# Certificate Change Best Practices
# Overview
All certificates have an expiry date. With the MySignicat self-service portal, you are able to manage the certificate changes by yourself. Once the certificate is changed, there will be some effects on each configured ID method that you should be aware of first.
Please read this documentation carefully as there are a lot of factors you have to consider.
TIP
Always contact our Technical Support if you are unsure about any action you are about to take.
# Generate CSRs
All certificates need to be purchased using Certificate Signing Request (CSR) files that are generated in the broker. The broker needs the private key of the certificates in order to sign the messages and host the broker.
Therefore, never use your own local CSRs for requesting certificates. Our broker does not accept private keys that were not generated on the HSM (Hardware Secure Module) located in the Signicat infrastructure.
# Domain CSR
This is used for browser traffic (SSL/TLS) to and from the broker.
- Requirements: Any SSL certificate that is trusted by the big browsers by default, will suffice. Mozilla has a clear overview (opens new window) of which certificate CAs they support by default.
# Signing CSR
This is used for signing messages that will be sent to the Identity Providers and verifying messages sent to the broker.
- Requirements: Only certificates given out under "Staat der Nederlanden Private Services CA – G1" are supported. KPN, QuoVadis and Digidentity BV are recognised certificate authorities you can order this certificate from.
# Load certificate in Broker
When you receive the certificate from your provider, you can load either the leave certificate or the entire chain (one .PEM or .crt) on the same location as you've downloaded the CSR from.
Loading in the certificate won't change anything to the already loaded in and active certificates on the broker. The new certificate will just be added to the list of available certificates to choose from.
# Activate new certificate in Broker
Changing the signing certificate impacts all configured IdP's in different ways. This section describes the effects on each different provider. Follow the steps below with the identity provider(s) you have active in the Identity Broker.
# Only eHerkenning/eIDAS
- Switch the active certificate at any time.
- Aggregation of eHerkenning/eIDAS service(s) will be automatic.
- Renew BNk keys after aggregation of services in service catalogue.
TIP
Aggregation takes max 30 minutes to be completed. Expect max 30 minutes of downtime.
# Only DigiD
- Send broker metadata with only the new certificate to Logius via their Wijzigingsformulier (opens new window).
- Monitor your DigiD your connection around the change timeframe.
- As soon as DigiD does not work anymore (pagina niet gevonden), switch active certificate to the new one.
TIP
Please note that Logius can switche certificates before or after the agreed upon timeframe. Downtime depends on how quickly you notice that Logius has changed the metadata.
# Both eHerkenning/eIDAS and DigiD
- Send broker metadata with only the new certificate to Logius via their change form (opens new window) (wijzigingsformulier).
- Monitor your DigiD your connection around the change timeframe.
- As soon as DigiD does not work anymore (pagina niet gevonden), switch active certificate to the new one.
- Aggregation of eHerkenning/eIDAS service(s) will be automatic.
- Renew BNk keys after aggregation of services in service catalogue.
TIP
Expect eHerkenning/eIDAS downtime of max 1 hour due to DigiD Logius dependency.
TIP
Find out more about changing your PKIo certificate in our Frequently Asked Questions.