Peppol PKI Migration - what you need to know

Background
The OpenPeppol PKI migration is a breaking change: it introduces a new Public Key Infrastructure (PKI) that is not compatible with the current setup. It also means that Service Providers that are not in compliance will not be able to act as a Service Provider on the Peppol Network.
The migration is a major technical transition in which the Peppol network is moving from its current G2 PKI certificate authority (CA) chains to the newer G3 PKI CA chains. The migration aims to enhance security, ensure long-term validity of certificates, and maintain trust in digital transactions. There are mandatory deadlines and dual-support periods designed to ensure network continuity.

Key dates:
- T0 (New CA chains published): August 11, 2025 — new G3 root CA chains made available.
- T1 (Full dual-capability required): February 11, 2026 — Service Providers must support both G2 (current) and G3 (new) CA chains and have test or production G3 certificates.
- T2 (Old certificates revoked): April 1, 2026 — all G2 certificates (test & production) will be revoked and no longer trusted.
What’s Changing?
- Providers must support dual CA chains (both G2 and G3) during the transition phase, to ensure backward compatibility.
- New G3 production certificates are only issued once Service Providers have passed dual-capability testing in the Peppol Testbed and meet all prerequisites.
- After T2, software and truststores must only trust G3 CA chains; G2 chains will no longer be valid or renewed.
How to Prepare:
- Review Pre-Requisites
  - You need a signed Peppol Service Provider Agreement.
  - Valid business registration documents, no outstanding fees, compliance with local Peppol Authority requirements.
- Obtain Certificates
  - Download G3 root and intermediate CA chains from OpenPeppol resources.
  - Request new G3 production certificates once dual-capability is proven.
- Integrate into Systems
  - Update truststores (repositories of trusted public CA certificates), ensuring they include both G2 and G3 during the dual period.
  - Update keystores where necessary (for private key + certificate usage).
- Test & Validate
  - If you’re using SMPs like phoss-SMP or your own AP implementation, ensure that your Access Point and SMP software versions are updated to support G3.
  - Use the Peppol Testbed to run dual-capability conformance tests.
- Retire Old PKI After Cut-over
  - On or after April 1, 2026 (T2), remove old G2 roots from truststores; cease issuing or renewing old-PKI certificates.
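One way to check the truststore steps above against the T1 and T2 dates is to audit the text output of `keytool -list` on the truststore. This is an added example, not code from OpenPeppol or Arratech; the aliases and fingerprints are constructed stand-ins, and real pins would be the SHA-256 fingerprints of the CA files downloaded from OpenPeppol.

```python
import hashlib
import re
from datetime import date

T1, T2 = date(2026, 2, 11), date(2026, 4, 1)  # key dates from the article

def fake_fp(label):
    """Constructed stand-in; pin the real SHA-256 fingerprints of the OpenPeppol CA files."""
    h = hashlib.sha256(label.encode()).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))

# Hypothetical pin sets: one fingerprint per CA certificate of each generation.
PINS = {g: {fake_fp(f"{g.lower()}-root"), fake_fp(f"{g.lower()}-ap-ca")} for g in ("G2", "G3")}

# One entry of `keytool -list` output: "alias, date, kind," then a fingerprint line.
ENTRY = re.compile(r"^(?P<alias>[^,\n]+), .*?, (?P<kind>\w+Entry),\s*\n"
                   r"Certificate fingerprint \(SHA-256\): (?P<fp>[0-9A-F:]+)", re.M)

def audit(listing, today):
    """Return findings for a truststore listing as of `today`."""
    findings, have = [], {"G2": set(), "G3": set()}
    for m in ENTRY.finditer(listing):
        gen = next((g for g, fps in PINS.items() if m["fp"] in fps), None)
        if m["kind"] != "trustedCertEntry":
            findings.append(f"{m['alias']}: {m['kind']} belongs in the keystore")
        elif gen is None:
            findings.append(f"{m['alias']}: not a pinned Peppol CA")
        else:
            have[gen].add(m["fp"])
    if today >= T2 and have["G2"]:
        findings.append("G2 anchors present on or after T2: remove them")
    if today < T2 and PINS["G2"] - have["G2"]:
        findings.append("G2 chain incomplete before T2")
    if PINS["G3"] - have["G3"]:
        findings.append("G3 chain incomplete: " + ("needed by T1" if today < T1 else "required now"))
    return findings

def entry(alias, kind, label):
    return (f"{alias}, Jan 5, 2026, {kind}, \n"
            f"Certificate fingerprint (SHA-256): {fake_fp(label)}\n")

# Constructed listing: full G2 chain, G3 root only, and a stray private key.
SAMPLE = ("Keystore type: PKCS12\n\nYour keystore contains 4 entries\n\n"
          + entry("g2-root", "trustedCertEntry", "g2-root")
          + entry("g2-ap-ca", "trustedCertEntry", "g2-ap-ca")
          + entry("g3-root", "trustedCertEntry", "g3-root")
          + entry("ap-signing", "PrivateKeyEntry", "ap-key"))

if __name__ == "__main__":
    print(audit(SAMPLE, date(2026, 4, 1)))
```

The same listing yields different findings on either side of T2, so the audit is worth re-running on the cut-over date rather than only once during integration.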
OpenPeppol PKI migration is a mandatory migration

The Smarter path through PKI migration
For organizations hosting and operating a Peppol Access Point, the PKI migration represents a significant investment of time, resources, and technical expertise. Updating truststores, managing certificate enrollments, maintaining dual compatibility, and passing conformance testing all add complexity and risk and could lead to service interruptions after the T2 cut-over. Instead of investing heavily in infrastructure upgrades, consider migrating directly to Arratech’s Peppol Access Point and SMP solutions. We handle the PKI migration on your behalf, ensuring uninterrupted connectivity to the Peppol Network at all times. In short: don’t migrate to PKI G3, migrate to Arratech and gain peace of mind, reduced operational overhead, and guaranteed compliance.

FAQs
After T2 (April 1, 2026), old certificates will be revoked. If you miss the T2 deadline, your old certificates will no longer be trusted, which could block document exchange and the creation of participants in the SML.
The migration is about the CA chains and certificate trust (PKI). There are no large specification changes tied to this migration itself, though certificate lifecycle, usage, and enrollment methods are affected.
You must support both old (G2) and new (G3) CA chains. That implies your Access Point can both sign/encrypt (when generating outgoing messages) and validate/trust incoming messages under either chain until T2. SMPs must be able to sign metadata and update the SML using G2 or G3 CA chains.
The Peppol Testbed is a testing environment where Service Providers can verify their dual capability before moving to production. Passing the testbed certification is required for obtaining production G3 certificates.
A truststore is where you store public certificates you trust (like CA root certificates). A keystore is where you store private keys and their associated certificate chain for your own endpoints. Both are involved in PKI configuration.
With G3, there are two enrolment methods: Web-Based Enrolment (where the key pair is generated in the browser) and CSR-Based Enrolment. The old G2 only allowed Web-Based.
You can renew the old certificate (if still valid under old PKI) until T1. But after T2, renewals are no longer permitted. So plan to migrate early.
Until T2 your Access Point and SMP need to support both G2 and G3.

Glossary
Peppol: A secure, open network that enables Business-to-Government (B2G) and Business-to-Business (B2B) electronic document exchange. Peppol isn’t a portal or a single service; it’s a framework of standards and governance that allows any organization to send and receive business documents (such as invoices, orders, or shipping notices) through their chosen Peppol-accredited Service Provider, eliminating the limits of closed, proprietary networks (https://peppol.org/about/for-end-users/).
PKI: Public Key Infrastructure, a framework of processes and technologies used to manage digital certificates that authenticate users, devices, and services, ensuring secure and trusted communication within the network (https://peppol.helger.com/public/menuitem-docs-peppol-pki).
OpenPeppol: A non-profit international association that governs the Peppol network, developing and maintaining specifications for electronic procurement and invoicing (https://peppol.org/).