Peppol PKI 2025 - Certificate Authorities

1 Glossary
2 Purpose & Scope
3 Summary
4 PKI Hierarchy Overview
- 4.1 PROD
- 4.2 TEST
5 Certificate Authorities (detailed)
- 5.1 PROD CAs
  - 5.1.1 PROD - Root CA - G3
  - 5.1.2 PROD - Peppol Access Point CA - G3
  - 5.1.3 PROD - Peppol Service Metadata Publisher CA - G3
- 5.2 TEST CAs
  - 5.2.1 TEST - Root CA - G3
  - 5.2.2 TEST - Peppol Access Point CA - G3
  - 5.2.3 TEST - Peppol Service Metadata Publisher CA - G3

Glossary

Abbreviation	Meaning

Abbreviation	Meaning
AP	Access Point
CA	Certificate Authority
G2	Refers to the legacy generation of the Peppol PKI
G3	Refers to the next generation of the Peppol PKI
PKI	Public Key Infrastructure
PROD	Production environment
SMP	Service Metadata Publisher
TEST	Test environment

Purpose & Scope

This page documents the Peppol PKI 2025 hierarchy and the certificate authorities (CAs) that form it. Execution steps for migrating from G2 → G3 are covered in the PKI Migration Plan 2025.

Summary

This table summarises the CAs that are expected to be entrusted as part of the Peppol PKI 2025.

The “In Service” column is the date from when the CA needs to be entrusted in its designated service area.

Legacy G2 CAs remain trusted until a decommission date is announced in the PKI Migration Plan 2025.

Environment	Type	Service	In Service	File	File MD5 hash	SHA256 Certificate Fingerprint

Environment	Type	Service	In Service	File MD5 hash	SHA256 Certificate Fingerprint
PROD	Root CA	-	2026-01-01	`ce7fdd24392f324c56553bdccad4a557`	`B6:07:5B:9F:86:55:E7:56:77:7F:18:2D:14:07:C0:04:94:42:D3:A2:F5:7D:FF:97:81:52:38:28:F3:31:F2:11`
PROD	Intermediate CA	Peppol AP	2026-01-01	`dbead09e15dd17abc04e4b2a34613c20`	`B6:5E:37:5A:58:26:AD:A1:65:17:B2:AA:8A:88:1B:6F:CA:FF:5E:48:E7:55:9B:9E:96:BB:A5:C6:49:21:F9:00`
PROD	Intermediate CA	Peppol SMP	2026-01-01	`e9c0ef135499e0db6e0c3f3b4c83539f`	`D9:E1:74:67:C6:9E:51:FC:4F:5C:52:63:54:2F:C6:8D:2A:BB:A5:DF:AA:E6:2E:87:FB:D6:82:9F:1D:E6:21:C4`
TEST	Root CA	-	2025-07-01	`fde9d752044c674b9a5cfb5a26a4e0f3`	`8B:4E:0E:5D:C7:C8:20:8C:BA:88:ED:EB:FA:D3:1E:06:47:40:D8:96:AB:6E:18:DE:0B:03:38:6F:D2:4B:E7:34`
TEST	Intermediate CA	Peppol AP	2025-07-01	`157c68b5b006098dfb2346211a15bebb`	`D2:44:5A:0F:11:5E:E6:4C:C1:41:A8:49:FE:14:29:27:FE:57:01:B7:D9:B5:8D:3E:6F:53:99:31:62:11:5C:C0`
TEST	Intermediate CA	Peppol SMP	2025-07-01	`602caf96fd0303872ccf9283f965ca6c`	`EB:78:DA:BB:62:2B:BC:70:15:92:F0:85:BC:27:AB:81:7F:E1:C0:D4:75:3A:E8:29:68:2E:81:27:B3:B0:0C:E7`

To verify the SHA256 Certificate Fingerprint the following command can be used (adopt the filename to the actual one):

openssl x509 -in PEPPOL_Root_TEST_CA-G3.pem -noout -sha256 -fingerprint

PKI Hierarchy Overview

The PROD and TEST hierarchy is mirrored so that all production scenarios can be verified using a test setup.

PROD

TEST

Certificate Authorities (detailed)

Detailed summary of each one of the CAs.

