CertCutover

guide · troubleshooting

AS2 "decryption failed" or certificate mismatch

Almost always, one side is using a different certificate than the other expects. Here's how to find which side, and confirm both hold the right one.

What the error means

In AS2, the sender encrypts each message to the recipient's public encryption certificate. If the recipient tries to decrypt with a private key that doesn't match — because the sender used an old, wrong, or expired certificate — you get a decryption failure. The message arrives; it just can't be opened.

Common causes

Confirm both sides match

  1. Get the fingerprint of the certificate you published. Paste it into the inspector and note the SHA-256.
  2. Ask the partner for the fingerprint they imported. They can read it from their AS2 system, or paste the public certificate into the same inspector.
  3. Compare fingerprints. If they differ, the partner is holding the wrong or old certificate — resend the correct public certificate and have them re-import.
  4. Confirm the role. Make sure it's the encryption certificate in play, not the signing one.
  5. Send a test message and confirm a positive MDN.

Fingerprint comparison is the fastest way to end a "but I imported it" standoff. Two people, one number: if the SHA-256 doesn't match, the certificate doesn't match.
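Steps 1 to 4 in code, as an added example that is not part of the CertCutover inspector: it takes a public certificate as PEM or DER, computes the SHA-256 fingerprint over the DER bytes, compares two fingerprints however each side formatted them, and reads the keyUsage extension to tell an encryption certificate from a signing one. It assumes standard-library Python only; the sample bytes at the bottom are constructed for the demo and are not a real certificate.

```python
import base64
import hashlib
import re

# keyUsage bit names in RFC 5280 order (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER encoding of OID 2.5.29.15

def to_der(data: bytes) -> bytes:
    """Accept PEM or DER; the fingerprint is always taken over the DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def fingerprint_sha256(data: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated hex, as AS2 tools show it."""
    hexdigest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def fingerprints_match(a: str, b: str) -> bool:
    """Compare two pasted fingerprints ignoring colons, spaces and letter case."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return len(norm(a)) == 64 and norm(a) == norm(b)

def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_usage(data: bytes) -> list:
    """keyUsage bits set: keyEncipherment marks an encryption certificate, digitalSignature
    a signing one. Finds the extension by its OID instead of walking the whole certificate."""
    der = to_der(data)
    idx = der.find(KEY_USAGE_OID)
    if idx < 0:
        return []
    tag, value, end = _tlv(der, idx + len(KEY_USAGE_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, value, end = _tlv(der, end)
    _, bits, _ = _tlv(value, 0)  # OCTET STRING wrapping a BIT STRING
    body = bits[1:]  # bits[0] is the number of unused trailing bits
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(body) and body[i // 8] >> (7 - i % 8) & 1]

# Constructed stand-in, not a real X.509 certificate: just a critical keyUsage
# extension with keyEncipherment set, so the helpers can be exercised offline.
SAMPLE_DER = bytes.fromhex("300e0603551d0f0101ff040403020520")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n"
```

Run `fingerprint_sha256` on the certificate you published and on the one the partner sends back; if `fingerprints_match` is false, they are not holding the same certificate, and if `key_usage` lacks `keyEncipherment`, they imported the signing certificate instead.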

get the fingerprint

Paste the certificate to read its fingerprint and role
