PKIoverheid stops issuing publicly trusted SSL certificates

5 October 2021

At the beginning of August this year, Logius, the ICT management organization of the Dutch government, announced that it would stop offering publicly trusted SSL certificates this year. These certificates are used by government organizations, but also, for example, in healthcare and by energy companies and transporters, to identify websites and set up secure TLS connections.

What is PKIoverheid?

PKIoverheid is the 'Public Key Infrastructure' (PKI) of the Dutch government: a system of agreements for issuing and managing digital certificates. PKIoverheid is managed by Logius. The PKIoverheid service includes the provision of digital certificates for various applications, such as non-public certificates for security between systems such as Digipoort, and digital signatures on smart cards for securely logging into systems and placing electronic signatures on documents. Another well-known application is the so-called professional certificate: a digital signature used by certified professionals such as accountants, debt collectors and notaries.

In addition, SSL certificates that are trusted by browsers are issued to secure public websites, for example digital counters, public internet services and web shops. The frequently used website digid.nl also uses this type of certificate. The certificates are not issued by Logius itself, but by parties certified by PKIoverheid such as KPN and Digidentity.

What exactly will change and why?

The PKIoverheid services will continue; only the issuing of publicly trusted SSL certificates will stop, at the beginning of December. The current root certificate, the 'Staat der Nederlanden EV Root CA', expires on 8 December 2022, and it has been decided not to replace it. The issuing intermediate certificates will expire on 6 December 2022.

Logius gives several reasons for discontinuing this part of the service. It was originally started to boost website security at a time when that was still in its infancy. Since then, various market parties have taken this up so well that, with their full focus on it, they can do it better and more cheaply. Leaving these services entirely to market parties is also common practice in all surrounding countries. In addition, in 2019 and 2020 there were a number of incidents in the field of public SSL certificates, which made it necessary to renew these certificates under a different root certificate to ensure security. This reinforced the basic principle that this service can now be provided better by specialized market parties.

What are the alternatives?

Until 6 December this year it is still possible to request PKIoverheid SSL certificates with a term of one year from the well-known suppliers. After this date this will no longer be possible, and you will have to switch to a different type of certificate. Logically, this means that the obligation to use PKIoverheid certificates for certain applications lapses.

At the request of Logius, the NCSC (National Cyber Security Centre) has written an advisory about the options after the public PKIoverheid certificates disappear. It describes the necessary steps for the transition, from a method for taking inventory of the certificates to be replaced within an organization, to the different certificate alternatives and the considerations when selecting a new supplier.

But what is a good alternative? Commercial CAs issue certificates with different levels of validation, with different checks before issuance.

  • Extended Validation (EV) SSL is the highest validation level; its checks and reliability are comparable to PKIoverheid SSL.
  • A comparable option is the relatively new Qualified Website Authentication Certificate (QWAC). These certificates are issued under the eIDAS regulation by qualified certificate issuers.
  • Not all applications will require the highest level of validation. For non-public connections, for example, Domain Validation SSL is sufficient.
  • For connections that use OIN for identification, you can switch to private SSL certificates that have space for the OIN. Please note that these certificates are not publicly trusted by browsers.

Xolphin supplies Sectigo SSL certificates at all validation levels, including the QWAC. Compared to PKIoverheid SSL, Sectigo certificates at Xolphin have a number of advantages: the application process is considerably simpler and can be handled completely online, the delivery time is very short and the price is a lot lower. The root certificate is supported worldwide, while the service is local and Dutch. Extensive management tools are available for more control over certificate management.

Would you like to know more about the alternatives mentioned or do you need help with the transition? Please feel free to contact us; we will be happy to help you.