Please find below information related to activities needed as part of the migration to a new version of the PEPPOL PKI Certificate.
For information about the Certificate issuing process please refer to the OpenPEPPOL public spaceĀ forĀ /wiki/spaces/Public/pages/191496224
Background
The decision why this migration is necessary and why it cannot wait until current PKI infrastructure expires is based on several reasons;
- Improved security. The current PKI infrastructure is based on SHA-1 cryptography which not long time ago was announced as not recommended to use due to discovered exploits. The new PKI infrastructure will issue certificates supporting SHA-256 cryptography which currently is the recommended web standard.
- Responsible organization. In current PKI infrastructure the issuing agency organization is "DIGST" (Danish Agency for Digitisation) and it has been requested that this responsibility is migrated to the correct organization.
- Minor improvements. Some smaller changes to the naming convention of the certificates will make it easier to maintain the certificates and also utilize a more cost effective pricing which will not be based on issued certificate but on taken seat.
Process implementation and timeline
Refer to the graph below;
- Up until date T1;
- All APs MUST support current PKI infrastructure. (clarify what 'support' really means for sending/receiving)
- All SMPs MUST support current PKI infrastructure.
- SML MUST support current PKI infrastructure
- PEPPOL Directory MUST support current PKI infrastructure
- After date T1 and until date T2;
- All APs MUST initiate a transaction using ANY of the two available PKI infrastructures.
- All APs MUST support receiving transactions initiated using BOTH current PKI infrastructure AND the new.
- All SMPs MUST support BOTH current PKI infrastructure and the new.
- Before C1;
- All (operational before T1) AP and SMP providers will have been issued certificates from the new PKI infrastructure. (Update: OpenPEPPOL internal deadline)
- After date T2;
- All APs MUST only support new PKI infrastructure.
- All SMPs MUST only support new PKI infrastructure.
T1 = 2018-04-03 00:00:00 (Suggestion Rune: too early)
C1 = 2018-08-15 23:59:59 (Suggestion Sven: 2018-09-15)
T2 = 2018-09-30 23:59:59 (Suggestion Sven: 2018-10-30)
Technical implementation
How to implement this from a technical point of view is dependent on the AP or SMP platform used. There will not be a guideline available for every platform, but the general approach is as follows.
For AP providers;
- Before T1. Prepare your implementation so that it will be able to entrust transactions/signatures using the new PKI infrastructure.
- Between T1 and T2 (and before C1). You will be issued a client certificate from the new PKI infrastructure. Replace the current client certificate with the new one. Remember to update all participants in your SMP with public part of the new certificate.
- After T2. Patch your implementation so it no longer entrusts transactions/signatures using the current (then old) PKI infrastructure.
For SMP providers;
- Between T1 and T2. You will be issued a client certificate from the new PKI infrastructure. Replace the current client certificate with the new one.
The needed CAs are available for download here.
v2: current PKI version.
v3: new PKI version
| Access Point | SMP | PEPPOL Directory | SML | OpenPEPPOL | ||
|---|---|---|---|---|---|---|
| Sending | Receiving | |||||
| After T1 | No action required. |
| No action required. | MUST accept client certificates for both PKI v2 and v3. | ||
| After C1 | No certificates issued for PKI v2. | |||||
| No later than T2 | MUST be able to sign transactions with PKI v3. | No action required. |
| |||
| After T2 | Disable support for receiving transactions signed with PKI v2. | Disable support for SMP client PKI v2 certs. | ||||
How to act as a service provider?
Please refer to this matrix to identify which situation applies to you.
| Provider | In PROD before T1 | In TEST before T1 | In TEST after T1 | Enter TEST after T1 | Certificate expire before T2 | Certificate expire after T2 | Recommendation |
|---|---|---|---|---|---|---|---|
| AP/SMP | YES | - | - | - | YES | You will be prioritized in the process for being issued a NEWPKI certificate before T1. If you still believe you will not have time to install it before end of expiry of OLDPKI certificate then renew OLDPKI certificate and follow matching recommendation for that situation. | |
| AP/SMP | YES | - | - | - | YES | Before C1 you will have been issued a NEWPKI certificate. Make sure to implement this certificate into your platform before T2. | |
| AP/SMP | - | YES | - | - | If you complete your tests and become eligible for a PROD certificate before T1. You will be prioritized in the process for being issued a NEWPKI PROD certificate before T1. | ||
| AP/SMP | - | YES | - | - | If you complete your tests and become eligible for a PROD certificate before T2, you will be issued a NEWPKI PROD certificate. If you fail to complete your tests before T2, you will have to reapply for a NEWPKI TEST certificate. | ||
| AP/SMP | - | YES | - | - | You will use NEWPKI TEST certificate for your testing .You will be issued a NEWPKI PROD certificate when you complete tests and become eligible for a PROD certificate. | ||
* NEWPKI - Refers to the new PKI infrastructure that will become mandatory after T2. * OLDPKI - Refers to the current PKI infrastructure we are about to obsolete. | |||||||