
I'm absolutely new to this topic of SSL certificates, so please be patient with me.

My task is to set up an AS2 communication with a business partner. For this we need message signing and encryption. Some communication partners accept self-created certificates, which is a bit curious, since they cannot be sure that I am the one I pretend to be.

Nevertheless, I want to purchase an SSL certificate from a CA, e.g. GoDaddy. Now here is the question.

Can I use any certificate that I can purchase from GoDaddy to sign and encrypt the AS2 messages?

I didn't find anything about this in combination with AS2, so I have to ask. Perhaps it's not a matter of the technology used. Since I really want to understand SSL certificates, a reference to an article or something similar would be highly appreciated. Well, a short "Yes" or "No" would also be fine.

If it's not possible, which requirements must an SSL certificate meet?

DHN

1 Answer

AS2 builds on S/MIME, so you need a certificate for S/MIME. Certificates for S/MIME are very similar to certificates for SSL, but some details may vary. See this answer for some details.

You might want to generate your own certificates with some tool like OpenSSL. GoDaddy is an established CA whose main asset is that their root public key is already known to most OSes and browsers in the world, and that's very convenient when you want to establish a communication channel with someone you do not know beforehand. But for a business partner that you already know, you do not need GoDaddy to come and say "yeah, that's his real name". You could simply exchange the certificates (the public keys) manually in a formal "key ceremony" between you and your partner. (Formalism can include a pint of Guinness.)

Thomas Pornin
  • _But for a business partner that you already know [...]_ Well, I'm with you, but some partners still want to have a certificate signed by a CA. – DHN Mar 22 '13 at 12:51
  • Well, thank you. I guess I'm understanding it now. I think the Guinness is the most important part of the ceremony. ;o) Unfortunately, the partner still wants to have the trusted certificate first. Let's see where I can purchase one. – DHN Mar 22 '13 at 13:20
  • I am not convinced the first sentence is true, as I have used self-signed certificates for proof-of-concept work and did not specify that they should be specifically S/MIME certificates, and those worked. I understand that the AS2 payload format *is* S/MIME, but that doesn't necessarily prove that implementers (e.g: Microsoft) are strict about checking those very specific key usage parameters as you mention in your linked answer. That said, `makecert.exe` appears to apply 'Any Purpose' as the key usage, so perhaps that is misleadingly lax as compared to certs issued by a public CA. – Tom W Feb 27 '19 at 09:29
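An added, runnable check that is not part of this thread: a POSIX shell script that reads a PEM certificate with the openssl CLI and tests for the usage fields the answer and Tom W's comment turn on (Key Usage digitalSignature and keyEncipherment, and an Extended Key Usage of emailProtection or anyExtendedKeyUsage when an EKU is present at all). The function names and the throwaway self-signed certificates are constructed for the example; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from a PEM certificate whether it carries
# the X.509 usages an S/MIME-based AS2 exchange relies on. Assumes an openssl CLI (1.1.1+,
# for -addext) on PATH; the test certificates below are constructed throwaways.
set -eu

# as2_cert_check FILE: Key Usage must include digitalSignature (signing the message) and
# keyEncipherment (RSA key transport for the encrypted envelope); if an Extended Key Usage
# is present it must include emailProtection or anyExtendedKeyUsage. Returns 0 if usable.
as2_cert_check() {
  text=$(openssl x509 -in "$1" -noout -text)
  # in -text output the usage values sit on the line after the extension header
  ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
  eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
  rc=0
  case "$ku" in
    *"Digital Signature"*) ;;
    *) echo "$1: keyUsage lacks digitalSignature"; rc=1 ;;
  esac
  case "$ku" in
    *"Key Encipherment"*) ;;
    *) echo "$1: keyUsage lacks keyEncipherment"; rc=1 ;;
  esac
  case "$eku" in
    ""|*"E-mail Protection"*|*"Any Extended Key Usage"*) ;;
    *) echo "$1: extendedKeyUsage present but not for S/MIME:$eku"; rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "$1: usable for AS2 signing and encryption"
  return "$rc"
}

# make_test_cert FILE KEYUSAGE EKU: constructed self-signed certificate (key left beside it).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
    -subj "/CN=as2-example" -addext "keyUsage=critical,$2" \
    -addext "extendedKeyUsage=$3" >/dev/null 2>&1
}

# demo: an S/MIME-profile certificate passes, a typical TLS server certificate does not
demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/smime.pem" digitalSignature,keyEncipherment emailProtection
  make_test_cert "$dir/tls.pem" digitalSignature,keyEncipherment serverAuth
  as2_cert_check "$dir/smime.pem"
  ! as2_cert_check "$dir/tls.pem"
  rm -rf "$dir"
}
demo
```

Run it against the certificate a CA actually issued (`as2_cert_check purchased.pem`) before handing it to the partner; a TLS server profile with only serverAuth fails the EKU test.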