Skip to main content

Order certificates

Important

To set up DigiD, start with the steps described in the Initial preparations page. Without following those important steps you may experience delays, technical difficulties and/or even unnecessary expenses.

1. Create a CSR in the Dashboard

To purchase a PKIo certificate, you first need a Certificate Signing Request (CSR). This must be created in the Signicat Dashboard. Signicat will generate a CSR for you based on the information you provide.

To create a CSR in the Signicat Dashboard:

  1. Go to Account management > Certificate Signing Requests.
  2. Select Create.
  3. Fill in the fields in the form:
    InformationDistinguished NamesDescriptionExample
    Common nameCNThe fully qualified domain name (FQDN) to secure for your integration.*.example.com
    Organisation nameORegistered legal name of your organisation.Signicat AS
    Organisation unitOUInternal organisation department/division nameIT
    CountryCThe two-letter ISO country code where your organisation is registered.NL
    LocalityLTown, city, village name.Amsterdam
    State or ProvinceSTProvince, region, county or state.Noord-Holland
    Subject Alternative Names-
  4. Select Create to create the CSR.
  5. Select Download to download the newly created certificate.

A CSR contains information about your business so the Certificate Authority (CA) can verify your business identity. Below is an example of what CSR certificates look like:

-----BEGIN CERTIFICATE REQUEST-----
...Base64-encoded string...
-----END CERTIFICATE REQUEST-----

2. Purchase PKIo certificates

You must configure your DigiD integration with two separate PKIo certificates:

  • One certificate for sandbox
  • One certificate for production

These certificates are used to cryptographically sign the messages between Signicat and the DigiD/Logius network. Note that lead time is around five working days.

Once you have obtained the CSR, you will be able to purchase PKIoverheid certificates which are mandatory for DigiD and eHerkenning. The PKIo certificate type you require is "Private Root CA - G1".

Important

Make sure that:

  1. You only use the CSRs provided by Signicat. If you purchase the certificates independently, your integration will not succeed.
  2. You purchase a PKIoverheid (PKIo) certificate type.
  3. The certificate type is "Private Root CA - G1".

When purchasing a certificate from KPN, you should explicitly ask to use the Signicat CSR you have created in the previous step.

Two certificate providers sell PKIo certificates:

  1. QuoVadis
  2. KPN

You can find more instructions to obtain PKIo certificates on the Logius website - PKIoverheid-certificaat aanvragen.

Note

Note that you will need separate certificates for the production and the sandbox environments.

Upload the PKIo certificates

Once you have received the certificates from the certificate provider, upload the public part of the certificates (which will have the .pem or .cer file extension) to the Signicat Dashboard.

To upload a PKIo certificate to the Signicat Dashboard:

  1. Go to Account management > Signing Certificates.
  2. In the Signing Certificates section, select Upload certificate to upload the public part of the certificate from your device.

Alternatively, you can either:

Next step