
Incorrectly Signed MDN

When a returned MDN can be decrypted successfully but has been signed with an invalid signing certificate, the AS2 logs will show an "MDN indicates a processing failure" message.

This effectively means "We received a valid MDN, saying that the file was delivered successfully, but it's signed by someone that we can't verify so we can't trust the MDN's validity."

We provide an option for you to specify the MDN validation level to be performed in order to consider the AS2 transmission to be a success. This option allows you to accept MDNs based on varying levels of validation. Try setting this option to a lower level of validation for the trading partner.

Check with your trading partner to verify that they are signing the MDN using the correct AS2 certificate. The MDN should be signed using the private key that corresponds to the public certificate they provided to you to set up the AS2 partnership.

The returned MDN may include a signature that is encoded in either base64 or binary formats.

If you need to provide the details of the incorrect signature to your trading partner, they can be found within the MDN contents, usually as the last segment.

PEM Base64 Encoded Signature

A PEM base64 encoded signature looks like this:

------7F351D7B2DF82DAA639F0F4BAF1126B2
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIHBwYJKoZIhvcNAQcCoIIG+DCCBvQCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggPyMIID7jCCAtYCCQCfMq8S3SzAkTANBgkqhkiG9w0BAQsFADCB
uDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExETAPBgNVBAcMCFZh
bGVuY2lhMRIwEAYDVQQKDAlGaWxlcy5jb20xEDAOBgNVBAsMB1Byb2R1Y3QxLjAs
BgNVBAMMJWNsYXVkaW9mb3VyLmFzMi5jbGF1ZGlvdGVzdC5maWxlcy5jb20xKzAp
BgkqhkiG9w0BCQEWHGNsYXVkaW8udGlubmlyZWxsb0BmaWxlcy5jb20wHhcNMjMw
NjAxMTg0NTU4WhcNMjQwNTMxMTg0NTU4WjCBuDELMAkGA1UEBhMCVVMxEzARBgNV
BAgMCkNhbGlmb3JuaWExETAPBgNVBAcMCFZhbGVuY2lhMRIwEAYDVQQKDAlGaWxl
cy5jb20xEDAOBgNVBAsMB1Byb2R1Y3QxLjAsBgNVBAMMJWNsYXVkaW9mb3VyLmFz
Mi5jbGF1ZGlvdGVzdC5maWxlcy5jb20xKzApBgkqhkiG9w0BCQEWHGNsYXVkaW8u
dGlubmlyZWxsb0BmaWxlcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7aBmHVHe5OcaFRPZytBlT4MeC0MW4+twsne+iiW4LZR6PkfNfwRYzVMCi
xDPyvfe6O7alGCXBd5jYgAI8LXTntHJlPDF3TKmQ/x7etQzFOFhaNYKD6r+0FP8l
25fHj59y6GUT9iR3W2JYFApmIle0pd540BTXvnD5mgv5FxWVJ5viB+5bAslXnH9c
Unyfcp0A+6vmmJpRK1KdiS4XTszs4J2DvgEEug3ALysEKay+zq0ysWZQB17EtNM5
/1ePR1qph6wPvyQQY5/o91r17T5gEP3QZj7Qg2O9aTwS1dbhb2JFbUJhEp/hcdbq
H9Qa1kMbQoiL5vVPFO5nWmVVwK8DAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFRH
fKW1TY5UY90+7ouf6DibX9RtBAfzOIRNrv54+ojBANaqscSMtBl08Wq+5HLrrPzg
EfqD8avf1C2eeHE3pmXACW5tVpT6S/arzx1CRP71sTIzBNhtBcWk6NxqvtwB7XLm
BL7rUMVA2oYxteHndDt6TLN7GVg85oSvz6hDIIb+bPkXf9zc9uXz8mozt4bIxuX6
F9TmcFtvy2LmZ3B8hJylYJK9zGJaT9xAed1vE6lHF0KfEpJSmBp5+nP3impcoD5M
7QCwiWLFjUNYMk1q29BdbUN5ZKbqrR3Rm6zHQgd7yqMu3iKsMWq21MiBXTT8Jq/F
rtiX+dULo0KcENpNQysxggLZMIIC1QIBATCBxjCBuDELMAkGA1UEBhMCVVMxEzAR
BgNVBAgMCkNhbGlmb3JuaWExETAPBgNVBAcMCFZhbGVuY2lhMRIwEAYDVQQKDAlG
aWxlcy5jb20xEDAOBgNVBAsMB1Byb2R1Y3QxLjAsBgNVBAMMJWNsYXVkaW9mb3Vy
LmFzMi5jbGF1ZGlvdGVzdC5maWxlcy5jb20xKzApBgkqhkiG9w0BCQEWHGNsYXVk
aW8udGlubmlyZWxsb0BmaWxlcy5jb20CCQCfMq8S3SzAkTANBglghkgBZQMEAgEF
AKCB5DAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0y
MzEwMDUyMjMzMzNaMC8GCSqGSIb3DQEJBDEiBCArw1luHUS6Aagd2G2hU00/FuRp
PePJFvmMNcoQzbExDjB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglg
hkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIA
gDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG
9w0BAQEFAASCAQARflZ/TDf8+NNvhqae8/BOyRImwwgXpqXEZ6O3OK6tqtcy8QsZ
IP7qzqjXqv0MJWaUCDLNK2KCw7O97GITBDckQCI0gGctJLlFBkegFIwsk+MTpuaV
5mUxG/pihxx9WFpuwyx3APZxasdKmnzOncWY2qgUpUj4IqoqkynU5OJD2U9R9qi+
ub3LkvreK27WRAn9KjsRl6hTlpoFMHM5+jmyE05o4c8oaTVfjwwBDOOBMIKL4JMY
ttncgV2mgq5TxROQuxyf649bbuV5YySJjjxfOHLzTyAOYT2x2VOGEZzd9Uzryniw
W38Tzmm9oflH6+XdjnO6JptjDYM/YGismxBB

------7F351D7B2DF82DAA639F0F4BAF1126B2--

You can also decode the MDN signature using the openssl command line tool.

Save the above MDN segment to a file, then run this command:

openssl asn1parse -i -in /path/to/signature_file.txt

The output will show the details of the certificate that was used to sign the MDN, which you can provide to your trading partner to help them identify and correct this issue.

If the above command fails with an error that says "Error reading PEM file", then the signature might have been encoded using an old pre-PEM Base64 format instead. Try this command to decode the signature:

openssl asn1parse -i -inform B64 -in /path/to/signature_file.txt

Binary Signature

Binary format signatures cannot be viewed properly in text editors, but look somewhat like this:

------7F351D7B2DF82DAA639F0F4BAF1126B2
Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

0€	*†H†÷
 €0€10
	`†He�0€	*†H†÷
��1‚=0‚90¦0™100.	*†H†÷
	!10U
192.168.2.1000U
ESM REDACTED
REDACTED–ä±~´F0
	`†He� i0	*†H†÷
	1	*†H†÷
0	*†H†÷
	1
REDACTED/	*†H†÷
	1" ¤¦rm—\Ó:°qÇ
žEXµã~èÅ1ᶥ2Öö0
	*†H†÷
�‚�#Xæhý7SzŽîèþñï`_{nŠmKÀnÉ2´gk¼K¨¹ÍmE¡”ÍæµT-”oN%ô€¸üiò[vÃú*Ð5£Ps¼'<LçTZ¡Czþ2ã?Ÿy¤ß~YÜQÕ5E7þv»/ÄÈE› Å–Iã%l•“ZCÉîx[|ûö=Õà!»»*§ôԏ7¤’a–Ùqïn?Êùo_dn×e8Í»¥ó­ã›ò«wr>ÒÌ<ܪÌk €ˆÿO¸Èn=U¯AûKªJã7F{Tn
…oÏ—™‰
EaÖ}P^‘O›ºÑO§h…œ§~ÞêµyD�ôž‹,½žðTä/1*������
------7F351D7B2DF82DAA639F0F4BAF1126B2--

You can also decode the MDN signature using the openssl command line tool.

Using a binary safe editor, save the above MDN segment to a file. Only save the binary data, starting after the blank line, and do not include any of the header or footer tags. Then run this command on the binary signature file:

openssl asn1parse -i -inform DER -in /path/to/signature_file.bin

The output will show the details of the certificate that was used to sign the MDN, which you can provide to your trading partner to help them identify and correct this issue.
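
The "save the segment to a file" step for both the base64 and the binary case, as an added Python example that is not part of the original page or of any Files.com tooling. It extracts the signature bytes binary-safely and checks that they begin like a PKCS#7 SignedData structure; the function names, boundary string and sample bytes are constructed for illustration.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData).
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def extract_signature_der(segment: bytes) -> bytes:
    """Return the raw signature bytes from one copied MDN MIME segment."""
    blank = re.search(rb"\r?\n\r?\n", segment)  # headers end at first blank line
    if blank is None:
        raise ValueError("no blank line between headers and body")
    headers, body = segment[:blank.start()], segment[blank.end():]
    # If the opening boundary line was copied, cut at the matching closing line.
    first_line = segment.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line.startswith(b"--"):
        end = body.rfind(b"\n" + first_line + b"--")
        if end != -1:
            body = body[:end]
            if body.endswith(b"\r"):  # CR of the CRLF that precedes the boundary
                body = body[:-1]
    cte = re.search(rb"(?im)^Content-Transfer-Encoding:\s*([\w-]+)", headers)
    if cte and cte.group(1).lower() == b"base64":
        return base64.b64decode(body)  # line breaks in the body are ignored
    return body  # binary transfer encoding: bytes are already DER/BER

def looks_like_signed_data(der: bytes) -> bool:
    """True if the bytes open with SEQUENCE { OID signedData ... }."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    length = der[1]
    # Short form: one length byte. Long form 0x8N: N more bytes. 0x80: indefinite.
    pos = 2 + (length & 0x7F if length & 0x80 else 0)
    return der[pos:pos + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID

# Constructed samples: a truncated ContentInfo holding only the OID.
DER_SAMPLE = bytes.fromhex("300b") + SIGNED_DATA_OID
BER_SAMPLE = bytes.fromhex("3080") + SIGNED_DATA_OID + b"\x00\x00"

def build_segment(encoding: bytes, body: bytes) -> bytes:
    """Wrap body in a MIME part laid out like the samples on this page."""
    boundary = b"------CONSTRUCTEDBOUNDARY"  # constructed, not a real MDN boundary
    return b"\r\n".join([
        boundary,
        b"Content-Type: application/pkcs7-signature; name=smime.p7s",
        b"Content-Transfer-Encoding: " + encoding,
        b"", body, boundary + b"--", b"",
    ])

if __name__ == "__main__":
    b64_body = base64.encodebytes(DER_SAMPLE).strip()
    for enc, raw in ((b"base64", b64_body), (b"binary", BER_SAMPLE)):
        der = extract_signature_der(build_segment(enc, raw))
        print(enc.decode(), der.hex(), looks_like_signed_data(der))
```

Write the returned bytes to a file and inspect them with the `-inform DER` form of the asn1parse command shown above.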

Certificate Purpose

The signing of AS2 messages and MDN receipts uses X.509 Certificates. The structure of these certificates includes fields that specify the purpose that the certificate can be used for.

AS2 allows the use of various types of these certificates including, for example, self-signed certificates. Each of your trading partners will have their own certificate standards and so partner certificates will vary in their configuration.

We provide an option for you to specify the MDN validation level, which provides different levels of validation against these different types of signing certificate.

You can use the following command to display a certificate's purpose:

openssl x509 -in /path/to/as2_partner.pem -noout -purpose
