Security with Digital Certificates: Should you generate your own or use a Certificate Authority?
In the world of B2B, the recommended approach for securing the documents you exchange over the Internet with business partners – suppliers, customers, logistics providers, financial institutions – is the same encryption approach used by communications protocols such as AS2 and SFTP. These protocols use a system of public and private keys – one key pair for the sending company and one for the receiving company – and rely on digital certificates to make exchanging and managing those key pairs straightforward. (See How Digital Certificates Help Ensure the Security of EDI Data.)

One of the decisions you’ll need to make when using this approach is how your company’s digital certificates are generated. You have two options: (1) you can generate your own, using special software, or (2) you can use one of the Certificate Authorities (CAs), such as Verisign and Entrust, to generate and manage them on your behalf. A certificate generated by a CA is usually valid for one or two years. If you generate it yourself, you can make it valid for a longer period. When certificates expire, they must be renewed or replaced, and you must provide the new certificate to your trading partners before the old one expires so that the critical business documents you exchange, such as purchase orders and invoices, continue to flow without interruption.

For an annual fee, a certificate authority (CA) will issue digital certificates, and can also provide additional services, such as:
- If a certificate is compromised – for example, the private key has been lost or stolen – the CA can “revoke” it before it expires. These revoked certificates are put on a revocation list that is automatically checked by your software to verify the certificate prior to its use.
- The CA ensures that the certificate holder is who they claim to be by verifying their credentials. This adds an additional level of assurance of the trustworthiness of any business partners with whom you are exchanging documents.
- Because each certificate carries an expiration date, the CA re-verifies your trading partner’s identity at every renewal, increasing the security of the system still further.
The alternative to using a CA is to get everyone in your community to “self-generate” certificates, allowing them to set their own expiration dates. The benefits of this approach include:
- It’s free, as many B2B software applications include a certificate self-generation capability.
- You may have fewer administration headaches, because everyone can set longer certificate expiration dates, say 5 or 10 years. Then, instead of updating your system with everyone’s new certificate every one or two years, as CA-issued certificates require, you only need to do it every 5-10 years. However, longer expiration dates reduce the overall security of the system, since no organization is “policing” it and confirming that a certificate really belongs to the party it appears to come from.
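The two lists above describe what a gateway operator has to check before trusting a partner certificate: whether anyone vouched for it, whether it can be revoked, and how close it is to expiring. The following Go program, added here as an example and not taken from any B2B product, self-generates a certificate the way a B2B application’s self-generation feature would and then classifies it; the organisation name, the 30-day renewal window and the serial number are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Status is what an operator needs to know before trusting a partner certificate.
type Status struct {
	SelfSigned bool // signed with its own key: no CA vouched for the subject
	Revocable  bool // carries a CRL or OCSP pointer the software can check
	DaysLeft   int  // days until NotAfter
	RenewNow   bool // inside the renewal window: circulate the replacement now
}

// Inspect classifies cert against now and a renewal window given in days.
func Inspect(cert *x509.Certificate, now time.Time, windowDays int) Status {
	// Only a self-generated certificate verifies under its own public key.
	self := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return Status{
		SelfSigned: self,
		Revocable:  len(cert.CRLDistributionPoints) > 0 || len(cert.OCSPServer) > 0,
		DaysLeft:   days,
		RenewNow:   days <= windowDays,
	}
}

// SelfGenerate mimics a B2B application's self-generation feature: a
// certificate signed by its own key and valid for `years` from notBefore.
func SelfGenerate(org string, years int, notBefore time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed sample value
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A ten-year self-generated certificate comes back as self-signed with no revocation pointer, which is exactly the trade-off the list above describes; a CA-issued certificate fed to the same Inspect function would fail the self-signature check and normally carry a CRL or OCSP pointer.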
If your trading partners set the rules, you may need to support both models, with some partners asking you to use a certificate from a CA while others accept self-generated certificates. Whichever route you choose, you must be careful not to lose access to your private key (by forgetting your own password, for instance), since neither a CA nor a system that self-generates certificates can retrieve it. In that situation you would need to generate a new certificate and distribute it to all of your trading partners, and you or your partners may need to re-send any documents that were sent using the old key. To learn more about the best options for B2B Communications, watch this webinar: How to Determine the Best Communications Protocol for B2B Integration