How AS2 Certify Tests Your Connection

The exact 8-step diagnostic behind every grade, how the A-F score is calculated, and a sample graded report so you can see the deliverable before you sign up.

The 8-step diagnostic

Every plan, including Free, runs the same 8 steps in the same order. Steps 1-4 run independently. Steps 5-8 depend on step 5: if the message exchange fails, they are skipped rather than scored as failures.

  1. TCP/TLS Connection

    Weight 25Critical

    Confirms your endpoint accepts a TCP connection and negotiates a TLS handshake, recording the protocol version and cipher suite. This is the most heavily weighted check because nothing else works if the connection itself fails.

  2. Certificate Validation

    Weight 15High

    Inspects the certificate for expiration, key strength, and trust chain issues. A certificate expiring within 30 days triggers a warning even if everything else passes.

  3. Encryption Verification

    Weight 10High

    Confirms the negotiated cipher suite supports AES-256 or 3DES, the encryption algorithms AS2 trading partners require.

  4. Signing Verification

    Weight 10High

    Checks the certificate's signature algorithm and flags outdated hashes such as SHA-1 or MD5 in favor of SHA-256 or better.

  5. AS2 Message Exchange

    Weight 20Critical

    Sends a real test AS2 message to your endpoint. If this step fails, the remaining three steps are skipped, since they depend on a successful exchange.

  6. MDN Receipt Validation

    Weight 10Medium

    Confirms your endpoint returned a signed MDN (Message Disposition Notification) receipt for the exchange.

  7. Payload Integrity Check

    Weight 5High

    Hashes the sent payload with SHA-256 to confirm exactly what was sent, and compares it against a received payload when one is available.

  8. Latency Measurement

    Weight 5Low

    Times the round trip. Two seconds or less is excellent, up to five seconds is acceptable, and anything slower is flagged as a warning.

How the A-F grade is calculated

Each step is scored pass, warn, or fail. A pass earns its full weight, a warn earns 60% of its weight, and a fail earns nothing. The 8 weights above add up to 100, so the result is a score out of 100.

Criticality overrides apply on top of the score so a high number can't hide a broken connection. If both critical steps (the initial connection and the message exchange) fail, the test is automatically graded F regardless of the score. Otherwise:

  • A: score 95 or higher, zero failed steps, zero high or critical severity warnings.
  • B: score 80 or higher, no critical-step failures.
  • C: score 60 or higher, at most one critical-step failure.
  • D: score 40 or higher.
  • F: below 40, or 2 or more critical-step failures.

Sample report

This is an illustrative example, not a real customer's data. It shows what a passing-but-imperfect connection looks like once all 8 steps have run.

GRADE B

Sample report · score 92/100

Pass: TCP/TLS Connection

TLS 1.3 negotiated with AES-256-GCM cipher suite.

Warning: Certificate Validation

Signing certificate expires in 18 days. Renew it before it lapses.

Pass: Encryption Verification

Cipher suite supports AES-256.

Pass: Signing Verification

SHA-256 signature confirmed.

Pass: AS2 Message Exchange

Test message accepted by the partner endpoint.

Pass: MDN Receipt Validation

Signed MDN received.

Pass: Payload Integrity Check

SHA-256 payload hash matched.

Warning: Latency Measurement

3.8 second round trip. Acceptable, but slower than the 2 second target.

Why this connection is a B and not an A: both critical steps (the connection and the message exchange) passed, so it can't auto-fail. But the certificate warning is a high-severity finding, which keeps the grade out of A territory even at a 92 score. Renewing the certificate before it expires clears the way for an A on the next run.

Run it on your own connection

Try the free public check with no signup, or create a free account to run the full 8-step diagnostic against your endpoint.

Back to pricing