AS2 "decryption failed" or certificate mismatch
Almost always, one side is using a different certificate than the other expects. Here's how to find which side, and confirm both hold the right one.
What the error means
In AS2, the sender encrypts each message to the recipient's public encryption certificate. If the recipient tries to decrypt with a private key that doesn't match — because the sender used an old, wrong, or expired certificate — you get a decryption failure. The message arrives; it just can't be opened.
Common causes
- Stale certificate after a rollover. You issued a new encryption certificate, but the partner is still encrypting to the old one.
- Wrong certificate imported. The partner imported a signing certificate where an encryption certificate was needed, or a certificate from a different environment.
- Expired certificate. The certificate lapsed and the AS2 system rejected it before decryption. Check the expired-certificate guide.
- Fingerprint drift. Both sides think they have the same certificate, but the fingerprints differ.
Confirm both sides match
- Get the fingerprint of the certificate you published. Paste it into the inspector and note the SHA-256.
- Ask the partner for the fingerprint they imported. They can read it from their AS2 system, or paste the public certificate into the same inspector.
- Compare fingerprints. If they differ, the partner is holding the wrong or old certificate — resend the correct public certificate and have them re-import.
- Confirm the role. Make sure it's the encryption certificate in play, not the signing one.
- Send a test message and confirm a positive MDN.
Fingerprint comparison is the fastest way to end a "but I imported it" standoff. Two people, one number: if the SHA-256 doesn't match, the certificate doesn't match.
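A command-line stand-in for the inspector used in the steps above, added here as an example and not part of the original guide. It assumes the openssl CLI (1.1.1 or newer for the -addext option used in the demo) and generates its own constructed, self-signed test certificates; the function and file names are this example's, not the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide: a command-line stand-in for the
# fingerprint inspector. Assumes the openssl CLI (1.1.1+ for -addext in the demo).
# The certificates produced by make_demo_certs are constructed, self-signed test certs.

# Detect PEM vs DER so both encodings of the same certificate hash to the same value.
cert_inform() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# SHA-256 over the DER encoding, printed as upper-case hex with no separators.
fingerprint() {
  openssl x509 -inform "$(cert_inform "$1")" -in "$1" -outform DER \
    | openssl dgst -sha256 | awk '{print toupper($NF)}'
}

# Read the key usage extension: an AS2 encryption certificate carries Key Encipherment
# (a certificate marked for both usages counts as encryption-capable here).
cert_role() {
  usage=$(openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -text \
    | sed -n '/X509v3 Key Usage/{n;p;}')
  case "$usage" in
    *"Key Encipherment"*) echo encryption ;;
    *"Digital Signature"*) echo signing ;;
    *) echo unknown ;;
  esac
}

# The two-number check from the guide: the certificate we published vs the partner's copy.
compare_fingerprints() {
  if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then echo match; else echo mismatch; fi
}

# Constructed test material: one encryption cert, one signing cert, plus a DER copy.
make_demo_certs() {
  for role in keyEncipherment digitalSignature; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo $role" \
      -addext "keyUsage=critical,$role" -keyout "$1/$role.key" -out "$1/$role.pem" \
      >/dev/null 2>&1
  done
  openssl x509 -in "$1/keyEncipherment.pem" -outform DER -out "$1/keyEncipherment.der"
}

# Usage: sh as2_fingerprint.sh ours.pem partner-copy.pem
if [ $# -eq 2 ]; then
  for f in "$1" "$2"; do echo "$f  $(fingerprint "$f")  $(cert_role "$f")"; done
  compare_fingerprints "$1" "$2"
fi
```

Run it with your published certificate and the copy the partner exported: a "mismatch" line settles the standoff, and the role column catches a signing certificate imported where the encryption one belongs.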