Public and Private Keys in EDI
In Electronic Data Interchange (EDI), public and private keys play a crucial role in securing data transmission, ensuring data integrity, and authenticating trading partners. These keys are primarily used in encryption, decryption, and digital signatures within secure protocols like AS2, SFTP, and HTTPS.
Understanding Public and Private Keys
Public and private keys are part of asymmetric cryptography (Public Key Infrastructure - PKI), where:
- The public key is shared with anyone and is used for encryption.
- The private key is kept secret by the owner and is used for decryption or signing.
This key pair ensures secure data exchange between trading partners in EDI.
Use of Public and Private Keys in EDI
1. Encryption & Decryption (Data Security in Transmission)
When sending EDI data over secure channels like AS2 or SFTP, public and private keys are used to encrypt and decrypt the message.
πΉ Example Scenario:
- Step 1: The sender (Supplier) encrypts the EDI message (e.g., ANSI X12 850 - Purchase Order) using the recipient's public key.
- Step 2: The receiver (Retailer) decrypts the EDI message using their own private key.
πΉ Illustration:
Let’s say Supplier A wants to send an encrypted Purchase Order (850) to Retailer B securely over AS2.
- Supplier A encrypts the 850 message with Retailer B’s public key.
- The encrypted file is transmitted over AS2.
- Retailer B decrypts it using their private key and reads the order.
This process ensures that even if someone intercepts the message, they cannot read it without Retailer B’s private key.
2. Digital Signatures (Authentication & Data Integrity)
In EDI, digital signatures confirm the authenticity of the sender and ensure the message has not been altered.
πΉ Example Scenario:
- Step 1: The sender (Supplier) digitally signs the EDI file using their private key before sending it.
- Step 2: The receiver (Retailer) verifies the signature using the sender’s public key.
πΉ Illustration:
- Supplier A generates a digital signature using their private key and attaches it to the 850 Purchase Order.
- Retailer B receives the signed message and verifies the signature using Supplier A’s public key.
- If the verification fails, it means the message was tampered with or came from an unauthorized sender.
This prevents message tampering and fraud in EDI transactions.
3. Secure Protocols in EDI using Public/Private Keys
EDI transactions use secure communication protocols that implement public-private key encryption, such as:
✅ AS2 (Applicability Statement 2) – Uses public-private key pair for encryption and digital signatures to ensure data security.
✅ SFTP (Secure File Transfer Protocol) – Uses SSH keys (public/private pair) to authenticate trading partners securely.
✅ HTTPS (Hypertext Transfer Protocol Secure) – Uses SSL/TLS certificates with public-private keys to encrypt data transmission.
πΉ Example: AS2 Communication Flow
- Encryption: Sender encrypts the message using the recipient’s public key.
- Signing: Sender signs the message with their private key.
- Transmission: The encrypted and signed message is sent over AS2.
- Verification: Receiver verifies the signature using the sender’s public key.
- Decryption: Receiver decrypts the message using their private key.
This ensures secure and authenticated message exchange in B2B EDI transactions.
Public and private keys are essential for securing EDI transactions, ensuring data confidentiality, authentication, and integrity. They are widely used in secure EDI protocols like AS2, SFTP, and HTTPS to encrypt messages and verify sender identities.
Generating and Using Public-Private Keys in AS2 & SFTP for EDI
Here we will walk you through how to generate and use public-private keys in AS2 and SFTP for secure EDI transactions.
1. Using Public-Private Keys in AS2 for EDI
Step 1: Generate a Public-Private Key Pair (SSL Certificate)
AS2 relies on X.509 certificates for encryption and digital signatures. These certificates contain public-private key pairs. You can generate them using OpenSSL.
Generating a Self-Signed Certificate (Public-Private Key Pair)
Run the following command in your terminal or command prompt:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out public.crt
private.key → Your private key (kept secret).public.crt → Your public certificate (shared with trading partners).
π‘ If using a third-party CA (Certificate Authority), you’ll need to generate a CSR (Certificate Signing Request) and get a signed certificate.
