Walmart AS2 Requirements 2026: Certificate, MDN, and Endpoint Checklist
What Walmart Requires From AS2 Suppliers in 2026
Walmart is the largest driver of AS2 adoption in the world. Every supplier that exchanges EDI documents directly with Walmart does it over AS2. Not SFTP. Not email attachments. AS2. The mandate dates back to the mid 2000s, when Walmart pushed suppliers off VANs to cut fees and get direct, non repudiated communication with its supply chain.
Here is the short version of what Walmart expects from your AS2 setup:
- An always on HTTPS endpoint that accepts inbound AS2 messages from Walmart's IP ranges, around the clock.
- An AS2 signing and encryption certificate, RSA 2048 bit minimum, uploaded to Walmart's GEM portal.
- Synchronous, signed MDNs returned on the same HTTP connection for every message Walmart sends you.
- SHA-256 signing on the messages you send and the MDNs you return.
- X12 EDI documents (850, 855, 856, 810, and more depending on your category) that conform to Walmart's implementation guides, not the generic X12 spec.
Everything routes through two Walmart systems. Retail Link is the supplier portal where you access EDI documentation and applications. GEM (Global Enterprise Messaging) is the application inside Retail Link where the actual AS2 configuration lives: your AS2 ID, your endpoint URL, and your certificate. You cannot start any of this without a Walmart supplier number, which is assigned when you become an approved supplier.
The full onboarding process typically runs 4 to 6 weeks. Most of that time is spent in testing, and most testing delays trace back to configuration problems you could have caught before the window opened. This guide covers each requirement, then gives you a checklist to run before Walmart's testing team ever sees your connection.
Walmart AS2 Certificate Requirements
Certificates are where most Walmart AS2 setups stall. There are two separate certificates involved, and mixing them up causes real delays.
The AS2 signing and encryption certificate
This is the certificate you upload to GEM. Walmart uses it to encrypt messages sent to you and to verify the signatures on messages you send. Requirements:
- RSA 2048 bit minimum. 4096 bit works and buys you headroom, at a small processing cost per message.
- Self signed is accepted for the AS2 layer. You do not need a commercial CA for this certificate. Many suppliers assume they do and burn a week waiting on a CA for nothing.
- Validity of at least 1 year. Two years is the practical sweet spot: long enough to avoid frequent rotation, short enough to stay in line with modern certificate hygiene.
- PEM or DER format. GEM accepts both. Upload only the public certificate. Never upload your private key anywhere.
- A descriptive subject CN, ideally your company name or AS2 ID, so Walmart's team can identify it at a glance.
Before you upload anything, confirm the certificate and the private key on your AS2 server are from the same key pair:
# These two commands must output the same hash
openssl x509 -in your_cert.pem -noout -modulus | openssl md5
openssl rsa -in your_key.pem -noout -modulus | openssl md5If the hashes differ, you regenerated one without the other. You will be able to sign messages, but Walmart cannot verify the signatures, because the public key they hold does not match the private key you sign with. This failure looks like a Walmart side problem in your logs. It is not.
The TLS certificate
Separate from the AS2 certificate, your HTTPS endpoint needs a TLS certificate. This one must be CA signed, not self signed, and served with its full intermediate chain. A missing intermediate is one of the most common silent failures in AS2: some clients fill the gap automatically, others reject the handshake, and the error message rarely says why.
For a deeper walkthrough of the certificate types, exchange formats, and rollover process, read the AS2 certificate guide. To check a specific certificate file right now, run it through the free AS2 certificate checker.
MDN Requirements: Synchronous and Signed
Walmart uses synchronous MDNs. When Walmart POSTs a message to your endpoint, your system decrypts it, verifies the signature, and returns a signed MDN on the same HTTP connection before it closes. Configure asynchronous MDN only if Walmart's team explicitly tells you to, which is rare.
Three settings to lock down:
- MDN mode: synchronous. If your platform defaults to async, change it. An async MDN sent to a partner expecting sync reads as no MDN at all, and Walmart's side logs the exchange as failed.
- MDN signing: SHA-256. Sign every MDN. An unsigned MDN gives Walmart no proof the receipt came from you, and their system will flag it.
- MDN timing. A synchronous MDN has to come back within the HTTP timeout. If your system queues inbound messages for slow processing before responding, the connection times out and the message counts as undelivered even though you received it.
The MDN also carries the MIC (Message Integrity Check), which proves the payload arrived unaltered. A MIC mismatch usually means a content transfer encoding disagreement between the two platforms. If you see MIC errors during testing, compare canonicalization and encoding settings before touching anything else.
Endpoint and TLS Requirements
Your AS2 URL in GEM points at an HTTPS endpoint that Walmart's systems POST to. Requirements in practice:
- Reachable 24/7. Walmart sends documents on its schedule, not yours. Downtime means missed purchase orders.
- Stable hostname or static IP. Changing the endpoint means a GEM update and coordination with Walmart. Pick a hostname you can keep, like
as2.yourcompany.com. - HTTPS with a CA signed TLS certificate and the complete chain, as covered above. TLS 1.2 or later.
