Peppol PKI 2025 - Certificate Authority Migration Plan
1. Glossary
Abbreviations and terms used in this document.
Abbreviation | Meaning |
AP | Peppol Access Point. |
CA | A Certificate Authority (CA) is an entity responsible for issuing and managing digital certificates within a PKI hierarchy. |
Core components | Refers to Peppol core components and namely Service Metadata Locator (SML), Peppol Directory and Peppol Testbed. |
CRL | Certificate Revocation List - a periodically published list of revoked certificates issued by a CA. |
CSR | Certificate Signing Request - a signed file that proves possession of a private key and is sent to a CA to request issuance of a certificate. |
DOTL | The DigiCert One Trust Lifecycle manager PKI platform that OpenPeppol is transitioning to. |
Dual-capability | The ability of a Service Provider or Peppol core component to simultaneously support both the old and new PKI during a transition period. This includes trusting both CA chains and being able to sign, encrypt, and authenticate using certificates from either PKI. |
Exchange transactions | Capability of an Peppol Access Point to both send and receive transactions. |
Intermediate CA | An Intermediate Certificate Authority is a subordinate CA that issues certificates to end entities, inheriting trust from the Root CA. |
MPKI8 | The currently used PKI that will retire on 2026-04-01. |
New certificate | PKI certificate issued from the new PKI platform |
New PKI | The PKI (DigiCert One Trust Lifecycle, DOTL) that will be replacing the old/current PKI. |
OCSP | Online Certificate Status Protocol - a real time protocol for checking whether a certificate is revoked. |
Old certificate | PKI certificate issued from the old PKI platform. |
Old PKI | The currently used PKI (DigiCert MPKI8) that will retire on 2026-04-01. |
PKI | Public Key Infrastructure - the framework of hardware, software, people and policies used to create, manage, distribute, store and revoke digital certificates. |
Production | The production branch of the Peppol Network. |
Root CA | The Root Certificate Authority is the top-most trusted entity in a PKI hierarchy, issuing certificates to Intermediate CAs. |
Service Provider (SP) | An organisation authorised to provide Peppol Services within one or more Peppol Service Domains pursuant to a Peppol Service Provider Agreement. |
SMP | Peppol Service Metadata Publisher. |
T0 | Root- and Intermediate CAs published. New PKI platform ready to issue TEST- AP and SMP certificates. |
T1 | Date when Service Providers must entrust the new PKI platform. New PKI platform ready to issue PROD- AP and SMP certificates. |
T2 | Date when the PKI migration ends (no old certificates in use anymore and old PKI must no longer be entrusted). |
Test | The test branch of the Peppol Network. |
2. Summary
During the second half of 2025, every Peppol Service Provider must replace the certificates it currently uses, which are issued under the current DigiCert Managed PKI v8 (MPKI8) root and intermediate certificate authorities (CAs), with certificates issued under the newly created DigiCert One Trust Lifecycle (DOTL) root and intermediate CAs. After this initial reference, the terms old PKI and new PKI are used throughout this document to keep the wording concise.
DigiCert will retire the old PKI issuance service on 1st of April 2026. From that date no new or replacement certificates can be issued under the old CA chain. Service Providers that have not switched to the new PKI by then will be unable to renew their old certificates and therefore eventually unable to operate on the Peppol Network.
Existing certificates issued under the old PKI remain valid only until the network-wide revocation on 1st April 2026 or their individual expiry date, whichever comes first. DigiCert will continue to publish CRL/OCSP status for them up to that point. Because the new PKI cannot inherit old keys or certificates, every Service Provider must request new certificates under the new PKI CA chain for both the Test- and Production environments.
Based on experience from earlier PKI transitions in the Peppol Network, no production certificates under the new PKI will be issued until a Service Provider has:
Obtained test certificates from the new PKI, and
Proved dual-capability conformance in the Peppol Testbed.
This gate‑keeping milestone ensures that every Service Provider’s technical solution aligns with the new trust model and maintains full interoperability throughout the migration.
