Applying AS2 Encryption

A tutorial showing how to apply AS2 encryption. This can serve as an added layer of security that can come in handy if your HTTPS connection is compromised
  1. Blog


If your AS2 connection already runs over HTTPS, your EDI messages should already be protected by the data-in-motion encryption that comes with SSL/TLS. But what if you want an added layer of security or if you're somehow only using HTTP and want to encrypt your transmission? You'll need something like this.

I'll assume you already have an operational AS2 service running on JSCAPE MFT Server and that's it's protected by HTTPS. In case you don't have that yet, this post should help you get one up and running in no time:

The Quickstart Guide To Setting Up An AS2 Server

Already got that AS2 server up? Let's proceed with our main topic then.

Let's start by discussing what you need to do on the receiving end of an AS2 connection.


Setting up decryption on the AS2 receiver

Note: This is done on the AS2 receiver

The destination server or receiver is the server that will be receiving the encrypted AS2 message. You need to configure this server so that it will be capable of decrypting the encrypted message. To do that, go to Settings > Web > AS2 tab.

Tick the Decryption key check box and select an existing server key from the drop-down list. In our example, we choose the server key that has been assigned the alias "as2server2crypt". This tells our server to use the private key of server key as2server2crypt for decrypting incoming AS2 messages.

To learn more about server keys and where to create them, read the post Roles of Server and Client Keys in Secure File Transfers.

as2 decryption key list

As soon as you're done, click the Save changes button found at the lower-right corner of that screen.

With that, this server should now be capable of decrypting AS2 messages. However, it's important to note that it will only be capable of decrypting those AS2 messages that have been encrypted by copies of as2server2crypt's corresponding public key.

Thus, if you want this server to decrypt AS2 messages coming from a particular trading partner, that trading partner should have in its possession a copy of the said public key. Only those AS2 messages coming from trading partners that have encrypted using that particular public key can be decrypted by our AS2 receiver.


To furnish trading partners with the needed public key, navigate to Keys > Server Keys. Select the server key whose public key you want to export, which in our case would be as2server2crypt, and then click the Export button. Next, choose Certificate from the drop-down list. This digital certificate will already contain the needed public key.

export server key certificate

In the Export Certificate dialog, choose the X509 format and click the OK button.

export certificate x509 as2

As soon as you're prompted, click the Save File button.

save digital certificate file as2

Save the certificate file and then hand it over to your trading partner. Your trading partner should then import that certificate and public key into their AS2 server.

Setting up encryption on the AS2 sender

Note: This is done on the AS2 sender

If the sending AS2 server is a JSCAPE MFT Server, importing public key certificates for encrypting AS2 messages should be easy. Go to Keys > Host Keys tab. Next, click the Import button and then Import File.

import host keys as2 server

Give the key an alias. This is just an arbitrary name that you'll use to refer to this key in this particular JSCAPE MFT Server installation. We've called ours 'fromas2server2cert'. And then browse to the folder that contains the public key certificate file. Choose the file and then click the OK button to import.

import public key as2 server

Your our newly imported certificate should then be added to your list of Host Keys.

public key in host keys tab as2 server

The last part is to assign this certificate/public key to the trading partner object that represents the AS2 receiver. To understand what I mean, review section "Configuring Trading Partner settings for sending AS2 messages" in the post The Quickstart Guide To Setting Up An AS2 Server.

Just edit the trading partner object, tick the Encryption key checkbox, and select the recently imported host key/public key certificate.

Click OK to finalize.

encryption key as2 server

That's it! That's all you need to do to enable AS2 encryption between two AS2 trading partners.

Still haven't installed JSCAPE MFT Server? Download a free, fully-functional evaluation edition now