# Certificate Change Best Practices

# Overview

All certificates have an expiry date. With the MySignicat self-service portal, you can manage certificate changes yourself. Once a certificate is changed, each configured ID method is affected in its own way, so read the effects described below before you make the change.

Please read this documentation carefully, as there are many factors you have to consider.

TIP

Always contact our Technical Support if you are unsure about any action you are about to take.

# Generate CSRs

All certificates need to be purchased using Certificate Signing Request (CSR) files that are generated in the broker. The broker needs the private key belonging to each certificate in order to sign messages and to serve the broker's own endpoints over TLS.

Therefore, never use your own locally generated CSRs for requesting certificates. Our broker does not accept private keys that were not generated on the HSM (Hardware Security Module) located in the Signicat infrastructure.

# Domain CSR


This is used for browser traffic (SSL/TLS) to and from the broker.

# Signing CSR


This is used for signing messages that will be sent to the Identity Providers and verifying messages sent to the broker.

  • Requirements: Only certificates issued under "Staat der Nederlanden Private Services CA – G1" are supported. KPN, QuoVadis and Digidentity BV are recognised certificate authorities from which you can order this certificate.

# Load certificate in Broker

When you receive the certificate from your provider, you can load either the leaf certificate or the entire chain (one .PEM or .crt file) in the same location from which you downloaded the CSR.

Loading the certificate does not change the certificates that are already loaded and active on the broker. The new certificate is only added to the list of available certificates to choose from.
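Before loading a certificate, it is worth checking that the CA actually signed the broker-generated CSR, that the issuer is the required Private Services CA, that a chain file starts with the leaf, and that the certificate is not about to expire. The script below is an added example written for this page, not Signicat's own tooling; it only needs the `openssl` CLI, and the file names (`csr.pem`, `cert.pem`) are placeholders you substitute for the CSR you downloaded from the broker and the certificate your CA returned.

```shell
#!/bin/sh
# Pre-load checks on a certificate returned by the CA, run against the CSR
# that was downloaded from the broker. Added example; file names are
# placeholders chosen by the caller. Requires the openssl command-line tool.

# Exit 0 when the public key in the certificate equals the public key in the
# CSR, i.e. the CA signed the broker-generated (HSM-backed) request and not
# some locally generated key.
cert_matches_csr() {
    csr="$1"; cert="$2"
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$cert_pub" ]
}

# Number of PEM certificates in a file: 1 for a leaf-only file, more for a chain.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit 0 when the first certificate in the file is not self-signed, i.e. the
# file starts with the leaf rather than with a root. openssl x509 reads only
# the first certificate of a PEM file, which is exactly what we want here.
first_cert_is_leaf() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
    [ -n "$subj" ] && [ "$subj" != "$iss" ]
}

# Exit 0 when the issuer DN names the Staat der Nederlanden Private Services CA.
# The "G1" suffix is written with a plain hyphen in the real DN, so only the
# stable part of the name is matched.
issuer_is_private_services_ca() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | grep -q 'Staat der Nederlanden Private Services CA'
}

# Exit 0 when the certificate is still valid DAYS days from now (default 30),
# so an upcoming expiry is noticed before it causes an outage.
cert_valid_for_days() {
    days="${2:-30}"
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Run every check, print one line per check, exit non-zero on any failure.
precheck_certificate() {
    csr="$1"; cert="$2"; rc=0
    if cert_matches_csr "$csr" "$cert"; then echo "ok   public key matches CSR"
    else echo "FAIL public key does not match CSR"; rc=1; fi
    if first_cert_is_leaf "$cert"; then echo "ok   first certificate is the leaf"
    else echo "FAIL first certificate is self-signed (root first?)"; rc=1; fi
    if issuer_is_private_services_ca "$cert"; then echo "ok   issuer is Private Services CA"
    else echo "FAIL issuer is not the Private Services CA"; rc=1; fi
    if cert_valid_for_days "$cert" 30; then echo "ok   valid for at least 30 days"
    else echo "FAIL expires within 30 days"; rc=1; fi
    echo "info $(pem_cert_count "$cert") certificate(s) in file"
    return $rc
}

# Usage: precheck_certificate csr.pem cert.pem
```

Run `precheck_certificate csr.pem cert.pem` and load the certificate only when every line reads `ok`. The key-match check is the important one: a certificate whose public key differs from the CSR's was issued for a key the broker's HSM does not hold, and the broker cannot sign with it.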

# Activate new certificate in Broker

Changing the signing certificate affects each configured IdP differently. This section describes the effects for each provider. Follow the steps below for the identity provider(s) you have active in the Identity Broker.

# Only eHerkenning/eIDAS

  • Switch the active certificate at any time.
  • Aggregation of eHerkenning/eIDAS service(s) will be automatic.
  • Renew the BSNk keys after the aggregation of services in the service catalogue.

TIP

Aggregation takes at most 30 minutes to complete. Expect up to 30 minutes of downtime.

# Only DigiD

  • Send broker metadata containing only the new certificate to Logius via their change form (Wijzigingsformulier).
  • Monitor your DigiD connection around the agreed change timeframe.
  • As soon as DigiD stops working (DigiD shows "pagina niet gevonden", page not found), switch the active certificate to the new one.

TIP

Please note that Logius can switch certificates before or after the agreed timeframe. Downtime depends on how quickly you notice that Logius has changed the metadata.

# Both eHerkenning/eIDAS and DigiD

  • Send broker metadata containing only the new certificate to Logius via their change form (Wijzigingsformulier).
  • Monitor your DigiD connection around the agreed change timeframe.
  • As soon as DigiD stops working (DigiD shows "pagina niet gevonden", page not found), switch the active certificate to the new one.
  • Aggregation of eHerkenning/eIDAS service(s) will be automatic.
  • Renew the BSNk keys after the aggregation of services in the service catalogue.
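The DigiD steps above (in both the "Only DigiD" and the combined section) hinge on two facts you can check from a file: the metadata you submit to Logius must carry only the new signing certificate, and the moment Logius switches is visible in which certificate its published metadata now holds. The script below is an added example for this page, not Signicat's or Logius' tooling. It assumes SAML metadata in the usual `<ds:X509Certificate>` layout, needs only the `openssl` CLI, and the file names (`metadata.xml`, `old.pem`, `new.pem`) are placeholders.

```shell
#!/bin/sh
# Fingerprint checks on SAML metadata for the DigiD certificate change.
# Added example; file names are placeholders. Requires the openssl CLI.

# SHA-256 fingerprint (colon-separated hex) of the first PEM certificate in a file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the SHA-256 fingerprint of every X509Certificate element in a metadata
# file, one per line, whatever namespace prefix (ds:, none) the element uses.
# All whitespace is removed first so base64 that spans lines is handled.
metadata_fingerprints() {
    tr -d '\n\r\t ' < "$1" \
      | grep -o '<\([A-Za-z0-9]*:\)\{0,1\}X509Certificate>[^<]*' \
      | sed 's/^<[^>]*>//' \
      | while IFS= read -r b64; do
            { printf '%s\n' '-----BEGIN CERTIFICATE-----'
              printf '%s\n' "$b64" | fold -w 64
              printf '%s\n' '-----END CERTIFICATE-----'; } \
            | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
        done
}

# Exit 0 when the metadata contains at least one certificate and every one of
# them is the given certificate: the "only the new certificate" requirement.
metadata_has_only_cert() {
    want=$(cert_fingerprint "$2")
    fps=$(metadata_fingerprints "$1")
    [ -n "$fps" ] || return 1
    printf '%s\n' "$fps" | grep -v -F -x -- "$want" >/dev/null && return 1
    return 0
}

# Print which of the two certificates a metadata file carries: old, new, both
# or neither. Run this against the metadata Logius publishes for you to see
# whether the switch has happened yet.
metadata_cert_status() {
    fps=$(metadata_fingerprints "$1")
    old=$(cert_fingerprint "$2"); new=$(cert_fingerprint "$3")
    has_old=0; has_new=0
    printf '%s\n' "$fps" | grep -q -F -x -- "$old" && has_old=1
    printf '%s\n' "$fps" | grep -q -F -x -- "$new" && has_new=1
    case "$has_old$has_new" in
        11) echo both ;;
        10) echo old ;;
        01) echo new ;;
        *)  echo neither ;;
    esac
}

# Usage:
#   metadata_has_only_cert metadata.xml new.pem && echo "safe to submit"
#   metadata_cert_status published.xml old.pem new.pem
```

Use `metadata_has_only_cert` on the export you are about to upload through the change form; if it fails, the export still contains the old certificate and would not tell Logius to switch. Use `metadata_cert_status` on the metadata Logius publishes for your connection while you monitor: as long as it prints `old`, nothing has changed; once it prints `new`, switch the active certificate in the broker.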

TIP

Expect up to 1 hour of eHerkenning/eIDAS downtime, because the eHerkenning/eIDAS change can only follow the DigiD switch performed by Logius.

TIP

Find out more about changing your PKIo certificate in our Frequently Asked Questions.

Last updated: 4/3/23, 7:22:16 PM UTC