CertCutover


AS2 certificate expired in AWS Transfer Family

Your AS2 traffic through AWS Transfer Family stopped moving. Here's what actually broke, how to recover in the right order, and how to confirm which certificate lapsed in seconds.

What broke

AWS Transfer Family keeps AS2 signing and encryption certificates in its own certificate store (imported through the Transfer Family API, not through AWS Certificate Manager) and references them from the local and partner profiles that an agreement ties together. Once a certificate's notAfter passes, every message that depends on it fails: outbound messages can no longer be signed or encrypted with it, inbound messages from the partner fail signature verification or decryption, and the failures show up in the server's CloudWatch logs. The certificate itself is standard X.509. AWS Transfer Family is just where it is stored and referenced, so the failure and the fix are the same shape regardless of platform.

Not sure which certificate expired? Paste the public certificate into the inspector — it shows the role (signing / encryption / TLS), the exact expiry date, and the fingerprint, entirely in your browser. Nothing is uploaded.

Recover in the right order

  1. Identify the expired certificate and its role in AWS Transfer Family (signing, encryption or TLS), and whether it is yours or the partner's. Confirm subject, fingerprint and notAfter so you replace the correct one.
  2. Issue the replacement with the same key usage and import it into AWS Transfer Family next to the old one rather than in its place, so both stay usable during the overlap. The private key is imported once and shared with nobody; only the public certificate leaves. (If the partner's certificate lapsed, the roles invert: they issue it, and you import the public half into their partner profile.)
  3. Send the new public certificate to every affected partner with its fingerprint, so they can confirm they imported the right file.
  4. Have each partner import and activate it. This is the slow, human step across different portals and contacts.
  5. Send a test message and confirm a positive MDN before calling it resolved.

We don't publish click-by-click menu paths for AWS Transfer Family here: console layouts change, and a wrong path costs you time mid-incident. The recovery order above is what matters; check AWS Transfer Family's own docs for exactly where its certificate store lives.
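The five steps above, plus the inventory check that "Prevent the next one" asks for, as shell functions. This is an added example, not code from this guide, from CertCutover or from AWS. The cert_* helpers inspect a PEM certificate with openssl (1.1.1 or newer) and run entirely offline, which is the same role / expiry / fingerprint check the inspector performs; the transfer_* helpers wrap the AWS CLI v2 `aws transfer` commands that list, fetch, import and attach certificates, and the profile ID, description and file paths they take are placeholders you supply. The test certificates generated at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example for this guide (not CertCutover's or AWS's code).
# cert_*     : offline inspection of a PEM certificate with openssl >= 1.1.1
# transfer_* : AWS CLI v2 calls; need transfer:* permissions and real IDs
# Every profile ID, description and path passed to these is a placeholder.

# Role as an AS2 peer sees it, read from the X509v3 extensions rather than
# from the file name or the description stored in AWS:
#   digitalSignature -> signing, keyEncipherment -> encryption,
#   serverAuth EKU   -> tls (checked first, since TLS certs also sign)
cert_role() {  # $1 = certificate file (PEM)
    txt=$(openssl x509 -in "$1" -noout -text)
    eku=$(printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | tail -n 1)
    ku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case "$eku" in *"TLS Web Server"*) echo tls; return 0 ;; esac
    case "$ku" in
        *"Digital Signature"*"Key Encipherment"*) echo signing+encryption ;;
        *"Digital Signature"*)                    echo signing ;;
        *"Key Encipherment"*)                     echo encryption ;;
        *)                                        echo unknown ;;
    esac
}

cert_not_after()   { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Exit 0 when the certificate is already expired or expires within $2 days.
# Run this over every certificate in the inventory; 30 days is a sane floor
# given how long partners take to import (step 4).
cert_expires_within() {  # $1 = certificate file, $2 = days
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Step 3, partner side: compare the fingerprint you sent with the file they
# imported, tolerating case and colon differences between tools.
cert_matches_fingerprint() {  # $1 = certificate file, $2 = expected SHA-256 fingerprint
    a=$(cert_fingerprint "$1" | tr -d ':' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

# Step 2: a fresh key pair and self-signed certificate carrying exactly the
# key usage the role needs. Use your CA instead if the agreement requires one.
make_selfsigned() {  # $1 = output prefix, $2 = CN, $3 = days, $4 = keyUsage list
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -days "$3" -subj "/CN=$2" -addext "keyUsage=critical,$4" 2>/dev/null
}

# Step 1: every certificate Transfer Family holds, with usage, status and
# expiry, to match against the failures in CloudWatch.
transfer_list_expiry() {
    for id in $(aws transfer list-certificates \
                    --query 'Certificates[].CertificateId' --output text); do
        aws transfer describe-certificate --certificate-id "$id" \
            --query 'Certificate.[CertificateId,Usage,Status,NotAfterDate]' \
            --output text
    done
}

# Pull the public certificate back out of Transfer Family so cert_role and
# cert_fingerprint run on exactly what AWS has, not on a stray local copy.
transfer_fetch_cert() {  # $1 = certificate ID, $2 = output PEM path
    aws transfer describe-certificate --certificate-id "$1" \
        --query 'Certificate.Certificate' --output text > "$2"
}

# Step 2: import the replacement with the same usage as the one it replaces;
# prints the new certificate ID. For a partner's renewed certificate, omit
# --private-key and attach the ID to the partner profile instead.
transfer_import() {  # $1 = cert.pem, $2 = key.pem, $3 = SIGNING|ENCRYPTION, $4 = description
    aws transfer import-certificate --usage "$3" \
        --certificate "file://$1" --private-key "file://$2" \
        --description "$4" --query CertificateId --output text
}

# Keep old and new IDs on the profile through the overlap window; drop the old
# one only after every partner has confirmed a positive MDN (step 5).
transfer_attach() {  # $1 = profile ID, remaining args = certificate IDs to keep
    p=$1; shift
    aws transfer update-profile --profile-id "$p" --certificate-ids "$@"
}
```

Typical use during an incident: `transfer_list_expiry` to spot the lapsed ID, `transfer_fetch_cert` plus `cert_role` and `cert_fingerprint` to confirm it is the one in the partner's complaint, `make_selfsigned` and `transfer_import` for the replacement, `transfer_attach` with both IDs, then `cert_matches_fingerprint` on the partner's side before the test message.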

Prevent the next one

Expiries surprise teams because no single place tracks every certificate across every partner, and because a rollover has to start weeks early to give partners time to import. Two habits fix that: keep one inventory of every AS2 certificate's expiry, and roll over during an overlap window so no partner is forced to cut over on the exact expiry day. The rollover checklist walks through it.