PROD CAs

PROD - Root CA - G3

Filename:             PEPPOL_Root_CA-G3.pem
MD5 File Hash:        ce7fdd24392f324c56553bdccad4a557
SHA256 Fingerprint:   B6:07:5B:9F:86:55:E7:56:77:7F:18:2D:14:07:C0:04:94:42:D3:A2:F5:7D:FF:97:81:52:38:28:F3:31:F2:11

Issuer:                 C=BE, O=OpenPEPPOL AISBL, CN=PEPPOL Root CA - G3
Common Name:            PEPPOL Root CA - G3
Organization:           OpenPEPPOL AISBL
Organization Unit:      
Country / Region:       BE
State:                  
Locality:               
Signature Algorithm:    sha256WithRSA
Valid from:             January 14, 2025 19:01:10
Valid to:               January 14, 2035 18:59:40
Serial number:          22C4013475D4B7E0972B9CD7633ADD244AFC01C0
OCSP URL:               None
CRL URL:                None
Key Usage:              Digital Signature, Certificate Sign, CRL Sign
Basic Constraints:      CA:TRUE
Subject Key Identifier: CC:EE:8C:EC:A2:92:9E:49:BB:5F:84:3F:B6:69:24:46:55:7E:AD:66

PROD - Peppol Access Point CA - G3

Filename:             PEPPOL_ACCESS_POINT_CA-G3.pem
MD5 File Hash:        dbead09e15dd17abc04e4b2a34613c20
SHA256 Fingerprint:   B6:5E:37:5A:58:26:AD:A1:65:17:B2:AA:8A:88:1B:6F:CA:FF:5E:48:E7:55:9B:9E:96:BB:A5:C6:49:21:F9:00

Issuer:                 C=BE, O=OpenPEPPOL AISBL, CN=PEPPOL Root CA - G3
Common Name:            PEPPOL ACCESS POINT CA - G3
Organization:           OpenPEPPOL AISBL
Organization Unit:      None
Country / Region:       BE
State:                  None
Locality:               None
Signature Algorithm:    sha256WithRSA
Valid from:             January 14, 2025 19:04:51
Valid to:               January 13, 2035 18:59:40
Serial number:          331F6542DB4398F91A14EFA798B28EF39BF49EFA
OCSP URL:               http://ocsp.one.nl.digicert.com
CRL URL:                http://crl.one.nl.digicert.com/PEPPOLRootCA-G3.crl
Key Usage:              Digital Signature, Certificate Sign, CRL Sign
Basic Constraints:      CA:TRUE, pathlen:1
Subject Key Identifier: FC:32:56:48:AB:CB:C1:B8:F9:83:9A:2F:80:0B:28:CC:F7:FF:EA:D1

PROD - Peppol Service Metadata Publisher CA - G3

Filename:             PEPPOL_SERVICE_METADATA_PUBLISHER_CA-G3.pem
MD5 File Hash:        e9c0ef135499e0db6e0c3f3b4c83539f
SHA256 Fingerprint:   D9:E1:74:67:C6:9E:51:FC:4F:5C:52:63:54:2F:C6:8D:2A:BB:A5:DF:AA:E6:2E:87:FB:D6:82:9F:1D:E6:21:C4

Issuer:                 C=BE, O=OpenPEPPOL AISBL, CN=PEPPOL Root CA - G3
Common Name:            PEPPOL SERVICE METADATA PUBLISHER CA - G3
Organization:           OpenPEPPOL AISBL
Organization Unit:      None
Country / Region:       BE
State:                  None
Locality:               None
Signature Algorithm:    sha256WithRSA
Valid from:             January 14, 2025 19:10:48
Valid to:               January 13, 2035 18:59:40
Serial number:          4B475A54F3187AB330E5508A7C9170C179E8ABA1
OCSP URL:               http://ocsp.one.nl.digicert.com
CRL URL:                http://crl.one.nl.digicert.com/PEPPOLRootCA-G3.crl
Key Usage:              Digital Signature, Certificate Sign, CRL Sign
Basic Constraints:      CA:TRUE, pathlen:1
Subject Key Identifier: 1D:DC:C2:85:5C:56:83:CD:E8:08:C7:FA:92:93:43:C5:E1:F6:8E:D1

