AS2 Compliance Checklist: Key Steps Before Going Live

Verify your AS2 configuration, certificates, and partner setup. Use this AS2 compliance checklist to go live securely and without errors.

Indunil Rajapakse

Published: 09 Oct 2025

AS2 (Applicability Statement 2) is a popular protocol for securely transmitting EDI and other business data via the internet. It supports encryption, digital signatures, and message integrity, making it an ideal choice for businesses that require secure and reliable data transmission. Before implementing AS2, businesses must ensure that their systems are properly set up, secure, and fully compliant with partner and protocol standards. A single error, such as an expired certificate, incorrect configuration, or missing MDN, can result in transmission failures and disruptions to business operations. This checklist is intended to guide you through the critical technical, security, and operational aspects of AS2 use. Whether you’re onboarding your first trading partner or launching a full production rollout, this list helps you address all the important areas for a successful and compliant AS2 setup.

Let’s review the items you want to verify before clicking “Go Live.”

How Does AS2 Message Flow Work?

📃 Document Preparation

AS2 supports sending documents in any format. When the sender’s system generates a business document, such as an EDI 850 Purchase Order, the document follows the structure and schema agreed upon between you and your trading partner.

📦 AS2 Packaging

The document is then packaged for AS2 transfer so that the payload is structured and ready for secure delivery to the trading partner.

  • Encryption: The document is encrypted using the recipient’s public key extracted from their certificate.

  • Digital Signature: The document is digitally signed using the sender’s private key to verify authenticity.

  • Compression (Optional): The document is compressed to reduce its size.

  • MIME Encoding: The encrypted and signed document is enclosed in a MIME message.

📨 AS2 Transmission

The AS2-packaged message is transferred securely over the internet using HTTP or HTTPS. This involves delivering the signed/encrypted payload to the trading partner’s AS2 endpoint and handling the returned MDN (Message Disposition Notification), which validates successful delivery and processing.

✔️ Receiving and validating the AS2 message

The receiving system decrypts the message, verifies the signature, and retrieves the original payload. The recipient then produces and returns an MDN to serve as a delivery receipt. The MDN may be:

  • Synchronous - returns immediately in the same HTTP response.

  • Asynchronous - delivered later by a new HTTP request.

AS2 Communication Requirements

You are free to select any AS2 solution that best matches your company’s requirements. Choose an AS2-compliant solution that covers all necessary protocol features, whether open-source or commercial. Create a unique AS2 Identifier (AS2 ID) for your organization; it must be case-sensitive, alphanumeric, and consistent across all partner agreements. Configure your AS2 endpoint URL and ensure that it is externally accessible over HTTPS. Your server should have a static IP address or a fully qualified domain name that resolves properly via DNS and a dedicated firewall port or ports.

Digital Certificates

An essential part of AS2 security and compliance is certificate management. Digital certificates use public key cryptography, which encrypts and decrypts data using a public and private key pair. The public certificate is shared with AS2 trading partners, while the private key is securely stored by the certificate owner. Digital certificates can be obtained from a reputable commercial certificate authority or self-signed by mutual agreement between sender and receiver.

For message encryption and digital signatures, your AS2 system must at the very least support X.509 digital certificates. Your private key, which is required to decrypt incoming messages and sign outgoing ones, must be generated and stored securely. To encrypt outgoing messages and validate incoming signatures, import your trading partners’ public certificates into your system. To avoid transmission issues, closely monitor certificate life cycles by keeping track of expiration dates and providing replacement certificates to your trading partners before the current ones expire.

AS2 Security Settings

An AS2 transmission can be secured at several levels. Messages should be digitally signed with the sender’s private key to ensure they are authentic; the recipient verifies the signature using the sender’s public key. To ensure confidentiality, messages are encrypted with the recipient’s public key and decrypted with their private key. AS2 compression improves efficiency and performance, and you have the option of applying it before or after signing and/or encryption. AS2 additionally employs HTTPS (TLS) at the transport level, which provides an additional layer of encryption and authentication. Security headers, such as Disposition-Notification-Options, must be specified to request signed MDNs if necessary.
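The synchronous/asynchronous MDN choice and the signed-MDN request described above are both carried in HTTP headers on the AS2 request. The following added example (not code from the original article or from any AS2 product) shows how a receiver can read them. The header names are the standard AS2 ones; the sample header values, the function name, and the two policy flags (HTTPS return URL, MIC algorithm present) are assumptions made for illustration.

```python
from urllib.parse import urlparse

def parse_mdn_request(headers):
    """Return the MDN an inbound AS2 request asks for: mode, signed, micalg, problems."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    result = {"mode": "none", "signed": False, "micalg": [], "problems": []}
    if "disposition-notification-to" not in h:
        # Without this header the sender has not asked for any receipt.
        if "disposition-notification-options" in h or "receipt-delivery-option" in h:
            result["problems"].append("MDN options present but no Disposition-Notification-To")
        return result
    result["mode"] = "sync"  # MDN goes back in the same HTTP response
    return_url = h.get("receipt-delivery-option")
    if return_url:
        result["mode"] = "async"  # MDN is sent later as a new HTTP request to this URL
        if urlparse(return_url).scheme != "https":
            result["problems"].append("async MDN return URL is not HTTPS")
    # Value looks like "name=importance, value[, value...]; name=importance, value"
    for param in h.get("disposition-notification-options", "").split(";"):
        name, _, value = param.partition("=")
        name = name.strip().lower()
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        if name == "signed-receipt-protocol" and "pkcs7-signature" in parts[1:]:
            result["signed"] = True
        elif name == "signed-receipt-micalg":
            result["micalg"] = parts[1:]  # parts[0] is the importance (optional/required)
    if result["signed"] and not result["micalg"]:
        result["problems"].append("signed MDN requested without a MIC algorithm")
    return result

# Constructed sample requests (IDs, addresses and URLs are placeholders).
SYNC_SIGNED = {
    "AS2-From": "ACME_AS2", "AS2-To": "GLOBEX_AS2",
    "Disposition-Notification-To": "edi@acme.example",
    "Disposition-Notification-Options":
        "signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha-256",
}
ASYNC_UNSIGNED = {
    "AS2-From": "ACME_AS2", "AS2-To": "GLOBEX_AS2",
    "disposition-notification-to": "edi@acme.example",
    "Receipt-Delivery-Option": "http://as2.acme.example/mdn",
}

if __name__ == "__main__":
    for name, sample in (("sync+signed", SYNC_SIGNED), ("async", ASYNC_UNSIGNED)):
        print(name, parse_mdn_request(sample))
```

Running both partners' test messages through a check like this before go-live confirms that the MDN mode each side requests matches what was agreed.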

AS2 Partner Setup Validation

AS2 Partner Setup Validation is critical to ensuring consistent and secure data exchange between trading partners. Verify the partner’s AS2 ID, which must be unique, case-sensitive, and correctly configured on both ends. The partner’s AS2 endpoint URL must be correctly entered and publicly accessible. Import the right public key certificate from the partner and confirm it is active and unexpired. The encryption and signing algorithms, such as AES-256 or SHA-256, must be compatible with the partner’s capabilities, and any compression should be mutually agreed upon.
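The partner checks above can be automated as a pre-go-live script. This is an added example, not code from the original article or from MFT Gateway; the dictionary layout, field names, 30-day warning threshold, and all sample values are assumptions, and the certificate dates stand in for the notBefore/notAfter fields you would read from the partner's X.509 certificate.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

def validate_partner(local, sheet, now, warn_days=30):
    """Compare our partner profile with the partner's setup sheet.

    Returns (severity, message) findings; severity is "FAIL" or "WARN".
    """
    findings = []
    # AS2 IDs are compared exactly: a case-only difference is still a mismatch.
    for field in ("our_as2_id", "their_as2_id"):
        a, b = local[field], sheet[field]
        if a != b:
            hint = " (differs only by case)" if a.lower() == b.lower() else ""
            findings.append(("FAIL", f"{field}: {a!r} != {b!r}{hint}"))
    url = urlparse(local["partner_url"])
    if url.scheme != "https" or not url.hostname:
        findings.append(("FAIL", f"partner_url is not an HTTPS URL: {local['partner_url']}"))
    # Validity window as read from the partner certificate (notBefore / notAfter).
    not_before, not_after = local["partner_cert_not_before"], local["partner_cert_not_after"]
    if not (not_before <= now < not_after):
        findings.append(("FAIL", "partner certificate is not currently valid"))
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(("WARN", f"partner certificate expires in {(not_after - now).days} days"))
    for kind in ("encryption", "signing"):
        if local[kind] not in sheet[f"supported_{kind}"]:
            findings.append(("FAIL", f"{kind} algorithm {local[kind]} not supported by partner"))
    if local["compression"] != sheet["compression"]:
        findings.append(("FAIL", "compression setting differs between the two sides"))
    return findings

# Constructed sample data; every value below is a placeholder.
NOW = datetime(2025, 10, 9, tzinfo=timezone.utc)
LOCAL = {
    "our_as2_id": "ACME_AS2", "their_as2_id": "Globex_AS2",
    "partner_url": "http://as2.globex.example/receive",
    "partner_cert_not_before": datetime(2024, 11, 1, tzinfo=timezone.utc),
    "partner_cert_not_after": datetime(2025, 11, 1, tzinfo=timezone.utc),
    "encryption": "AES-256", "signing": "SHA-256", "compression": True,
}
PARTNER_SHEET = {
    "our_as2_id": "ACME_AS2", "their_as2_id": "GLOBEX_AS2",
    "supported_encryption": {"AES-128", "AES-256"},
    "supported_signing": {"SHA-1"}, "compression": True,
}

if __name__ == "__main__":
    for severity, message in validate_partner(LOCAL, PARTNER_SHEET, NOW):
        print(severity, message)
```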

Conclusion

When everything is in place, an AS2 message exchange can be a fast, secure, and consistent way to exchange critical business files. Every checkpoint is essential to ensuring the dependability and compliance of your AS2 integration. MFT Gateway provides secure file transfers for enterprise use cases by combining secure transmission protocols, file transmission automation, integration, and administrative features into a single solution without having to purchase, install, or maintain software. It is an all-in-one platform that offers AS2 as a service with flexible pricing plans and usage-based payments. Businesses that use MFT Gateway can handle all of their file transfer requirements with a single solution. Take a fully functional 30-day trial with no restrictions and no credit card necessary!

Do you require an MFT solution? Sign up for our MFT Gateway and start your free trial today!

Indunil Rajapakse

Indunil is a senior quality assurance engineer with 5 years of experience in the software industry, engaging in test-related activities in B2B communication. Outside of work, she loves gardening, making food, and spending time with pets.