Step 2: Configure AS2 in EDI Software
Once the key pair is generated, configure it in your EDI/AS2 software (e.g., IBM Sterling Integrator,OpenText TradingGrid, Cleo, BizTalk, Seeburger, Axway, etc.).
For the Sender (Supplier):
- Encryption: Use the receiver’s public key (from their
.crt file).
- Signing: Use your private key to sign outgoing messages.
For the Receiver (Retailer):
- Decryption: Use your private key to decrypt messages.
- Signature Verification: Use the sender’s public key to verify signatures.
Step 3: AS2 EDI Transmission Process
- Supplier (Sender) encrypts the EDI 850 Purchase Order using the retailer’s public key.
- Supplier signs the document with their private key.
- Supplier sends the AS2 message to the retailer’s AS2 endpoint.
- Retailer decrypts the AS2 message using their private key.
- Retailer verifies the sender’s signature using the supplier’s public key.
- Retailer sends back an MDN (Message Disposition Notification), signed with their private key, which the supplier verifies.
πΉ MDN (Message Disposition Notification) confirms successful receipt and integrity of the file.
✅ If MDN verification fails → The message was tampered with or sent from an unauthorized source.
2. Using Public-Private Keys in SFTP for EDI
SFTP (Secure File Transfer Protocol) uses SSH key pairs instead of SSL certificates.
Step 1: Generate SSH Key Pair
On your local machine, run:
ssh-keygen -t rsa -b 2048 -f my_sftp_key
my_sftp_key → Your private key (kept secret).my_sftp_key.pub → Your public key (shared with trading partners).
Step 2: Configure SFTP Authentication
- Send the
my_sftp_key.pub file to your trading partner.
- The partner adds the public key to their SFTP server’s authorized_keys file:
cat my_sftp_key.pub >> ~/.ssh/authorized_keys
- When connecting, use the private key for authentication:
sftp -i my_sftp_key user@sftpserver.com
✅ No password is needed, and authentication is secure.
Step 3: Secure File Transfer in EDI
πΉ Example: Sending an EDI 810 Invoice via SFTP
- Encrypt the file (optional, using OpenSSL):
openssl smime -encrypt -aes-256-cbc -in invoice_810.edi -out invoice_810.enc -outform DER partner_public.crt
- Transfer the encrypted file using SFTP:
sftp -i my_sftp_key user@sftpserver.com <<EOF
put invoice_810.enc
bye
EOF
- The receiver decrypts the file using their private key:
openssl smime -decrypt -in invoice_810.enc -out invoice_810.edi -inform DER -inkey private.key
- AS2 (EDI over HTTP): Uses public-private key pairs (X.509 certificates) for encryption & signing.
- SFTP (EDI over SSH): Uses public-private key pairs (SSH keys) for authentication.
Both methods ensure security, integrity, and authentication in EDI transactions. π
Real-World Example: AS2 EDI Message Exchange with Public-Private Keys
This example will demonstrate how to encrypt, sign, and send an EDI file over AS2 using OpenSSL and Python. It includes:
✅ Generating Keys & Certificates
✅ Encrypting & Signing an EDI 850 Purchase Order
✅ Sending via AS2
✅ Receiving, Decrypting, and Verifying the Signature
Step 1: Generate Public-Private Key Pairs
Each trading partner (Supplier & Retailer) needs their own key pair.
Run these commands to generate keys:
For Supplier (Sender)
# Generate private key
openssl genrsa -out supplier_private.key 2048
# Generate public certificate
openssl req -new -x509 -key supplier_private.key -out supplier_public.crt -days 365
For Retailer (Receiver)
# Generate private key
openssl genrsa -out retailer_private.key 2048
# Generate public certificate
openssl req -new -x509 -key retailer_private.key -out retailer_public.crt -days 365
Step 2: Encrypt & Sign the EDI Message
Let’s say the Supplier wants to send an EDI 850 Purchase Order securely to the Retailer.
