Public Key Infrastructure for the Dutch government
A Public Key Infrastructure (PKI) is a system that provides users of electronic communication services with digital key pairs, each consisting of a private and a public key. The key pairs are associated with one or more certificates that attest to the identity or to attributes of the certificate and key holder. In this context, trust is based on a certificate hierarchy. The root certificate is the first certificate in the certificate chain. This root certificate has been signed by a trusted organisation.

A well-developed, thorough approach to electronic service provision requires a reliable system that offers the same guarantees that are currently standard in non-automated services. Electronic transactions require:
- authentication of the identity of the parties concerned
- a statement of the parties' intentions
- secure communication between parties
PKIoverheid is the name for the PKI designed for trustworthy electronic communication within and with the Dutch government. To reach this goal, a national PKI certificate hierarchy has been realised. This national hierarchy consists of 4 root CAs and multiple domain CAs (sub-CAs), each of which issues CA certificates to Trust Service Providers (TSPs). The TSPs are responsible for issuing certificates to end-users. Logius supports the Dutch Minister of the Interior and Kingdom Relations with the management and control of the PKIoverheid system. Each TSP can issue several types of certificates (e.g. authentication, encryption, non-repudiation, and service certificates such as SSL). Before being admitted as a TSP in the national PKI hierarchy, the TSP needs to prove that it complies with:
- ETSI EN 319 411-1 (General Requirements for Trust Service Providers issuing certificates) and/or
- ETSI EN 319 411-2 (Requirements for Trust Service Providers issuing EU qualified certificates)
- Network Security Guidelines (Netsec)
- additional governmental PKI requirements contained in the Programme of Requirements (also known as the Certificate Policy, CP)
The CP (PvE) can be found at the bottom of this page. The PKIoverheid root and intermediate CA certificates can be found on cert.pkioverheid.nl. The Certificate Practice Statement of PKIoverheid can be found on cps.pkioverheid.nl.
Download Programme of Requirements
The WebTrust seal was granted after KPMG conducted an audit of the hierarchical structure of PKIoverheid against the international standard. This seal shows that the hierarchical structure of PKIoverheid complies with the WebTrust standard requirements.
Current changes to the requirements
The PKIoverheid Programme of Requirements (PoR) is not a static document, but one that develops over time. Changes can result from changed legal insights, changes in (international) standards or new technical developments. Change proposals can also arise from practical, real-life use of PKI. See the current changes.