2.1 Key Benefits of the New PKI
Benefit | What changes | Why it matters |
Streamlined operations | The new PKI offers a modern API and role-based delegation that were not present on the old PKI. | Less manual work, faster onboarding and lower risk of configuration errors. |
Stronger key security | The new PKI supports CSR-based enrolment, enabling private keys to be generated entirely offline. | Keeps private keys out of the web browser and aligns with industry best practice. Web-based enrolments will still be offered. |
Extended trust anchor | The new PKI Root- and Intermediate CAs are issued with a 10-year validity period. | Provides a stable root of trust and avoids another forced migration in the near future. |
3. Key Milestones
The PKI migration follows three clearly defined milestones with six months between T0 and T1 to give Service Providers predictable change windows:
Milestone | Target date | High-level action |
T0 | 2025-08-11 00:00:00 UTC | Service providers can obtain test certificates from the new PKI. New PKI CA chains are made available. |
T1 | 2026-02-11 00:00:00 UTC | Issuance of new PKI production certificates can begin. Issuance of old PKI production certificates is discontinued. The already issued old PKI certificates remain valid. All Service Providers must have implemented the capability to entrust both new and old CA chains. |
T2 | 2026-04-01 00:00:00 UTC | All valid old PKI certificates are revoked. All Service Providers must entrust only the new CA chain. |
Key rule: No new PKI production certificate shall be issued until the holder has met the following preconditions which must both be fulfilled before T1:
Must have obtained new PKI test certificates and
Must have demonstrated full conformance, as verified by the Peppol Testbed.
Detailed tasks, roles, and fallback measures are elaborated in chapters 4 to 6.
4. Process Implementation
This section sets out the actions required of every Service Provider in each migration phase, and the corresponding obligations for the other core components of the Peppol Network.
4.1 Phase Overview
before T0:
Business as usual under the old PKI.
New PKI CA chains published (for both test and production).
between T0 and T1:
Service Providers must request test certificates from the new PKI.
Service Providers must implement dual-capability support for old and new PKI CA chains. They must prove this capability by passing the relevant test suite of the Peppol Testbed.
Peppol core components (SML, Peppol Directory, Peppol Testbed) must implement dual-capability support for old and new PKI CA chains.
New Service Providers joining after T0 will be issued both the old and new PKI test certificates
New Service Providers joining after T0 will be issued only old PKI production certificates until T1. Before obtaining a production certificate, They must also implement dual-capability and pass the relevant test suite of the Peppol Testbed.
between T1 and T2:
Issuing of production certificates from the new PKI begins.
Service Providers that have passed dual-capability conformance testing at the Peppol Testbed must request and install new PKI production certificates.
All Service Providers must support both old and new PKI CA chains.
Issuing of old PKI production certificates is no longer allowed.
New Service Providers joining after T1 will be issued both old and new PKI test certificates and will have to pass dual-capability conformance testing at the Peppol Testbed before going into production.
New Service Providers joining after T1 will be issued only new PKI production certificates.
after T2:
All issued certificates from the old PKI are revoked at T2.
Old PKI CA chain no longer to be entrusted.
4.2 Access Point (AP) Obligations
Phase | MUST | MAY |
Between T0 and T1 | Sign and encrypt with old PKI only. | Trust new PKI CA chain. |
Between T1 and T2 | Sign and encrypt with old or new PKI. | - |
After T2 | Sign and encrypt with new PKI only. | - |
4.3 Service Metadata Publisher (SMP) Obligations
Phase | MUST | MAY |
Up until T1 | Sign metadata using old PKI only. | - |
Between T1 and T2 | Sign metadata using old or new PKI. | - |
After T2 | Sign metadata using new PKI only. | - |
4.4 Peppol Directory Obligations
Phase | MUST | MAY |
Up until T1 | Authorise authentications using old or new PKI. | - |
Between T1 and T2 | Authorise authentications using old or new PKI. | - |
After T2 | Authorise authentications using new PKI only. | - |
4.5 Service Metadata Locator (SML) Obligations
Phase | MUST | MAY |
Up until T1 | Authorise authentications using old or new PKI. | - |
Between T1 and T2 | Authorise authentications using old or new PKI. | - |
After T2 | Authorise authentications using new PKI only. | - |
4.6 Testbed Obligations
Phase | MUST | MAY |
Up until T1 | Authorise authentications using old or new PKI. | - |
Between T1 and T2 | Authorise authentications using old or new PKI. | - |
After T2 | Authorise authentications using new PKI only. | - |
5. Technical Implementation
How to implement this from a technical point of view is dependent on the AP or SMP implementation used. There will not be a guideline available for every implementation, but the general approach is described in the following sections.
