Peppol PKI 2025 - Guide to PKI Migration to Generation 3
Background
OpenPeppol’s PKI certificate provider, DigiCert, is changing platform, so the certificates that have already been issued will become invalid. Peppol must move to the new platform, and all certificates that Access Points (APs) and Service Metadata Providers (SMPs) use in the Peppol Network must be replaced with the new G3 versions.
Glossary
| Abbreviation | Meaning |
|---|---|
| G2 certificate | The current certificate in use in production that will be retired |
| G3 certificate | The new type of certificate that replaces the G2 certificates |
| Test Suite | List of tests that a Service Provider (SP) needs to pass to qualify for a G3 certificate |
| Complete PKI Migration | Test Suite that tests the capabilities of sending using a G3 certificate and receiving from both G2 and G3 |
| Submission PKI Migration | Test Suite that tests the sending capabilities of an AP using G3 certificates |
| Dual-Reception PKI Migration | Test Suite that verifies that the AP can receive from other APs using either G2 or G3 certificates, while it continues operating on a G2 certificate |
| SMP G3 | Test Suite that tests Service Metadata Provider (SMP) capabilities using G3 certificates |
Schedule – how much time is there to act?
OpenPeppol has been issuing G3 test certificates since 11.08.2025. Service Providers can apply for a G3 test certificate through the Service Desk. Those who have not done so already must request one now.
It is mandatory to apply for the test certificate and perform the tests as soon as possible to avoid creating a bottleneck in the certificate issuance process. This applies both to the original G3 certificate and to the future renewal process, as many Service Providers are updating their certificates at close to the same time.
Note that:
From 25th February 2026 OpenPeppol will need to start to issue G3 production certificates
At this date all Access Points must be able to receive with both types of certificates (G2 and G3) at the same time, because, after that date, G3 production certificates will start to be issued and the incoming messages may be signed with either an old certificate or a new one.
From April 1st 2026 OpenPeppol will be unable to issue G2 certificates and all G2 certificates existing at that date will be expired.
Anyone who wants to renew certificates after that date can only get a G3 certificate, so they must have migrated their AP sending capability and their SMP to use G3 certificates.
In order to have a G3 production certificate issued, Service Providers must have passed the Complete PKI Migration Test Suite.
Access Point - What Service Providers need to do
Service Providers must apply for a new G3 test certificate and run one of the two migration Test Suites. Which one depends on whether the Access Point only sends or both sends and receives.
Access Point has both send and receive capabilities
Most Access Points send and receive documents on behalf of their end users.
These Access Points must pass the “Complete PKI Migration” Test Suite in testing by 25th February 2026 to qualify for a G3 production certificate. This Test Suite is found in Testbed path: “PKI Migration Testing” and from there “Complete PKI Migration Test Suite (running with G3)”.
If time constraints prevent running the complete test suite before February 11th, a Service Provider can split the task by running the “Dual-Reception PKI migration (running on G2)” test suite by 25th February 2026 to verify that they are able to receive messages signed with either the old (G2) or the new (G3) certificate. This Test Suite can be found in Testbed path: “PKI Migration Testing” and from there “Dual-Reception PKI Migration (running on G2)”.
The Service Provider must still pass the “Complete PKI Migration” test suite to qualify for a G3 certificate and be operational after April 1st 2025.
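The dual-reception requirement above, shown as an added example that is not part of the OpenPeppol guide: a receiving AP accepts senders from both generations only while its trust store holds both sets of anchors. The `g2` and `g3` CAs and the `ap-g2` / `ap-g3` certificates are constructed stand-ins generated locally, not the real Peppol roots, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. The "g2"/"g3" CAs and AP certificates are generated locally
# as constructed stand-ins; they are NOT the real Peppol G2/G3 roots.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <gen>: self-signed stand-in root for one PKI generation
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo $1 root (constructed)" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_ap <gen> <name>: AP signing certificate issued under that root
issue_ap() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# accepts <store> <name>: ACCEPT if the sender certificate chains to an
# anchor in the receiver's trust store, otherwise REJECT
accepts() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo ACCEPT; else echo REJECT; fi
}

make_ca g2; make_ca g3
issue_ap g2 ap-g2; issue_ap g3 ap-g3

# Receiver trust stores: before migration, during the overlap, after G2 retires
cp "$WORK/g2-ca.pem" "$WORK/g2-only.pem"
cat "$WORK/g2-ca.pem" "$WORK/g3-ca.pem" > "$WORK/dual.pem"
cp "$WORK/g3-ca.pem" "$WORK/g3-only.pem"

for store in g2-only dual g3-only; do
  for sender in ap-g2 ap-g3; do
    echo "$store <- $sender: $(accepts "$store" "$sender")"
  done
done
```

The `g2-only` store rejects the G3 sender, which is the failure the Dual-Reception test suite is meant to catch before G3 production certificates appear on the network.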
Access Point that does not receive, only sends
If an Access Point is only sending and does not have any receiving capabilities, the Service Provider must at least pass the “Submission PKI Migration (running on G3)” Test Suite for the Access Point. This is found in Testbed path: “PKI Migration Testing” and from there “Submission PKI Migration (running on G3)”.
SMP - What Service Providers need to do
If a Service Provider is running an SMP service in the Peppol Network, they need to apply for a G3 SMP test certificate.
To qualify for a G3 production SMP certificate, the Service Provider needs to pass the “SMP Test suite (running with SMP G3)” Test Suite for the SMP using a G3 SMP certificate. This is found in Testbed path “PKI Migration testing” and from there “SMP Test suite (running with SMP G3)”.
Practical steps to proceed
These are the steps needed to get the test certificate and run the test suites.
Apply for G3 test certificate
Go to the Peppol Service Desk “PKI Certificate Request” page for G3 certificates ( https://openpeppol.atlassian.net/servicedesk/customer/portal/1/group/1/create/73 ) and fill in the details to apply for a G3 test certificate.
Remember to include your business registration document and your signed Peppol Provider Agreement as attachments.
Run the test suites
Getting started:
Import a G3 Peppol PKI test AP certificate into your browser
Go to the testbed portal: https://www.testbed.peppol.org/
Choose “PKI Migration Testing” from the Testbed’s landing page
Choose “Complete PKI Migration (running on G3)” or, if you are sending only, “Submission PKI Migration (running on G3)”
Run the test suite
After a successful test run you can move on to applying for Production G3 certificates
Detailed Documentation on the tests
To assist Service Providers with the tests, the following documents are available:
The “PKI Complete Migration environment description” document provides a more detailed description of the available test cases.
The “PKI Complete Migration user guide” document provides a guide on how to use each test suite user interface, as well as the key steps in carrying out the various test cases.
These documents are available in each test suite under the tab ‘Documentation’.
For sending only Service Providers the corresponding documents are:
Apply for the G3 Production certificates
After completing the Test Suites successfully, log in to the Peppol Service Desk ( https://openpeppol.atlassian.net/servicedesk/customer/portal/1/group/1/create/73 ) and apply for the G3 production certificate.
You can do that before the issuing starts.
OpenPeppol will start to issue the certificates after 25th February 2026.
Install production certificates
Install the production certificate on your production servers on 25th February 2026 at the earliest.
Infrastructure providers
The Operating Office has adjusted the process so that Infrastructure Providers can acquire the certificates for all their customers in one go instead of separately for each of them.
What is an Infrastructure Provider?
An Infrastructure Provider is a company that offers the technical capability for a Peppol member to run an Access Point and/or SMP instance using the member's certificate. The Infrastructure Provider provides hosting setups that are identical except for the certificate the instance is using.
As the technical setups across the different Access Point and SMP instances are identical except for the certificate used, there is little use in running the test suites against each instance separately.
As an Infrastructure Provider, how do I get certificates for my customers?
As an Infrastructure Provider you can contact the OpenPeppol Service Desk ( https://openpeppol.atlassian.net/servicedesk/customer/portal/1 ).
In the request, provide a list of the seatIDs of all your customers that have an identical technical setup, and one seatID that has successfully run the Test Suite on your setup. This will qualify all the other seatIDs listed in the request as passed.