AS2 SSL certificate renewal process


We need to renew the certificate we use to sign our AS2 communications. I understand it is possible to renew a certificate using the same key, so that our AS2 partners do not need to update the certificate at their side. Is this true, and does anyone have experience of doing it with GoDaddy?

Secondly, what happens when the certificate expires at the AS2 partner/client side? Our certificate on our AS2 server will be the renewed one, but our clients' will be the old one? I presume we need to send the new one for them to update on their system before the expiry period?


btan (Exec Consultant) commented:
(1) When you renew a certificate, you have the option of using the existing key set or creating a new key set.  If you use the same key set, the certificate should continue to work with your partners.

However, you can use this procedure to request certificates from an enterprise CA only. In this case, using GoDaddy, you are not running such a CA owned by your enterprise.

Renewal cert from GoDaddy -

Furthermore, renewing a certificate with the same key provides maximum compatibility with past uses of the accompanying key pair, but it does not enhance the security of the certificate and key pair.

(2) For a client/partner with an expired AS2 cert (your old cert), the comms will fail as it is considered invalid, and hence early planning has to be done prior to expiry. Below are practices for consideration (in case you are into alternatives and experience, you can check out ECGridOS), e.g.:
Send a copy of your public certificate with every message you send to your trading partners for initial setup and changes. Do not make them look for previous messages or have to bother you to request the certificate again.

Attach the certificate to the e-mail in several ways. Many e-mail programs have problems with certificates as attachments. Attach with the extension renamed to .txt, zip it and attach the Zip file. Also, if you can, post it on a web site and give your trading partners the URL where they can download it.

There is one thing that can’t be avoided, adding a new trading partner just before you are going to update your certificate. Do let them know right then and there that you plan to update shortly.

Save your expired private keys and public certificates from your trading partners. If for some reason you ever need to revalidate or decrypt an old message, you will need these.

failed (Author) commented:
Hi btan,

Thanks for your help here.

If I use the original CSR, surely I can renew with the same key with GoDaddy, and then install this cert on my server?

btan (Exec Consultant) commented:
Based on the GoDaddy site, yes, it can be renewed using the original CSR; however, if any of the information in your CSR (including company name or address information) has changed, you must generate and submit a new CSR before your certificate can be renewed. I doubt you have changes to that info.

Though not recommended from a security view, it can still renew the certificate with the same key, as mentioned by MS:

failed (Author) commented:
Thanks again btan.

I have the certificate that is about to expire on my IIS server at the moment.

Once I have renewed the certificate using the original CSR with GoDaddy, what is the best method to load it on to my IIS 8 server? Should I choose 'complete certificate request'? Or should I remove the old one and import the new one?

I presume this new/renewed certificate will work with the 'old' public key certs that our AS2 partners are currently using, since the key pair will be the same?
btan (Exec Consultant) commented:
Back up the old cert (pfx included) and proceed to import the new cert (pfx). The intent of the same keyset is to reuse the same keys, but the other info may change, like the timestamp, serial no. etc. See this blog and my last statement in this post:
..the IIS site system certificates for server authentication can be easily renewed from the Certificates MMC, by right-clicking on the certificate and selecting All Tasks, and then either Renew Certificate with New Key (recommended), or Renew Certificate with Same Key.
Or there is a manual means stated in the link using Certutil:
Want to renew the certificate with an existing key set?  Use my previous post to find the long string of numbers for the certificate's key container, using the Certutil command.  Then specify this string in the .inf file with the KeyContainer option, along with UseExistingKeySet = Yes
Once the request is done, you should be able to import and install as per

But do note the below from the MS blog
Even though you've renewed the existing certificate rather than replaced it, it still has a new serial number and a new certificate thumbprint.  This means that you must still specify the renewed site server signing certificate in the site properties, Site Mode tab.
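As an added illustration of the two points btan makes above (the key pair stays the same, but the serial number and thumbprint are new), here is a small POSIX shell check built on openssl; it is not code from this thread or from GoDaddy, and the certificate file names are placeholders:

```shell
#!/bin/sh
# Constructed example: compare an expiring AS2 signing certificate with its renewed
# replacement. When the renewal reuses the original CSR the key pair is unchanged, so
# partners holding the old public certificate can still verify our signatures and
# encrypt to us until it expires; the serial number and thumbprint are always new.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo: equal if and only if the public key is the same.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-1 over the DER certificate, which is what the Windows certificate store shows as the thumbprint.
thumbprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Exit status 0 when both certificates carry the same public key, 1 otherwise.
same_key() {
    [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]
}

# Summarise what a trading partner will and will not notice when we cut over to the renewed cert.
compare_certs() {
    old=$1
    new=$2
    if same_key "$old" "$new"; then
        echo "OK: same key pair; partners' existing copy of our public cert keeps working"
    else
        echo "WARNING: key pair changed; every partner must install the new cert before cut-over"
    fi
    for f in "$old" "$new"; do
        echo "$f:"
        echo "  $(openssl x509 -in "$f" -noout -serial)"
        echo "  thumbprint=$(thumbprint "$f")"
        echo "  $(openssl x509 -in "$f" -noout -enddate)"
    done
}

# Usage (placeholder file names): compare_certs old-as2.cer renewed-as2.cer
```

Even when the check reports the same key pair, anything that references the certificate by thumbprint or serial (IIS bindings, partner configurations) still has to be pointed at the renewed certificate.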
btan (Exec Consultant) commented:
Just in case it really crops up, then you have to refurnish the cert, but it should not. Below is another, in case you really cannot find the private key, for info.

failed (Author) commented:
Just having a look at the 'renew certificate with the same key' option in the certificates snap-in, I get an error: 'enrollment error, the request contains no certificate template information'.

btan (Exec Consultant) commented:
See if the forum shared may help:
This issue may be caused by incorrect Certificate Template permission settings. Let’s give Authenticated user Enroll permission:
1.    Open MMC, click File menu, choose Add/Remove Snap-in, choose Certificate Templates, click OK.
2.    Double-click Web Server template, switch to Security tab, select Authenticated Users, click Enroll option. Click OK.
3.    Open CA console, stop CA service and restart it.
4.    Try to open MMC->Certificates of Local Computer, try to request Web Server certificates.
Note Stand-alone CAs do not use certificate templates. Therefore, this issue occurs only when you use the Certification Authority MMC snap-in to request a certificate from an enterprise CA.
It depends on what type of CA you are using for the semantics of the submission.
1) Generate the request using the IIS Manager console.
2) For Enterprise CAs, use the Domain Certificate request option (this does a direct submission to the CA, hard-coded for the Web Server certificate template; just change permissions to allow a custom global or universal group Read and Enroll permissions).
3) For standalone CAs, use the certificate request; this creates a PKCS#10 request that must be submitted to the CA (you can also do this for an enterprise CA). Then submit the request using certreq or the Web enrollment pages (submitting a PKCS#10 request), selecting the associated certificate template if submitting to an enterprise CA (this method allows you to use a custom certificate template rather than Web Server).
4) Complete the request at the IIS Manager console.
failed (Author) commented:
I don't have the Certificate Template snap-in, presumably because I'm not running an Enterprise CA?

btan (Exec Consultant) commented:
Yep, as you are using GoDaddy.

failed (Author) commented:
OK so to summarise:

1) We can renew our certificate using the original CSR (I've spoken to GoDaddy to confirm this).

2) This will retain the original key therefore allowing our AS2 partners to continue exchanging information using the 'old' public key up until the expiry date of the 'old' certificate

3) We are using a 3rd party CA therefore we can't renew through the Certificates snap-in; we must go in to IIS once we have downloaded the new certificate files and 'complete certificate request' as per these instructions:
btan (Exec Consultant) commented:
Yes, that is what I think and what the forum has shed so far. There is mention of also using the Certutil command line (with UseExistingKeySet = Yes) as an alternative to the snap-in. I am not certain this is workable, as it seems more for MS CA instead of GoDaddy... Stick to resubmitting to GoDaddy for advice; worst case, re-send the new cert with key then (ref. my first post).

failed (Author) commented:
Thanks for your help btan; you've helped make things clearer in my head and I have a plan now :)
btan (Exec Consultant) commented:
No worries. Thanks!