CertCutover


Your AS2 certificate expired

Here's exactly what stopped working, how to get traffic flowing again fast, and how to make sure the next expiry never surprises you.

What actually breaks

An AS2 relationship usually involves three kinds of certificate. Which one expired decides what you're seeing:

In every case the visible symptom is the same: documents stop moving, and it's usually a person — not a monitor — who notices.

Not sure which certificate lapsed, or when? Paste it into the inspector — it tells you the role, the exact expiry date and the fingerprint, entirely in your browser.

Recover in the right order

  1. Identify the expired certificate and its role. Confirm subject, fingerprint and notAfter so you replace the correct one.
  2. Issue the replacement with the same key usage. Keep the private key on your own AS2 system — it never needs to leave it.
  3. Send the new public certificate to every affected partner. Include the fingerprint so they can confirm they imported the right file.
  4. Have each partner import and activate it. This is the slow, human step — different portals, contacts and lead times.
  5. Send a test message and confirm a positive MDN before declaring it resolved.
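An added example, not part of the original guide: a shell helper for steps 1 and 3 that reads the subject, notAfter and SHA-256 fingerprint from a PEM or DER certificate using the openssl CLI, and flags a certificate that is expired or inside a warning window. The function names, the file name in the usage comment and the 45-day default window are assumptions.

```shell
#!/bin/sh
# Added example; requires the openssl CLI. Names and defaults are assumptions.

# Emit a certificate as PEM whether the input file is PEM or DER.
cert_to_pem() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    openssl x509 -in "$1" -outform PEM
  else
    openssl x509 -inform DER -in "$1" -outform PEM
  fi
}

# cert_fingerprint FILE: SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
  cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_status FILE [WARN_DAYS]: prints EXPIRED, EXPIRING or OK.
# WARN_DAYS (assumed default 45) is the lead time partners need to import.
cert_status() {
  warn_secs=$(( ${2:-45} * 86400 ))
  pem=$(cert_to_pem "$1") || return 2
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$warn_secs" >/dev/null; then
    echo EXPIRING
  else
    echo OK
  fi
}

# cert_report FILE [WARN_DAYS]: the fields to confirm before replacing a
# certificate and to quote when sending the new one to partners.
cert_report() {
  pem=$(cert_to_pem "$1") || return 2
  printf '%s\n' "$pem" | openssl x509 -noout -subject -serial -enddate
  # Key usage, if present (the -ext option needs OpenSSL 1.1.1 or later).
  printf '%s\n' "$pem" | openssl x509 -noout -ext keyUsage 2>/dev/null || true
  echo "sha256 fingerprint: $(cert_fingerprint "$1")"
  echo "status: $(cert_status "$1" "${2:-45}")"
}

# Run as: sh cert_report.sh partner-cert.cer 45   (hypothetical file name)
if [ "$#" -gt 0 ]; then cert_report "$@"; fi
```

Only the public certificate is read; the private key is never touched, so the same check can be run on the copy a partner sends back to confirm the fingerprint matches.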

Why it happened — and how to prevent the next one

Expiries are rarely a surprise in principle; the date is printed on the certificate. They surprise people because no single place tracks every certificate across every partner, and because the rollover has to start weeks early to give partners time to import the new certificate.

Two habits prevent almost every recurrence:
