Developer Pages

# Order certificates

Important

To set up DigiD, start with the steps described in the Initial preparations page. Without following those important steps you may experience delays, technical difficulties and/or even unnecessary expenses.

Page contents

# 1. Create a CSR in the Dashboard

To purchase a PKIo certificate, you first need a Certificate Signing Request (CSR). This must be created in the Signicat Dashboard. Signicat will generate a CSR for you based on the information you provide.

To create a CSR in the Signicat Dashboard:

  1. Go to Account management > Certificate Signing Requests (opens new window).
  2. Select Create.
  3. Fill in the fields in the form:
    Information Distinguished Names Description Example
    Common name CN The fully qualified domain name (FQDN) (opens new window) to secure for your integration. *.example.com
    Organisation name O Registered legal name of your organisation. Signicat AS
    Organisation unit OU Internal organisation department/division name IT
    Country C The two-letter ISO country code (opens new window) where your organisation is registered. NL
    Locality L Town, city, village name. Amsterdam
    State or Province ST Province, region, county or state. Noord-Holland
    Subject Alternative Names -
  4. Select Create to create the CSR.
  5. Select Download to download the newly created certificate.

A CSR contains information about your business so the Certificate Authority (CA) can verify your business identity. Below is an example of what CSR certificates look like:

-----BEGIN CERTIFICATE REQUEST-----
...Base64-encoded string...
-----END CERTIFICATE REQUEST-----

# 2. Purchase PKIo certificates

You must configure your DigiD integration with two separate PKIo certificates:

  • One certificate for sandbox
  • One certificate for production

These certificates are used to cryptographically sign the messages between Signicat and the DigiD/Logius network. Note that lead time is around five working days.

Once you have obtained the CSR, you will be able to purchase PKIoverheid certificates (opens new window) which are mandatory for DigiD and eHerkenning. The PKIo certificate type you require is "Private Root CA - G1".

Important

Make sure that:

  1. You only use the CSRs provided by Signicat. If you purchase the certificates independently, your integration will not succeed.
  2. You purchase a PKIoverheid (PKIo) certificate type.
  3. The certificate type is "Private Root CA - G1".

When purchasing a certificate from KPN, you should explicitly ask to use the Signicat CSR you have created in the previous step.

Two certificate providers sell PKIo certificates:

  1. QuoVadis (opens new window)
  2. KPN

You can find more instructions to obtain PKIo certificates on the Logius website - PKIoverheid-certificaat aanvragen (opens new window).

Note

Note that you will need separate certificates for the production and the sandbox environments.

# Upload the PKIo certificates

Once you have received the certificates from the certificate provider, upload the public part of the certificates (which will have the .pem or .cer file extension) to the Signicat Dashboard.

To upload a PKIo certificate to the Signicat Dashboard:

  1. Go to Account management > Signing Certificates (opens new window).
  2. In the Signing Certificates section, select Upload certificate to upload the public part of the certificate from your device.

Alternatively, send them to support@signicat.com or the onboarding manager.

# Next step

3. Setup a DigiD in pre-production
Choose a protocol and configure DigiD in pre-production
Last updated: 02/04/2024 14:00 UTC

Set up DigiD pre-production