To send
new certificates to your trading partner(s) via EDIINT Certificate Exchange Messaging, the
following pre-requisites must be satisfied:
- The trading partner relationships must already exist. EDIINT Certificate Exchange
Messaging may only be used to upgrade certificates in established trading relationships.
- Your trading partner(s) must be capable of sending and receiving EDIINT Certificate
Exchange Messages (that is, for AS2-CEM protocols only).
If either of these pre-requisites has not been satisfied, you can still use the
Certificate Exchange dialog boxes, but the certificates are sent using
Email instead. See Exchanging certificates with your trading partner. See Non-CEM capable trading partners
for further information.
- Open the Certificate Exchange dialog box. In the web UI, go to . In the native UI, click Certificates in the menu
bar to display the Certificate Manager, and then in the
Certificate Manager, go to .
The My Certs tab appears.
- In the My Certs tab, select the AS2-CEM trading partner(s) you
want to exchange with.
- In the Command menu, select Send New Certificates, and then
click Proceed.
The Send Local Certificates dialog box appears, allowing you to
select certificates for this trading relationship.
- Select certificates.
- Before you enter information to select certificates, you might have to enable
fields, except for the Signing Certificate fields, which are always enabled.
To enable the Encryption Certificate Alias fields, clear
the Use Signing Certificate check box. Clearing this check box
means you choose to use separate certificates for signing and encryption. If you leave
this check box selected, the certificate you select as the signing certificate is also
used for encryption.
To enable the SSL Client Certificate Alias fields, select
the Send SSL Client Certificate check box.
To enable the SSL Server Certificate Alias fields, select
the Send SSL Server Certificate check box.
If a certificate is already pending from a previous certificate exchange, the
fields and the Browse button for that certificate are not
enabled.
- For each certificate you want to send, type a certificate alias name in the
Alias field or click Browse to
navigate to a certificate and select it.
- The Send button is enabled only if previous messages from the
trading partner have included a specific header indicating that the partner is
CEM-capable. You can verify this capability by ensuring that the Partner Is
CEM-Capable setting in the panel is set to True.
If the partner has specifically requested the exchange of new certificates using EDIINT
Certificate Exchange Messaging but Send is not enabled, select
the Partner Is CEM-Capable option to force sending of the new
certificates via EDIINT Certificate Exchange Messaging.
- Click Send to send the Certificate
Request message.
A confirmation dialog box appears.
- Click Yes to verify the certificates you selected are the ones
you want to send.
If any of the specified certificates are already active (that is, installed) for this
trading relationship, an additional confirmation dialog box appears asking if you want
to send the installed certificates.
- Click Yes to send all new and previously installed certificates
to your trading partner.
Click No to send only the newly selected certificates to your
trading partner.
If all the selected certificates are already installed, clicking
No returns you to the previous Send Local
Certificates panel allowing you to either choose new certificates to send to
your trading partner or to cancel the send operation altogether.
- The My Certs tab appears and, if the Certificate Request is
successfully sent, its status is set to Pending.
If an error occurred, you can correct any issues, select the partner entry, and click
Retry.
- Click Close.
The status of the Certificate Request is set to Pending if it
was successfully sent. (If an error occurred, the Certificate Request message can be
re-sent after correcting the problem, if possible, by selecting the partner entry and
invoking Retry.)
The new certificates are displayed in the panel with the current certificates and are
not editable until after certificate acceptance and your trading partner begins
encrypting with the new encryption certificate.
If a new SSL Server certificate was sent, the new certificate is displayed in the Local
Listener’s HTTP panel with the current certificate. Certificate
Alias is read-only until all HTTP partners have received and accepted the
new certificate. Once this has occurred, the new SSL Server certificate is
automatically installed (normally within five minutes).
Since only one HTTP SSL Server certificate can be active at any time, the new SSL
Server certificate is the only certificate that can be sent for all subsequent Certificate
Exchange Messages.