Certification Practice Statements for the Policy Authority PKIoverheid

This Certification Practice Statement (CPS) describes the practices for the core Public Key Infrastructure (PKI) services of PKIoverheid Root Certificates (Level 1) and Intermediate Certificates (Level 2). It provides Trust Service Providers (TSPs), subscribers and relying parties with information regarding the procedures and measures taken in respect to these practices.

The collection of PKI hierarchies under Staat der Nederlanden root certificates, and the framework governing its policies, is collectively referred to as PKIoverheid. The Dutch Ministry of Internal Affairs and Kingdom Relations has assigned supervision of the PKIoverheid policies to the PKIoverheid Policy Authority (PA) at Logius.

TSPs operate their own core PKI services for the management of their own PKIoverheid issuing certificates (Level 3) and issuance of PKIoverheid certificates to subscribers. This is done within the boundaries of applicable requirements as set out by the PA PKIoverheid, found in the PKIoverheid Programme of Requirements (PoR). The PKIoverheid PoR can be regarded as a CP for PKIoverheid TSPs. General PKIoverheid practices can be found in this PoR but for practices specific to each TSP their respective CPS documents should be consulted.

Hence, the allocation of practices between TSPs and the PA can be summarised as follows: - Registration Service: operated by TSPs and described in their own CPS documentation in accordance with the Programme of Requirements - Generation Service: operated by both TSPs and PA - Dissemination Service: operated by both TSPs and PA - Subject Device Provisioning Service: operated by TSPs and described in their own CPS documentation in accordance with the Programme of Requirements - Revocation Management Service: operated by both TSPs and PA - Revocation Status Service: operated by both TSPs and PA

This CPS is formatted in accordance with Request for Comment (RFC) 3647 (in full: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework” in which X.509 refers to “X Series Recommendation on Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks”) of the Internet Engineering Task Force (IETF).

The names of the root certificates contain common PKI abbreviations. G1, G2, G3, and G4 stand for first, second, third, and fourth generation respectively, and CA stands for a Certification Authority. A listing of all Level 1, 2 and 3 certificates published can be found on https://cert.pkioverheid.nl.

Current version

The current version of the CPS can be found below.

Historical versions

Historical versions of the CPS can be found below. These documents are provided to be compliant with Section 3.3 of the Mozilla Root Store Policy (MRSP) which states:

7. CA operators SHALL maintain links to all historic versions of each CP and CPS (or CP/CPS) from the creation of included CA certificates, regardless of changes in ownership or control of such CA certificates, until the entire CA certificate hierarchies (i.e. end entity certificates, intermediate CA certificates, and cross-certificates) operated in accordance with such documents are no longer trusted by the Mozilla root store. For CA certificates that were included in Mozilla's root store before December 31, 2022, the CA Operator shall maintain links in their online repositories to all reasonably available historic versions of CPs and CPSes (or CP/CPSes) from creation of the included CA certificates.

All documents below are semi-automated exports of documents signed off by Logius legal representatives. Version 5.0 of the CPS is the first CPS which unifies the four separate PKIoverheid root CPSs into one single document. Versions 4.6 and below of these documents were not designed taking into account the *Web Content Accessibility Guidelines- (WCAG), however several WCAG optimizations were scripted into the export proces to improve accessibility. However, full compliance with the WCAG means having to change the textual contents as well, which goes against the purpose of making these documents available with authentic contents for audit purposes. Because these documents are of no administrative purpose anymore, as well as changing them going against the purpose of making them available in the first place, these documents will remain non-compliant with the WCAG. However, people running into problems with accessibility regarding any of these documents can contact the PKIoverheid team using the contact link below. When contacted, the team will provide the desired information in a suitable format. Any accessibility enhancements made this way will be retrofitted on this website for future visitors, as long as they do not involve actual text updates.

Exported on: 2025-07-14.