# Certificates in Identity Broker


To start connecting to the Signicat Identity Broker, please start with the steps as described on this page. Without following these important steps you may experience delays, technical difficulties and/or even unnecessary expenses.

In order to set up your Broker environment, Signicat requires a subdomain reserved through DNS for the use of the Signicat Identity Broker. This will enable you to make use of the different identity providers. The order of steps are as follows:

  1. Get a Certificate Signing Request (CSR) from Signicat.
  2. Purchase PKIo certificates using Certificate Signing Requests (CSRs).
  3. Invitation to set up your MySignicat account.

# Get Certificate Signing Request from Signicat

To purchase a PKIo certificate, the first thing you will need is a CSR. This must be provided to you by Signicat.

In order for Signicat to generate a CSR for you, the following information is required:

  1. The desired subdomain name you want to host the MySignicat environment (Signicat Identity Broker) on.
  2. Company information (OIN or Chamber of Commerce number).

# Purchase PKIo certificates

The Signicat Technical Support team will generate a CSR for you based on the information you have provided. Once you have received the CSR, you will now be able to purchase PKIoverheid certificates (opens new window) which are mandatory for DigiD and eHerkenning. The PKIo certificate type you require is "Private Services CA G1".

Please ensure that

  1. You do not independently purchase the certificates. Only use of the CSRs provided by Signicat.
  2. You do not purchase any other kind of certificate than PKIoverheid (PKIo).
  3. The certificate type is "Private Services CA G1".

Important: When ordering from KPN, please explicitly ask them to make use of the CSR we have provided.

It is important to remember that self-signed certificates, Let's Encrypt certificates, and the likes, are not allowed. We require PKIo certificates and the level of assurance they provide. There are two certificate providers that sell PKIo certificates:

  1. QuoVadis (opens new window)
  2. KPN

You will require a certificate for both the production and the pre-production environments. The number of certificates you must purchase in total, however, depends on the eID method being used. DigiD, which is more strict than most, requires certificates for:

  • the (sub)domain that is used to host the application on your end, and,
  • the subdomain that is used to host the Identity Broker on our end.

Once you have received the certificates from the certificate provider, send the public part of the certificates (which will have the .pem or .cer file extension) to Signicat Technical Support <technicalsupport@signicat.com>.

# Invitation to MySignicat account

Once your Signicat Identity Broker environment has been set up, you will receive a notification from our Technical Support team and an invitation to start configuring your MySignicat account.

# Continue with configuration


You can find more information on certificates in our Frequently Asked Questions section:

  1. Setting up an eHerkenning connection
  2. Questions about your connection

In case any of the steps mentioned above are unclear, please email Technical Support <technicalsupport@signicat.com> or call + 31 (0)88 012 0210.

Last updated: 5/26/23, 4:10:45 PM UTC