Please find below information related to activities needed as part of the migration to a new version of the PEPPOL PKI Certificate.

For information about the certificate issuing process please refer to the OpenPEPPOL public space, section /wiki/spaces/Public/pages/191496224

The short version

The OpenPeppol eDelivery Network is migrating to a new PKI infrastructure.

  • After 2018-09-03 00:00:00 all Access Point Providers in the network MUST be able to support both the current PKI v2 certificates and the new PKI v3 certificates. Transactions can still be sent using EITHER v2 or v3 certificates.
  • After 2018-11-30 23:59:59 all Access Point Providers in the network MUST only send and receive transactions using the new PKI v3 certificates.

Background

...

  • v3 certificates.
  • The required Root and Intermediate CAs are available now for download here
  • You are encouraged to start enrolling for a PKI v3 certificate from mid-April 2018 in preparation for the September migration. The new PKI v3 certificates can be requested from PEPPOL Jira Service desk here: https://openpeppol.atlassian.net/servicedesk/customer/portal/1

Background

The migration is necessary and cannot wait until the current PKI certificates expire, due to the following:

  • Improved security. The current PKI infrastructure issues certificates signed with SHA-1, which is no longer recommended for use because practical collision attacks against it have been demonstrated. The new PKI infrastructure issues certificates signed with SHA-256, which is the currently recommended standard for web PKI.
  • Responsible organization. In the current PKI infrastructure, the issuing agency organization is "DIGST" (Danish Agency for Digitisation) and a request has been made to move this responsibility to the appropriate organization (OpenPEPPOL AISBL).
  • Minor improvements. Some smaller changes to the naming conventions will make it easier to maintain the certificates and also to utilize a more cost effective pricing model which will be based on the member level rather than on the individual certificates.

...

  1. After C1 the operational office of OpenPeppol will commence issuing PKI v3 certificates.
  2. Up until date T1:
    1. All APs MUST be able to exchange transactions using the PKI v2 certificates.
    2. All SMPs MUST support PKI v2 certificates.
    3. The SML MUST support PKI v2 certificates.
    4. The PEPPOL Directory MUST support PKI v2 certificates.
  3. After date T1 and until date T2:
    1. All APs MUST be able to initiate a transaction (send) using EITHER of the two available PKI certificates (v2 or v3).
    2. All APs MUST be able to receive transactions initiated using BOTH available PKI certificates (v2 and v3).
    3. All SMPs MUST support BOTH available PKI certificates (v2 and v3).
  4. Before C2:
    1. All AP and SMP providers that were operational before T1 will have been issued certificates from the PKI v3 infrastructure (this is an internal OpenPeppol deadline).
  5. After date T2:
    1. All APs MUST only exchange transactions using PKI v3 certificates.
    2. All SMPs MUST only support PKI v3 certificates.

C1 = 2018-04-16 00:00:00

T1 = 2018-09-03 00:00:00

C2 = 2018-10-31 23:59:59

T2 = 2018-11-30 23:59:59
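The phase rules above reduce to a question of which trust anchors an Access Point loads: only the PKI v2 root and intermediate before T1, both generations between T1 and T2, only PKI v3 after T2. The following Go program is an added example written for this page (it is not OpenPeppol code and not taken from any AP implementation). It builds two constructed, test-only CA hierarchies named "TEST PEPPOL Root CA v2/v3" and "TEST PEPPOL Access Point CA v2/v3" (the real PEPPOL CA names are not used), issues an AP certificate from each, and checks the peer certificate against the anchors allowed in each phase, reporting which generation the accepted chain terminates in. The phase names, the test CA names and the validity window are assumptions of the example; the AS2/AS4 message signature check that would wrap this is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Phase int // position on the migration timeline (T1 = 2018-09-03, T2 = 2018-11-30)
const (
	BeforeT1 Phase = iota // only PKI v2 chains are trusted
	T1ToT2                // PKI v2 and PKI v3 chains are both trusted
	AfterT2               // only PKI v3 chains are trusted
)

// PKI is one generation: a self-signed root plus the intermediate that issues AP certificates.
type PKI struct {
	Root, Inter *x509.Certificate
	interKey    *ecdsa.PrivateKey
}

// mint generates a P-256 key and a certificate for cn signed by parentKey (self-signed when parent is nil).
func mint(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a constructed test hierarchy
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2020, 12, 31, 23, 59, 59, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds the constructed, test-only root and intermediate for one generation ("v2" or "v3").
func NewPKI(gen string) (*PKI, error) {
	root, rootKey, err := mint("TEST PEPPOL Root CA "+gen, true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := mint("TEST PEPPOL Access Point CA "+gen, true, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Inter: inter, interKey: interKey}, nil
}

// IssueAP issues an Access Point end-entity certificate from this generation's intermediate.
func (p *PKI) IssueAP(cn string) (*x509.Certificate, error) {
	cert, _, err := mint(cn, false, p.Inter, p.interKey)
	return cert, err
}

// VerifyAP validates a peer AP certificate against the anchors allowed in phase and reports the generation used.
func VerifyAP(cert *x509.Certificate, phase Phase, v2, v3 *PKI, now time.Time) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if phase != AfterT2 { // PKI v2 stays trusted until T2
		roots.AddCert(v2.Root)
		inters.AddCert(v2.Inter)
	}
	if phase != BeforeT1 { // PKI v3 becomes trusted at T1
		roots.AddCert(v3.Root)
		inters.AddCert(v3.Inter)
	}
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // AP certs serve as TLS client certs as well
	})
	if err != nil {
		return "", fmt.Errorf("AP %q rejected in phase %d: %w", cert.Subject.CommonName, phase, err)
	}
	if chains[0][len(chains[0])-1].Equal(v3.Root) { // last chain element is the root actually used
		return "v3", nil
	}
	return "v2", nil
}

func main() {
	v2, _ := NewPKI("v2")
	v3, _ := NewPKI("v3")
	ap, _ := v2.IssueAP("AP-A")
	fmt.Println(VerifyAP(ap, AfterT2, v2, v3, time.Date(2018, 12, 1, 0, 0, 0, 0, time.UTC)))
}
```

The point to take from the check is that the transition window is implemented purely in the trust store (both roots and both intermediates loaded between T1 and T2), and that "disable PKI v2 support" after T2 means removing the v2 anchors, not merely stopping to send with a v2 certificate; a v2-signed message then fails chain building rather than being accepted by a lingering anchor.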

...

  1. Between T1 and T2. You will be issued a client certificate from the PKI v3 infrastructure. Replace the current client certificate with the new one. You will also need to migrate the v2 SMP certificate registered in the SML to the v3 SMP certificate. The process for migrating the certificate has been digitalised, and the official documentation of the operations supported by the SML is available here. To migrate you will need to call the SML interface UC12 - PrepareChangeCertificate.

The needed Root and Intermediate CAs are available for download here

Summary of responsibilities per component and milestone. The columns of the original table are Access Point (sending, receiving), SMP (server, client), PEPPOL Directory, SML and OpenPEPPOL; they are listed here per milestone.

No later than T1
  • Access Point (sending): Must be able to validate MDNs signed with PKI v3.
  • Access Point (receiving): MUST accept an incoming transaction signed with either PKI v2 or PKI v3.
  • SMP (client): Must accept responses signed with PKI v2 and v3.
  • PEPPOL Directory: MUST accept SMP client certificates for both PKI v2 and v3.
  • SML: MUST accept SMP client certificates for both PKI v2 and v3.
  • OpenPEPPOL: After T1 only v3 certificates will be issued.

After C1
  • OpenPEPPOL: All service providers should have a v3 certificate.

No later than T2
  • Access Point (sending): MUST be able to sign transactions with PKI v3.
  • Access Point (receiving): Must use PKI v3 to sign MDNs.
  • Access Point: MUST update AP configuration with AP certificate PKI v3.
  • SMP (server): Provide PKI v3 SMP certificate to SML operator so they can update their entry. Update all SMP entries to use a PKI v3 AP certificate.
  • SMP (client): Must use PKI v3.
  • PEPPOL Directory: Must use PKI v3.
  • SML: Must use PKI v3.

After T2
  • Access Point (sending): Disable PKI v2 support.
  • Access Point (receiving): Disable support for receiving transactions signed with PKI v2.
  • SMP (server): Disable PKI v2 support.
  • SMP (client): Disable PKI v2 support.
  • PEPPOL Directory: Disable PKI v2 support.
  • SML: Disable support for SMP client PKI v2 certs.

...