ITU-T X.509 v3 defines a standard digital certificate format that is broadly applicable, therefore implementations of technologies that provide PKI may have differences in the digital certificates they produce. Interoperability between STAR partners using digital certificates means that they need to agree on the subset of formats and extensions that are necessary for interoperability.

The Internet Engineering Task Force (IETF) created the Public Key Infrastructure Working Group (PKIX) to develop standards appropriate for the use of X.509 based PKIs. One such standard is the profile for Certificates and Certificate Revocation defined in IETF RFC 3280. It describes the X.509 v3 format and profiles the format and semantics of certificates and certificate revocation lists for internet use. In addition, the OASIS PKI Forum Technical Committee works to provide best practices and profiles related to PKI and Digital Certificates.

Further definition of the particular formats that STAR members use will help assure interoperability between messaging systems in the transport layer and messaging functions implemented in applications. At a minimum, ASN.1 encoding of the subject and issuer distinguished names for alphanumeric characters is available across most messaging implementations; non-alphanumeric characters like “#” and “&” should be avoided in favor of the common characters “a-z”, “A-Z”, “0-9”, space ' () + , - . / : = ?. The X.509v3 certificate extensions basic constraints, key usage, subject alternative name and CRL distribution point extensions provide a sufficient minimum for STAR certificates.

Distribution of certificates can be handled through face-to-face means, LDAP services, S/MIME, FTP or email. Any of these means are acceptable between STAR partners; as the STAR trading community matures with the implementation of registries/repositories and dynamic trading, certificate distribution may settle into a recommended method.

Certificate management includes the revocation and validation of certificates. STAR RECOMMENDS but does not require the use of a 3rd party root CA; self-signed, self-generated certificates do not provide the level of party identification needed for true authentication but may suffice for current STAR member needs. Certificate Management Protocol (CMP) is a protocol from the ITEF PKIX group defined in RFC 2510 and RFC 2511 (ieft.org). If certificate management is implemented or supplied by a third party then it should comply with CMP.