Peppol PKI Migration 2025

[phax]

So, OpenPeppol officially released the details on the PKI migration: https://openpeppol.atlassian.net/wiki/x/A4Aa7Q

• Start date (T0) is today (August 11th, 2025)
• Until T1 (February 11th, 2026) all Service Providers need to grab new G3 test certificates and make sure their solutions are compliant
• At T2 (April 1st, 2026) all the old G2 certificates (test and production) will be revoked.

What does that effectively mean for phase4 users:

1. Update at least to v3.2.2 or v4.0.0 - this is required to support the new G3 PKI out of the box
2. Update the truststore configuration (the files are included in the phase4 distribution):
   • Peppol Test Network:
     • Old path: truststore/2018/pilot-truststore.jks (type JKS)
     • New path: truststore/2025/ap-test-truststore.p12 (type PKCS12)
   • Peppol Production Network:
     • Old path: truststore/2018/prod-truststore.jks (type JKS)
     • New path: truststore/2025/ap-prod-truststore.p12 (type PKCS12)
3. Make sure to restart the application, as usually the keystore is not dynamically refreshed

Note 1: The "2025" default truststores contain both the G2 as well as the G3 CAs. Once the G2 certificates are no longer usable, they will be automatically removed when you update to a later version of phoss SMP.

Note 2: If you are using truststore/2018/complete-truststore.jks - this is considered insecure. No such truststore exists for the G3 PKI. Please choose one of the above ones, depending on the network stage you are using.

Note 3: Don't forget to update the truststore type configuration property as well and use PKCS12

Note 4: The password for all mentioned predefined truststores is peppol (case-sensitive)

[tonytram]

Hi Philip,
We are at version 4.0.1 of Phase4. We are still using old G2 certificate for PROD. Currently, everything is working fine with NAPTR and CNAME lookup.
My question is: with new Peppol certificate G3, our system will work out of the box without any changes (unless replacing AP G2 old cert with the AP G3 new one)

Thank you for your great work.
Best regards,
Tony

[phax]

Hi Tony. Everyone is using G2 in production at the moment. The switch starts on February 11th for all SPs.
And yes, it will work with G3 certificate out of the box, as long as you configured the truststore properly (see above)