AS2CertificationTestingEDI

AS2 Certification vs AS2 Connection Testing: What Drummond Certifies (and What It Does Not)

8 min readBy Marwan Nakhaleh

A trading partner sends you their AS2 onboarding packet. Somewhere in it is a line like "AS2 software must be Drummond certified." You search "AS2 certification" and now you're wondering whether your company needs to get certified, how much it costs, and how long it takes.

Short answer: you almost certainly don't need to get certified. Certification applies to AS2 software products, not to the companies that use them. What you actually need is proof that your specific AS2 connection works. Those are two different things, and mixing them up wastes weeks.

Here's the full picture.

What is Drummond certification?

Drummond Group runs an interoperability certification program for AS2 software. Vendors who build AS2 products enroll their software in a test event. During the event, every enrolled product exchanges messages with every other enrolled product across a matrix of test cases: different encryption algorithms, signing algorithms, MDN modes, compression settings, large payloads, certificate exchange scenarios.

A product that passes the full matrix earns the "Drummond Certified" mark for that test round. The vendor pays for this. It's a serious, rigorous program, and it solved a real problem: in the early days of AS2, two implementations of the same RFC 4130 spec would routinely fail to talk to each other. Certification gave buyers confidence that Product A and Product B had actually exchanged messages under controlled conditions, not just claimed spec compliance.

Walmart's 2002 mandate that suppliers use AS2 leaned on this program heavily, and it remains the reference standard for AS2 software interoperability today.

Who needs Drummond certification?

Software vendors. That's the list.

If your company builds and sells an AS2 product, certification is worth it. Large retailers and pharma trading partners often require that suppliers connect using certified software, so being on the certified list is table stakes for selling an AS2 product into those markets.

If your company uses AS2 to exchange EDI documents with partners, you are not the one who gets certified. There is no process by which a supplier, distributor, or 3PL becomes "Drummond certified." The certification attaches to the software product, not to your company, your team, or your deployment of it.

The confusion, spelled out

The requirement you'll see in partner onboarding documents reads something like: "Partner must use Drummond certified AS2 software."

What it means: pick an AS2 product that appears on Drummond's certified list. Most commercial AS2 products you'd shortlist are on it.

What it does not mean: your company must go through a certification process, pay Drummond, or pass a test event. You satisfy the requirement the moment you deploy a certified product. If your partner's onboarding form asks which software you use, you name the product and you're done with that line item.

One wrinkle worth knowing: certification applies to specific versions tested in specific rounds. If a partner is strict about it, check that the version you're running (not just the product name) appears on the certified list.

So why do connections built on certified software still fail?

Because certification proves the software can interoperate when configured correctly. It says nothing about whether your deployment is configured correctly.

Two Drummond certified products can still fail to exchange a message because:

  • Your TLS certificate expired, or your server offers only cipher suites the partner rejects
  • You loaded the partner's signing cert into the encryption slot, or they did the same with yours
  • Your AS2 ID has a trailing space that their system treats as significant
  • You're signing with SHA-1 and they require SHA-256
  • Your firewall accepts the inbound message but blocks the async MDN return path
  • An intermediate certificate is missing from your chain, so their validation fails while yours passes

None of these are software defects. All of them are configuration facts about your specific endpoint and your specific partner relationship. Certification was never designed to catch them, and it can't.

What is AS2 connection testing?

Connection testing verifies that your endpoint, with your certificates and your configuration, can complete a real AS2 exchange. A thorough test covers the full round trip:

  • TLS: the handshake completes, the certificate on your HTTPS endpoint is valid, and the protocol versions and ciphers on offer are ones partners actually accept
  • Certificates: your signing and encryption certs are unexpired, chained correctly, and assigned to the right roles
  • Encryption: a message encrypted to your cert decrypts on your server
  • Signing: your signature verifies on the receiving side with the algorithm your partners expect
  • MDN: your server returns a correctly signed MDN, and processes one when it's the sender

This is the test that predicts whether Monday's go-live works. Certification of the underlying software is a prerequisite your vendor already handled. The round trip is yours to prove.

When you need each

You need certified software when a trading partner mandates it, which in retail and pharma is most of the time. Solve this at purchase time by picking a product from the certified list. Done once.

You need connection testing when anything about your endpoint changes or is about to be trusted:

  • Before onboarding a new trading partner, so the first real message isn't your first test
  • After renewing or replacing a certificate, the single most common cause of sudden AS2 failures
  • After a server migration, firewall change, or TLS policy update
  • When a partner reports failures and both sides insist their config is fine

A failed onboarding burns 2 to 5 engineer days of back and forth email at three days per round trip. A connection test takes about a minute. Run it first.

How to verify your AS2 setup actually works

Testing an AS2 connection has a chicken and egg problem: the protocol has no self test mode, so you need a counterparty. Your options range from running your own second endpoint to using a hosted test service. We've written a full walkthrough in how to test an AS2 connection, and compared the free routes (mendelson's public test server, a DIY OpenAS2 instance, and our own tool) in Free AS2 Testing Options Compared.

The fastest path: run a free automated test against your endpoint. AS2 Certify acts as the counterparty, exercises the full round trip (TLS, certificates, encryption, signing, MDN), and grades the result A through F with a per-check breakdown you can forward to your partner. If you just need to sanity check a certificate before an exchange, the free certificate checker validates expiry, chain, and key parameters in seconds.

Certified software, tested connection. You need both. Only one of them is your job.

Frequently asked questions

Does my company need to be Drummond certified to use AS2?

No. Drummond certification applies to AS2 software products, and vendors obtain it. Companies that use AS2 satisfy partner requirements by deploying software that appears on the certified list. There is no certification process for end user companies.

What does "Drummond certified AS2 software" mean in my partner's requirements?

It means choose an AS2 product from Drummond Group's certified list. The vendor already did the certification work. You name the product on the onboarding form and the requirement is met. If your partner is strict, confirm your specific version was part of a certified test round.

Is Drummond certification the same as testing my AS2 connection?

No. Certification proves two software products can interoperate under controlled test conditions. Connection testing proves your specific deployment, with your certificates, TLS setup, and configuration, completes a real exchange. Certified software with a misconfigured endpoint still fails.

My software is Drummond certified. Why does my connection still fail?

The usual suspects are configuration, not software: expired or misassigned certificates, TLS cipher mismatches, AS2 ID typos, signing algorithm mismatches, or blocked MDN return paths. Run a connection test to find out which one in about 60 seconds.

How do I test my AS2 connection before a partner go-live?

Use a counterparty you control or a hosted test service, since AS2 has no loopback mode. See the full guide for the options, or start with a free automated round trip test that checks TLS, certificates, encryption, signing, and MDN handling in one pass.

If what you actually need is the X.509 file itself, how to generate it, exchange it with a partner, and roll it over before expiry, that lives in the AS2 certificates guide.