Introduction to the revised PKI Certificate infrastructure and issuing process
PKI Infrastructure
On 2018-09-03 OpenPeppol will adopt a new PKI infrastructure and at the same time start the migration process. The new PKI infrastructure does not differ much from the old one: the biggest changes are the removal of one intermediate CA (the one used for issuing STS certificates) and the replacement of all other CAs with new ones. The new CAs use SHA-256 signatures, which improves security, and some minor adjustments have been made to the naming conventions to ease maintenance of the certificates.
Issuing process
Overview
The issuing process begins with the OpenPeppol member requesting a PKI v3 certificate through the Jira service desk.
Jira Service Desk can be accessed here: https://openpeppol.atlassian.net/servicedesk/customer/portal/1
After the request has been approved by PEPPOL Operations and the responsible PEPPOL Authority an enrollment email and SMS will be sent to the OpenPeppol member.
Detailed enrollment instructions
Once you have obtained the enrollment email containing your assigned 'Service Provider ID' and an SMS with the enrollment code, you are ready to issue the certificate.
The certificate is generated by the OpenPeppol member in a web browser. Follow the detailed instructions for the browser you use:
- For Google Chrome users
- For Firefox users: Enrollment with Firefox (version 56)
- For Internet Explorer users: Enrollment with Internet Explorer (unofficially tested with Edge and expected to work as well)
Certificate chains
After the enrollment process is complete you will have a private key and the certificate issued for it. Some implementations require that certificate to be delivered together with the OpenPEPPOL Intermediate CA and Root CA certificates as a chain. Whether you actually need a chain, and how to build one, is out of scope for the migration process; ask the vendor of your implementation which certificate format is expected for your particular use case. The relevant CA certificates can be downloaded from the Download CAs section below.
Requirements
The enrollment process for a new certificate (or renewal of an existing certificate) is done online through a web browser. Only the OS/web browser combinations listed in the following table are officially supported (other combinations may work, but they are not supported).
Supported OS/Web Browser combinations:
Operating System | Web Browsers |
---|---|
Windows 7 Enterprise edition SP1 (32-bit and 64-bit) | Internet Explorer 8 (32-bit), Internet Explorer 9 (32-bit), Internet Explorer 10 (32-bit), Internet Explorer 11*, Firefox 56 |
Windows 8.1 (32-bit and 64-bit) | Internet Explorer 11*, Firefox 56 |
Windows 10/11 (32-bit and 64-bit) | Google Chrome, Firefox 56 |
Mac OS X El Capitan (10.11) | Safari 10.1.2, Firefox 56 |
Mac OS X Sierra (10.12) | Safari 10.1.2, Firefox 56 |

* The renewal plug-in is not supported in Internet Explorer 11 if Enhanced Protected Mode (EPM) is enabled. EPM is disabled by default in Internet Explorer 11.
** Edge mode is not supported.
Download CAs
The following CAs are used for issuing the certificates; please refer to the PKI Infrastructure section for more information. The MD5 values let you check that a download is intact; MD5 is not collision resistant, so before trusting a downloaded CA certificate also compare its SHA-256 fingerprint with a value obtained from OpenPeppol through a second channel.
Environment | Type | Service | Download | MD5 |
---|---|---|---|---|
PROD | Root CA | ALL | Peppol_Root_CA.cer | 5E790BD599581E4F58E4CCD81505933D |
PROD | Intermediate CA | Access Point | Peppol_AccessPoint_CA.cer | 3C0972B5EC08248892A11E655498D9B3 |
PROD | Intermediate CA | Service Metadata Publisher | Peppol_ServiceMetadataPublisher_CA.cer | 93933897B9A126D318367695CDD77A90 |
TEST | Root CA | ALL | Peppol_Test_Root_CA.cer | 1F0C10BAE3A59DD48C9DD624C51FAF56 |
TEST | Intermediate CA | Access Point | Peppol_Test_AccessPoint_CA.cer | 8ECF5B50E3274ED3126E62E7667B278E |
TEST | Intermediate CA | Service Metadata Publisher | Peppol_Test_ServiceMetadataPublisher_CA.cer | DB95900B57E8DE590C1C7D5BFF348B73 |
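The checks behind the Certificate chains and Download CAs sections, as an added shell example that is not OpenPeppol's own tooling: it compares the downloaded files against the MD5 values in the table, converts them to PEM, prints the SHA-256 fingerprint for out-of-band comparison, verifies that an enrolled certificate chains to the root through the Access Point intermediate, and writes a chain file. It assumes openssl and md5sum are on PATH, that the .cer files are DER or PEM X.509 (the page does not say which), and that the enrolled certificate was exported from the browser as PEM under the placeholder name my_ap_cert.pem.

```shell
#!/bin/sh
# Added example, not OpenPeppol tooling. Checks downloaded CA files against
# the MD5 values in the table, converts them to PEM, verifies that an
# enrolled certificate chains to the root via the intermediate, and writes a
# chain file in leaf -> intermediate -> root order.
# Assumptions: openssl and md5sum (or openssl dgst) are on PATH; the .cer
# files are DER or PEM X.509 (the page does not say which); the enrolled
# certificate has been exported from the browser as PEM.
set -eu

# Expected MD5 values copied from the production rows of the table.
PROD_ROOT_MD5=5E790BD599581E4F58E4CCD81505933D
PROD_AP_MD5=3C0972B5EC08248892A11E655498D9B3
PROD_SMP_MD5=93933897B9A126D318367695CDD77A90

# Print the MD5 of a file as lowercase hex.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f'
  else
    openssl dgst -md5 "$1" | sed 's/.*= //' | tr 'A-F' 'a-f'
  fi
}

# Succeed only if the file's MD5 equals the expected value (case-insensitive).
# MD5 catches a corrupted or truncated download; it is not collision
# resistant, so it does not prove the file is the genuine CA certificate.
check_md5() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$(md5_of "$1")" = "$expected" ]
}

# Convert a .cer file to PEM, accepting either PEM or DER input.
to_pem() {
  if ! openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null; then
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# SHA-256 fingerprint of a PEM certificate, to compare with a value obtained
# from OpenPeppol through a second channel before trusting the file.
fingerprint_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Verify that the leaf chains to the root through the intermediate.
# $1 = leaf.pem, $2 = intermediate.pem, $3 = root.pem
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Write a chain file: end-entity first, then the issuing intermediate, then
# the root. Whether the root belongs in the file is vendor-specific.
# $1 = leaf.pem, $2 = intermediate.pem, $3 = root.pem, $4 = output file
build_chain() {
  cat "$1" "$2" "$3" > "$4"
}

# Usage for an Access Point certificate (file names from the table;
# my_ap_cert.pem is a placeholder for your exported certificate):
#   check_md5 Peppol_Root_CA.cer "$PROD_ROOT_MD5" || exit 1
#   check_md5 Peppol_AccessPoint_CA.cer "$PROD_AP_MD5" || exit 1
#   check_md5 Peppol_ServiceMetadataPublisher_CA.cer "$PROD_SMP_MD5" || exit 1
#   to_pem Peppol_Root_CA.cer root.pem
#   to_pem Peppol_AccessPoint_CA.cer ap_ca.pem
#   fingerprint_sha256 root.pem
#   verify_chain my_ap_cert.pem ap_ca.pem root.pem
#   build_chain my_ap_cert.pem ap_ca.pem root.pem chain.pem
```

The MD5 check only confirms that the file you got is the file the table describes; the SHA-256 fingerprint compared through a second channel is what establishes that the root is genuine, and it is the root you should pin as the trust anchor rather than any file fetched over the network. Run `verify_chain` before `build_chain` so that a wrong intermediate (for example the SMP CA for an Access Point certificate) is caught before it is shipped to your implementation.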