Why is Trustwell changing AS2 servers?
Trustwell is migrating to a new AWS-hosted AS2 server to improve security, increase reliability, and ensure long-term scalability of our file transfer infrastructure.
What is the updated AS2 Connection String?
Our updated AS2 Connection String is https://as2-transfer.foodlogiq.com.
I received an email saying I need to update my AS2 connection string. How do I do that?
You'll need to update the AS2 connection string in your system or third-party integration tool where your AS2 connection to Trustwell is configured. This is usually handled by your IT or integration team.
I received an email asking me to update my AS2 Certificate. What requirements does my certificate need to meet?
To ensure compliance with AWS security standards and to avoid any interruption in AS2 file exchange, we ask that you generate a new certificate that meets each of the following requirements:
- Certificate Format
  - Must be in X.509 v3 format.
  - Must be in .pem or .crt format (PEM-encoded). Avoid .cer or .der unless you're sure it's PEM-encoded and in plain text.
- Key Length
  - Minimum RSA key length: 2048 bits. AWS does not support RSA keys smaller than 2048 bits.
  - ECC keys are not supported for AS2 certificates—only RSA keys are currently accepted.
- You may provide either a:
  - Self-signed certificate, or
  - Certificate signed by a trusted Certificate Authority (CA)
  - If using a self-signed certificate, the Issuer and Subject fields must be identical.
  - If using a CA-signed certificate, please ensure the certificate is valid, includes the appropriate key usages (e.g., digital signature, encryption), and that the public portion is shared with us for configuration in AWS Transfer Family.
- Validity Period: Recommended to have a validity of at least 1 year (365+ days). Certificates with very short validity (e.g., a few days or weeks) may work but are discouraged and may trigger warnings or short renewal cycles.
- Certificate Usage (Extensions): The certificate must include appropriate Key Usage and Extended Key Usage extensions.
  - Key Usage should include:
    - Digital Signature
    - Key Encipherment
  - Extended Key Usage is optional, but if present, it should include Email Protection or Client Authentication.
  - Do not include Server Authentication, as it’s irrelevant for AS2.
- Certificate Chain: Only a single self-signed certificate should be uploaded. No certificate chain should be provided. Do not include any Intermediate or Root certificates.
- ASN.1 Structure: Ensure the certificate is standards-compliant, with proper DER encoding under the hood (PEM is just Base64 DER). Some broken generators produce malformed certificates that will be rejected.
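One way to generate a self-signed certificate that meets the requirements above and to pre-check any certificate file before sending it, using the OpenSSL command line. This is an added example, not Trustwell's or AWS's tooling; the subject name, file names and function names are placeholders, and it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not Trustwell's tooling). Subject and file names are placeholders.

# make_as2_cert KEY_OUT CERT_OUT
# Self-signed RSA-2048 X.509 v3 certificate in PEM, valid for 730 days.
# Only CERT_OUT (the public certificate) is shared; KEY_OUT stays on your AS2 system.
make_as2_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
    -subj "/CN=as2.example.com/O=Example Partner" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# check_as2_cert CERT
# Prints one line per unmet requirement; returns 0 only if none were found.
check_as2_cert() {
  cert=$1; rc=0
  fail() { echo "FAIL: $1"; rc=1; }
  # PEM-encoded, and exactly one certificate (no intermediates or roots).
  head -n 1 "$cert" | grep -q '^-----BEGIN CERTIFICATE-----' || fail "not PEM-encoded"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$cert")" -eq 1 ] || fail "file must hold exactly one certificate"
  # A malformed DER structure makes openssl refuse to parse the file.
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || { fail "not parseable X.509"; return 1; }
  echo "$text" | grep -q 'Version: 3 (0x2)' || fail "not X.509 v3"
  # RSA only, 2048 bits or more.
  echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || fail "key is not RSA"
  bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || fail "RSA key shorter than 2048 bits"
  # Self-signed case: Issuer and Subject must be identical.
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  subject=$(openssl x509 -in "$cert" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || fail "Issuer differs from Subject"
  # Key Usage and Extended Key Usage.
  echo "$text" | grep -q 'Digital Signature' || fail "Key Usage lacks Digital Signature"
  echo "$text" | grep -q 'Key Encipherment' || fail "Key Usage lacks Key Encipherment"
  if echo "$text" | grep -q 'TLS Web Server Authentication'; then fail "EKU has Server Authentication"; fi
  # Recommended validity: at least 365 days still remaining.
  openssl x509 -in "$cert" -noout -checkend $((365 * 86400)) >/dev/null || fail "under 365 days of validity left"
  return "$rc"
}

# Usage: sh check_as2.sh partner-cert.pem
[ $# -eq 0 ] || check_as2_cert "$1"
```

The Issuer/Subject comparison applies to the self-signed case; a CA-signed certificate will report that line by design.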
Where do I send my new certificate?
Using a secure email, send your updated certificate to devops@trustwell.com.
After I share my new certificate, what are my next steps?
Once you have shared your certificate with us, we will create your profile in our new server and test for any errors. After we have imported your certificate and created your profile, we will reach out with your next step to migrate.
How do I send a secure email?
In Outlook, create a new message, attach your certificate file, then go to Options > Encrypt and select “Encrypt-Only” before sending.
In Gmail, create a new message, attach your certificate file, then click the lock icon (if available) or select “Confidential mode” from the bottom toolbar to enable encryption before sending.