What is TLS, and why it matters
When systems exchange data securely over the internet, they rely on a technology called TLS, or Transport Layer Security. Whether it’s a user opening a website, an API call between applications, or a B2B/EDI transaction between partners, TLS is what makes that communication secure and trustworthy.
TLS uses digital certificates to verify that the system on the other end is truly who it claims to be; once that identity is established, the session keys negotiated during the handshake keep the data encrypted in transit and reveal any alteration along the way. TLS certificates therefore act as digital identities, allowing systems to establish trust before exchanging any data.
A simple example illustrates this. When a website uses HTTP, data is transmitted in plain text and could potentially be intercepted or modified. With HTTPS, the “S” stands for secure, and that security comes from TLS. The data is encrypted and protected, making it accessible only to the intended recipient.
The same principle applies to B2B integration, but at a much larger scale.
Take the example of AS2, widely used for B2B/EDI communications, especially in the United States. When companies exchange documents such as purchase orders or invoices over AS2, the data is typically formatted using standards like X12 or EDIFACT. These formats define the message, but not how it is securely delivered.
In Europe, similar exchanges are often handled through OFTP2, especially in industries like automotive and manufacturing. While the protocol differs, the underlying approach remains the same, relying on TLS and certificates to ensure secure communication.
Put simply, data standards such as X12 or EDIFACT define the message, protocols like AS2 or OFTP2 handle its delivery, and TLS provides the security layer. The digital certificates used by TLS are therefore not just an added safeguard. They are fundamental to establishing trust between partners and ensuring that business data is exchanged reliably and securely.
What is changing in the certificate landscape
The certificate ecosystem is undergoing a major shift, driven by decisions from the CA/Browser Forum, the industry body that defines standards for publicly trusted TLS certificates.
One of the most visible changes is the reduction of certificate lifetimes for publicly trusted TLS server certificates, such as those used for HTTPS and other internet-facing services. Lifetimes were historically measured in multiple years and more recently capped at around one year; they are now on a phased path down to just 47 days by 2029. While this change may seem significant, its impact is often manageable in B2B scenarios.
For example, organizations may have a single external-facing HTTP endpoint used for all incoming AS2 or AS4 connections. In such cases, renewing the server certificate is a localized operation that can be performed without coordinating with every trading partner. Although this renewal will need to happen more frequently, it remains a relatively limited and predictable operational task.
The bigger disruption for many enterprise environments comes from a second change. Public certificate authorities (CAs) such as DigiCert, GlobalSign, or Sectigo, whose certificates are trusted by browsers and operating systems, are moving away from issuing publicly trusted TLS certificates that support client authentication (the “clientAuth” Extended Key Usage, or EKU).
These certificates will be limited to server authentication (“serverAuth”) only, meaning they can no longer be used for both purposes. While the transition is phased, this change is defined by industry standards and will be enforced across all publicly trusted certificate authorities.
As a result, organizations that previously relied on a single public CA certificate for both server and client authentication will need to separate these use cases, introduce private or internal issuance for client authentication, and in many cases find new ways to create or procure these certificates without relying on public CAs. This shift increases operational complexity, especially in B2B ecosystems where a single certificate is often used across protocols such as AS2, AS4, and OFTP. Moving to separate server and client certificates, along with private CA governance, can represent a significant change for companies operating large partner networks.
More broadly, this is not only a B2B challenge. It affects any external-facing or internal application that relies on TLS. As certificate lifecycles shorten and usage becomes more strictly defined, organizations will need a more structured approach to certificate lifecycle management.
This includes maintaining a complete certificate inventory, monitoring expiration, renewing or issuing certificates in time, and ensuring consistent deployment across connected systems, making integration capabilities increasingly critical.
The real impact: operational, not technical
At first glance, these changes seem technical in nature. In practice, their biggest impact is operational.
Consider a typical B2B environment. A company exchanges orders and invoices with multiple partners using protocols such as AS2, AS4, or OFTP, and each of these connections depends on certificates that must remain valid on both sides for communication to continue.
When a certificate expires, the impact is immediate. Connections fail, messages are rejected, and business processes stop until the issue is resolved. What looks like a minor technical issue quickly becomes a real business disruption.
In the past, this risk was manageable because certificate lifetimes were long, and organizations could often rely on public certificate authorities for most use cases. As lifecycles shorten and certificate usage becomes more strictly defined, this approach is no longer sustainable.
Organizations now need to introduce and manage their own private certificate authority (CA) strategies, particularly for client authentication. Relying on public CAs alone is no longer a complete solution.
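To make the EKU separation and the private-CA requirement concrete, here is an added example (not Axway code and not code from this post) that uses only the openssl command-line tool: a throwaway private root CA issues a serverAuth-only certificate for a shared AS2 endpoint and a clientAuth-only certificate for partner authentication, and two small checks report which role each certificate can serve and whether it falls inside a renewal window. All names, paths and validity periods are constructed for illustration, and the script assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not Axway code): a minimal private CA that issues separate
# serverAuth and clientAuth certificates, plus inventory checks for EKU and expiry.
# Assumes only the openssl command-line tool (1.1.1 or later). All names,
# paths and validity periods below are constructed for illustration.
set -eu

# Scratch directory for keys and certificates (assumption: mktemp is available).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_private_ca: create a self-signed root for an internal CA. Private roots
# are not bound by the public-CA rules, so they can keep issuing clientAuth
# certificates for partner authentication. The config file avoids depending on
# whatever openssl.cnf the host may or may not have.
make_private_ca() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORKDIR/req.cnf" -extensions ca_ext \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

# issue_cert NAME EKU DAYS: issue a leaf certificate carrying exactly one
# Extended Key Usage (serverAuth or clientAuth), signed by the private CA.
# -subj overrides the CN from req.cnf.
issue_cert() {
  name=$1; eku=$2; days=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/req.cnf" \
    -subj "/CN=$name" -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$WORKDIR/$name.ext"
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days "$days" -extfile "$WORKDIR/$name.ext" \
    -out "$WORKDIR/$name.pem" >/dev/null 2>&1
}

# has_eku FILE NAME: succeed if the certificate's EKU extension lists NAME
# (e.g. "TLS Web Client Authentication"). Reads the text dump, which has the
# same layout on every OpenSSL version.
has_eku() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
    | grep -q -- "$2"
}

# expires_within FILE DAYS: succeed if the certificate expires within DAYS.
# openssl -checkend exits non-zero when the certificate will expire in the window.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# audit_cert FILE DAYS: one inventory line showing which roles the certificate
# can serve and whether it falls inside the renewal window.
audit_cert() {
  f=$1; window=$2
  s=no; c=no; e=no
  has_eku "$f" "TLS Web Server Authentication" && s=yes
  has_eku "$f" "TLS Web Client Authentication" && c=yes
  expires_within "$f" "$window" && e=yes
  printf '%s serverAuth=%s clientAuth=%s expires_within_%sd=%s\n' \
    "$(basename "$f")" "$s" "$c" "$window" "$e"
}

# demo: a 47-day server certificate for the shared AS2 endpoint and a one-year
# client certificate for partner authentication, then audit both with a 60-day window.
demo() {
  make_private_ca
  issue_cert as2-server serverAuth 47
  issue_cert as2-client clientAuth 365
  audit_cert "$WORKDIR/as2-server.pem" 60
  audit_cert "$WORKDIR/as2-client.pem" 60
}

# Run the demo only when requested, so the functions can also be sourced.
if [ "${CERT_AUDIT_DEMO:-}" = "1" ]; then demo; fi
```

Saved as, say, cert_audit.sh and run with `CERT_AUDIT_DEMO=1 sh cert_audit.sh`, it prints one inventory line per certificate; the 47-day server certificate shows up as expiring within the 60-day window while the client certificate does not. Pointing audit_cert at the certificates exported from a B2B gateway gives a first pass at the inventory and expiry monitoring described above, and any certificate that reports clientAuth=no cannot be used for partner authentication regardless of who issued it.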
While modern B2B integration solutions, such as Axway B2Bi, fully support private and self-managed certificates, many organizations have not yet established the processes, governance, and tooling required to manage them effectively at scale.
Each certificate change now requires coordination. Certificates must be updated internally, shared with partners, validated on both sides, and activated at the right time. When this has to happen across dozens or hundreds of partners, the effort increases significantly.
The challenge is no longer about supporting certificates from a technical standpoint. It is about managing them efficiently across an entire partner ecosystem. Manual workflows, limited visibility, and dependencies between partners increase the risk of missed updates and service disruptions. Certificate management is therefore becoming an ongoing operational responsibility, with a direct impact on business continuity.
How Axway helps
As certificate lifecycle management becomes more complex, the key question for organizations is not whether their systems support certificates, but how they can manage them effectively at scale.
In B2B environments, one of the main challenges is coordination between partners: updating a certificate is not just a local action. It requires sharing the new certificate, validating it on both sides, and ensuring that both systems switch at the right time. When handled manually, this quickly becomes time-consuming and error-prone, especially as the number of partners grows.
This challenge is not theoretical. It was a key topic discussed last year during the joint user group “Why Automation Matters for Certificate Management” with Drummond, Cencora, and Axway, where participants highlighted the operational complexity and risks associated with certificate updates across partner ecosystems.
Axway B2B Integration helps simplify this process by supporting automated certificate exchange. With capabilities such as Certificate Exchange Messaging (CEM) for AS2, and similar mechanisms for AS4 and OFTP2, organizations can exchange and validate certificates in a more structured and reliable way. This reduces manual coordination and helps avoid misalignment during updates.
At the same time, effective certificate management is not only about exchanging them, but also about gaining visibility into their lifecycle. Organizations need to know which certificates are in use, when they expire, and where potential risks exist.
Going further, Axway extends its approach with Workbench. What started with MFT is gradually extending to B2B flows, with the goal of providing customers a more centralized view of certificate lifecycles. This allows teams to monitor expiration dates, identify issues earlier, and move toward a more proactive approach to certificate management.
By combining automation with improved visibility, Axway supports a more scalable and reliable way to manage certificates across complex B2B environments. This is becoming increasingly critical as certificate lifecycles shorten and organizations transition toward private CA strategies.
Ultimately, the goal is not just to support certificates from a technical perspective, but to make their management predictable and aligned with the realities of modern B2B ecosystems and what comes next.
You can explore this perspective in our latest research, B2B 2034: Revisiting the vision, which looks at how B2B ecosystems are evolving under the combined pressure of digital acceleration, regulatory change, and increasing requirements for data control and sovereignty.
We’re looking forward to discussing this upcoming change with you and helping you prepare for it. Feel free to contact us anytime!
