# Manage AS2 Connection Certificates

Veeva Safety uses partner and sponsor certificates to securely send (encrypt) and receive (decrypt) messages through an _AS2 Connection_. This ensures that only the intended recipients (the sponsor and the partner) can read the messages. Once created, a certificate remains valid for a certain period of time, after which it expires and must be replaced with a new certificate, or communications between the partner and sponsor will fail.

You can use Vault to perform the following actions to keep the certificates for an _AS2 Connection_ updated:

* [Create a new sponsor certificate][1] for a connection. Alternatively, you can [upload a sponsor certificate created by a third party][3]. Once you have created or uploaded a sponsor certificate, you can [download the public sponsor certificate][4] and send it to the partner so they can also update their connection.
* [Upload a new certificate][0] received from a partner to replace the existing partner certificate for a connection.

## Resyncing a Connection

After uploading a partner or sponsor certificate for an _AS2 Connection_, the connection's _AS2 Vault Gateway State_ moves to the _Unregistered_ state.
You must <a href="/en/gr/01458/#sync-as2-connection">synchronize the connection</a> again so the connection can continue to send and receive messages through the gateway.

## AS2 Certificate Considerations

Consider the following when creating or uploading AS2 certificates:

* AS2 certificate files must be 50KB or less.
* Upload only certificates intended for AS2 message encryption/decryption. Do not upload certificates intended for any other purpose ([TLS/SSL certificates][5] for example).

## Upload a Partner Certificate for an AS2 Connection {#upload-partner-cert}

To upload a partner certificate for an _AS2 Connection_:

1. Navigate to **Admin > Connections > [AS2 Connection]**.
2. From the **All Actions** menu, select **Manage Partner Certificate**.
3. In the _Manage Partner Certificate_ dialog, select **Upload**, then select the partner's public certificate. The accepted formats are:
    * PKCS7 (*.p7b or *.p7c)
    * DER (*.cer or *.der)
    * PEM (*.cer, *.crt, or *.pem) \
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
4. Select **Continue**.
5. <a href="/en/gr/01458/#sync-as2-connection">Synchronize the connection</a>.
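
The size, format, and expiry conditions described above can be checked locally before a partner certificate file is uploaded. The following Python is an added example, not Veeva's code and not the check Vault itself performs; `preflight` and `not_after` are hypothetical names. It assumes a single X.509 certificate (PKCS7 bundles are identified but not opened) and does not detect certificates issued for TLS/SSL.

```python
import base64
import re
import sys
from datetime import datetime, timezone

MAX_BYTES = 50 * 1024  # the page's limit: 50KB or less

def _tlv(buf, pos):
    """Read one DER element at pos and return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, p, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)        # tbsCertificate SEQUENCE
    tag, s, e = _tlv(der, p)      # [0] version, or serialNumber when absent
    for _ in range(4 if tag == 0xA0 else 3):
        tag, s, e = _tlv(der, e)  # advance element by element to validity
    _, _, e = _tlv(der, s)        # first child of validity: notBefore
    tag, s, e = _tlv(der, e)      # second child: notAfter
    text = der[s:e].decode("ascii")
    if tag == 0x17:               # UTCTime: 2-digit year, pivot at 50 (RFC 5280)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def preflight(data, now=None):
    """Return (format, problems) for the bytes of a partner certificate file."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("larger than 50KB")
    if b"PRIVATE KEY-----" in data:  # a partner upload is a public certificate
        problems.append("contains a private key")
    m = re.search(rb"-----BEGIN (CERTIFICATE|PKCS7)-----(.+?)-----END \1-----", data, re.S)
    der = base64.b64decode(m.group(2)) if m else data
    if der[:1] != b"\x30":
        return "unknown", problems + ["not PEM, DER or PKCS7"]
    if der[_tlv(der, 0)[1]] == 0x06:  # ContentInfo begins with an OID: PKCS7
        return "pkcs7", problems      # bundled certificates are not opened here
    if not_after(der) <= now:
        problems.append("certificate has expired")
    return ("pem" if m else "der"), problems

if __name__ == "__main__":
    print(preflight(open(sys.argv[1], "rb").read()))
```

Run it with the certificate path as the only argument. An empty problem list means the file passed these three checks only.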

## Create a Sponsor Certificate for an AS2 Connection {#create-sponsor-cert}

To create a new sponsor certificate for an _AS2 Connection_:

1. Navigate to **Admin > Connections > [AS2 Connection]**.
2. From the **All Actions** menu, select **Manage Sponsor Certificate**.
3. In the _Manage Sponsor Certificate_ dialog, select **Create**.
4. In the _Create a Sponsor Certificate_ dialog, complete the applicable [fields][2].
5. Select **Save**.

**Result**

Vault:
* Creates and attaches a new sponsor certificate for the _AS2 Connection_.
* Creates a _User Task_<sup><a href="#create-footnote-1">1</a></sup> (of the type _AS2 Connection Task_) to <a href="/en/gr/01458/#sync-as2-connection">synchronize the connection</a><sup><a href="#create-footnote-2">2</a></sup> and assigns it to the person who created the certificate.

[Download a copy of the public sponsor certificate][4] for sending to the partner.


<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>:</p>
<ol>
<li><a id="create-footnote-1"></a>If you receive an error when saving the record, check that the <em>User Task</em> is not missing any field values (<em>Due Date</em> for example) that are required by your Vault's <a href="/en/gr/46866/"><em>Validation Rules</em></a> for the <em>User Task</em> object.</li>
<li><a id="create-footnote-2"></a>If you are creating a new sponsor certificate to replace one that is about to expire, we recommend that you wait until the partner has confirmed they have uploaded the new sponsor certificate into their system and are ready to send and receive requests using the new certificate before you synchronize the connection. Until then, communications can continue using the existing certificate until it expires.</li>
</ol>
    </div>
  </div>
</div>



### Sponsor Certificate Fields {#sponsor-cert-fields}

The following fields may be available:

<table>
    <thead>
        <tr>
            <th><strong>Field</strong></th>
            <th><strong>Description</strong></th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td><em>Sponsor</em></td>
            <td rowspan="7">Enter the details of the sponsor.</td>
        </tr>
        <tr>
            <td><em>Sponsor Person Email</em></td>
        </tr>
        <tr>
            <td><em>Street Address</em></td>
        </tr>
        <tr>
            <td><em>City</em></td>
        </tr>
        <tr>
            <td><em>State / Province</em></td>
        </tr>
        <tr>
            <td><em>Zip Code / Postal Code</em></td>
        </tr>
        <tr>
            <td><em>Country Code</em></td>
        </tr>
        <tr>
            <td><em>Password</em></td>
            <td>
                <p>Enter a password for the certificate.</p>
                <p>The password must be between 6 and 32 characters.</p>
            </td>
        </tr>
        <tr>
            <td><em>Confirm Password</em></td>
            <td>Re-enter the password from the <em>Password</em> field above.</td>
        </tr>
        <tr>
            <td><em>Expiration Date</em></td>
            <td>Select when the sponsor certificate will expire from your Vault's current date and time.</td>
        </tr>
    </tbody>
</table>

## Upload the Sponsor Certificate for an AS2 Connection {#upload-sponsor-cert}

If you use a third party to supply the sponsor certificates for your connections, follow these steps to upload a sponsor certificate for a connection:

1. Navigate to **Admin > Connections > [AS2 Connection]**.
2. From the **All Actions** menu, select **Manage Sponsor Certificate**.
3. In the _Manage Sponsor Certificate_ dialog, select **Upload**, then select the sponsor's public certificate. The accepted format is PKCS12 (*.pfx or *.p12). \
Vault checks the expiry date of the certificate. If the certificate is no longer valid, you cannot save the record.
4. Select **Continue**.

**Result**

Vault:
*  Uploads and attaches the new sponsor certificate to the _AS2 Connection_.
*  Creates a _User Task_<sup><a href="#upload-footnote-1">1</a></sup> (of the type _AS2 Connection Task_) to <a href="/en/gr/01458/#sync-as2-connection">synchronize the connection</a><sup><a href="#upload-footnote-2">2</a></sup> and assigns it to the person who uploaded the certificate.

[Download a copy of the public sponsor certificate][4] for sending to the partner.


<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>:</p>
<ol>
<li><a id="upload-footnote-1"></a>If you receive an error when saving the record, check that the <em>User Task</em> is not missing any field values (<em>Due Date</em> for example) that are required by your Vault's <a href="/en/gr/46866/"><em>Validation Rules</em></a> for the <em>User Task</em> object.</li>
<li><a id="upload-footnote-2"></a>If you are uploading a new sponsor certificate to replace one that is about to expire, we recommend that you wait until the partner has confirmed they have uploaded the new sponsor certificate into their system and are ready to send and receive requests using the new certificate before you synchronize the connection. Until then, communications can continue using the existing certificate until it expires.</li>
</ol>
    </div>
  </div>
</div>




## Download the Public Sponsor Certificate for an AS2 Connection {#download-public-sponsor-cert}

Follow these steps to download the public sponsor certificate for an _AS2 Connection_ to send to the partner:

1. Navigate to **Admin > Connections > [AS2 Connection]**.
2. From the **All Actions** menu, select **Manage Sponsor Certificate**.
3. In the _Manage Sponsor Certificate_ dialog, select **Download Public Sponsor Certificate**.

**Result**

Vault downloads the public sponsor certificate to your computer. You can then send this file to the partner to update their corresponding AS2 connection.

## AS2 Connections and TLS/SSL Certificates {#tls-ssl-note}

Veeva Safety does not use or hard code Partner or Health Authority TLS/SSL certificates. If you receive such certificates from a Partner or Health Authority, do not upload these certificates into your Safety Vault.

Likewise, we recommend that Partners and Health Authorities do not use or hard code Veeva Safety TLS/SSL certificates in their system. TLS/SSL certificates are often updated within shorter time periods, which then breaks the connection between the Partner or Health Authority and Veeva Safety. Partners and Health Authorities that still require TLS/SSL certificates can refer to the <a class="external-link " href="https://veeva-customer-services.veevavault.com/ui/approved_viewer?token=5375-e5ca4f82-6ead-4a97-9e5f-9db9d55ca804" target="_blank" rel="noopener">Veeva Certificate Expiry Date Ranges<i class="fa fa-external-link" aria-hidden="true"></i></a>.

[0]: #upload-partner-cert
[1]: #create-sponsor-cert
[2]: #sponsor-cert-fields
[3]: #upload-sponsor-cert
[4]: #download-public-sponsor-cert
[5]: #tls-ssl-note