Introduction to the revised PKI Certificate infrastructure and issuing process


PKI Infrastructure

On 2018-09-03 OpenPeppol will adopt a new PKI infrastructure and at the same time start the migration process. The new PKI infrastructure does not differ much in comparison with the old infrastructure, the biggest change has been removal of one intermediate CA (for issuing STS certificates) and changing all other CAs to new ones. The new CAs allow improved security (SHA-256) and some minor adjustments have been made to the naming conventions to ease the maintainability of the certificates.

Issuing process


The issuing process begins with the OpenPeppol member requesting a PKI v3 certificate through the Jira service desk.

Jira Service Desk can be accessed here:

After the request has been approved by PEPPOL Operations and the responsible PEPPOL Authority an enrollment email and SMS will be sent to the OpenPeppol member.

Detailed enrollment instructions

Once you have obtained the enrollment email containing your assigned 'Service Provider ID' and an SMS with the enrollment code, you are ready to issue the certificate.

The certificate generation is done by the OpenPeppol member using a web browser, please follow the detailed instructions with regards to which web browser is used

Certificate chains

After the enrollment process is complete you will end up with a private key pair. Some implementations might require you to chain this private key pair with the OpenPEPPOL Intermediate CA and Root CA. Whether you actually need a chain of certificates or how you would chain the certificates is out of scope for the migration process, you would need to ask the vendor of your implementation regarding what the expected format of the certificate is to be used in your particular use case. The relevant CAs can be downloaded from section Download CAs.


The enrollment process for a new certificate (or renewal of an existing certificate) is done online through a web browser. Only a specific subset of an OS/Web browser combination is supported according to the following table (there might be other combinations that works but they are officially not supported).

Supported OS/Web Browser combinations:

Operating SystemsWeb Browsers
Windows 7 Enterprise edition SP1 (32-bit and 64-bit)

Internet Explorer 8 (32-bit), Internet Explorer 9 (32-bit), Internet Explorer 10 (32-bit), Internet Explorer 11*

Firefox 56

Windows 8.1 (32-bit and 64-bit)

Internet Explorer 11*

Firefox 56

Windows 10 (32-bit and 64-bit)

Internet Explorer 11* **

Firefox 56

Mac OS X El Capitan (10.11)

Safari 10.1.2

Firefox 56

Mac OS X Sierra (10.12)

Safari 10.1.2

Firefox 56

* The renewal plug-in is not supported in Internet Explorer 11 if Enhanced Protection Mode (EPM) is enabled. EPM is disabled by default in Internet Explorer 11.

** Edge mode is not supported

Download CAs

The following CAs are used for issuing the certificates, please refer to the PKI Infrastructure section for more information.

PRODRoot CAALLPeppol_Root_CA.cer
PRODIntermediate CAAccess PointPeppol_AccessPoint_CA.cer
PRODIntermediate CAService Metadata PublisherPeppol_ServiceMetadataPublisher_CA.cer
TESTRoot CAALLPeppol_Test_Root_CA.cer
TESTIntermediate CAAccess PointPeppol_Test_AccessPoint_CA.cer
TESTIntermediate CAService Metadata PublisherPeppol_Test_ServiceMetadataPublisher_CA.cer