Certificate Change Best Practices
This page guides you through the certificate change process.

Overview

All certificates have an expiry date. With the MySignicat self-service portal you can manage certificate changes yourself. Once the certificate is changed, each configured ID method is affected in its own way, and you should know those effects before you start.
Please read this documentation carefully, as there are many factors to consider.
Always contact our Technical Support if you are unsure about any action you are about to take.

Generate CSRs

All certificates must be requested using Certificate Signing Request (CSR) files that are generated in the broker. The broker needs the private key behind each certificate in order to sign messages and to serve the broker itself over TLS.
Therefore, never use your own locally generated CSRs to request certificates. The broker does not accept private keys that were not generated on the HSM (Hardware Security Module) in the Signicat infrastructure, so a certificate issued for a local CSR cannot be used.

Domain CSR
This is used for browser traffic (TLS, still commonly called SSL) to and from the broker.
  • Requirements: any TLS certificate that the major browsers trust by default will do. Mozilla publishes a clear overview of the root CAs it trusts by default.

Signing CSR
This is used to sign messages sent to the identity providers and to verify messages sent to the broker.
  • Requirements: only certificates issued under "Staat der Nederlanden Private Services CA – G1" are supported. KPN, QuoVadis and Digidentity BV are recognised certificate authorities from which you can order this certificate.

Load certificate in Broker

When you receive the certificate from your provider, you can load either the leaf certificate or the entire chain (one .PEM or .crt file) at the same location from which you downloaded the CSR.
Loading the certificate does not change the certificates that are already loaded and active on the broker. The new certificate is only added to the list of available certificates to choose from.
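Before loading a certificate it is worth confirming that it was really issued for the CSR you downloaded from the broker (so the public key belongs to the HSM-held key and not to a locally generated one), that a signing certificate was issued under the required PKIoverheid CA, and that the file you are about to upload holds the leaf first if it is a chain. The following shell script is an added example and not part of the MySignicat portal or Signicat's tooling. It assumes openssl is on PATH, PEM input, the leaf certificate first in a chain file, and hypothetical file names; how openssl renders the dash in the CA name is also an assumption, which is why the issuer check uses a pattern.

```shell
#!/bin/sh
# Pre-upload checks for a CA-issued certificate, run against the CSR that was
# downloaded from the broker. Added example, not Signicat tooling.
# Assumptions: openssl on PATH; PEM files; in a chain file the leaf comes first
# (openssl x509 reads only the first certificate in a file). File names in the
# usage comment are hypothetical.

# Expected issuer of the signing certificate, as a grep pattern: the exact
# rendering of the dash in the CA name by openssl is an assumption.
SIGNING_ISSUER_PATTERN='Staat der Nederlanden Private Services CA.*G1'

# pubkey_fp {req|x509} FILE -> SHA-256 over the DER SubjectPublicKeyInfo.
# Fails (returns 1) rather than hashing empty input when extraction fails.
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
csr_pubkey_fp()  { pubkey_fp req  "$1"; }
cert_pubkey_fp() { pubkey_fp x509 "$1"; }   # first certificate in the file

# 0 if the certificate carries the public key from the broker's CSR, i.e. it was
# issued for the HSM-held key. With a chain file this also proves the leaf is first.
cert_matches_csr() {
    csr_fp=$(csr_pubkey_fp "$1") || return 1
    cert_fp=$(cert_pubkey_fp "$2") || return 1
    [ -n "$csr_fp" ] && [ "$csr_fp" = "$cert_fp" ]
}

# 0 if the issuer DN of the first certificate matches the grep pattern in $2.
issuer_matches() {
    openssl x509 -in "$1" -noout -issuer | grep -q "$2"
}

# 0 if the first certificate is still valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Number of certificates in the file: 1 for a leaf only, more for a chain.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# precheck CSR CERT KIND  (KIND is "domain" or "signing"); returns 0 when the
# blocking checks pass. Expiry within 30 days is reported but does not block.
precheck() {
    csr=$1; cert=$2; kind=$3; rc=0
    if cert_matches_csr "$csr" "$cert"; then
        echo "ok   public key matches the CSR from the broker"
    else
        echo "FAIL public key does not match the CSR from the broker"; rc=1
    fi
    if [ "$kind" = signing ] && ! issuer_matches "$cert" "$SIGNING_ISSUER_PATTERN"; then
        echo "FAIL signing certificate not issued under the expected PKIoverheid CA"; rc=1
    fi
    if valid_for_days "$cert" 30; then
        echo "ok   valid for more than 30 days"
    else
        echo "WARN expires within 30 days: $(openssl x509 -in "$cert" -noout -enddate)"
    fi
    echo "info $(cert_count "$cert") certificate(s) in file (leaf first if a chain)"
    return $rc
}

# Usage (hypothetical file names):
#   precheck broker-signing.csr broker-signing-chain.pem signing
#   precheck broker-domain.csr  broker-domain.crt          domain
```

A non-zero exit from precheck means the file should not be uploaded: a key mismatch usually means the certificate was ordered with a CSR other than the one downloaded from the broker, which the broker will reject anyway because the private key is not in its HSM.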

Activate new certificate in Broker

Changing the broker certificate impacts all configured IdPs in different ways. This section describes the effects for each provider. Follow the steps below for the identity provider(s) you have active in the Identity Broker.

eHerkenning/eIDAS only
  • Switch the active certificate at any time.
  • Aggregation of your eHerkenning/eIDAS service(s) in the service catalogue happens automatically.
  • Renew the BNk keys after the services have been aggregated in the service catalogue.
Aggregation takes at most 30 minutes to complete, so expect at most 30 minutes of downtime.

DigiD only
  • Send broker metadata containing only the new certificate to Logius via their change form (Wijzigingsformulier).
  • Monitor your DigiD connection around the agreed change timeframe.
  • As soon as DigiD stops working (the DigiD error page "pagina niet gevonden", page not found), switch the active certificate to the new one.
Please note that Logius can switch certificates before or after the agreed timeframe. Downtime lasts from the moment Logius changes the metadata until you notice it and switch, so it depends on how quickly you notice.

DigiD and eHerkenning/eIDAS
  • Send broker metadata containing only the new certificate to Logius via their change form (Wijzigingsformulier).
  • Monitor your DigiD connection around the agreed change timeframe.
  • As soon as DigiD stops working (the DigiD error page "pagina niet gevonden", page not found), switch the active certificate to the new one.
  • Aggregation of your eHerkenning/eIDAS service(s) in the service catalogue then happens automatically.
  • Renew the BNk keys after the services have been aggregated in the service catalogue.
Expect eHerkenning/eIDAS downtime of at most 1 hour, because the moment of switching is dictated by when Logius changes the DigiD metadata.
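The "monitor and switch as soon as DigiD stops working" step of both DigiD procedures above is easier to do reliably with a small poller that records the exact moment the DigiD login breaks, since the downtime is measured from that moment until you switch. The following shell script is an added example and not Signicat's tooling. It assumes curl is on PATH, that DIGID_URL (a hypothetical value below) is the URL in your broker that starts a DigiD login, and that a broken connection shows up either as a non-2xx/3xx HTTP status or as the DigiD error page containing "pagina niet gevonden".

```shell
#!/bin/sh
# Poll the broker's DigiD login entry point and report the moment DigiD stops
# working, which is the signal to switch the active certificate.
# Added example, not Signicat tooling. Assumptions: curl on PATH; DIGID_URL is
# the URL in your broker that starts a DigiD login (the value below is
# hypothetical); a broken connection shows up as a non-2xx/3xx status or as the
# DigiD error page containing "pagina niet gevonden" (page not found).

DIGID_URL=${DIGID_URL:-https://broker.example.test/digid/login}   # hypothetical
INTERVAL=${INTERVAL:-30}                                         # seconds between probes

# classify_response STATUS BODY -> prints "ok" or "broken".
classify_response() {
    case "$1" in
        2??|3??) ;;
        *) echo broken; return 0 ;;
    esac
    if printf '%s' "$2" | grep -qi 'pagina niet gevonden'; then
        echo broken
    else
        echo ok
    fi
}

# probe URL -> prints the HTTP status on the first line and the body after it.
# -L follows the redirect into DigiD; a transport failure is reported as 000.
probe() {
    out=$(curl -sS -L --max-time 20 -w '\n%{http_code}' "$1" 2>/dev/null) || { echo 000; return 0; }
    printf '%s\n' "$out" | tail -n 1
    printf '%s\n' "$out" | sed '$d'
}

# monitor URL INTERVAL -> polls until DigiD is reported broken, printing every
# state change with a UTC timestamp; returns 0 once the switch signal is seen.
monitor() {
    url=$1; interval=$2; last=unknown
    while :; do
        result=$(probe "$url")
        status=$(printf '%s\n' "$result" | head -n 1)
        body=$(printf '%s\n' "$result" | sed '1d')
        state=$(classify_response "$status" "$body")
        if [ "$state" != "$last" ]; then
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) DigiD $state (HTTP $status)"
            last=$state
        fi
        if [ "$state" = broken ]; then
            echo "Logius appears to have switched the metadata: activate the new certificate in the broker now."
            return 0
        fi
        sleep "$interval"
    done
}

# Usage: monitor "$DIGID_URL" "$INTERVAL"
```

Run it from a terminal or a scheduler before the agreed timeframe and keep it running after it, since Logius may switch early or late; the timestamp of the first "broken" line is the start of your DigiD downtime, and the switch in the broker ends it.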
Find out more about changing your PKIo certificate in our Frequently Asked Questions.