Sample EDI 850 File (purchase_order.edi)
ISA*00* *00* *ZZ*SENDERID *ZZ*RECEIVERID *230201*1234*U*00401*000000001*0*T*>
GS*PO*SENDERID*RECEIVERID*20230201*1234*1*X*004010
ST*850*0001
BEG*00*NE*123456**20230201
N1*ST*Retailer Name*92*12345
PO1*1*10*EA*25.00*PE*XYZ123
CTT*1
SE*6*0001
GE*1*1
IEA*1*000000001
Encrypt the EDI File with Receiver’s Public Key
openssl smime -encrypt -aes-256-cbc -in purchase_order.edi -out encrypted_edi.dat -outform DER retailer_public.crt
Sign the Encrypted File with Supplier’s Private Key
openssl smime -sign -in encrypted_edi.dat -out signed_edi.dat -signer supplier_public.crt -inkey supplier_private.key -nodetach -outform DER
At this point, the signed and encrypted file (signed_edi.dat) is ready for secure AS2 transmission.
Step 3: Sending the AS2 Message
We will use Python to send the AS2 message via an AS2 server.
Python Code to Send AS2 Message
import requests
# Define AS2 parameters
as2_url = "https://as2.receiver.com/receive" # Retailer AS2 server
headers = {
"AS2-To": "RetailerAS2ID",
"AS2-From": "SupplierAS2ID",
"Content-Type": "application/pkcs7-mime",
"EDIINT-Features": "multiple-attachments",
}
# Load the signed EDI file
with open("signed_edi.dat", "rb") as file:
edi_data = file.read()
# Send AS2 request
response = requests.post(as2_url, headers=headers, data=edi_data)
# Print response
print(f"Response Code: {response.status_code}")
print(f"MDN Response: {response.text}")
✅ If successful, the retailer will return an MDN (Message Disposition Notification) confirming receipt.
Step 4: Receiving & Verifying the AS2 Message
At the Retailer’s AS2 server, the received message must be:
- Verified for authenticity using the sender’s public key.
- Decrypted using the receiver’s private key.
Verify the Digital Signature
openssl smime -verify -in signed_edi.dat -CAfile supplier_public.crt -out verified_edi.dat
✅ If successful, the file is verified as authentic.
Decrypt the Verified EDI File
openssl smime -decrypt -in verified_edi.dat -inform DER -inkey retailer_private.key -out decrypted_edi.edi
✅ Now the EDI 850 Purchase Order is readable and can be processed!
Step 5: Sending MDN Response
After successful verification and decryption, the Retailer sends an MDN response back to the Supplier.
Example MDN Message (mdn_response.txt):
AS2-To: SupplierAS2ID
AS2-From: RetailerAS2ID
Disposition: automatic-action/MDN-sent-automatically; processed
Original-Message-ID: <123456@example.com>
Digitally Sign the MDN with the Retailer’s Private Key
openssl smime -sign -in mdn_response.txt -out signed_mdn.dat -signer retailer_public.crt -inkey retailer_private.key -nodetach -outform DER
Send MDN via AS2
import requests
# AS2 Endpoint of Supplier
as2_supplier_url = "https://as2.supplier.com/receive_mdn"
# Load Signed MDN
with open("signed_mdn.dat", "rb") as file:
mdn_data = file.read()
# Send MDN
response = requests.post(as2_supplier_url, headers={"Content-Type": "application/pkcs7-mime"}, data=mdn_data)
print(f"MDN Sent. Response Code: {response.status_code}")
✅ If the Supplier receives and verifies the MDN, the transaction is complete!
Summary of AS2 Secure Exchange Process
1️⃣ Supplier encrypts the EDI file with Retailer’s public key.
2️⃣ Supplier signs the encrypted file with their private key.
3️⃣ Supplier sends the AS2 message to the Retailer.
4️⃣ Retailer verifies the signature using Supplier’s public key.
5️⃣ Retailer decrypts the file using their private key.
