Current changes

The Programme of Requirements (PoR) PKIoverheid is not a static document but one that develops over time. This can be the result of new legal insights, changes in (international) standards or new technical developments. Change proposals can also arise from practical, real-life use of PKI.

Change proposals that have been submitted to and approved by PKIoverheid will be published here. The changes will be included in the next regular update of the Programme of Requirements.

Required by 29 August 2019

Declared applicable to parts 3e to 3f. The requirement is:

The serial number of a certificate MUST comply with the following requirements:

  1. The value of the serial number MUST NOT be 0 (zero)
  2. The value of the serial number MUST NOT be negative
  3. The value of the serial number MUST be unique for each certificate issued by a given TSP CA
  4. The serial number SHALL have a minimum length of 96 bits (12 octets)
  5. The serial number SHALL contain at least 64 bits of random data
  6. The random data MUST be generated by a CSPRNG (Cryptographically Secure Pseudorandom Number Generator)

The serial number MUST NOT be longer than 160 bits (20 octets).
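The rules above can be checked mechanically at issuance time. The following Python is an added example, not PKIoverheid or TSP code: the names generate_serial, serial_violations and SerialRegistry are this example's own, and it assumes the serial length is measured as the content octets of the DER INTEGER encoding. That assumption matters for the upper bound: DER integers are two's complement, so a positive value whose top bit is set needs an extra leading 0x00 octet, and a full 160-bit random value encodes to 21 octets, which exceeds both the rule above and the 20-octet limit of RFC 5280. The generator therefore uses a fixed prefix octet below 0x80 followed by CSPRNG octets, which keeps the value positive, non-zero and of fixed length.

```python
import secrets

# Limits from the requirement, expressed in octets.
MIN_OCTETS = 12         # rule 4: at least 96 bits
MAX_OCTETS = 20         # "MUST NOT be longer than 160 bits"
MIN_RANDOM_OCTETS = 8   # rule 5: at least 64 bits from the CSPRNG


def der_integer_length(value: int) -> int:
    """Number of content octets a DER INTEGER needs for `value`.

    DER is two's complement: a positive value whose top bit is set gets a
    leading 0x00 octet, so 1 << 159 needs 21 octets, not 20.
    """
    if value < 0:
        raise ValueError("negative values are not valid serials (rule 2)")
    octets = max(1, (value.bit_length() + 7) // 8)
    if (value >> (8 * octets - 1)) & 1:
        octets += 1
    return octets


def serial_violations(serial: int) -> list:
    """Return the rules `serial` violates, judged from the value alone.

    Rules 3, 5 and 6 (uniqueness, random bits, CSPRNG) are properties of the
    generation process, not of the number, so they are enforced in
    generate_serial() and SerialRegistry instead.
    """
    problems = []
    if serial == 0:
        problems.append("rule 1: serial is 0")
    if serial < 0:
        return problems + ["rule 2: serial is negative"]
    octets = der_integer_length(serial)
    if octets < MIN_OCTETS:
        problems.append(f"rule 4: {octets} octets, need at least {MIN_OCTETS}")
    if octets > MAX_OCTETS:
        problems.append(f"max length: {octets} octets, limit is {MAX_OCTETS}")
    return problems


def generate_serial(random_octets: int = 15, prefix: int = 0x01) -> int:
    """Build a serial as one fixed prefix octet followed by CSPRNG octets.

    The prefix stays below 0x80 so the top bit is clear: the value is
    positive, never zero, and its DER length is exactly 1 + random_octets.
    secrets.token_bytes() draws from the OS CSPRNG (rule 6).
    """
    if not 0 < prefix < 0x80:
        raise ValueError("prefix must be in 0x01..0x7f")
    if random_octets < MIN_RANDOM_OCTETS:
        raise ValueError(f"rule 5: need at least {MIN_RANDOM_OCTETS} random octets")
    raw = bytes([prefix]) + secrets.token_bytes(random_octets)
    serial = int.from_bytes(raw, "big")
    problems = serial_violations(serial)
    if problems:
        raise ValueError("; ".join(problems))
    return serial


class SerialRegistry:
    """Rule 3: serials must be unique per issuing CA.

    A production TSP enforces this in the CA database; this in-memory
    dictionary is a stand-in for the example.
    """

    def __init__(self) -> None:
        self._issued = {}

    def issue(self, ca_name: str, serial: int) -> int:
        problems = serial_violations(serial)
        if problems:
            raise ValueError("; ".join(problems))
        seen = self._issued.setdefault(ca_name, set())
        if serial in seen:
            raise ValueError(f"rule 3: serial {serial:x} already issued by {ca_name}")
        seen.add(serial)
        return serial


if __name__ == "__main__":
    registry = SerialRegistry()
    s = registry.issue("Example TSP CA", generate_serial())
    print(f"issued serial: {s:x} ({der_integer_length(s)} octets)")
    # Edge case: 160 random bits with the top bit set do not fit in 20 octets.
    print(serial_violations(1 << 159))
```

With the default of 15 random octets the serial is 16 octets (128 bits) long and carries 120 bits of CSPRNG output, comfortably inside rules 4 and 5; a TSP that wants a longer random part can raise random_octets to 19 and still stay within 20 octets because the prefix keeps the sign bit clear.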

Additional requirement: this was applicable to parts 3a to 3d and 3g to 3i, but because of this change it now applies only to parts 3g to 3i.

Declared applicable to parts 3e to 3f. The requirement is:

TSPs MUST inform their subscribers at least once every 6 months that, in accordance with the subscriber agreement, certificates will be revoked under the conditions and within the time limits defined in section 4.9.1.1 of the Baseline Requirements.

Required by 1 November 2019

Becomes applicable to parts 3e to 3f. The requirement is:

Private keys that are used by a certificate holder and issued under the responsibility of this CP MUST NOT be used for more than two (2) years. The certificates, which are issued under the responsibility of this CP, MUST NOT be valid for more than 397 days.

In the case of certificate replacement where the previous certificate is to be revoked because of an issue listed in section 4.9.1.1 of the Baseline Requirements, the private key MUST NOT be reused by the TSP, unless the revocation is caused by a violation of subsection 7 (Certificate not issued in accordance with these Requirements or the CA's Certificate Policy or Certification Practice Statement).
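The two requirements above (397-day certificates, two-year key use, no key reuse after a 4.9.1.1 revocation except under subsection 7) can be combined into one pre-issuance check. The following Python is an added example, not PKIoverheid or TSP code, and the function names are this example's own. It assumes that key use starts at the notBefore of the first certificate issued for that key, that the validity period is notAfter minus notBefore in days, and that "the same key" means an identical SubjectPublicKeyInfo (compared here by SHA-256 fingerprint of its DER bytes); the sample SPKI bytes in the usage section are constructed placeholders, not a real key.

```python
from datetime import date, timedelta
from hashlib import sha256

MAX_CERT_DAYS = 397
MAX_KEY_YEARS = 2
# Only BR 4.9.1.1 subsection 7 (certificate not issued in accordance with the
# Requirements or the CP/CPS) permits reusing the key after a replacement.
KEY_REUSE_ALLOWED_REASONS = {7}


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo; equal digests mean the same key."""
    return sha256(spki_der).hexdigest()


def add_years(d: date, years: int) -> date:
    """d plus `years`, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def check_issuance(not_before: date, not_after: date, key_first_used: date,
                   old_spki: bytes = None, new_spki: bytes = None,
                   revocation_reason: int = None) -> list:
    """Return the policy problems with issuing a certificate (empty list = OK).

    key_first_used: notBefore of the first certificate issued for this key
                    (this example's interpretation of "used for two years").
    old_spki / new_spki / revocation_reason: only set when the new certificate
                    replaces one being revoked under BR 4.9.1.1.
    """
    problems = []
    validity = not_after - not_before
    if validity > timedelta(days=MAX_CERT_DAYS):
        problems.append(f"validity {validity.days} days exceeds {MAX_CERT_DAYS}")
    if not_after > add_years(key_first_used, MAX_KEY_YEARS):
        problems.append("key would be in use for more than 2 years")
    if old_spki is not None and new_spki is not None and revocation_reason is not None:
        same_key = spki_fingerprint(old_spki) == spki_fingerprint(new_spki)
        if same_key and revocation_reason not in KEY_REUSE_ALLOWED_REASONS:
            problems.append(
                f"key reuse after revocation under 4.9.1.1 subsection {revocation_reason}")
    return problems


if __name__ == "__main__":
    # Constructed example: key first used 1 Nov 2019, renewal requested a year later.
    first_use = date(2019, 11, 1)
    renewal_start = date(2020, 11, 1)
    print(check_issuance(renewal_start, renewal_start + timedelta(days=397), first_use))
    # Constructed stand-in for a DER SubjectPublicKeyInfo (not a real key).
    spki = b"\x30\x0a" + b"\x41" * 10
    print(check_issuance(first_use, first_use + timedelta(days=365), first_use,
                         old_spki=spki, new_spki=spki, revocation_reason=3))
```

The renewal case shows the interaction of the two time limits: a 397-day certificate issued one year after the key was first used would end after the two-year key lifetime, so the TSP must either shorten it or require a fresh key.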

Becomes applicable to parts 3e to 3f. The requirement is:

A CA MUST be able to reissue all valid, non-expired certificates within 5 days, provided that the subscriber provides all the required information in a timely fashion.


"Providing all required information" by the subscriber is understood by the PA (Policy Authority) to mean any and all data that the TSP requires to process and supply the certificate, such as (domain) validation information and the Certificate Signing Request (CSR).

To help subscribers supply the required information in a timely fashion, the TSP can take, for example, the following measures:

  • Put in place a customer portal that facilitates and speeds up the application process
  • Periodically revalidate the (domain) validation data so that the needed information is fresh and available for quick action when needed
  • (Partially) automate the certificate application via an API (for example ACME, RFC 8555)