisting of a Root Certificate, an Intermediate Certificate, and a Leaf Certificate – the part of the chain that is most often worked with) requires the higher-level certificates to also exist on the system. Often the root (primary) and intermediate certificates are already present on each user's system and do not need to be sent when exchanging leaf certificates. If they are not, the receiver sends the sender the root and intermediate certificates needed to complete the chain.
AS2 can also sign data to verify the sender, again based on certificates. The sender signs the data using their own private key, and the receiver verifies the signature against the sender's public certificate. This verifies the sender's identity, as they should be the only entity holding that private key.
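The two operations described above, encrypting with the receiver's public key and signing with the sender's private key, as an added Go example that is not the post's or EXTOL's code. It uses raw RSA key pairs in place of certificates and a simplified envelope rather than the S/MIME structure a real AS2 message carries (AS2 uses a random symmetric key to encrypt the payload and wraps that key for the receiver, which the example mirrors). The EDI payload string is constructed, and the function and type names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope stands in for the S/MIME structure AS2 carries: the AES key wrapped for
// the receiver, the AES-GCM nonce and ciphertext, and the sender's signature.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// newKeyPair generates an RSA key pair; the public half is what a partner
// would receive inside a certificate.
func newKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// seal runs the sender's side: sign the payload with the sender's private key, then
// encrypt it under a fresh AES key that only the receiver's private key can unwrap.
func seal(payload []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Only the holder of the receiver's private key can recover aesKey.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil), Signature: sig}, nil
}

// open runs the receiver's side: unwrap the AES key with the receiver's private key,
// decrypt, then confirm the sender's identity by checking the signature.
func open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: not the intended receiver")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext altered or wrong key")
	}
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: sender identity not confirmed")
	}
	return payload, nil
}

func main() {
	sender, receiver, impostor := newKeyPair(), newKeyPair(), newKeyPair()
	env, err := seal([]byte("ISA*00*constructed EDI payload~"), sender, &receiver.PublicKey) // constructed
	if err != nil {
		panic(err)
	}
	out, err := open(env, receiver, &sender.PublicKey)
	fmt.Printf("genuine sender:  %q %v\n", out, err)
	_, err = open(env, receiver, &impostor.PublicKey)
	fmt.Println("impostor sender:", err)
}
```

Note the order: a wrong receiver key fails at the unwrap step, a tampered ciphertext fails at AES-GCM's integrity check, and a payload signed by anyone but the expected sender fails at signature verification, so a message only reaches the application when both properties the post describes hold.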
Securing data through encryption technologies such as AS2 has made it possible for applications to host and transmit data without concern that unauthorized users who intercept it could read or use it, since they lack the necessary decryption key and authorization.