Introduction to the revised PKI Certificate infrastructure and issuing process

 

PKI Infrastructure

On 2018-09-03 OpenPeppol will adopt a new PKI infrastructure and at the same time start the migration process. The new PKI infrastructure does not differ much in comparison with the old infrastructure, the biggest change has been removal of one intermediate CA (for issuing STS certificates) and changing all other CAs to new ones. The new CAs allow improved security (SHA-256) and some minor adjustments have been made to the naming conventions to ease the maintainability of the certificates.

Issuing process

Overview

The issuing process begins with the OpenPeppol member requesting a PKI v3 certificate through the Jira service desk.

Jira Service Desk can be accessed here: https://openpeppol.atlassian.net/servicedesk/customer/portal/1

After the request has been approved by PEPPOL Operations and the responsible PEPPOL Authority an enrollment email and SMS will be sent to the OpenPeppol member.

Detailed enrollment instructions

Once you have obtained the enrollment email containing your assigned 'Service Provider ID' and an SMS with the enrollment code, you are ready to issue the certificate.

The certificate generation is done by the OpenPeppol member using a web browser, please follow the detailed instructions with regards to which web browser is used

Certificate chains

After the enrollment process is complete you will end up with a private key pair. Some implementations might require you to chain this private key pair with the OpenPEPPOL Intermediate CA and Root CA. Whether you actually need a chain of certificates or how you would chain the certificates is out of scope for the migration process, you would need to ask the vendor of your implementation regarding what the expected format of the certificate is to be used in your particular use case. The relevant CAs can be downloaded from section Download CAs.

Requirements

The enrollment process for a new certificate (or renewal of an existing certificate) is done online through a web browser. Only a specific subset of an OS/Web browser combination is supported according to the following table (there might be other combinations that works but they are officially not supported).

Supported OS/Web Browser combinations:

Operating SystemsWeb Browsers
Windows 7 Enterprise edition SP1 (32-bit and 64-bit)

Internet Explorer 8 (32-bit), Internet Explorer 9 (32-bit), Internet Explorer 10 (32-bit), Internet Explorer 11*

Firefox 56


Windows 8.1 (32-bit and 64-bit)

Internet Explorer 11*

Firefox 56

Windows 10 (32-bit and 64-bit)

Internet Explorer 11* **

Firefox 56

Mac OS X El Capitan (10.11)

Safari 10.1.2

Firefox 56

Mac OS X Sierra (10.12)

Safari 10.1.2

Firefox 56


* The renewal plug-in is not supported in Internet Explorer 11 if Enhanced Protection Mode (EPM) is enabled. EPM is disabled by default in Internet Explorer 11.

** Edge mode is not supported


Download CAs

The following CAs are used for issuing the certificates, please refer to the PKI Infrastructure section for more information.

PurposeTypeServiceDownloadMD5
PRODRoot CAALLPeppol_Root_CA.cer
5E790BD599581E4F58E4CCD81505933D
PRODIntermediate CAAccess PointPeppol_AccessPoint_CA.cer
3C0972B5EC08248892A11E655498D9B3
PRODIntermediate CAService Metadata PublisherPeppol_ServiceMetadataPublisher_CA.cer
93933897B9A126D318367695CDD77A90
TESTRoot CAALLPeppol_Test_Root_CA.cer
1F0C10BAE3A59DD48C9DD624C51FAF56
TESTIntermediate CAAccess PointPeppol_Test_AccessPoint_CA.cer
8ECF5B50E3274ED3126E62E7667B278E
TESTIntermediate CAService Metadata PublisherPeppol_Test_ServiceMetadataPublisher_CA.cer
DB95900B57E8DE590C1C7D5BFF348B73