J.P. Morgan Host-to-Host File Transmission

J.P. Morgan Host-to-Host has changed Certificate Authorities from Entrust to DigiCert.  All new new certificates will now be issued by DigiCert.  This will include new DigiCert Root and Intermediate certificates.

Our SSL certificate for the AS2, HTTPS, NDM protocols will be replaced in 2Q2025, as the old certificates will expire.  The new certificates will be available for download on our H2H SSL Support. Please note that DigiCert will be the new Certificate Authority issuing these certificates (previously Entrust).

Beginning in 2Q2025, all transport authentication keys and certificates must have a finite validity period of 1 year or less. For SSH keys, we will install renewal keys for a 1 year usage period.

Beginning in 1Q2026, CTR ciphers for SSH protocol will no longer be supported. This timeline was extended from the originally communicated date of June 21, 2025. For more information please visit our H2H SSH Support page.

Our PGP key will be replaced in 3Q2025. The new key will be available for download from our H2H PGP Support page.

• All keys used with file transmission must expire in 2 years or less. All expiring keys must be renewed with unique and newly created keys and not previously used. There are no exceptions to this policy.
• Beginning in 2Q2025 all transport authentication keys and certificates must expire in 1 year or less.

• Transport Layer Security version 1.2 (TLSv1.2) is the minimum standard for communication session encryption for the following applications and protocols:
  • Applicability Statement 2 (AS2)
  • Hypertext Transfer Protocol Secure (HTTPS)
  • File Transport Protocol Secure (FTPS) – No longer supported for new setups
  • NDM via IBM® Sterling Connect:Direct® with Secure+®
• The Administrative Procedures for Certificates include the following standards:
  • All certificates and keys must have a finite validity period of two years or less.
    • Beginning in 2Q2025, all certificates and keys used for transport authentication must have a finite validity period of 1 year or less.
  • No certificate shall be accepted unless it adheres, at minimum, to the following cryptographic specification:
    • Message digest: SHA-256, AES256
    • Asymmetric algorithm: RSA, DSS (DSS is not supported for SSH protocols).
    • Asymmetric algorithm key length: 2048 bits or more.
    • Elliptical curve algorithms are not supported at this time.
  • Elliptical curve algorithms are not supported at this time.