# August 2024: Change of signing and TLS certificate for eh.signicat.nl

The certificates for eh.signicat.nl will expire in August 2024. This concerns both the certificates that we use at the eHerkenningsmakelaar for signing eHerkenning messages (pre-production and production), and for TLS for securing server communication.

# Broker Certificate for signing of messages

We will activate the new certificates on August 24th and August 27th.

  • Pre-production: 2024-08-24, between 09:00 - 09:30

  • Production: 2024-08-27 between 09:00 - 09:30

Note

This is a signing certificate for the SAML connection. You can already download the new metadata from our Direct Connection to eHerkenning Broker page. Signicat will perform the rollover on the dates above.

The TLS server certificate changes at another time, please see section below.

In order to use this, you as a service provider or your technical supplier will have to load the new broker metadata. Some service providers will do this automatically, others will not. You should check this carefully or load it manually.

If your application can handle multiple certificates in the metadata and you automatically read them from our metadata endpoints, you do not need to do anything.

If you do not automatically read the metadata, you must manually read the metadata before the dates mentioned. However, if your application cannot handle multiple certificates in the metadata, you must read-in the new certificate at the time of the rollover itself.

Also test whether it works via a login with eHerkenning in your application.

# eHerkenning Broker TLS certificate for secure messaging

We will activate the new certificate on August 7th and August 14th. For most service providers this will go unnoticed unless you need to adapt your trust-store. The issuer of the TLS certificates will not change.

  • Pre-production: 2024-08-07, between 09:00 - 09:30

  • Production: 2024-08-14, between 09:00 - 09:30

Note

This is the TLS server certificate. The signing certificate for the SAML connection changes at a different moment, please see section above.

For the Artifact Binding, your system must make a back-channel call to our eHerkenning broker. For this backchannel call, the TLS server certificate changes.

It is therefore important that your trust-store contains the issuer of the TLS server certificate. Some service providers have set their connection strictly and only trust the leaf TLS certificate. In this case, you will have to trust the new TLS leaf certificate.

The names of the certificates are:

  • eh.pre.signicat.nl.crt (preprod)
  • eh.signicat.nl.crt (prod)

The certificates for both pre-production and production are issued by "Sectigo RSA Domain Validation Secure Server CA".

You can download them here directly:

# Questions?

If you have any further questions, contact Signicat's Technical Support at technicalsupport@signicat.com.

Last updated: 7/29/24, 9:34:46 AM UTC