Sign in
< Back to User Guide Top

Exchanging certificates with your trading partner

There are several methods to exchange certificates with trading partners, including email and EDIINT Certificate Exchange Messaging (CEM).

CEM was developed through a Drummond Group initiative to automate the secure exchange of public-key certificates between trading partners over the internet. Since the structure of a CEM is of a specific format (currently only supported in AS2), CEMs should only be sent to trading partners capable of receiving and processing them. The Cleo HarmonyCleo VLTrader, and Cleo LexiCom applications are CEM-capable and can successfully process properly formed messages. CEMs should only be used to update existing certificates in an established trading partner relationship. The initial exchange of certificates for new trading partner relationships should be done out-of-band, for example, through the Email Profile Utility - see Emailing a profile to your trading partner.

Displaying the certificate exchange dialog box

There are several ways to launch the Certificate Exchange dialog box:

  • From the Certificate Manager window, choose the Tools > Exchange Certificates option. 
  • From the host tree, select a mailbox, right-click and select Exchange Certificates  
  • From the Certificates panel, click Exchange Certificates.

Additional certificate filtering

Independent of the current Protocol and Status filter settings, you can filter records containing specified certificates by clicking More Filters...

Each certificate field in the pull-down list contains all the certificates (for that field's type) that are currently defined in the table.  

Selecting a certificate for one or more certificate fields and clicking OK will cause records containing only the specified certificate(s) to be displayed.

To disable filtering on the previously selected certificate(s), click More Filters... again and then click Clear.

To hide all ‘Disabled’ and/or ‘Undefined’ status entries in the table view, check the appropriate selection.

After clicking OK, all entries with a status of ‘Disabled’ or ‘Undefined’ will no longer  be displayed.

Sending certificate exchange messages

To send new certificates to your trading partner(s) via EDIINT Certificate Exchange Messaging, the following pre-requisites must be satisfied:

  • The trading partner relationships must already exist.  EDIINT Certificate Exchange Messaging may only be used to upgrade certificates in established trading relationships.
  • Your trading partner(s) must be capable of sending and receiving EDIINT Certificate Exchange Messages (that is, for AS2-CEMprotocols only).

If either of these pre-requisites has not been satisfied, you can still use the Certificate Exchange dialog boxes, but the certificates are sent using Email instead. See Exchanging certificates with your trading partner. See Non-CEM capable trading partners for further information.

  1. Open the Certificate Exchange dialog box. In the web UI, go to Administration > Cerfiticate Management > Certificate Exchange. In the native UI, click Certificates in the menu bar to display the Certificate Manager, and then in the Certificate Manager, go to Tools > Exchange Certificates.
    The My Certs tab appears.
  2. In the My Certs tab, select the AS2-CEM trading partner(s) you want to exchange with.
  3. In the Command menu, select Send New Certificates, and then click Proceed.
    The Send Local Certificates dialog box appears, allowing you to select certificates for this trading relationship.
  4. Select certificates.
    1. Before you enter information to select certificates, you might have to enable fields, except for the Signing Certificate fields, which are always enabled.
      To enable the Encryption Certificate Alias fields, clear the Use Signing Certificate check box. Clearing this check box means you choose to use separate certificates for signing and encryption. If you leave this check box selected, the certificate you select as the signing certificate is also used for encryption.
      To enable the SSL Client Certificate Alias fields, select the Send SSL Client Certificate check box.
      To enable the SSL Serer Certificate Alias fields, select the Send SSL Server Certificate check box.
      If a certificate is already pending from a previous certificate exchange, the fields and the Browse button for that certificate are not enabled. 
    2. For each certificate you want to send, type a certificate alias name in the Alias field or click Browse to navigate to a certificate and select it.
  5. The Send button is enabled only if previous messages from the trading partner have included a specific header indicating that the partner is CEM-capable. You can verify this capability by ensuring that the Partner Is CEM-Capable setting in the Host > AS2panel is set to True.

    If the partner has specifically requested the exchange of new certificates using EDIINT Certificate Exchange Messaging but Send is not enabled, select the Partner Is CEM-Capable option to force sending of the new certificates via EDIINT Certificate Exchange Messaging.

  6. Click Send, click it to send the Certificate Request message.
     
    A confirmation dialog box appears.
  7. Click Yes to verify the certificates you selected are the ones you want to send.