6️⃣ Retailer sends a signed MDN response back to the Supplier.
7️⃣ Supplier verifies the MDN signature, confirming receipt.
πΉ This real-world AS2 example shows how public-private keys are used for encryption, signing, and verification in EDI transactions.
πΉ It ensures data integrity, security, and non-repudiation in B2B communications.
AS2 EDI Message Exchange Example Using Mendelson AS2 & Cleo
This guide covers how to set up an AS2 connection, configure certificates, and exchange EDI messages securely using Mendelson AS2 and Cleo Integration Cloud.
1. Setting Up AS2 in Mendelson AS2
Mendelson AS2 is an open-source AS2 server used for testing and real-world EDI AS2 transactions.
Step 1: Install Mendelson AS2
- Download Mendelson AS2 from:
π https://www.mendelson-e-c.com/AS2
- Install and run it.
Step 2: Generate Public-Private Keys in Mendelson
Mendelson AS2 allows you to generate X.509 certificates for encryption and signing.
Generate Key Pair (Certificate)
- Go to Certificates → Generate new key.
- Enter details (Company Name, Validity, Algorithm = RSA 2048).
- Export:
- Public Certificate (
.cer) → Share with Trading Partner.
- Private Key (
.p12 or .keystore) → Keep secure.
Import Trading Partner’s Public Key
- Ask your Trading Partner (e.g., Cleo Integration Cloud) for their public certificate.
- In Mendelson, go to Certificates → Import public certificate.
- Browse and import the
.cer file.
Step 3: Configure AS2 Trading Partner
-
Add Trading Partner (Cleo or any AS2 endpoint).
- AS2 ID: CleoAS2
- AS2 URL:
https://cleoas2.com/receive
- Public Key: Use Cleo’s .cer file.
- Private Key: Use your private key for signing.
-
Configure MDN Settings
- Request MDN (Signed) to get confirmation of message receipt.
Step 4: Sending an EDI File from Mendelson
- Prepare an EDI 850 Purchase Order file (
purchase_order.edi).
- Go to Mendelson AS2 → Send File.
- Select the Trading Partner (Cleo).
- Choose the EDI file and click Send.
- Monitor the Log Tab to check transmission status.
✅ If successful, Cleo will send an MDN receipt confirming delivery.
2. Setting Up AS2 in Cleo Integration Cloud
Cleo Integration Cloud (CIC) is a cloud-based AS2 solution for B2B/EDI transactions.
Step 1: Configure Cleo AS2 Partner
- Log in to Cleo Integration Cloud.
- Navigate to Partners → Add AS2 Partner.
- Enter Partner Details:
- AS2 ID: MendelsonAS2
- AS2 URL:
http://mendelsonserver.com:4080/as2/HttpReceiver
- Public Certificate: Upload Mendelson’s
.cer file.
Step 2: Sending an EDI File from Cleo
- Go to Cleo Integration Cloud → Transactions.
- Select Send New AS2 Message.
- Choose the Trading Partner (Mendelson).
- Upload the EDI File (
purchase_order.edi).
- Click Send.
✅ Mendelson will receive the AS2 message and send an MDN in response.
Step 3: Verify MDN (Message Disposition Notification)
After the message is received:
- Mendelson logs show "MDN Received Successfully."
- Cleo logs confirm the message was decrypted and processed.
3. Debugging AS2 Issues
π‘ Common AS2 Issues & Fixes
| Issue |
Possible Cause |
Fix |
| AS2 Connection Failed |
Wrong URL |
Verify AS2 endpoint URL |
| Signature Verification Failed |
Wrong public certificate |
Re-import correct .cer file |
| Encryption Failed |
No matching private key |
Use correct .p12 keystore |
✅ Mendelson AS2 & Cleo Integration Cloud allow secure AS2 EDI transactions using public-private keys.
✅ This setup ensures encryption, authentication, and MDN confirmations in B2B EDI.
I can guide you through a step-by-step Mendelson & Cleo AS2 setup with logs and screenshots. Since I can't generate actual screenshots, I'll provide detailed instructions so you can follow along easily.
