Audience: EDI developers, B2B integration teams, AS2 administrators
Your trading partner has provided two separate AS2 certificates — one labeled for signing and one for encryption — and you need to know how to configure this connection in Orderful. This article explains Orderful's single-certificate approach and how to resolve dual-certificate scenarios.
What's Happening
Orderful uses a single certificate per trading partner for all AS2 functions — both encrypting outbound messages to your partner and verifying signatures on inbound messages from your partner. Your partner's system does the same with Orderful's certificate.
Some AS2 systems can be configured for dual-certificate mode, where signing and encryption operations use different certificates. However, this creates unnecessary complexity and potential failure points. The single-certificate approach covers 95% of AS2 connections and is the preferred standard.
When partners provide two certificates, it's usually because:
Their system defaults to dual-certificate mode — but can be reconfigured for single-certificate operation
Their documentation shows both options — and they sent both without clarifying which to use
They're migrating from an old system — one that required separate certificates because of technical limitations
How to Configure Your AS2 Connection
Step 1 — Request one certificate from your trading partner
Contact your trading partner's technical team and explain that Orderful requires a single certificate for both signing and encryption. Ask them to provide one certificate that handles both functions.
Most partners can accommodate this immediately. If they push back, explain that this is standard AS2 practice and reduces configuration complexity on both sides.
Step 2 — Confirm they can use single-certificate mode
Ask your trading partner to verify their AS2 system supports single-certificate operation for your connection. Modern AS2 systems (including Drummond-certified solutions) support this configuration even if they default to dual-certificate mode.
Step 3 — Send the certificate to Orderful Support
Email the certificate to [email protected] along with:
Your trading partner's AS2 ID (from their AS2 setup documentation)
Their AS2 URL and port (e.g., https://as2.partner.com:5080/as2)
The certificate file (usually a .cer, .crt, or .pem file)
Your Orderful account name or relationship ID
Important: If you receive two certificates, don't send both. Contact the trading partner first to clarify which single certificate to use, then send only that one to Orderful Support.
When AS2 Connections Fail Due to Certificate Mismatches
If your AS2 connection was working and suddenly starts failing, or if test transmissions fail immediately after setup, the issue is often certificate-related.
Common failure scenarios:
Your partner is still configured for dual certificates — Their system is signing messages with the "signing certificate" but Orderful only has the "encryption certificate" on file.
Certificates got mixed up during configuration — Orderful has Certificate A, but your partner's system is using Certificate B to sign outbound messages.
Your partner updated their certificates — without notifying you, so Orderful is still using the old certificate.
How to diagnose:
AS2 certificate mismatches typically produce errors like: Certificate validation failed, Unable to verify signature, Unknown certificate fingerprint, ...
If you see these errors, contact [email protected] immediately with both certificates (if you have them) so the team can identify which one your partner's system is actually using.
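The following added example, which is not Orderful's tooling, computes SHA-256 fingerprints of the certificate files you hold and reports which one matches a fingerprint quoted in partner documentation or in an error message. The function names and sample byte strings are assumptions made for illustration, as is the premise that the error text includes the fingerprint.

```python
import hashlib
import re
import ssl

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes for a certificate supplied as PEM (.pem/.crt) or DER (.cer)."""
    if PEM_MARKER in cert_bytes:
        return ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii").strip())
    return cert_bytes


def sha256_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 over the DER encoding, as 64 lowercase hex characters."""
    return hashlib.sha256(to_der(cert_bytes)).hexdigest()


def normalize(fingerprint: str) -> str:
    """Drop a 'label=' prefix, colons, spaces and case differences."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", fingerprint.split("=")[-1]).lower()
    if len(hex_only) != 64:
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return hex_only


def diagnose(on_file: bytes, reported: str, candidates: dict) -> tuple:
    """Classify a reported fingerprint against the certificate on file
    and the certificate files received from the partner."""
    wanted = normalize(reported)
    if sha256_fingerprint(on_file) == wanted:
        return ("match", [])  # the configured certificate is the one in use
    labels = [name for name, data in candidates.items()
              if sha256_fingerprint(data) == wanted]
    if labels:
        return ("mismatch", labels)  # partner uses a different file you hold
    return ("unknown", [])  # e.g. the partner rotated certificates


# Constructed stand-ins: arbitrary bytes, not real X.509 certificates. The
# fingerprint is a hash of the file's DER bytes, so real files behave the same.
SIGNING_DER = b"constructed-signing-certificate"
ENCRYPTION_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-encryption-certificate").encode()
```

A "mismatch" result names the file your partner's system is actually signing with; "unknown" means none of the files you hold is in use, which fits the case of a certificate updated without notice.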
Real-World Example
In a recent case, a logistics partner provided separate signing and encryption certificates during AS2 setup. Their initial test transmissions failed with signature verification errors because Orderful had been configured with the encryption certificate, but their system was signing outbound messages with the signing certificate.
The resolution was straightforward: the partner's AS2 administrator reconfigured their system to use the encryption certificate for both signing and encryption. All subsequent transmissions succeeded.
What to Send Orderful Support
For AS2 certificate configuration or troubleshooting, include:
Your AS2 ID (visible in your Orderful account AS2 settings)
Your trading partner's AS2 ID and AS2 URL
The single certificate file you received from your partner
Any error messages from failed AS2 transmissions (full text)
Whether this is a new setup or an existing connection that stopped working
Frequently Asked Questions
Our trading partner insists they must use separate certificates for compliance reasons. Are there any workarounds?
No workarounds exist within Orderful. However, "compliance" rarely requires dual certificates — it's usually a system default or internal policy that can be changed. Ask your partner to verify this requirement with their compliance team, as single-certificate AS2 is industry standard and meets all major compliance frameworks.
Does Orderful also use one certificate for both signing and encryption?
Yes. Orderful uses a single certificate for signing outbound messages to your partner and decrypting inbound messages from your partner. You can download Orderful's AS2 certificate from the onboarding form to share with trading partners.
The partner documentation shows two SHA256 fingerprints — which one do I use?
Two fingerprints indicate dual-certificate mode. Contact your partner's technical team to either provide one certificate for both purposes, or ask them to reconfigure their system for single-certificate mode. Don't guess which fingerprint to use.
Can I configure the dual certificates myself and avoid involving the trading partner?
No. Orderful's AS2 implementation requires one certificate per partner. The trading partner must provide a single certificate or reconfigure their system accordingly. This isn't a limitation — it's how AS2 works: both AS2 servers must configure the same set of certificates.
What if my partner says their old EDI provider supported dual certificates?
Some AS2 systems do support dual-certificate configurations, but it's not a requirement. Explain that Orderful uses the single-certificate approach (which is more common) and ask them to accommodate this for your connection. Most partners can make this change in their AS2 system settings.