    If any of the specified certificates are already active (that is, installed) for this trading relationship, an additional confirmation dialog box appears asking if you want to send the installed certificates.

  8. Click Yes to send all new and previously installed certificates to your trading parter.
    Click No to send only the newly selected certificates to your trading partner.
    If all the selected certificates are already installed, clicking No returns you to the previous Send Local Certificates panel allowing you to either choose new certificates to send to your trading partner or to cancel the send operation altogether.
     
  9. The My Certs tab appears and, if the Certificate Request is successfully sent, its status is set to Pending.
    If an error occurred, you can correct any issues, select the partner entry, and click Retry.
  10. Click Close.

    The status of the Certificate Request is set to Pending if it was successfully sent.  (If an error occurred, the Certificate Request message can be re-sent after correcting the problem, if possible, by selecting the partner entry and invoking Retry.)

    The new certificates are displayed in the panel with the current certificates and are be editable until after certificate acceptance and your trading partner begins encrypting with the new encryption certificate.

    If a new SSL Server certificate was sent, the new certificate is displayed in the Local Listener’s HTTP panel with the current certificate. Certificate Alias is read-only until all HTTP partners have received and accepted the new certificate.  Once this has occurred, the new SSL Server certificate is automatically installed (normally within five-minutes).    

    Since only one HTTP SSL Server certificate can be active at any time, the new SSL Server certificate is the only certificate that can sent for all subsequent Certificate Exchange Messages.

Receiving inbound EDIINT CEM responses

When a response to the Certificate Request message has been received and the partner has accepted all the new certificates, an email notification will is sent to the email addresses specified in the Admin Email Address field on the Other tab in Configure System Options panel, the status of the partner record is set to Active and the appropriate statuses of the certificates can be viewed using the tool tips (by using the cursor to mouse-over the desired certificates). See Other system options.

The new SSL certificate remains in an "accepted/pending" state until it has been exchanged with and accepted by all trading partners using HTTP/s.

Note: Your trading partner should respond to the Certificate Request within the Maximum Allowed CEM Response Days specified in the Local Listener Advanced Panel. See Specifying Local Listener advanced properties. If this time period is exceeded without a response, an email notification will be sent to the email address(es) specified in the Admin Email Address field on the Other tab in Configure System Options panel , and the status will be set to Expired.  See Other system options. Since it is possible that your trading partner may not be able to respond to your CEM requests, you should contact him to determine why a timely response has not been received. You may need to resend your CEM request or distribute your new certificate(s) through another method.  Once your  trading partner has verified that he has installed your new certificates, you should then manually switch this trading relationship to the new certificates using the ‘Set As Active’ command in the Certificate Exchange dialog.

Using the local encryption certificate for the first time

Since the partner might not always begin using the newly-accepted certificate immediately, messages received by the trading partner might be decrypted with either the old certificate (CLEO-ENCRYPT) or the newly accepted certificate (CLEO).  Once an encrypted message is received from the trading partner using the new certificate (referred to as “first-usage”), it is automatically installed as the active certificate in the panel.

Receiving inbound EDIINT CEM requests

When you receive an inbound Certificate Request message from your trading partner:

  1. An email notification of the inbound Certificate Request (CEM) message is sent to the email addresses specified in the Admin Email Address field on the Other tab in Configure System Options panel with information about the received certificates and the "Respond By" date by which a response should be sent. See Other system options
  2. The received certificates are stored in the certs\pending folder until they are either accepted or rejected; or manually installed by you when it is deemed necessary.
  3. The status of the partner record in the Trading Partner Certs panel is set to Pending.
  4. The Signing Certificate field is updated to indicate that there is a new pending certificate, although it is not used to validate signed messages until after it has been accepted.  Likewise, the encryption field is not updated until after the new encryption certificate is accepted.

Auto-accepting inbound EDIINT CEM requests

You can choose to auto-accept inbound Certificate Request messages from any or all of your trading partners by selecting the Auto Accept Received Certificate (CEM) Advanced property in the Local Listener panel.  This system-wide setting can be overridden at the host level by selecting the Override Listener CEM Auto Accept setting, allowing you to limit auto-accepting to only the desired trading partners.