Step-by-Step AS2 Setup: Mendelson AS2 & Cleo Integration Cloud
πΉ Step 1: Install & Configure Mendelson AS2
1.1 Install Mendelson AS2
1️⃣ Download Mendelson AS2 from:
π https://www.mendelson-e-c.com/AS2
2️⃣ Extract and run startserver.bat (Windows) or startserver.sh (Linux).
3️⃣ Open Mendelson AS2 GUI (http://localhost:4080) in your browser.
1.2 Generate Public-Private Keys in Mendelson
πΉ Go to: Certificates → Generate new key
1️⃣ Enter:
- Company Name: MendelsonAS2
- Algorithm: RSA 2048
- Validity: 365 Days
2️⃣ Click Generate and Export:
- Public Certificate (
mendelson_public.cer) → Share with Cleo.
- Private Key (
mendelson_private.p12) → Keep safe.
1.3 Import Cleo's Public Key into Mendelson
πΉ Go to: Certificates → Import Public Certificate
1️⃣ Browse and select Cleo’s .cer file.
2️⃣ Click Import.
1.4 Add Cleo as a Trading Partner in Mendelson
πΉ Go to: Configuration → Partner Management
1️⃣ Click Add New Partner
- AS2 ID: CleoAS2
- AS2 URL:
https://cleoas2.com/receive
- Public Certificate: Select Cleo’s imported certificate.
- Private Key: Use Mendelson’s private key for signing.
2️⃣ Click Save.
πΉ Step 2: Configure Cleo Integration Cloud (CIC AS2)
2.1 Add Mendelson as an AS2 Partner in Cleo
πΉ Go to: Cleo Integration Cloud → Partners
1️⃣ Click Add Partner → AS2 Partner
2️⃣ Enter:
- Partner Name: Mendelson
- AS2 ID: MendelsonAS2
- AS2 URL:
http://mendelsonserver.com:4080/as2/HttpReceiver
3️⃣ Upload Mendelson’s .cer file.
4️⃣ Click Save.
πΉ Step 3: Send an EDI File via AS2
3.1 Sending an EDI 850 Purchase Order from Mendelson
πΉ Go to: Transactions → Send File
1️⃣ Select the Trading Partner (Cleo).
2️⃣ Upload EDI 850 File (purchase_order.edi).
3️⃣ Click Send.
4️⃣ Monitor Logs:
- ✅
AS2 Message Sent Successfully.
- ✅
MDN Received from Cleo.
3.2 Sending an EDI 810 Invoice from Cleo to Mendelson
πΉ Go to: Cleo Integration Cloud → Transactions → Send AS2 Message
1️⃣ Select the Trading Partner (Mendelson).
2️⃣ Upload EDI 810 File (invoice_810.edi).
3️⃣ Click Send.
4️⃣ Monitor Cleo Logs:
- ✅
AS2 Message Sent Successfully.
- ✅
MDN Received from Mendelson.
πΉ Step 4: Verify AS2 Transactions
4.1 Checking AS2 Logs in Mendelson
πΉ Go to: Logs → Transaction Log
✅ Look for:
- Sent Message → 200 OK (if successful)
- MDN Received → Signature Verified
4.2 Checking AS2 Logs in Cleo
πΉ Go to: Cleo Integration Cloud → Logs
✅ Look for:
- Received AS2 Message → Decryption Successful
- MDN Sent to Mendelson
π ️ Troubleshooting AS2 Issues
| Issue |
Possible Cause |
Fix |
| AS2 Connection Failed |
Wrong URL |
Verify AS2 endpoint URL |
| Signature Verification Failed |
Wrong public certificate |
Re-import correct .cer file |
| Encryption Failed |
No matching private key |
Use correct .p12 keystore |
π Final Outcome
✅ Mendelson ↔ Cleo AS2 communication is successfully established!
✅ EDI files are securely transmitted, encrypted, signed, and acknowledged with MDNs!