TEST CAs

TEST - Root CA - G3

Filename:             PEPPOL_Root_TEST_CA-G3.pem
MD5 File Hash:        fde9d752044c674b9a5cfb5a26a4e0f3
SHA256 Fingerprint:   8B:4E:0E:5D:C7:C8:20:8C:BA:88:ED:EB:FA:D3:1E:06:47:40:D8:96:AB:6E:18:DE:0B:03:38:6F:D2:4B:E7:34

Issuer:                 C=BE, O=OpenPEPPOL AISBL, OU=FOR TEST ONLY, CN=PEPPOL Root TEST CA - G3
Common Name:            PEPPOL Root TEST CA - G3
Organization:           OpenPEPPOL AISBL
Organization Unit:      FOR TEST ONLY
Country / Region:       BE
State:                  None
Locality:               None
Signature Algorithm:    sha256WithRSA
Valid from:             January 14, 2025 18:49:55
Valid to:               January 14, 2035 18:47:39
Serial number:          617E487C47F71E24EF891DD094693CE85E85051E
OCSP URL:               None
CRL URL:                None
Key Usage:              Digital Signature, Certificate Sign, CRL Sign
Basic Constraints:      CA:TRUE
Subject Key Identifier: 6E:54:8D:E4:12:2E:BB:FE:20:68:CC:3F:57:B8:50:05:6E:5E:7C:C4

TEST - Peppol Access Point CA - G3

Filename:             PEPPOL_ACCESS_POINT_TEST_CA-G3.pem
MD5 File Hash:        157c68b5b006098dfb2346211a15bebb
SHA256 Fingerprint:   D2:44:5A:0F:11:5E:E6:4C:C1:41:A8:49:FE:14:29:27:FE:57:01:B7:D9:B5:8D:3E:6F:53:99:31:62:11:5C:C0

Issuer:                 C=BE, O=OpenPEPPOL AISBL, OU=FOR TEST ONLY, CN=PEPPOL Root TEST CA - G3
Common Name:            PEPPOL ACCESS POINT TEST CA - G3
Organization:           OpenPEPPOL AISBL
Organization Unit:      FOR TEST ONLY
Country / Region:       BE
State:                  None
Locality:               None
Signature Algorithm:    sha256WithRSA
Valid from:             January 14, 2025 18:53:02
Valid to:               January 13, 2035 18:47:39
Serial number:          6F186FE4393249F2158E572631C71BDE8840E774
OCSP URL:               http://ocsp.one.nl.digicert.com
CRL URL:                http://crl.one.nl.digicert.com/PEPPOLRootTESTCA-G3.crl
Key Usage:              Digital Signature, Certificate Sign, CRL Sign
Basic Constraints:      CA:TRUE, pathlen:1
Subject Key Identifier: B3:CC:44:EF:76:AF:81:C9:DF:F3:5F:A5:9E:88:71:AD:9F:A0:F7:70

TEST - Peppol Service Metadata Publisher CA - G3

Filename:             PEPPOL_SERVICE_METADATA_PUBLISHER_TEST_CA-G3.pem
MD5 File Hash:        602caf96fd0303872ccf9283f965ca6c
SHA256 Fingerprint:   EB:78:DA:BB:62:2B:BC:70:15:92:F0:85:BC:27:AB:81:7F:E1:C0:D4:75:3A:E8:29:68:2E:81:27:B3:B0:0C:E7

Issuer:                 C=BE, O=OpenPEPPOL AISBL, OU=FOR TEST ONLY, CN=PEPPOL Root TEST CA - G3
Common Name:            PEPPOL SERVICE METADATA PUBLISHER TEST CA - G3
Organization:           OpenPEPPOL AISBL
Organization Unit:      FOR TEST ONLY
Country / Region:       BE
State:                  None
Locality:               None
Signature Algorithm:    sha256WithRSA
Valid from:             January 14, 2025 18:58:38
Valid to:               January 13, 2035 18:47:39
Serial number:          692058C4551F4556DD1535C23293EC78084B4197
OCSP URL:               http://ocsp.one.nl.digicert.com
CRL URL:                http://crl.one.nl.digicert.com/PEPPOLRootTESTCA-G3.crl
Key Usage:              Digital Signature, Certificate Sign, CRL Sign
Basic Constraints:      CA:TRUE, pathlen:1
Subject Key Identifier: 57:D8:4F:38:97:6C:D5:4B:97:47:E4:1D:32:BF:68:9B:05:A4:48:6B