Skip to main content

Order certificates

Important

To set up DigiD, you first need to start with the steps described in the Initial preparations page. Without following those important steps you may experience delays, technical difficulties or even unnecessary expenses.

1. Create a CSR in the Dashboard

A Certificate Signing Request (CSR) contains identifying information about your organisation. When applying for a PKIo certificate, you need to create a CSR and share it with a Certificate Authority (CA). Doing this allows the CA to verify your business and issue a PKIo certificate.

You can create a CSR in the Signicat Dashboard. To do this:

  1. Go to Account management > Signing Certificates.
  2. In Certificate Signing Requests, select Create.
  3. Fill in the fields in the form:
  4. Select Create to generate the Certificate Signing Request (CSR) based on the information you submitted.
  5. Select Download to download the newly created CSR.

A CSR is represented as a Base64 encoded string:

-----BEGIN CERTIFICATE REQUEST-----
...Base64-encoded string...
-----END CERTIFICATE REQUEST-----

Remember that you need to share the CSR with the Certificate Authority (CA) when you apply for a PKIo certificate, as explained in the next step below.

2. Purchase PKIo certificates

What are PKIo certificates?

PKIo certificates are Public Key Infrastructure (PKI) certificates used to cryptographically sign messages between Signicat and the network infrastructure of Logius.

Learn more about PKIo certificates at https://cert.pkioverheid.nl/ and https://www.logius.nl/english/pkioverheid.

PKIo certificates are required to connect to DigiD, DigiD CombiConnect or eHerkenning. To integrate successfully, you need to purchase and configure two separate certificates:

  1. One PKIo certificate for sandbox (preproduction)
  2. One PKIo certificate for production
Lead time

Note that obtaining a new PKIo certificate may take up to five working days.

Supported PKIo certificate types

The PKIo certificates must be of one of these types:

  • Staat der Nederlanden - G4 Root Priv G-Other - 2024 (until 2039)
    • G4 Intm Priv G-Other LP - 2024 (recommended)
  • Staat der Nederlanden Private Root CA - G1 (until 2028)
    • Staat der Nederlanden Private Services CA - G1
  • Staat der Nederlanden Root CA - G3 (until 2028)
    • Staat der Nederlanden Organization Services CA - 2023
    • Staat der Nederlanden Organisatie Services CA - G3

You can purchase PKIo certificates from any of the following certificate providers:

  1. QuoVadis
  2. KPN
Purchase checklist

When purchasing PKIo certificates, make sure that:

  1. You only use the Certificate Signing Request (CSR) obtained in the Signicat Dashboard. If you purchase the certificates independently or without the CSR, your integration will fail.
  2. You purchase two separate PKIoverheid (PKIo) certificates: one for the sandbox environment and one for the production environment.
  3. The type of PKIo certificate is one of the Supported PKIo certificate types.

When purchasing a certificate from a provider, you should explicitly ask to use the CSR you generated in the Signicat Dashboard.

You can find more instructions to guide you with purchasing PKIo certificates from a trusted provider on the Logius website at PKIoverheid-certificaat aanvragen.

New regulations

The importance of certificates is increasing and regulations around certificates are changing. Learn more about the new generation of PKIo certificates.

3. Upload PKIo certificates in the Dashboard

Once you have purchased and received the PKIo certificates from a certificate provider, you need to upload the public part of the certificates (.pem or .cer file extension) to the Signicat Dashboard.

To upload a PKIo certificate to the Signicat Dashboard, do the following:

  1. Navigate to Account management > Signing Certificates.
  2. In the Signing Certificates section, select Upload certificate to upload the PKIo certificate from your device.

Alternatively, you can send us the new PKIo certificate either by creating a support ticket in the Signicat Dashboard or by contacting your onboarding manager.

Certificate activation time

Please allow up to 4 hours for the certificates to become active and ready for use. If you require expedited processing, contact us by creating a support ticket in the Signicat Dashboard and request priority handling.

Where to find PKIo certificates in the Signicat Dashboard

When you upload a PKIo certificate, you store the (public) PKIo certificate in the Signicat Dashboard infrastructure. To view your certificates, do the following:

  1. Go to Signicat Dashboard > Products > eID Hub.
  2. In the left-side menu, navigate to Advanced > Certificates.
  3. Here, you can review your active certificates and access more details, such as issuer and validity window.
Renewing expiring certificates

When your PKIo certificate is about to expire, you need to renew your certificate and communicate the changes to Logius. Learn how to renew your certificates in the How to renew PKIo certificates guide.

Next step

To continue your integration, proceed to the guide below:

3. Setup a DigiD in pre-production
Choose a protocol and configure DigiD in pre-production
On this page