# Order certificates
These steps apply to both eHerkenning and DigiD.
Important
To start connecting to the Signicat Broker, please start with the steps as described on this page. Without following these important steps you may experience delays, technical difficulties and/or even unnecessary expenses.
To set up your broker environment, Signicat requires a subdomain reserved through DNS for the use of the Signicat Broker. This will enable you to make use of the different identity providers. The order of steps are as follows:
- Create a Certificate Signing Request in the Dashboard.
- Purchase PKIo certificates using Certificate Signing Requests (CSRs).
- Invitation to set up your Signicat account.
# Create a Certificate Signing Request in the Dashboard
To purchase a PKIo certificate, you first need a Certificate Signing Request (CSR). This must be created in the Signicat Dashboard. Signicat will generate a CSR for you based on the information you provide.
To create a CSR in the Signicat Dashboard:
- Go to Account management > Certificate Signing Requests (opens new window).
- Select Create.
- Fill in the fields in the form:
Information Distinguished Names Description Example Common name CNThe fully qualified domain name (FQDN) (opens new window) to secure for your integration. *.example.com Organisation name ORegistered legal name of your organisation. Signicat AS Organisation unit OUInternal organisation department/division name IT Country CThe two-letter ISO country code (opens new window) where your organisation is registered. NL Locality LTown, city, village name. Amsterdam State or Province STProvince, region, county or state. Noord-Holland Subject Alternative Names - - Select Create to create the CSR.
- Select Download to download the newly created certificate.
A CSR contains information about your business so the Certificate Authority (CA) can verify your business identity. Below is an example of what CSR certificates look like:
-----BEGIN CERTIFICATE REQUEST-----
...Base64-encoded string...
-----END CERTIFICATE REQUEST-----
# Purchase PKIo certificates
Once you have obtained the CSR, you will be able to purchase PKIoverheid certificates (opens new window) which are mandatory for DigiD and eHerkenning. The PKIo certificate type you require is "Private Root CA - G1".
Important
Make sure that:
- You only use the CSRs provided by Signicat. If you purchase the certificates independently, your integration will not succeed.
- You purchase a PKIoverheid (PKIo) certificate type.
- The certificate type is "Private Root CA - G1".
When purchasing a certificate from KPN, you should explicitly ask to use the Signicat CSR you have created in the previous step.
Two certificate providers sell PKIo certificates:
You can find more instructions to obtain PKIo certificates on the Logius website - PKIoverheid-certificaat aanvragen (opens new window).
Note
Note that you will need separate certificates for the production and the sandbox environments.
# Upload the PKIo certificates
Once you have received the certificates from the certificate provider, upload the public part of the certificates (which will have the .pem or .cer file extension) to the Signicat Dashboard.
To upload a PKIo certificate to the Signicat Dashboard:
- Go to Account management > Signing Certificates (opens new window).
- In the Signing Certificates section, select Upload certificate to upload the public part of the certificate from your device.
Alternatively, send them to support@signicat.com or the onboarding manager.
# Invitation to set up your Signicat account
Once your Signicat environment has been set up, you will receive a notification from our Support team and an invitation to start setting up your account.
In case any of the steps mentioned above are unclear, please email us at support@signicat.com or call +31 (0)88 01 20 210.