AS2 Rollover Certificates
Requirements:
IPWorks EDI
Introduction
During the lifetime of your AS2 solution it is likely that your private certificate will expire and will need to be updated. Updating a certificate can require a lot of preparation to ensure that all of your partners are ready to switch over to your new public certificate on a given date. This article details how you can use your old and new certificates at the same time, so that partners have more time to update the public certificate they have on file for you.
Contents
Signing with multiple private keys
When using a rollover certificate, messages you send are signed with both your existing (old) and rollover (new) certificate. This means that your partner can have either of your certificates configured and the file will be processed normally. To configure a rollover certificate for signing, simply set the RolloverSigningCert property.
as2sender.SigningCert = new Certificate(CertStoreTypes.cstPFXFile, "C:\\old.pfx", "password", "*");         // existing (old) certificate
as2sender.RolloverSigningCert = new Certificate(CertStoreTypes.cstPFXFile, "C:\\new.pfx", "password", "*"); // rollover (new) certificate
That is all that is necessary. Your partner will then be able to verify the signature with either your old or new certificate.
Decrypting with multiple private keys
When using a rollover certificate, the encrypted messages you receive may have been encrypted with either the old or the new certificate, and you may not know which public certificate your partner used for a given message. When RolloverCertificate is set, the component selects the correct certificate for decryption without any special steps in your code.
as2receiver.Certificate = new Certificate(CertStoreTypes.cstPFXFile, "C:\\old.pfx", "password", "*");         // existing (old) certificate
as2receiver.RolloverCertificate = new Certificate(CertStoreTypes.cstPFXFile, "C:\\new.pfx", "password", "*"); // rollover (new) certificate
Now you can decrypt messages that were encrypted with either your old or new public certificate.
Conclusion
As you can see, this allows a more lenient approach to updating certificates within your application. You may choose to have a period during which your application accepts both the old and the new certificate, giving your partners more time to update their configurations.
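As an added example (not part of this article or of the IPWorks EDI library), the following Python function decides, for a given day, which certificate belongs in each of the four properties above, using the same old/new ordering the article uses. The certificate paths and validity dates are constructed; the function also rejects a rollover pair whose validity periods leave no overlap window and warns when the window is shorter than the notice period you want to give partners.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertInfo:
    """Constructed stand-in for a certificate: its PFX path and validity period."""
    path: str
    effective: date    # notBefore
    expiration: date   # notAfter


def rollover_config(old: CertInfo, new: CertInfo, today: date,
                    min_overlap_days: int = 30) -> dict:
    """Return the certificate to assign to each rollover-related property on 'today'.

    A value of None means "leave the property unset". Raises ValueError when the
    two validity periods cannot overlap, because then no dual-certificate window
    exists in which partners can switch over.
    """
    if new.effective > old.expiration:
        raise ValueError("new certificate becomes valid only after the old one expires")
    if new.expiration <= old.expiration:
        raise ValueError("new certificate expires no later than the old one")

    # Days during which both certificates are valid at the same time.
    overlap_days = (old.expiration - new.effective).days
    warning = None
    if overlap_days < min_overlap_days:
        warning = f"overlap window is only {overlap_days} days"

    if today < new.effective:                 # new certificate not yet valid
        primary, rollover, phase = old, None, "old-only"
    elif today <= old.expiration:             # both valid: sign with both, decrypt with either
        primary, rollover, phase = old, new, "dual"
    else:                                     # old certificate expired: new only
        primary, rollover, phase = new, None, "new-only"

    return {
        "phase": phase,
        "SigningCert": primary.path,
        "RolloverSigningCert": rollover.path if rollover else None,
        "Certificate": primary.path,
        "RolloverCertificate": rollover.path if rollover else None,
        "warning": warning,
    }


if __name__ == "__main__":
    old = CertInfo("C:\\old.pfx", date(2023, 1, 1), date(2024, 6, 30))   # constructed
    new = CertInfo("C:\\new.pfx", date(2024, 4, 1), date(2026, 3, 31))   # constructed
    for day in (date(2024, 3, 1), date(2024, 5, 1), date(2024, 7, 1)):
        print(day, rollover_config(old, new, day))
```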
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.