This article outlines the details of the PEPPOL PKI. It shows how the PKI is structured and where it is used.

Introduction to the PEPPOL PKI (v2)

All PEPPOL PKI v2 certificates will be revoked on November 30th 2018, as the new certificates are rolled out! Read the details below.

The PEPPOL PKI (Public Key Infrastructure) is an integral part of the PEPPOL security model. It consists of two separate trees - one for pilot/test usage and one for production usage. See the following image for a fully fledged view of the complete PEPPOL PKI.

PEPPOL PKI v2 structure

In the above image you see two root certificates - the pilot root and the production root. These are the issuing certificates for the "AP Root" (AccessPoint), the "SMP Root" (Service Metadata Publisher) and the "STS Root" (Secure Token Service - unused!). Each AP and SMP certificate used in practice is issued under the respective AP or SMP Root certificate (see the red boxes).

OpenPEPPOL PKI v3 - Migration 2018

During 2018 all PEPPOL certificates must be replaced, because the underlying root certificate is about to expire in January 2020. The new PKI is called "OpenPEPPOL PKI v3" and its root certificates are valid from 2018 to 2028. The structure is very similar to the old one, but the STS CA is not present any more. This is how it looks:

PEPPOL PKI v3 structure

The migration process is planned as follows:

  • Done
    February 2018: the new root certificates are available for download in Confluence and from GitHub
    Complete JKS files with all of the new root certificates are available at https://github.com/phax/peppol-commons/tree/master/peppol-commons/src/main/resources/truststore. The recommended one is complete-truststore.jks as it contains all certificates - both for PKI v2 and PKI v3.
  • Started
    16 April 2018: the certificate issuing process will begin and members are urged to request their PKI v3 certificate
  • Information
    31 August 2018: OpenPEPPOL will no longer issue the old certificate types
  • Important
    3 September 2018: the new certificates can be used in production
  • Attention
    30 November 2018: the old (PKI v2) certificates will be revoked and cannot be used in the PEPPOL eDelivery Network anymore

For details and further information, please see the DRAFT - Introduction to the revised PKI Certificate infrastructure and issuing process and the PKI Certificate Migration 2018 pages.

The following list contains the migration status of the different software components I'm aware of. Please send additional information to me, so I can add it here.

  • PEPPOL Directory done: Supports both PKIs in parallel - both in test and production.
  • phoss SMP done: version 5.0.4 and later support both PKI v2 and PKI v3 in parallel.

Certificate usage in PEPPOL

This section gives a rough overview of where certificates are used and for what purpose.

  • SMP Server
    • Uses the PEPPOL SMP certificate to sign responses to SignedServiceMetadata requests (as in http://smp.example.org/{participantID}/services/{docTypeID})
    • Uses the PEPPOL SMP certificate as a client certificate when communicating with the SML (for service group creation and deletion)
    • Requires the public part of the PEPPOL AP certificate for usage in the public endpoints (the information that is queried from the outside).
    • Optionally uses the PEPPOL SMP certificate as a client certificate when communicating with the PEPPOL Directory (for business card updates and deletions)
  • SMP Client
    • Verifies that the response from the SMP server was signed by a valid PEPPOL SMP certificate
  • AP Server (receiving documents)
    • Requires an SSL certificate for HTTPS. This SSL certificate is NOT issued by PEPPOL but must be issued by a trusted third party, and it should not be self-signed!
    • Verifies that the incoming document was signed with a PEPPOL AP certificate.
  • AP Client (sending documents)
    • Signs the AS2 message with the PEPPOL AP certificate and includes the public part of the certificate in the AS2 message.
  • SMK/SML
    • The SMK requires requests to contain an SMP Pilot Certificate to perform writing operations
    • The SML requires requests to contain an SMP Production Certificate to perform writing operations
  • PEPPOL Directory
    • The test PEPPOL Directory requires requests to contain an SMP Pilot Certificate to perform writing operations
    • The production PEPPOL Directory requires requests to contain an SMP Production Certificate to perform writing operations
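The SMP client check from the list above, as an added example in Go (not code from this article or from the projects it mentions): a truststore that holds both PKI generations, as complete-truststore.jks does during the migration, and a verification that a response signer chains to one of those roots and was issued by an SMP CA rather than by the AP CA under the same root. The whole PKI is constructed inside the block; the CA names and leaf names are assumed placeholders, not the real OpenPEPPOL names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn under the parent CA (pc, pk); a nil parent yields a self-signed root.
func issue(cn string, ku x509.KeyUsage, pc *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if pc == nil {
		pc, pk = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, pc, pub, pk) // cannot fail on these constructed inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Constructed demo truststore (names are NOT the real OpenPEPPOL CA names) with BOTH PKI generations, as a client needs during the 2018 migration, plus one SMP and one AP leaf under the v3 CAs.
var roots, inters, smpCAs = x509.NewCertPool(), x509.NewCertPool(), map[string]bool{}
var smpLeaf, apLeaf *x509.Certificate
func init() {
	for _, gen := range []string{"v2", "v3"} {
		rc, rk := issue("Demo PEPPOL Root "+gen, x509.KeyUsageCertSign, nil, nil)
		ac, ak := issue("Demo PEPPOL AP CA "+gen, x509.KeyUsageCertSign, rc, rk)
		sc, sk := issue("Demo PEPPOL SMP CA "+gen, x509.KeyUsageCertSign, rc, rk)
		roots.AddCert(rc)
		inters.AddCert(ac)
		inters.AddCert(sc)
		smpCAs[sc.Subject.CommonName] = true // only these CAs may issue SMP signing certificates
		smpLeaf, _ = issue("demo-smp-1", x509.KeyUsageDigitalSignature, sc, sk) // last round wins: v3
		apLeaf, _ = issue("demo-ap-1", x509.KeyUsageDigitalSignature, ac, ak)
	}
}
// VerifySMPSigner returns the trusted root the signer chains to, or "" when it is untrusted or not issued by an SMP CA (an AP certificate under the very same PEPPOL root is rejected).
func VerifySMPSigner(leaf *x509.Certificate) string {
	chains, _ := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}) // nil on failure
	for _, c := range chains { // each chain runs leaf -> issuing CA -> root
		if len(c) == 3 && smpCAs[c[1].Subject.CommonName] {
			return c[2].Subject.CommonName
		}
	}
	return ""
}
```

Checking the issuing CA and not only the root is what keeps an AP certificate, which chains to the same PEPPOL root, from being accepted as an SMP response signer.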