# Order certificates
Important
To set up DigiD, start with the steps described in the Initial preparations page. Without following those important steps you may experience delays, technical difficulties and/or even unnecessary expenses.
Page contents
# 1. Create a CSR in the Dashboard
To purchase a PKIo certificate, you first need a Certificate Signing Request (CSR). This must be created in the Signicat Dashboard. Signicat will generate a CSR for you based on the information you provide.
To create a CSR in the Signicat Dashboard:
- Go to Account management > Certificate Signing Requests (opens new window).
- Select Create.
- Fill in the fields in the form:
Information Distinguished Names Description Example Common name CN
The fully qualified domain name (FQDN) (opens new window) to secure for your integration. *.example.com Organisation name O
Registered legal name of your organisation. Signicat AS Organisation unit OU
Internal organisation department/division name IT Country C
The two-letter ISO country code (opens new window) where your organisation is registered. NL Locality L
Town, city, village name. Amsterdam State or Province ST
Province, region, county or state. Noord-Holland Subject Alternative Names - - Select Create to create the CSR.
- Select Download to download the newly created certificate.
A CSR contains information about your business so the Certificate Authority (CA) can verify your business identity. Below is an example of what CSR certificates look like:
-----BEGIN CERTIFICATE REQUEST-----
...Base64-encoded string...
-----END CERTIFICATE REQUEST-----
# 2. Purchase PKIo certificates
You must configure your DigiD integration with two separate PKIo certificates:
- One certificate for sandbox
- One certificate for production
These certificates are used to cryptographically sign the messages between Signicat and the DigiD/Logius network. Note that lead time is around five working days.
Once you have obtained the CSR, you will be able to purchase PKIoverheid certificates (opens new window) which are mandatory for DigiD and eHerkenning. The PKIo certificate type you require is "Private Root CA - G1".
Important
Make sure that:
- You only use the CSRs provided by Signicat. If you purchase the certificates independently, your integration will not succeed.
- You purchase a PKIoverheid (PKIo) certificate type.
- The certificate type is "Private Root CA - G1".
When purchasing a certificate from KPN, you should explicitly ask to use the Signicat CSR you have created in the previous step.
Two certificate providers sell PKIo certificates:
You can find more instructions to obtain PKIo certificates on the Logius website - PKIoverheid-certificaat aanvragen (opens new window).
Note
Note that you will need separate certificates for the production and the sandbox environments.
# Upload the PKIo certificates
Once you have received the certificates from the certificate provider, upload the public part of the certificates (which will have the .pem
or .cer
file extension) to the Signicat Dashboard.
To upload a PKIo certificate to the Signicat Dashboard:
- Go to Account management > Signing Certificates (opens new window).
- In the Signing Certificates section, select Upload certificate to upload the public part of the certificate from your device.
Alternatively, send them to support@signicat.com or the onboarding manager.