Certificates

AS2 uses X.509 certificates for encryption and digital signatures. Manage your certificates and your trading partners' public certificates through the web UI.

Certificate Types

AS2 communications require two types of certificates:

  • Your Certificate (with Private Key) - Used to sign outgoing messages and decrypt incoming messages. Keep this secure!
  • Partner's Public Certificate - Used to encrypt messages to the partner and verify their signatures.

Certificate List

The Certificate list shows all configured certificates and lets you download them:

[Screenshot: Certificate list page. A "+ Create Cert" button sits above a table with the columns My AS2 ID, Partner AS2 ID, PublicKeyURL and Actions. The example row shows mycompany / amazon with the public key stored at private/tenantId/amazon/mycompany/cert/mycompany-amazon.cer.]

Downloading Certificates

There are two places to download certificates, each serving different purposes:

From Certificate List Page

The Download button on the Certificate list provides options to export your keystore:

Option: Complete KeyStore (.p12)
  Contents: Your private key + your certificate + partner's certificate
  Purpose: Backup, migration, or importing to another system

Option: Partner Certificate (.p12)
  Contents: Only the partner's public certificate
  Purpose: Export the partner's certificate for use elsewhere

Both downloads use the same password you set when creating the certificate.

Keep Your KeyStore Secure

The Complete KeyStore contains your private key. Never share this with trading partners!

From Partnership Page

The Download PublicKey button on the Partnership detail page downloads your public certificate in PEM format (.cer):

[Screenshot: Edit PartnerShip page. It shows the instance fields (my_name: mycompany, my_alias: mycompany, my_email: edi@mycompany.com), the partner fields (partner_name: amazon, partner_alias: amazon, partner_email: edi@amazon.com), the certificate path private/tenantId/amazon/mycompany/cert/mycompany-amazon.cer, and the Download PublicKey button next to it.]

Option: Download PublicKey
  Format: PEM (.cer)
  Purpose: Share with your trading partner so they can encrypt messages to you and verify your signatures

Which Download to Use?

For trading partners: Use "Download PublicKey" from the Partnership page - this is safe to share.

For yourself: Use "Complete KeyStore" from the Certificate list for backup or migration.

Adding Certificates

To add a certificate for a partnership:

[Screenshot: Create Cert page, with the AS2 Instance (mycompany) and Partner (amazon) selected, a file drop area ("Or drop a file") for the certificate upload, and a Save button.]

Option A: Auto-Generate Certificate

If you don't have an existing certificate, ServerlessAS2 will generate one for you:

  1. Select Partnership

    Choose the AS2 Instance and Partner for this certificate.

  2. Set Password and Private Key Alias

    Enter a password to protect the keystore. The privateKeyAlias field is auto-populated from your AS2 Instance's my_as2_alias value - this identifies your private key within the keystore.

  3. Upload Partner Certificate

    Upload your partner's public certificate (.cer/.crt/.pem format). The alias is auto-populated from the partner's configuration.

  4. Save

    Click Save. ServerlessAS2 will automatically generate a self-signed certificate for you.

Option B: Import Your Own Certificate

If you already have a PKCS#12 keystore (.p12/.pfx) containing your certificate and private key:

  1. Select Partnership

    Choose the AS2 Instance and Partner for this certificate.

  2. Enter Password

    Enter the password that was used to protect your P12/PFX file. This is required to unlock and read the imported keystore.

  3. Enter Private Key Alias

    Enter the alias of the private key entry inside your imported keystore. This must match the actual alias used when the P12 file was created. If you're unsure, use tools like keytool -list -keystore your.p12 -storetype PKCS12 to view the aliases.

  4. Import Your Certificate

    Click "Import Your Certificate" and upload your PKCS#12 (.p12/.pfx) file.

  5. Upload Partner Certificate

    Upload your partner's public certificate (.cer/.crt/.pem format).

  6. Save

    Click Save to store the certificates securely.

Field Reference

my_as2_id (required)
  Your AS2 Instance identifier. Select from your configured AS2 Instances.

partner_as2_id (required)
  The trading partner's AS2 identifier. Select from your configured Partners.

password (required)
  When auto-generating: the password that protects the new keystore. When importing: the password that unlocks your existing P12/PFX file. Cannot be changed after creation.

privateKeyAlias (required)
  When auto-generating: auto-populated from your AS2 Instance's my_as2_alias and used as the alias for the generated private key. When importing: must match the actual alias of the private key entry inside your imported P12 file. Used for signing outgoing messages and decrypting incoming messages. Cannot be changed after creation.

alias (optional)
  The alias for the partner's public certificate in the keystore. Auto-populated from the partner's configuration.

Understanding privateKeyAlias

Auto-generating: The privateKeyAlias is auto-populated from your AS2 Instance's my_as2_alias. This ensures consistency - your AS2 alias becomes your key alias in the keystore.

Importing: The privateKeyAlias must match the alias already used inside your P12 file. To find this, run: keytool -list -keystore your.p12 -storetype PKCS12
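The three downloads described under "Downloading Certificates", and the alias lookup this section needs for Option B, rebuilt with the openssl CLI as an added example. This is not code from the ServerlessAS2 documentation or product: it assumes openssl is on PATH, and the aliases (mycompany, amazon), the keystore password and the file names are constructed for the example. list_aliases prints the same alias names the page's keytool -list command would show, which is what goes into privateKeyAlias when importing an existing P12.

```shell
#!/bin/sh
# Added example, not part of the ServerlessAS2 documentation or product: the
# three downloadable artifacts (complete keystore, partner-only .p12, public
# key .cer) built and inspected with openssl. Aliases, password and file names
# are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
PASS="changeit-example"   # constructed keystore password (the one set at creation)
MY_ALIAS="mycompany"      # my_as2_alias, which becomes privateKeyAlias
PARTNER_ALIAS="amazon"    # alias for the partner's public certificate

# Option A stand-in: a self-signed key pair, as the auto-generate path would create.
gen_self_signed() {  # $1 = name -> $WORK/$1.key (private key) and $WORK/$1.cer (PEM cert)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1/O=constructed example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# "Complete KeyStore (.p12)": private key + own cert under privateKeyAlias,
# partner cert under the partner alias, all protected by $PASS.
build_complete_keystore() {  # -> $WORK/complete.p12
  openssl pkcs12 -export \
    -inkey "$WORK/$MY_ALIAS.key" -in "$WORK/$MY_ALIAS.cer" -name "$MY_ALIAS" \
    -certfile "$WORK/$PARTNER_ALIAS.cer" -caname "$PARTNER_ALIAS" \
    -passout "pass:$PASS" -out "$WORK/complete.p12"
}

# "Partner Certificate (.p12)": cert-only keystore, no private key inside.
# With -nokeys the cert is stored as an extra cert, so its alias comes from -caname.
export_partner_p12() {  # -> $WORK/partner.p12
  openssl pkcs12 -export -nokeys -in "$WORK/$PARTNER_ALIAS.cer" -caname "$PARTNER_ALIAS" \
    -passout "pass:$PASS" -out "$WORK/partner.p12"
}

# "Download PublicKey": only the certificate bound to your private key, as PEM.
# This is the file that is safe to hand to a trading partner.
export_public_key() {  # -> $WORK/mycompany-amazon.cer
  openssl pkcs12 -in "$WORK/complete.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$WORK/$MY_ALIAS-$PARTNER_ALIAS.cer"
}

# Aliases inside a keystore, one per line, sorted. Same information as
#   keytool -list -keystore complete.p12 -storetype PKCS12
# which is what you need for privateKeyAlias when importing an existing P12.
# (-nodes writes the key in plaintext to the pipe; it is consumed by sed only.)
list_aliases() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes -info 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | sort -u
}

# How many private keys a keystore holds: 1 for the complete keystore,
# 0 for the partner export, which is why only the latter may be shared.
count_private_keys() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY' || true
}

gen_self_signed "$MY_ALIAS"
gen_self_signed "$PARTNER_ALIAS"   # stands in for the partner .cer you would upload
build_complete_keystore
export_partner_p12
export_public_key
echo "aliases in complete.p12:"; list_aliases "$WORK/complete.p12"
echo "private keys in complete.p12: $(count_private_keys "$WORK/complete.p12")"
echo "private keys in partner.p12:  $(count_private_keys "$WORK/partner.p12")"
echo "public key for the partner:   $WORK/$MY_ALIAS-$PARTNER_ALIAS.cer"
```

The two private-key counts are the practical difference between the two .p12 downloads: the complete keystore carries your signing and decryption key and must stay with you, while the partner export and the PEM .cer contain public material only.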

Certificate Formats

PKCS#12 (.p12, .pfx)
  Your certificate with private key (password protected)

X.509 DER (.cer, .crt)
  Partner's public certificate (binary)

X.509 PEM (.pem, .crt)
  Partner's public certificate (base64)

Certificate Expiration

Certificates expire! Monitor expiration dates and coordinate with trading partners to exchange new certificates before expiry. Publicly trusted CA-issued certificate lifetimes are shrinking to 47 days by 2029, so rotations will become far more frequent.

Partner Certificate Rotation

When your trading partner rotates their certificate (due to expiration, security policy, or key compromise), you need to update their public certificate in your system.

When to Rotate

  • Partner notification - Partner sends you a new certificate before their current one expires
  • Certificate expiration - Partner's certificate is approaching or has passed its expiry date
  • Security incident - Partner's private key was compromised and they issued a new certificate
  • Signature verification failures - Incoming messages fail signature verification (may indicate partner started using a new certificate)

Rotation Steps

  1. Obtain the New Certificate

    Get the new public certificate from your trading partner. They should provide it in .cer, .crt, or .pem format. Confirm its fingerprint with the partner over a separate channel before installing it.

  2. Go to Certificate List

    Navigate to the Certificate tab and find the certificate entry for the partnership.

  3. Edit the Certificate

    Click on the certificate entry to edit it.

  4. Upload New Partner Certificate

    In the certificate section, upload the new partner certificate file. This replaces the old partner public key while keeping your private key intact.

  5. Save and Test

    Save the changes and send a test message to verify the new certificate works correctly.

Your Certificate Stays the Same

Partner certificate rotation only updates the partner's public key. Your private key and certificate remain unchanged. If you need to rotate your own certificate, you'll need to generate a new one and share the public key with your partner.
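The rotation above, carried out with the openssl CLI against a constructed keystore, as an added example that is not part of the ServerlessAS2 documentation or product. It also covers two earlier sections: the DER/PEM handling from "Certificate Formats" (to_pem) and the expiry window check from "Certificate Expiration" (valid_for_days). It assumes openssl is on PATH; the aliases, password, validity periods and file names are constructed, and the partner's "stated" fingerprint is simulated by computing it from the constructed certificate.

```shell
#!/bin/sh
# Added example, not part of the ServerlessAS2 documentation or product:
# partner certificate rotation with openssl, keeping our own private key and
# certificate while replacing only the partner's public certificate. Aliases,
# password, validity periods and file names are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
PASS="changeit-example"
MY_ALIAS="mycompany"
PARTNER_ALIAS="amazon"

gen_cert() {  # $1 = name, $2 = validity in days -> $WORK/$1.key and $WORK/$1.cer (PEM)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=$1/O=constructed example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# Certificate Formats: a partner's .cer/.crt may be DER (binary) or PEM (base64).
# Normalise to PEM before doing anything else with it.
to_pem() {  # $1 = input cert (DER or PEM), $2 = output PEM path
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    openssl x509 -in "$1" -inform PEM -out "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2"
  fi
}

sha256_fingerprint() {  # $1 = PEM cert -> colon-separated SHA-256 fingerprint
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Certificate Expiration: succeeds if the cert is still valid $2 days from now,
# fails if it expires inside that window (or has already expired).
valid_for_days() {  # $1 = PEM cert, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

build_keystore() {  # $1 = own key, $2 = own cert, $3 = partner PEM cert, $4 = output .p12
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$MY_ALIAS" \
    -certfile "$3" -caname "$PARTNER_ALIAS" -passout "pass:$PASS" -out "$4"
}

# Certificate bound to the private key (-clcerts) or the partner's (-cacerts).
own_cert_fingerprint() {      # $1 = .p12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
partner_cert_fingerprint() {  # $1 = .p12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Rotation steps 3-4: pull our key and cert out of the current keystore and
# re-export them with the new partner certificate. The private key is
# identical before and after; only the partner entry changes.
rotate_partner_cert() {  # $1 = current .p12, $2 = new partner PEM cert, $3 = output .p12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$WORK/rotate.key"
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$WORK/rotate.cer"
  build_keystore "$WORK/rotate.key" "$WORK/rotate.cer" "$2" "$3"
  rm -f "$WORK/rotate.key"   # the plaintext key copy is only needed during re-export
}

# --- constructed scenario: the partner's current cert expires in 10 days -----
gen_cert "$MY_ALIAS" 365
gen_cert "$PARTNER_ALIAS" 10
build_keystore "$WORK/$MY_ALIAS.key" "$WORK/$MY_ALIAS.cer" "$WORK/$PARTNER_ALIAS.cer" "$WORK/current.p12"

# Step 1: the partner sends a new cert, here as DER, and states its SHA-256
# fingerprint out of band (simulated by computing it from the constructed cert).
gen_cert "$PARTNER_ALIAS-new" 365
openssl x509 -in "$WORK/$PARTNER_ALIAS-new.cer" -outform DER -out "$WORK/new-partner.der"
STATED_FP=$(sha256_fingerprint "$WORK/$PARTNER_ALIAS-new.cer")

to_pem "$WORK/new-partner.der" "$WORK/new-partner.pem"
[ "$(sha256_fingerprint "$WORK/new-partner.pem")" = "$STATED_FP" ] \
  || { echo "fingerprint mismatch: do not install"; exit 1; }

if valid_for_days "$WORK/$PARTNER_ALIAS.cer" 14; then
  echo "current partner cert still valid for 14 days; rotation can wait"
else
  echo "current partner cert expires within 14 days; rotating now"
fi
rotate_partner_cert "$WORK/current.p12" "$WORK/new-partner.pem" "$WORK/rotated.p12"

# Step 5 check: our cert unchanged, partner cert replaced.
echo "own cert before:     $(own_cert_fingerprint "$WORK/current.p12")"
echo "own cert after:      $(own_cert_fingerprint "$WORK/rotated.p12")"
echo "partner cert before: $(partner_cert_fingerprint "$WORK/current.p12")"
echo "partner cert after:  $(partner_cert_fingerprint "$WORK/rotated.p12")"
```

Comparing the two fingerprint pairs after the re-export is the cheapest form of the "Save and Test" step: the own-certificate fingerprint must be identical before and after, and the partner fingerprint must match what the partner told you, not merely differ from the old one.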

Best Practices

  • Plan ahead - Request new certificates from partners at least 2 weeks before expiration
  • Test in staging - If possible, test the new certificate in a non-production environment first
  • Coordinate timing - Agree on a switchover time with your partner to minimize disruption
  • Keep backups - Download your complete keystore before making changes
  • Monitor after rotation - Watch message tracking for any signature or encryption errors after the switch