5.1 AP Provider checklist
From T0 promptly request new PKI test certificate.
Before T1 import new PKI CA chain into application trust store.
Before T1 replace old PKI test certificate with new PKI test certificate in non-production environment. Make sure to update test SMP entries to reflect this change. Run and complete Peppol Testbed AP migration conformance tests.
After T1 (and passed Peppol Testbed AP migration conformance tests) request new PKI production certificate.
Before T2 swap old PKI production certificate to new PKI production certificate (in production environment). Make sure to update SMP entries to reflect this change.
After T2 remove old PKI CA chain from trust store.
5.2 SMP Provider checklist
From T0 promptly request new PKI test certificate.
Before T1 replace old PKI test certificate with new PKI test certificate in non-production environment. Run and complete Peppol Testbed SMP migration conformance tests.
After T1 (and passed Peppol Testbed SMP migration conformance tests) request new PKI production certificate.
Before T2 swap old PKI production certificate to new PKI production certificate (in production environment).
Migrate the authorisation certificate in the SML (so that the new PKI production certificate will be accepted by the SML) by using the UC12 Prepare Change Certificate operation at the SML.After T2 remove old PKI CA chain from trust store.
6. Edge Cases
These sections captures scenarios that affect only a subset of Service Providers yet require explicit treatment to keep the migration on schedule and the network stable.
6.1 Old PKI certificates expiring near migration milestones
If you are a currently operating Service Provider with issued certificates (whether test or production) from the old PKI then this is how you are expected to act.
Old PKI certificate expiry | Expected action |
Before T0 | Business as usual. Make sure to renew your old PKI certificate before the expiry. |
Between T0 and T1 | Business as usual. Make sure to renew your old PKI certificate before the certificate expiry. |
Between T1 and T2 | You will be allowed to renew your old PKI certificate up until T1. |
After T2 | You are expected to complete the migration by T2 and will therefore not be allowed to renew your old PKI certificate. |
6.2 Onboarding of Service Providers during migration
If you are a new Service Provider that will be onboarding during the migration, then these are the recommended actions for you.
Onboarding at | Expected action |
Before T0 | Business as usual. You will be issued certificates from the old PKI. You will also be expected to follow through the migration to the new PKI. |
Between T0 and T1 | You can choose from these options: |
After T1 | You will be issued certificates from the new PKI and follow through the migration. |
7. Useful Resources
This section summarises resources that might be necessary for you to leverage during the migration.
7.1 PKI CA Chains
The old PKI CA chains are documented and available for download at:
The new PKI CA chains are documented and available for download at:
7.2 Request for certificates (and issuing/enrolment process)
All certificate requests, whether for new certificates or renewals or for new or old PKI are raised through the Peppol Service Desk available at:
Furthermore the issuing and enrolment process for the new PKI is documented at the following resource:
7.3 Dedicated Migration Guidelines
OpenPeppol will publish a set of implementation neutral guides that complement this migration plan. These documents will explain how to execute critical steps while keeping normative what and when in this document.
Illustrative, non-exhaustive topics:
· Replacing the SMP authorisation certificate in the SML via the UC12 –PrepareChangeCertificate operation.
· Requesting (and issuing) AP and SMP certificates in the new PKI portal.
· Verifying dual-capability conformance (old and new PKI) in the Peppol Testbed.
· A continuously updated FAQ answering common questions that arise during the migration period.