- Firewall open to Walmart's IP ranges. Walmart transmits from specific ranges. Get the current list from your Walmart EDI contact and allow them inbound before the first connectivity test. A blocked firewall is the number one cause of a failed first test, and it produces zero useful evidence in your logs because the packets never arrive.
- Correct content type handling. Use
application/edi-x12for X12 documents.
How the Onboarding and Testing Process Works
The sequence runs through GEM from start to finish.
1. Register your GEM mailbox
Log in to Retail Link, open the GEM application, and create a mailbox for your AS2 connection. If GEM does not appear in your Retail Link menu, request access through your buyer or Walmart's EDI support team. In the mailbox you provide your AS2 ID (case sensitive, so copy and paste it everywhere afterward), your AS2 URL, and your public certificate. Walmart provides its AS2 ID (which varies by division), its endpoint URL, and its public certificate in return.
2. Configure your platform
Build the Walmart partner profile on your AS2 software with the values from GEM: Walmart's AS2 ID and URL, Walmart's certificate for encryption, SHA-256 signing, synchronous signed MDN. Encryption has historically been 3DES, with AES-128 and AES-256 also supported. Confirm the current algorithm with the GEM team rather than assuming, because requirements tighten over time.
3. Connectivity testing
Walmart's team sends a test AS2 message to your endpoint. Your system receives, decrypts, verifies, and returns a signed MDN. Then you send one to Walmart and they do the same. Both directions must round trip cleanly. Failures at this phase are always configuration: firewall, certificate mismatch, AS2 ID typo, or MDN mode disagreement. This is the phase you can fully rehearse in advance, and the checklist below exists for exactly that reason.
4. EDI document testing
Once connectivity passes, Walmart sends test 850 purchase orders and expects a correctly formatted 855 acknowledgment, 856 ASN, and 810 invoice in return. Each document is validated against Walmart's implementation guide. Fail a document and you get feedback, fix, resubmit, and wait for the next review cycle. Every cycle adds days. Walmart's guides add required segments and Walmart specific qualifier codes on top of the base X12 standard, so build your maps from the guides in Retail Link, never from the generic spec.
5. Go live
After all documents pass, Walmart flips your GEM mailbox to production and live 850s start arriving. Watch the first two weeks closely: MDN success rate, 997 functional acknowledgment rejections, and ASN timeliness. Late or missing ASNs trigger chargebacks per shipment under Walmart's supplier performance programs, so alert on any shipment without a transmitted 856.
Pre Testing Checklist: Run This Before Walmart's Window Opens
Walmart's testing window moves at Walmart's pace. Every defect their team finds costs you a feedback cycle measured in days. Every defect you find yourself costs minutes. Run this list before the window opens:
- Confirm your Walmart supplier number is active and you can log in to Retail Link.
- Confirm GEM access. If the application is missing from your menu, request it now. Access requests take time.
- Generate your AS2 certificate: RSA 2048 bit minimum, 1 to 2 year validity, descriptive CN.
- Verify the certificate and private key moduli match (the openssl commands above).
- Check the certificate validity dates. Do not enter a testing window with a certificate expiring within 90 days.
- Confirm your TLS certificate is CA signed and the full intermediate chain is served. Test from outside your network.
- Confirm your endpoint answers on the exact URL you will put in GEM, including port and path.
- Get Walmart's current IP ranges from your EDI contact and allow them through your firewall.
- Set MDN mode to synchronous and MDN signing to SHA-256 in your Walmart partner profile.
- Set message signing to SHA-256 and encryption to the algorithm GEM specifies.
- Copy and paste both AS2 IDs between GEM and your platform. Never retype them. One character of drift, including case, breaks routing in both directions.
- Set content type to
application/edi-x12and leave compression off for initial testing. - Run a full round trip against a neutral test endpoint: send, receive, decrypt, verify signature, return signed MDN. The free AS2 connection test does this and grades each step, so you see certificate, encryption, signing, and MDN problems before Walmart does.
- Import Walmart's public certificate and record its fingerprint, so a future replacement cert can be verified as genuinely new.
- Pull Walmart's X12 implementation guides for your document set from Retail Link and map against them, not the base spec.
- Confirm your system generates 855s within Walmart's expected acknowledgment window (24 hours of the 850, per the standard supplier requirement).
- Set a calendar reminder 90 days before your AS2 certificate expires, with the GEM rollover steps attached.
- Prepare test data. Never send production orders, invoices, or ASNs during the testing phase.
Eighteen items. Most take under five minutes. Together they cover every failure mode that shows up in Walmart's connectivity phase.
