Peppol PKI 2025 - Issuing and Enrolment Process
Glossary
| Abbreviation | Meaning |
|---|---|
| AP | Access Point |
| CA | Certificate Authority |
| CSR | Certificate Signing Request |
| DOTL | Acronym of the new PKI platform |
| G2 | Refers to the legacy generation of the Peppol PKI (from 2018) |
| G3 | Refers to the next generation of the Peppol PKI (from 2025) |
| MPKI8 | Acronym of the legacy PKI platform |
| PKI | Public Key Infrastructure |
| PKCS#12 | Archive format bundling certificate and private key |
| PROD | Production environment |
| Seat ID | A 6-digit sequence that uniquely identifies a service provider on the Peppol network, prefixed with 3 characters that indicate the responsible Peppol Authority of the service provider, e.g. “PSE000055”. |
| SMP | Service Metadata Publisher |
| TEST | Test environment |
| Testbed | A Peppol core service used to verify Peppol AS4 and Peppol SMP compliance. |
Purpose & Scope
During the second half of 2025 every OpenPeppol service provider must migrate from the legacy DigiCert MPKI8 G2 trust chain to the new DigiCert One Trust Lifecycle G3 chain.
This page focuses only on the certificate enrolment steps, i.e. how to request and download your new G3 certificates for TEST and/or PROD.
It cross-references two companion pages for the bigger picture:
Peppol PKI 2025 - Certificate Authorities - Overview of the new DigiCert One Trust Lifecycle G3 trust chain
Peppol PKI 2025 - Certificate Authority Migration Plan - Documents the migration from the old (G2) trust chain to the new (G3) chain.
Out of scope
This document does not cover how to configure the private key-pair in your application, nor how to export, convert or chain it. Such details are implementation specific; service providers who need support with them are encouraged to ask their software vendor.
Requesting a certificate
Certificates are requested through the Peppol Service desk available at the following URL:
In the form you will need to specify the following details related to the certificate:
Certificate Purpose - Indicates whether you are requesting a certificate for TEST, PROD or both.
Certificate Type - Indicates in which service the certificate will be used, e.g. AP for Access Point.
Certificate Version - During the migration period it is possible to request both old (G2) certificates and new (G3) certificates; this field indicates the generation.
Certificate Enrolment Method - For the new (G3) certificates you can choose between two enrolment methods, either Web Based Enrolment (through the web browser) or CSR Based Enrolment. For old (G2) certificates, while they are still in scope, only Web Based Enrolment is supported.
Prerequisites
Before requesting a certificate, make sure you meet the following prerequisites.
TEST
To request a test certificate the following prerequisites must be met:
Provide a signed Peppol Service Provider agreement (or a signed Peppol Member Form if you don’t have a signed agreement yet).
Provide a Business Registration document that is not older than 3 months.
PROD
To request a production certificate the following prerequisites must be met:
Provide a signed Peppol Service Provider agreement.
Provide a Business Registration document that is not older than 3 months.
No outstanding member fees.
Passed the relevant test suite in the Peppol Testbed.
Additional prerequisites may apply if the service provider has signed with a Peppol Authority that imposes additional requirements.
Process
After you have requested your certificate the following will happen.
Review - The request will be reviewed by OpenPeppol Operating Office to ensure all prerequisites are met.
Peppol Authority Approval - For service providers that have signed with a Peppol Authority, that Peppol Authority will also need to review the request.
Issuing - The certificate is issued by the OpenPeppol Operating Office PKI administrator. The requester will obtain:
An email specifying the assigned Seat ID and an enrolment URL that points at the DigiCert Trust Lifecycle platform (hostname one.nl.digicert.com).
An SMS with the enrolment code, which is needed to unlock the enrolment process.
Validity - Once issuing has completed and the enrolment email has been sent, you have 10 days to complete the enrolment. If you do not complete the enrolment within this time, the enrolment code expires and you will need to contact the OpenPeppol Service Desk to request a reset of your enrolment code.
Enrolment
The new (G3) PKI gives the option to enrol for the certificate using either “Web Based Enrolment” or “CSR Based Enrolment” method. For the old (G2) PKI it was only possible to enrol for certificates using the “Web Based Enrolment” method.
Web Based Enrolment
The private key-pair is generated in the web browser. It is important to emphasize that the generation happens client side and that the private key never leaves the browser. Nevertheless, this can in some cases be regarded as a less secure way of generating the private key-pair, since it has to happen on an Internet-connected computer with a capable web browser. The benefit is that the approach is much easier to complete and that the end user obtains the generated private key-pair in a PKCS#12 keystore.
An email will be sent that contains an enrolment URL, click this link to reach the DigiCert platform:
Start with authenticating yourself by providing your assigned Seat ID and the enrolment code (that has been sent to you in an SMS):
At the next step, verify that the expected certificate type is in scope:
At the next step, once again verify that all details are correct:
Now you are ready to obtain a copy of your generated key-pair. First copy the password (the download button is not activated until you have done so), then download the key-pair, which is delivered in a PKCS#12 keystore. Keep in mind that we have no way of retrieving the password: if for some reason you did not note it down properly, we will need to revoke the certificate and you will have to request a new one:
After you have obtained the PKCS#12 keystore the following actions are recommended:
Update the password.
Make sure to name the alias of the key-pair entry appropriately (if your application requires this).
You might need to extract the key-pair in other formats, enquire with your software vendor if your application has specific requirements.
Store the keystore securely. There is no way to retrieve the key-pair if the keystore becomes corrupted or the password is lost.
CSR Based Enrolment
This method allows you to generate the private key-pair on an offline computer so the private key never leaves that environment. You then create a Certificate Signing Request (CSR) from the private key and upload the CSR in the DigiCert portal.
Private key requirements (for CSR enrolment)
Algorithm: RSA
Key-size: 2048-bit
Subject / SAN / Extensions: The values will be overridden by the CA.
Validity: Not applicable, a private key does not include a validity period. Validity is set by the CA in the issued certificate.
This is a more advanced way of generating the key-pair. The OpenPeppol Service Desk has limited ability to guide you through this process; if in doubt, the web based enrolment is probably a better fit for you.
A minimal example below shows how to generate a private key (you will be prompted for a passphrase, which protects the key at rest):
```bash
# 2048-bit RSA, encrypted at rest with AES-256
openssl genpkey \
  -algorithm RSA \
  -pkeyopt 'rsa_keygen_bits:2048' \
  -aes256 \
  -out private-key.pem
```
A CSR can now be obtained from the private key (there is no need to provide the full subject, since these values will be replaced by the CA):
```bash
# Minimal subject; the CA will replace subject/SAN/X.509 fields per profile
openssl req -new -sha256 \
  -key private-key.pem \
  -subj "/" \
  -out private_key.csr
```
You will need to have the local private key and the CSR ready before starting the enrolment.
An email will be sent that contains an enrolment URL, click this link to reach the DigiCert platform:
Start with authenticating yourself by providing your assigned Seat ID and the enrolment code (that has been sent to you in an SMS):
Enter your CSR and click “Submit”:
A signed certificate in PKCS#7 format is returned:
The returned signed certificate can now be bundled with the private key in order to create the appropriate keystore.
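As an added example (not code from this page, OpenPeppol or DigiCert), the script below performs the two checks a practitioner wants around CSR based enrolment: before upload, that the local key is 2048-bit RSA and the CSR really was produced from it; after enrolment, that the first certificate in the returned PKCS#7 bundle carries that key's public key. The file names private-key.pem, request.csr and issued.p7b, and the KEY_PASS variable for an encrypted key, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Peppol enrolment page.
# Assumed file names: private-key.pem, request.csr, issued.p7b.
# If the key is AES-encrypted (as in the genpkey example), export KEY_PASS=<passphrase>.
set -eu

passin() { printf 'pass:%s' "${KEY_PASS:-}"; }

# SHA-256 over the DER-encoded SubjectPublicKeyInfo read (as PEM) from stdin.
spki_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

fp_of_key() { openssl pkey -in "$1" -passin "$(passin)" -pubout | spki_fp; }
fp_of_csr() { openssl req -in "$1" -pubkey -noout | spki_fp; }

# Print the certificates of a PKCS#7 bundle (try PEM first, then DER).
p7_certs() {
  openssl pkcs7 -in "$1" -print_certs 2>/dev/null ||
    openssl pkcs7 -in "$1" -inform DER -print_certs
}
# Public key fingerprint of the first (end-entity) certificate in the bundle.
fp_of_p7b() { p7_certs "$1" | openssl x509 -pubkey -noout | spki_fp; }

# Pre-upload check: RSA, 2048 bit, CSR self-signature valid, and the CSR's
# public key is the one derived from this private key.
check_csr() {
  desc=$(openssl pkey -in "$1" -passin "$(passin)" -noout -text)
  printf '%s\n' "$desc" | head -n 1 | grep -q 'Private-Key: (2048 bit' || return 1
  printf '%s\n' "$desc" | grep -q '^publicExponent:' || return 1   # RSA only
  openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(fp_of_key "$1")" = "$(fp_of_csr "$2")" ]
}

# Post-enrolment check: the issued certificate belongs to the offline key,
# so the two can be bundled into a keystore without a mismatch surprise.
check_issued() { [ "$(fp_of_key "$1")" = "$(fp_of_p7b "$2")" ]; }
```

Run `check_csr private-key.pem request.csr` before uploading the CSR and `check_issued private-key.pem issued.p7b` once the PKCS#7 file has been downloaded; a non-zero exit status means the key and the request or certificate do not belong together.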