rollover checklist
Zero-downtime AS2 certificate cutover
Work top to bottom. The order matters more than the crypto — most outages come from removing the old certificate before every partner has confirmed the new one.
Before you start (60+ days out)
- Inventory every AS2 certificate — signing, encryption and endpoint TLS — and its expiry date.
- List every trading partner affected by each certificate, with a current contact.
- Confirm the role and expiry of the certificate you're replacing (paste it into the inspector).
Issue and stage
- Issue the replacement certificate with the same key usage as the one it replaces.
- Keep the private key on your own AS2 system — it never leaves it.
- Add the new certificate alongside the old one so both are accepted during the overlap.
- Record the new certificate's SHA-256 fingerprint to share with partners.
Notify partners
- Send each partner the new public certificate and its fingerprint.
- State a target cutover date and the overlap window.
- Track status per partner: sent → imported → confirmed. "Sent" is not "done."
Cut over
- Switch sending to the new certificate once partners confirm import.
- Send a test message to each partner and confirm a positive MDN.
- Verify both directions — inbound and outbound — for signing and encryption.
Clean up
- Remove the old certificate only after every partner is confirmed.
- Record the completed rollover: date, fingerprints, and who acknowledged, for your audit trail.
- Set a reminder well before the new certificate's own expiry.
The two lines that cause outages: "track status per partner" and "remove the old certificate only after every partner is confirmed." Coordinating that across dozens of partners is exactly what CertCutover is being built for.
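A small tracker for those two lines, as an added example and not CertCutover's own code: partner status only moves forward through sent → imported → confirmed, the old certificate cannot be removed while any partner is unconfirmed, and the fingerprint and 60-day lead-time checks from the earlier sections are included. Partner names, dates and PEM blobs are constructed for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Partner status only moves forward; "sent" is not "done".
STATES = ("sent", "imported", "confirmed")


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 over the DER bytes: the value partners compare on import."""
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.strip().startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def due_for_rollover(inventory: dict, today: str, lead_days: int = 60) -> list:
    """Names of certificates (name -> ISO expiry) inside the lead window, soonest first."""
    cutoff = date.fromisoformat(today) + timedelta(days=lead_days)
    due = [(date.fromisoformat(exp), name) for name, exp in inventory.items()
           if date.fromisoformat(exp) <= cutoff]
    return [name for _, name in sorted(due)]


@dataclass
class Rollover:
    """Tracks one certificate's replacement across every partner that uses it."""
    old_fingerprint: str
    new_fingerprint: str
    partners: dict = field(default_factory=dict)  # partner -> current state

    def notify(self, partner: str) -> None:
        """Record that the new certificate and fingerprint were sent to a partner."""
        self.partners[partner] = "sent"

    def advance(self, partner: str, state: str) -> None:
        """Move a partner one step forward; skipping a step is rejected."""
        current = STATES.index(self.partners[partner])
        if STATES.index(state) != current + 1:
            raise ValueError(f"{partner}: cannot go from {STATES[current]} to {state}")
        self.partners[partner] = state

    def pending(self) -> list:
        """Partners still blocking cleanup, i.e. anyone not yet confirmed."""
        return sorted(p for p, s in self.partners.items() if s != "confirmed")

    def can_remove_old(self) -> bool:
        """The cleanup gate: the old certificate stays until every partner has confirmed."""
        return bool(self.partners) and not self.pending()
```

Wire `can_remove_old()` into whatever step actually deletes the old certificate, so the cleanup cannot run early by hand.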