
 Certificate Exchange Messaging

Digital certificates are at the heart of eBusiness security. AS2, ebMS and other business transport applications utilize certificates to provide digital signatures and encryption.

How does it work? Companies must receive and install certificates before messages can be exchanged with trading partners. However, as a security precaution, certificates usually expire after 3-5 years. As a certificate nears expiration, a new certificate must be created, exchanged and installed with each trading partner. A company cannot continue trading with a partner until the new certificate is loaded into the partner's B2B application, so any mix-up, such as a trading partner loading the new certificate incorrectly, stops transactions until the issue is resolved.

An initiative to automate the certificate exchange messaging (CEM) process was begun in 2003 by the eCom Technology Group (eTG, formerly known as ecGIF) within GS1. The CEM standard is a protocol for distributing digital certificates to trading partners over AS2. CEM uses a request/response model of communication. A CEM request sent to a trading partner contains a new certificate together with instructions on how the certificate should be used (e.g. digital signatures) and when the CEM response must be returned. The CEM response is then returned with a status value indicating whether the certificate was accepted and loaded or rejected. CEM also requires implementing products to maintain both the new and the old certificate, and to be capable of using either in trading until the old certificate's actual expiration date. This is significant because a company then does not need all of its trading partners to switch to the new certificate simultaneously.

CEM is now an Internet-Draft within the IETF. It has been adopted and interoperability tested by several different AS2 vendors. There is growing interest and demand from supply chains for CEM because of the significant time savings it provides by replacing the manual effort. Certificates can be specified for use in digital signatures, data encryption or SSL/TLS over HTTP (HTTPS).
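As an added illustration (not code from this page, from the Internet-Draft, or from DGI), a simplified Python model of the request/response exchange and the old-plus-new certificate handling described above: a request carrying a certificate, its usages and a response deadline is validated before it touches the store, and a message arriving during the overlap period can be resolved against either certificate until the old one expires. The class and field names, status strings and sample certificate labels are assumptions, not the draft's XML, and all dates are constructed.

```python
from dataclasses import dataclass

VALID_USAGES = frozenset({"signature", "encryption", "tls"})  # usages a request may name

@dataclass(frozen=True)
class Cert:
    cert_id: str         # constructed label standing in for issuer + serial number
    usages: frozenset    # subset of VALID_USAGES
    not_after: str       # ISO date "YYYY-MM-DD"; ISO strings compare correctly as text

@dataclass
class CemRequest:
    partner: str
    cert: Cert
    respond_by: str      # date by which the CEM response must be returned

@dataclass
class CemResponse:
    cert_id: str
    status: str          # "Accepted" or "Rejected"
    reason: str = ""

class TrustStore:
    """Per-partner store that keeps a partner's old and new certificates side by side."""
    def __init__(self):
        self.certs = {}  # partner -> list of Cert, oldest first

    def handle_request(self, req, today):
        """Validate a CEM request; only an accepted certificate is added to the store."""
        if not req.cert.usages or not req.cert.usages <= VALID_USAGES:
            return CemResponse(req.cert.cert_id, "Rejected", "unknown certificate usage")
        if req.cert.not_after <= today:
            return CemResponse(req.cert.cert_id, "Rejected", "certificate already expired")
        if req.respond_by < today:
            return CemResponse(req.cert.cert_id, "Rejected", "response deadline has passed")
        self.certs.setdefault(req.partner, []).append(req.cert)  # old cert is kept
        return CemResponse(req.cert.cert_id, "Accepted")

    def usable_certs(self, partner, usage, today):
        """All certs, old or new, still valid for this usage: the partner may use either."""
        return [c for c in self.certs.get(partner, [])
                if usage in c.usages and c.not_after > today]

    def lookup(self, partner, cert_id, usage, today):
        """Resolve the certificate a received message identifies, or None if unusable."""
        for c in self.usable_certs(partner, usage, today):
            if c.cert_id == cert_id:
                return c
        return None
```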

The CEM optional profile has been implemented in AS2 interoperability test rounds conducted by DGI since 2005. For a list of products certified in the CEM profile during the recent AS2 interoperability test round, please see: http://www.drummondgroup.com/html-v2/as2-companies.html

For more information about the CEM standard, see:
https://datatracker.ietf.org/public/idindex.cgi?command=id_detail&id=12703


Industry Support for Certificate Message Exchange

Excerpt from 2006 endorsement letter from eTG (eCom Technology Group, formerly known as ecGIF) of GS1

"GS1 supports the use of the EDIINT AS1 and AS2 standards for transporting electronic business messages securely over the Internet. The number of AS1 and AS2 implementations has grown dramatically over the past few years, and the manual effort required to periodically replace trading partners' digital certificates has become significantly greater. End users within the Electronic Commerce Global Implementation Forum (ecGIF) group within GS1 developed business requirements and the Internet Engineering Task Force (IETF) developed a technical specification that automates the exchange and replacement of digital certificates. End users need this functionality in AS1 and AS2 software solutions to better manage the constantly increasing number of trading partner certificates which are expiring. The significant amount of manual effort needed to manage this process currently can be eliminated if most or all software vendors implement the automatic exchange of certificates capability in this specification. This is a voluntary standard that benefits a number of user communities in various industries."


© 2008 Drummond Group, Inc.