On 2018-09-03 OpenPeppol will adopt a new PKI infrastructure and at the same time start the migration process. The new PKI infrastructure does not differ much in comparison with the old infrastructure, the biggest change has been removal of one intermediate CA (for issuing STS certificates) and changing all other CAs to new ones. The new CAs allow improved security (SHA-256) and some minor adjustments have been made to the naming conventions to ease the maintainability of the certificates.
The issuing process begins with the OpenPeppol member requesting a PKI v3 certificate through the Jira service desk.
Jira Service Desk can be accessed here: https://openpeppol.atlassian.net/servicedesk/customer/portal/1
After the request has been approved by PEPPOL Operations and the responsible PEPPOL Authority an enrollment email and SMS will be sent to the OpenPeppol member.
Detailed enrollment instructions
Once you have obtained the enrollment email containing your assigned 'Service Provider ID' and an SMS with the enrollment code, you are ready to issue the certificate.
The certificate generation is done by the OpenPeppol member using a web browser, please follow the detailed instructions with regards to which web browser is used
After the enrollment process is complete you will end up with a private key pair. Some implementations might require you to chain this private key pair with the OpenPEPPOL Intermediate CA and Root CA. Whether you actually need a chain of certificates or how you would chain the certificates is out of scope for the migration process, you would need to ask the vendor of your implementation regarding what the expected format of the certificate is to be used in your particular use case. The relevant CAs can be downloaded from section Download CAs.
The enrollment process for a new certificate (or renewal of an existing certificate) is done online through a web browser. Only a specific subset of an OS/Web browser combination is supported according to the following table (there might be other combinations that works but they are officially not supported).
Supported OS/Web Browser combinations:
|Operating Systems||Web Browsers|
|Windows 7 Enterprise edition SP1 (32-bit and 64-bit)|
Internet Explorer 8 (32-bit), Internet Explorer 9 (32-bit), Internet Explorer 10 (32-bit), Internet Explorer 11*
|Windows 8.1 (32-bit and 64-bit)|
Internet Explorer 11*
|Windows 10 (32-bit and 64-bit)|
Internet Explorer 11* **
|Mac OS X El Capitan (10.11)|
|Mac OS X Sierra (10.12)|
* The renewal plug-in is not supported in Internet Explorer 11 if Enhanced Protection Mode (EPM) is enabled. EPM is disabled by default in Internet Explorer 11.
** Edge mode is not supported
The following CAs are used for issuing the certificates, please refer to the PKI Infrastructure section for more information.