Responding to inbound EDIINT CEM requests

After a new Certificate Request has been received by your trading partner and auto-accept has not been enabled (see Auto-accepting inbound EDIINT CEM requests), the pending certificates can be viewed by either right-clicking on the individual partner's record and choosing the Display option, or by double-clicking on the partner record.  A panel showing all active and pending certificates is displayed.

After viewing the newly-received certificates, you can choose to either Accept or Reject any or all the received certificates by selecting the partner record in the Trading Partner Certs panel, invoking the desired command option and then clicking Proceed...:

If you choose Accept, you will be given the option to accept any or all of the pending certificates.  (Likewise, if you choose Reject, you will be given the option to reject any or all of the received pending certificates.)

If the certificates are accepted, the old encryption, SSL client and SSL server certificates (if applicable) will be archived in the certs\archive directory and the newly received certificates will be installed and activated and the status of the partner record will be set to Active.

Using the partner's signing certificate for the first time

Since the partner might not always immediately begin signing with the newly-accepted signing certificate, the signatures of the messages received by the trading partner can be verified with either the original or newly-accepted partner signing certificates.  Once a message received from the trading partner has been signed with the newly-accepted signing certificate (referred to as “first-usage”), it is automatically installed as the active certificate in the panel and the original signing certificate is archived in the certs\archive directory.

CEM-specific email alerts

The following email alerts are generated and sent to the email addresses specified in the Admin Email Address field (see System) on the Other tab in Configure System Options panel when the following events occur:

  1. An inbound CEM Request message is received by a trading partner and auto-accept has not been enabled. (See Auto-accepting inbound EDIINT CEM requests.)
  2. An inbound CEM Response message is received by a trading partner.
  3. An inbound CEM Response message has not been received by the trading partner in response to a previously pending CEM Request before the locally specified 'Respond By' date (from the originally received CEM Request message). Daily email alerts will continue to be sent until the response is received or some other manual intervention is taken.
  4. An outbound CEM Response message has not been sent in response to a trading partner's previously pending CEM Request before the trading partner's specified 'Respond By' date. Daily email alerts will continue to be sent until the response is sent or some other manual intervention is taken.

Additionally, daily email alerts are sent for the following scenarios:

  1. An inbound CEM Request message has been received by a trading partner and still requires a response and it is still before the trading partner's specified 'Respond By' date.
  2. The pending SSL Server Certificate still needs to be sent and/or accepted by some of your trading partners.  Since only one SSL Server Certificate may be active, the pending certificate cannot be installed until all trading partners using the current SSL certificate have received and have accepted the pending SSL certificate.  Once this has occurred, the Local Listener will automatically install (normally within five minutes) and begin using the pending SSL certificate.
  3. One or more of your trading partners has rejected the pending SSL Server Certificate.  Since the new SSL Server Certificate cannot be activated in the Local Listener while it has a Rejected status for any trading partner relationships, you should contact these trading partners to resolve any issues and then manually set the status to Active by selecting the Set As Active command option in the My Certs panel and then click Proceed...
  4. More than one unique SSL Server Certificate has been accepted by your trading partners. Only one SSL Server Certificate can be defined in the Local Listener for HTTP/s or FTP/s (Cleo Harmony and Cleo VLTrader only), however different SSL Server Certificates can be specified for the HTTP/s and FTP/s protocols.

Non-CEM capable trading partners

The Certificate Exchange Dialog can be used to exchange certificates with non-CEM capable trading partners (that is, for protocols other than AS2-CEM) or when setting up initial trading partner relationships by sending the certificates via email.

Select the appropriate certificates to send to your trading partner just as you would do when sending certificates to your CEM-capable trading partners, but click Email instead of Send.

The following dialog is displayed.  See Emailing a profile to your trading partner for more information.

When you click Send, the following confirmation dialog box is displayed allowing verification of the new certificates before sending them to your trading partner:

 

Additionally, if the Partner's Email Address is not currently set in the Host's Advanced Panel, the following prompt is displayed, allowing you to update that property with the currently defined 'To:' email address:

Once the certificates have been successfully sent, the status of certificates in the My Certs panel is set to Emailed.

 

After you have received notification that your trading partner has verified and installed your new certificates, they should manually be activated by selecting the trading partner’s record in the My Certs panel, choosing the Set As Active command option and then clicking Proceed...:

 

Related articles

Comments

0 comments

Please sign in to leave a comment.