Public Key Infrastructure for the Dutch government

A Public Key Infrastructure (PKI) is a system that provides users of electronic communication services with digital key pairs, each consisting of a private and a public key. The key pairs are associated with one or more certificates, which attest to the identity or to attributes of the certificate and key holder. In this context, trust is based on a certificate hierarchy. The root certificate is the first certificate in the certificate chain. This root certificate has been signed by a trusted organisation. A well-developed, thorough approach to electronic service provision requires a reliable system that offers the same guarantees that are currently standard in non-automated services.

Electronic transactions require:

  • authentication of the identity of the parties concerned
  • a statement of the parties' intentions
  • secure communication between parties

PKIoverheid 

PKIoverheid is the name of the PKI designed for trustworthy electronic communication within and with the Dutch government. To reach this goal, a national PKI certificate hierarchy has been realised. This national hierarchy consists of 4 root CAs and multiple domain CAs (sub-CAs), each of which issues CA certificates to Trust Service Providers (TSPs). The TSPs are responsible for issuing certificates to end-users. Logius supports the Dutch Minister of the Interior and Kingdom Relations with the management and control of the PKIoverheid system. Each TSP can issue several types of certificates (e.g. authentication, encryption, non-repudiation, and service certificates such as SSL).

Before being allowed as a TSP in the national PKI hierarchy the TSP needs to prove that it complies with:

  • ETSI EN 319 411-1 (General Requirements for Trust Service Providers issuing certificates) and/or
  • ETSI EN 319 411-2 (Requirements for trust service providers issuing EU qualified certificates)
  • Network Security Guidelines (Netsec)
  • Additional governmental PKI requirements contained in the Programme of Requirements (PoR, also known as the Certificate Policy, CP)

The Certificate Policy can be found on the website Certificate Policy/Programme of Requirements PKIoverheid. The PKIoverheid root and intermediate CA certificates can be found on the website Overview of PKIoverheid certificates. The Certification Practice Statement of PKIoverheid can be found on the website Certification Practice Statements for the Policy Authority PKIoverheid.

WebTrust

The WebTrust seal was granted after KPMG conducted an audit of the hierarchical structure of PKIoverheid against the international standard. This seal shows that the hierarchical structure of PKIoverheid complies with the requirements of the WebTrust standard.

Current changes to the requirements

The PoR PKIoverheid evolves over time due to changing judicial perspectives, updated international standards and advancements in technology. It also adapts to practical experiences with PKI in real-life use. The current changes to the PoR PKIoverheid can be found on the website Certificate Policy/Programme of Requirements PKIoverheid.