Roll over an AS2 certificate without an outage
A certificate swap only stops traffic when it's rushed. Done with an overlap window and the right cutover order, no partner ever loses a message.
Run both certificates at once
For a stretch of time, your old and new certificates are both valid and both accepted. Partners import the new one whenever they can during that window — no one is forced to cut over on the exact expiry day.
Figure: timeline of the overlap window, the stretch during which partners migrate to the new certificate.
The sequence
- Issue the new certificate early — ideally 60+ days before the old one expires, so slow partners have room.
- Add the new certificate alongside the old one on your AS2 system, so both are accepted for inbound traffic during the overlap.
- Notify every affected partner with the new public certificate and its fingerprint, and a target cutover date.
- Track acknowledgement per partner. "Sent" is not "imported" — you need confirmation each partner activated the new certificate.
- Cut over sending to the new certificate once partners confirm.
- Remove the old certificate only after every partner is confirmed and a test message succeeds both ways.
The failure mode is almost never the crypto — it's losing track of which of 30 partners has actually imported the new certificate. That coordination is what CertCutover's workspace is being built to handle.
Direction matters
Signing and encryption are directional. Your signing certificate affects what partners accept from you; their encryption certificate affects what you send to them. Roll them independently and confirm both directions with a test exchange.
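The sequence above and the note on direction boil down to two gates: sending may cut over only when every partner has confirmed the new certificate, and the old certificate may be removed only when, in addition, a test message has succeeded in both directions with each partner. The tracker below is an added example, not CertCutover's code, and it assumes nothing about your AS2 software: it takes the DER bytes of the certificate you distributed, derives the SHA-256 fingerprint you put in the notification, and treats a partner as confirmed only when the fingerprint they report back matches it, so "imported the wrong file" shows up as pending rather than as done. The partner names and the byte strings standing in for certificates are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated uppercase
    (the form `openssl x509 -fingerprint -sha256` prints and partners tend to quote)."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Partners paste fingerprints with or without colons, spaces or lowercase;
    compare on the bare hex so a formatting difference never reads as a mismatch."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


@dataclass
class Partner:
    name: str
    notified: bool = False
    reported_fingerprint: Optional[str] = None  # what the partner says they imported
    inbound_test_ok: bool = False   # partner -> us: their message under the new cert accepted
    outbound_test_ok: bool = False  # us -> partner: our message under the new cert accepted

    def confirmed_for(self, expected: str) -> bool:
        """An acknowledgement only counts when the reported fingerprint matches ours."""
        return (self.reported_fingerprint is not None
                and normalize_fingerprint(self.reported_fingerprint)
                == normalize_fingerprint(expected))


@dataclass
class Rollover:
    new_cert_fingerprint: str
    old_cert_expires: date
    partners: Dict[str, Partner] = field(default_factory=dict)

    def add_partner(self, name: str) -> None:
        self.partners[name] = Partner(name)

    def record_notification(self, name: str) -> None:
        self.partners[name].notified = True

    def record_acknowledgement(self, name: str, reported_fingerprint: str) -> bool:
        """Store what the partner reported; return whether it matches the new certificate."""
        p = self.partners[name]
        p.reported_fingerprint = reported_fingerprint
        return p.confirmed_for(self.new_cert_fingerprint)

    def record_test(self, name: str, inbound_ok: bool, outbound_ok: bool) -> None:
        p = self.partners[name]
        p.inbound_test_ok = inbound_ok
        p.outbound_test_ok = outbound_ok

    def confirmed(self) -> List[str]:
        return sorted(n for n, p in self.partners.items()
                      if p.confirmed_for(self.new_cert_fingerprint))

    def pending(self) -> List[str]:
        """Partners not yet notified, notified but silent, or acknowledged with the wrong fingerprint."""
        return sorted(n for n, p in self.partners.items()
                      if not p.confirmed_for(self.new_cert_fingerprint))

    def can_cut_over_sending(self) -> bool:
        """Gate 1: every partner has confirmed the new certificate by fingerprint."""
        return bool(self.partners) and not self.pending()

    def can_remove_old_cert(self) -> bool:
        """Gate 2: gate 1 plus a successful test message in both directions with everyone."""
        return self.can_cut_over_sending() and all(
            p.inbound_test_ok and p.outbound_test_ok for p in self.partners.values())

    def overlap_days_left(self, today: date) -> int:
        """Days until the old certificate expires, i.e. how much overlap window remains."""
        return (self.old_cert_expires - today).days


def run_example() -> Rollover:
    """Constructed scenario: two partners, one of which first reports the wrong fingerprint."""
    new_fp = fingerprint_sha256(b"constructed-new-cert-der-placeholder")   # not a real certificate
    old_fp = fingerprint_sha256(b"constructed-old-cert-der-placeholder")   # not a real certificate
    r = Rollover(new_cert_fingerprint=new_fp, old_cert_expires=date(2025, 6, 30))
    for name in ("acme", "globex"):
        r.add_partner(name)
        r.record_notification(name)
    r.record_acknowledgement("acme", new_fp.replace(":", "").lower())  # same cert, different formatting
    r.record_acknowledgement("globex", old_fp)                          # imported the old one again
    return r
```

The scenario in run_example leaves "globex" in pending() even though they replied, which is exactly the "sent is not imported" distinction the sequence warns about; in practice the DER bytes come from the certificate file you actually mailed out, and the test message results are recorded per direction so a partner who can receive from you but whose own messages still fail signature verification does not clear the removal gate.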
Ready to work through it step by step? Use the rollover checklist.