Self Managed AS2 vs Managed Provider for Walmart
Suppliers connect to Walmart two ways: run their own AS2 software, or pay a managed EDI provider to run the connection. Both pass Walmart's requirements. The tradeoffs:
| Factor | Self managed AS2 | Managed provider |
|---|---|---|
| Software | OpenAS2, Mendelson, IBM Sterling, Cleo, others | Provider's platform, no software to run |
| Monthly cost | Hosting plus your time; open source options are free | Recurring fees, often per document or per kilocharacter |
| Setup effort | You configure certificates, MDNs, endpoints yourself | Provider configures against Walmart for you |
| Control | Full: logs, certificates, retry logic all yours | Limited: you see what the provider exposes |
| When something breaks | You debug directly with full evidence | You open a ticket and wait |
| Certificate rotation | Your responsibility, on your schedule | Handled by provider |
| Best fit | Teams with an engineer who owns EDI | Teams with no technical EDI owner |
If you have anyone technical in house, self managed AS2 for a single large partner like Walmart is very achievable, and this guide plus Walmart's implementation guides covers the ground. The catch is verification: a managed provider has tested its Walmart connection hundreds of times, while your self managed setup has been tested zero times. Close that gap yourself with a graded connection test before the window opens, not during it.
Common Failure Modes During Walmart Onboarding
Firewall blocks Walmart's first message. The most common first test failure. Nothing appears in your AS2 logs because nothing arrives. Allow Walmart's IP ranges in advance and confirm with a packet capture or an external reachability check.
AS2 ID mismatch. One character off, including case or a trailing space, and messages fail routing on both sides. Copy and paste from GEM. Every time.
Certificate and key from different pairs. Regenerating a certificate mid setup without redeploying the matching key produces signature verification failures that look like Walmart's problem. Check the modulus hashes.
Wrong certificate uploaded to GEM. Uploading the TLS certificate instead of the AS2 certificate, or an old expired one from a previous attempt. Verify the fingerprint of what GEM holds against what your server uses.
MDN mode disagreement. Your platform defaults to async, Walmart expects sync. Walmart's side reports no MDN received while your side reports MDN sent. Both are right. Set sync.
Missing TLS intermediate. The handshake fails from Walmart's side but succeeds from your browser, because browsers cache intermediates and AS2 clients often do not. Serve the full chain.
Implementation guide shortcuts. Maps built from the generic X12 spec fail Walmart's document validation on required segments and qualifier codes. Budget real time to read the guides.
Ignored 997s in production. A rejected 997 means Walmart did not process your document. If it was an 810 invoice, you do not get paid until you fix and resend. Alert on every 997 rejection.
Frequently Asked Questions
Does Walmart require Drummond certified software?
No. Walmart requires a working, interoperable AS2 connection, not a specific certification on your software. Drummond certification is an interoperability program that software vendors put their products through; it is not a supplier requirement. Plenty of suppliers pass Walmart testing on open source software with no certification at all. The distinction trips up a lot of teams, and we wrote up the difference in AS2 certification vs AS2 testing.
What certificate does Walmart AS2 require?
For the AS2 layer: an RSA certificate, 2048 bit minimum, self signed accepted, uploaded to GEM as the public certificate only. For the HTTPS endpoint: a CA signed TLS certificate with the full chain. Two different certificates, two different rules. Details and openssl commands are in the certificate guide.
How long does Walmart EDI onboarding take?
Plan for 4 to 6 weeks from GEM registration to production. Connectivity testing is fast when your configuration is right and slow when it is not, because every failure adds a feedback cycle with Walmart's team. Document testing takes the longest, since each X12 document is validated individually against Walmart's implementation guide. Suppliers who arrive at the testing window with a verified AS2 setup routinely cut 1 to 2 weeks off the total.
Can I test my AS2 setup before the Walmart testing window?
Yes, and it is the highest value hour you will spend on this project. You do not need Walmart's cooperation to prove your endpoint receives, decrypts, verifies, and returns signed synchronous MDNs. Run the free AS2 connection test against your endpoint. It exercises the same steps Walmart's connectivity test does and grades each one, so you walk into the window with evidence instead of hope.
Do I need a static IP address for Walmart AS2?
You need a stable endpoint Walmart can reach around the clock. A static IP works, and so does a stable hostname with DNS you control. What does not work is an endpoint that changes, because every change means a GEM update and coordination with Walmart. Pick a hostname you can keep for years.
Can I use a VAN instead of direct AS2 with Walmart?
Walmart moved its supplier base to direct AS2 specifically to eliminate VAN intermediaries, and direct AS2 is the standard path for suppliers today. Some third party providers offer managed connections that handle the AS2 layer for you, which is different from a classic VAN arrangement. If a provider manages your connection, the requirements in this guide still apply; they just apply to the provider's infrastructure instead of yours.
Verify Before the Window Opens
Walmart's testing process rewards preparation. Their team tests on their schedule, their feedback arrives in cycles, and each cycle you trigger with a preventable defect pushes your go live out by days. A failed onboarding round burns engineer days at real cost, and the purchase orders do not start flowing until you pass.
Everything in the connectivity phase is verifiable in advance. Certificates, key pairs, TLS chain, encryption, signing, synchronous MDNs. Run the free AS2 connection test, get the graded report, fix what it flags, and enter Walmart's window with a connection you have already proven.
Know it works before Walmart tests it.