Once you have gathered the required setup information, you can configure your Stedi AS2 connection.

Enable your AS2 server

If you only need to send transactions to your trading partners over AS2, you can skip this section.

If you plan on receiving transactions from your trading partners over AS2, you must first enable inbound AS2 for your account. This process will provision a unique server URL for you to share with your partners.

To enable inbound AS2:

  1. Go to the Core > Settings page.
  2. Click Enable inbound AS2. This process can take several minutes to complete. When finished, your server’s URL will be displayed.

After your AS2 server is provisioned, you can choose to Disable inbound AS2. If you do, your server’s URL will change when re-enabled later. This action can cause disruption in the transmission of data from your trading partner.

Choose your AS2 identifier

The AS2 protocol requires that the sender and receiver provide each other with AS2 IDs to help identify and route transactions during the AS2 file exchange process.

Your partner will provide their AS2 ID during the onboarding process.

There is no central authority that registers or tracks AS2 IDs, so you can choose any value you like. You should choose a value that is unlikely to be used by other companies. It’s common to use the same value that you chose for your ISA ID when you created your Local profile.

An AS2 ID must be between 1 and 128 printable ASCII characters (except double quote or backslash), and is case sensitive. It’s customary to use all capitalized letters and include no spaces.

Create an AS2 connection

Creating an AS2 connection provisions all the resources required to send and receive data using the AS2 protocol. You can only create one AS2 connection per partnership.

To create an AS2 connection:

  1. Go to the Trading partners page.
  2. Click the partnership where you want to add the connection.
  3. Click Create connection.
  4. Select AS2 as the Connection type.
  5. Enter a Connection name.
  6. Enter your AS2 ID as the Local AS2 profile identifier.
  7. (Optional) Under Local profile signing credentials you can upload the three different certificates required:
    • Certificate: Your public signing certificate
    • Private Key: Your private signing key
    • Certificate chain: Only required if you are using certificates and keys generated by a trusted certificate authority (CA)
  8. (Optional) By default, your Local profile encryption credentials use the same data you supplied for your local signing credentials. If you are using a different certificate and key for encryption, toggle Same as signing credentials to OFF and supply:
    • Certificate: Your public encryption certificate
    • Private Key: Your private encryption key
    • Certificate chain: Only required if you are using certificates and keys generated by a trusted certificate authority (CA)
  9. Enter your trading partner’s AS2 ID as the Partner AS2 profile identifier.
  10. (Optional) Under Partner profile signing credentials, you can upload the two different certificates:
    • Certificate: Your trading partners’ signing certificate
    • Certificate chain: Only required when your trading partners are using certificates and keys generated by a trusted certificate authority (CA).
  11. (Optional) By default, the Partner profile encryption credentials use the same data you supplied for your partner signing credentials. If your trading partner is using a different certificate and key for encryption, toggle Same as signing credentials to OFF and supply:
    • Certificate: Your trading partner’s public encryption certificate
    • Certificate chain: Only required when your trading partner is using certificates and keys generated by a trusted certificate authority (CA)
  12. (Optional) If you plan to send data to your trading partner, set the Enable AS2 outbound to ON and enter the Partner AS2 server URL, the MDN response, and Encryption algorithm.
    • (Optional) If your trading partner requires Basic authentication, click Advanced > Enable basic access authentication, and enter the Username and Password.
  13. (Optional) If you plan to receive data from your trading partner, set the Enable AS2 inbound to ON and enter the Encryption algorithm.
  14. Click Create connection. You must enable one or both of the Inbound and Outbound sections before you can create the connection.

Certificates and keys

Before you configure your AS2 connection, you need to prepare the certificates that you will use. This involves generating your own certificates as well as requesting certificates from your trading partner.

A certificate consists of both a public key and a private key. In AS2, there are two types of certificates:

  • Signing certificate: This certificate allows you and your partners to verify the message sender’s identity.
  • Encryption certificate: This certificate allows you and your trading partners to encrypt and decrypt messages.

Some partners require two certificates – one for signing and one for encryption. Others may want you to use the same certificate for both tasks. For example, Walmart’s AS2 portal only asks you to upload a single certificate. Follow the instructions from your trading partner when defining your AS2 configuration.

If either you or your partner are using a certificate issued by a third-party Certificate Authority (CA), you can skip the certificate creation steps and use the provided certificate and key directly.

If you are sending files to a trading partner’s HTTPS endpoint, you must use an SSL certificate signed by a publicly-trusted certificate authority (CA). Self-signed certificates for HTTPS are not currently supported.

Certificates with the following cryptographic algorithms and key sizes are supported:

  • 2048-bit RSA
  • 4096-bit RSA

Convert certificates and keys between formats

The format in which the encryption materials are provided to you by your trading partner may be different than the PEM format that Stedi AS2 requires. You can use OpenSSL utilities to convert certificates and keys between different formats.

Convert CRT to PEM:

openssl x509 -in cert.crt -out cert.pem

Convert CER to PEM:

openssl x509 -in cert.cer -out cert.pem

Convert DER to PEM:

openssl x509 -inform der -in cert.der -out cert.pem

Create your signing and encryption certificates

If your trading partner requires unique certificates for signing and encryption, run the command twice. For each run, change the key names to indicate whether they are for signing or encryption. For example, use acme-signing-private.pem for the first run and acme-encryption-private.pem for the second run.

Create a new certificate. The -days option specifies the number of days the certificate will remain valid.

openssl req -x509 -newkey rsa:4096 -keyout <PRIVATE_KEY_NAME>.pem \
    -out <PUBLIC_KEY_NAME>.pem -sha256 -days 365 -nodes

Enter information to identify your organization. You don’t need to fill out all the fields, but you should specify what you can.
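
Before uploading the files, you can confirm that they meet the requirements on this page: PEM format, a 2048-bit or 4096-bit RSA key, and a private key that belongs to the certificate. The script below is an added example, not part of Stedi's documentation; the function name check_as2_pair and the file names you pass to it are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload checks for an AS2 certificate/private-key pair.
# check_as2_pair is a hypothetical helper; it uses only standard openssl subcommands.
# Usage: check_as2_pair <certificate.pem> <private-key.pem>
# Prints one line per finding and returns 0 only when every check passes.
check_as2_pair() {
    cert=$1
    key=$2
    rc=0

    # 1. The certificate must already be PEM (convert CRT/CER/DER files first).
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not a PEM certificate"
        return 1
    fi
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # 2. Only 2048-bit and 4096-bit RSA keys are supported.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        case $bits in
            2048|4096) echo "ok: RSA $bits-bit key" ;;
            *) echo "FAIL: RSA $bits-bit key is not a supported size"; rc=1 ;;
        esac
    else
        echo "FAIL: certificate key is not RSA"; rc=1
    fi

    # 3. The certificate must not have expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "ok: certificate has not expired"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi

    # 4. The private key must belong to the certificate: both must yield
    #    the same public key. An empty -passin avoids a passphrase prompt.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok: private key matches certificate"
    else
        echo "FAIL: private key is unreadable, encrypted, or does not match"; rc=1
    fi
    return $rc
}
```

Run it once per pair, for example once for the signing files and once for the encryption files if your partner requires separate certificates.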

Static IP addresses

All AS2 connections in your Stedi account use the same set of static IP addresses for outbound EDI. If you need to allowlist these addresses, please contact customer success for a full list.
