
Peppol PKI Migration - what you need to know

Peppol PKI Migration
Compliance, Peppol
Hans Christian B Pedersen
Hans Berg
Robin Anderson Boström

Background

The OpenPeppol PKI migration is a breaking change, meaning that it introduces a new Public Key Infrastructure (PKI) that is not compatible with the current setup. It also means that Service Providers that are not in compliance will not be able to act as a Service Provider on the Peppol Network.

The migration is a major technical transition in which the Peppol network is moving from its current G2 PKI certificate authority (CA) chains to the newer G3 PKI CA chains. The migration aims to enhance security, ensure long-term validity of certificates, and maintain trust in digital transactions. There are mandatory deadlines and dual-support periods designed to ensure network continuity.

Migration Timeline

Key dates:

  • T0 (New CA chains published): August 11, 2025 — new G3 root CA chains made available.
  • T1 (Full dual-capability required): February 11, 2026 — Service Providers must support both G2 (current) and G3 (new) CA chains and have test or production G3 certificates.
  • T2 (Old certificates revoked): April 1, 2026 — all G2 certificates (test & production) will be revoked and no longer trusted.

What’s Changing?

  • Providers must support dual CA chains (both G2 and G3) during the transition phase, to ensure backward compatibility.
  • New G3 production certificates are only issued once Service Providers have passed dual-capability testing in the Peppol Testbed and meet all prerequisites.
  • After T2, software and truststores must only trust G3 CA chains; G2 chains will no longer be valid or renewed.

How to Prepare:

  1. Review Pre-Requisites
    • You need a signed Peppol Service Provider Agreement.
    • Valid business registration documents, no outstanding fees, compliance with local Peppol Authority requirements.
  2. Obtain Certificates
    • Download G3 root and intermediate CA chains from OpenPeppol resources.
    • Request new G3 production certificates once dual-capability is proven.
  3. Integrate into Systems
    • Update truststores (repositories of trusted public CA certificates), ensuring they include both G2 and G3 during the dual period.
    • Update keystores where necessary (for private key + certificate usage).
  4. Test & Validate
    • If you are using an SMP such as phoss-SMP or your own Access Point implementation, ensure that the software versions of both your Access Point and your SMP are updated to support G3.
    • Use the Peppol Testbed to run dual-capability conformance tests.
  5. Retire Old PKI After Cut-over
    • On or after April 1, 2026 (T2), remove old G2 roots from truststores; cease issuing or renewing old-PKI certificates.
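The dual-period truststore policy of steps 3 and 5 (and of the dual-chain FAQ below), as an added example that is not part of this article or of any Peppol software. It builds throwaway self-signed "G2" and "G3" roots (constructed, not the real OpenPeppol chains), trusts both before T2 and only G3 from T2 on, and accepts a certificate only when its signature actually verifies under a still-trusted root, so an issuer name alone never grants trust.

```python
"""Dual-chain truststore model for the Peppol G2 -> G3 cut-over (constructed example)."""
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

T2 = datetime(2026, 4, 1)          # cut-over: G2 revoked and no longer trusted (naive UTC)
DUAL_PERIOD_DAY = datetime(2026, 3, 31)
POST_T2_DAY = datetime(2026, 4, 1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer=None, issuer_key=None, days=365, is_ca=False):
    """Issue a throwaway RSA cert for `subject`; self-signed when no issuer is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start = datetime(2025, 8, 11)  # T0 in the migration plan
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject))
            .issuer_name(issuer.subject if issuer else _name(subject))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def active_chains(truststore, now):
    """During the dual period both chains are trusted; from T2 on only G3 remains."""
    return {n: r for n, r in truststore.items() if now < T2 or n == "G3"}

def validate(leaf, truststore, now):
    """Return the chain name ('G2'/'G3') the leaf validates under, else None."""
    for name, root in active_chains(truststore, now).items():
        if leaf.issuer != root.subject:
            continue                        # not issued by this root; try the next chain
        if not (leaf.not_valid_before <= now <= leaf.not_valid_after):
            return None                     # outside the certificate's validity window
        try:                                # name match is not trust: verify the signature
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     padding.PKCS1v15(), leaf.signature_hash_algorithm)
            return name
        except InvalidSignature:
            return None
    return None

# Constructed throwaway PKI: one root per generation, one Access Point leaf under each.
g2_key, G2_ROOT = make_cert("Peppol G2 Root (test)", is_ca=True, days=3650)
g3_key, G3_ROOT = make_cert("Peppol G3 Root (test)", is_ca=True, days=3650)
_, G2_AP = make_cert("AP under G2", G2_ROOT, g2_key)
_, G3_AP = make_cert("AP under G3", G3_ROOT, g3_key)
TRUSTSTORE = {"G2": G2_ROOT, "G3": G3_ROOT}   # dual-period truststore; G2 drops out at T2
```

In a real deployment the roots come from the OpenPeppol-published chains and the leaf from the peer's message, but the cut-over rule and the signature check are the same.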
OpenPeppol PKI migration is a mandatory migration

The Smarter path through PKI migration

For organizations hosting and operating a Peppol Access Point, the PKI migration represents a significant investment of time, resources, and technical expertise. Updating truststores, managing certificate enrollments, maintaining dual compatibility, and passing conformance testing all add complexity and risk and could lead to service interruptions after the T2 cut-over. Instead of investing heavily in infrastructure upgrades, consider instead migrating directly to Arratech’s Peppol Access Point and SMP solutions. We handle the PKI migration on your behalf, ensuring uninterrupted connectivity to the Peppol Network at all times. In short: don’t migrate to PKI G3, migrate to Arratech and gain peace of mind, reduced operational overhead, and guaranteed compliance.

Get in touch today and learn how we can support you:



FAQs

What happens if service providers miss the T2 deadline?

After T2 (April 1, 2026), old certificates will be revoked. Missing the T2 deadline risks that old certificates will not be trusted, which could block document exchange and the creation of participants in the SML.

Is the migration only about changing certificates, or also spec changes?

The migration is about the CA chains and certificate trust (PKI). There are no large specification changes tied to this migration itself, though certificate lifecycle, usage, and enrollment methods are affected.

During the dual period, which CA chain should be used for signing/encryption?

You must support both old (G2) and new (G3) CA chains. That implies your Access Point can both sign/encrypt (when generating outgoing messages) and validate/trust incoming messages under either chain until T2. SMPs must be able to sign metadata and update the SML using G2 or G3 CA chains.

What is the Peppol Testbed, and how is it used in this migration?

The Peppol Testbed is a testing environment where Service Providers can verify their dual capability before moving to production. Passing the testbed certification is required for obtaining production G3 certificates.

What are truststore and keystore, and how do they differ?

A truststore is where you store the public certificates you trust (such as CA root certificates). A keystore is where you store your own private keys together with their associated certificate chains, used by your own endpoints. Both are involved in PKI configuration.

How is private key handling changing, if at all?

With G3, there are two enrolment methods: Web-Based Enrolment (where the key pair is generated in the browser) and CSR-Based Enrolment (where you generate the key pair yourself and submit a certificate signing request). The old G2 PKI only allowed Web-Based Enrolment.

What if my old G2 certificate expires before T2?

You can renew the old certificate (if it is still valid under the old PKI) until T1. After T2, renewals are no longer permitted, so plan to migrate early.

I am a new service provider. What should I do to comply with my Access Point and SMP?

Until T2 your Access Point and SMP need to support both G2 and G3.

Glossary

Peppol

A secure, open network that enables Business-to-Government (B2G) and Business-to-Business (B2B) electronic document exchange. Peppol isn’t a portal or a single service — it’s a framework of standards and governance that allows any organization to send and receive business documents (such as invoices, orders, or shipping notices) through their chosen Peppol-accredited Service Provider, eliminating the limits of closed, proprietary networks (https://peppol.org/about/for-end-users/)

PKI

Public Key Infrastructure: a framework of processes and technologies used to manage digital certificates that authenticate users, devices, and services, ensuring secure and trusted communication within the network (https://peppol.helger.com/public/menuitem-docs-peppol-pki).

OpenPeppol

A non-profit international association that governs the Peppol network, developing and maintaining specifications for electronic procurement and invoicing (https://peppol.org/)
