
AS2 Certificates

AS2 uses X.509 certificates for two distinct purposes.

One certificate secures the HTTPS (TLS) connection to your AS2 endpoint. The other encrypts and signs the AS2 message, or payload, exchanged with your trading partner.

The same certificate can serve both purposes, but this isn't recommended. Partner certificates tend to be long lived, while HTTPS endpoint certificates are renewed much more frequently, and tying the two together means every endpoint renewal forces a new certificate exchange with every trading partner.

AS2 HTTPS Endpoint Certificate

AS2 runs over HTTP: your AS2 endpoint listens for incoming AS2 transmissions from your trading partners.

Just like any other web server, this endpoint is protected by TLS (the successor to SSL; the older name is still widely used) on its HTTPS port.

An X.509 certificate is required to enable TLS for your AS2 endpoint. Files.com uses the same SSL Certificate for your AS2 endpoint as for your Files.com site.

By default, Files.com generates, manages, and rotates your SSL Certificate automatically. Your site, including AS2, always uses a valid and chained SSL Certificate that is renewed every 90 days.

You can choose to use your own SSL certificate for your Files.com site, and this also applies to your AS2 endpoint.

The expiration date of the certificate in use for your AS2 endpoint is shown on the AS2 page, so you can confirm the certificate is currently valid.

All transmissions to your AS2 endpoint, from any trading partner, are TLS encrypted using this certificate. Transmissions that you make to a trading partner's AS2 endpoint are encrypted using their AS2 HTTPS certificate. When configuring trading partners, we provide an option to specify the security level required of the trading partner's endpoint certificate. This allows less secure certificates, such as self-signed ones, to be accepted when connecting to that trading partner. Lower the level only when the partner can't provide a verifiable certificate: without chain validation, TLS no longer proves that you are talking to the partner's real endpoint. The encrypted and signed AS2 payload still protects the message itself.

AS2 HTTPS endpoint certificates, like any other TLS server certificate, tend to be short lived and updated frequently. Publicly trusted certificates were once commonly issued for 2 or 3 years, but browsers and certificate authorities now cap them at roughly one year, with further reductions planned, and automated 90-day renewal is common.

AS2 Partner Certificate

AS2 messages are normally encrypted, so that only you, the intended recipient, can decrypt and read them. They are also normally digitally signed, which lets you verify that the sender (your trading partner) really is who they claim to be and that the message wasn't altered in transit.

The two properties are distinct. Encryption provides confidentiality: only the holder of the recipient's private key can decrypt the message. Signing provides authenticity and non-repudiation of origin: a valid signature could only have been produced with the sender's private key, so the sender can't later deny having sent the message. (AS2 adds non-repudiation of receipt through the signed MDN the recipient returns.)

Each trading partnership involves two X.509 certificates for encrypting and signing AS2 messages: your own, for which you hold the private key, and your trading partner's, of which you hold only the public certificate.

A certificate is the public part: it contains the public key and the identity it's bound to. The matching private key is a separate secret that never leaves its owner. Trading partners exchange only their public certificates with each other.

The sender signs the AS2 message with the sender's own private key and encrypts it using the recipient's public certificate. In AS2 the message is typically signed first and the signed message is then encrypted, so the signature is only visible after decryption.

The recipient decrypts the AS2 message with their own private key, and then verifies the signature using the sender's public certificate. If either step fails, the message should be rejected rather than processed.

The expiration date of your AS2 partner certificate is shown next to your AS2 Identity on the AS2 page. Each of your AS2 Identities may have its own certificate or a certificate may be shared with multiple AS2 Identities.

The expiration date of your trading partner's AS2 partner certificate is shown next to their entry in the AS2 Trading Partners table on the AS2 page. Our site alert email feature does not trigger for expiring partner AS2 certificates and does not include information about them. Review the AS2 Trading Partners table periodically to look for any upcoming expiration dates.

Partner certificates tend to be long lived because replacing one requires the new public certificate to be exchanged and installed on both sides, and a mismatch interrupts transmissions until it's corrected. It's common to have partner certificates that are valid for 5 years or longer. Ultimately the duration of partner certificates is agreed upon between you and your trading partner.
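The following Python is an added example, not Files.com code. It models the partner certificate exchange described above (sign with the sender's private key, encrypt for the recipient's public certificate, then decrypt with the recipient's private key and verify with the sender's certificate) and the periodic expiry review that the site alert email does not cover. The AS2 identity names, the EDI payload and the validity periods are constructed for the demo. It uses raw primitives from the `cryptography` library; real AS2 wraps the payload in S/MIME (CMS SignedData inside EnvelopedData), so this reproduces the same key usage but is not wire-compatible with an AS2 server.

```python
# Added example (not Files.com code): AS2-style sign/encrypt/decrypt/verify
# with X.509 certificates, plus an expiry review. Not wire-compatible with AS2.
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.x509.oid import NameOID

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


@dataclass
class Identity:
    """One AS2 party: the shareable certificate and the private key that never leaves it."""
    name: str
    cert: x509.Certificate
    key: rsa.RSAPrivateKey


def make_identity(name: str, valid_days: int) -> Identity:
    """Self-signed certificate for a hypothetical AS2 ID (demo stand-in for a real one)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=valid_days))
        .sign(key, hashes.SHA256())
    )
    return Identity(name, cert, key)


def sign_and_encrypt(sender: Identity, recipient_cert: x509.Certificate, payload: bytes) -> dict:
    """Sender side. Sign first, then encrypt, so the signature travels inside the envelope."""
    signature = sender.key.sign(payload, padding.PKCS1v15(), hashes.SHA256())
    signed = len(signature).to_bytes(2, "big") + signature + payload
    # Fresh content-encryption key per message; only the CEK is RSA-wrapped for the
    # recipient, which mirrors how CMS EnvelopedData is structured.
    cek, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    return {
        "wrapped_cek": recipient_cert.public_key().encrypt(cek, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(cek).encrypt(nonce, signed, None),
    }


def decrypt_and_verify(recipient: Identity, sender_cert: x509.Certificate, msg: dict) -> bytes:
    """Recipient side. Raises on tampering, on a wrong recipient key, or on a wrong sender."""
    cek = recipient.key.decrypt(msg["wrapped_cek"], OAEP)
    signed = AESGCM(cek).decrypt(msg["nonce"], msg["ciphertext"], None)
    sig_len = int.from_bytes(signed[:2], "big")
    signature, payload = signed[2:2 + sig_len], signed[2 + sig_len:]
    sender_cert.public_key().verify(signature, payload, padding.PKCS1v15(), hashes.SHA256())
    return payload


def receive(recipient: Identity, sender_cert: x509.Certificate, msg: dict) -> Optional[bytes]:
    """Returns the payload if it decrypts and verifies, otherwise None (reject the message)."""
    try:
        return decrypt_and_verify(recipient, sender_cert, msg)
    except (ValueError, InvalidTag, InvalidSignature):
        return None


def not_after_utc(cert: x509.Certificate) -> datetime:
    """Expiry as an aware datetime on both older and newer `cryptography` releases."""
    utc = getattr(cert, "not_valid_after_utc", None)
    return utc if utc is not None else cert.not_valid_after.replace(tzinfo=timezone.utc)


def expiring_soon(certs: dict, within_days: int, now: Optional[datetime] = None) -> list:
    """Labels of certificates that expire within `within_days` (or already have), sorted.
    No alert email covers partner AS2 certificates, so run this review on a schedule."""
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=within_days)
    return sorted(label for label, cert in certs.items() if not_after_utc(cert) <= cutoff)


if __name__ == "__main__":
    me = make_identity("my-as2-id", valid_days=5 * 365)          # hypothetical AS2 IDs
    partner = make_identity("partner-as2-id", valid_days=5 * 365)
    edi = b"ISA*00*constructed sample EDI payload*~"               # constructed, not real data
    msg = sign_and_encrypt(partner, me.cert, edi)               # partner sends to me
    print("payload ok:", receive(me, partner.cert, msg) == edi)
    impostor = make_identity("partner-as2-id", valid_days=30)   # same name, different key
    print("impostor rejected:", receive(me, impostor.cert, msg) is None)
    print("review within 90 days:", expiring_soon({"partner": partner.cert, "impostor": impostor.cert}, 90))
```

Run directly to see a successful round trip, a message rejected because the signature doesn't match the certificate on file for the partner, and the expiry review flagging the short-lived certificate. The impostor case is the reason the sender's certificate, not the name inside the message, decides who a message is from.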

Downloading Public Certificates

When generating your certificates, you have the option to download and save them.

The private key that goes with a certificate must be protected and never shared. Public certificates can be freely shared, and are what you send to trading partners.

You can re-download the public certificates of your AS2 Identities, and the public certificates of your AS2 trading partners, from your site's AS2 configuration settings.