February 12, 2026 · 6 minute read

Peppol PKI migration: from G2 to G3, what Access Points need to know

PKI migration from Peppol G2 to G3: impacts, deadlines, and key actions to be anticipated by Access Points to ensure continuity of exchanges.

The Public Key Infrastructure (PKI) is one of those invisible but absolutely critical pillars that underpin the entire Peppol network. Without it, the secure exchange of electronic invoices between businesses and public administrations collapses. Yet few market players truly understand the technical and regulatory challenges behind the ongoing migration of OpenPeppol certificates, from G2 to G3.

At Iopole, we are a Peppol Certified Service Provider and a flow operator.

We support our software vendor clients and Peppol Access Points on a white-label basis to successfully navigate this transition.

This article details the PKI migration, the implications for Access Points, and how Iopole secures this process for its clients.

Peppol and the PKI

Within Peppol, each Access Point (AP) and Service Metadata Publisher (SMP) authenticates and exchanges messages using X.509 digital certificates. These certificates ensure that:

  • Each AP communicates with trusted counterparts.
  • AS4 messages (Peppol’s standard secure communication protocol) are neither intercepted nor altered.
  • The OpenPeppol compliance chain remains intact, from the sender to the end user.

Each certificate sits in a hierarchical trust chain: it is issued by an approved authority, has a limited validity period, and carries specific technical parameters (public key, key usages, validity dates, etc.).

If a Peppol Certified Service Provider does not correctly manage its certificate (for example, the certificate is not installed, the correct chain is not installed alongside it, or it is not presented as expected by an AS4 counterpart or by the Testbed), then it will not be able to authenticate on the network and will be unable to send or receive documents. This is a strict technical requirement: either you are aligned with the correct OpenPeppol trust chain, or you cannot communicate on the network.

Peppol Certificates

Peppol certificates are not standard TLS certificates. They are issued by a Certification Authority (CA) approved by OpenPeppol and follow a specific trust chain. Certificate issuance is carried out by the certification authority DigiCert.

OpenPeppol then distributes the certificates to Peppol Certified Service Providers that meet the required conditions (see TestBed, discussed below).

Role of certificates:

  • AP ↔ AP authentication: each Access Point proves its identity to the network.
  • AS4 security: message signing and encryption to guarantee integrity and confidentiality.
  • Regulatory compliance: only certificates issued by Peppol allow electronic invoices to be exchanged legally.

PKI Trust Chain

Each certificate relies on a trust anchor (or root certificate) issued by Peppol. The Peppol PKI is therefore hierarchical and controlled, ensuring that every actor in the network is identified and reliable.

From G2 to G3: what really changes

The migration of Peppol certificates is not a simple technical adjustment: it marks a fundamental change in how the network secures and validates exchanges between Access Points.

In practice, OpenPeppol is changing its certificate provider (the Certification Authority – CA) and PKI platform. G2 (legacy) relies on DigiCert Managed PKI v8 (MPKI8), while G3 is based on DigiCert One Trust Lifecycle (DOTL). This change introduces new roots and intermediates, improved certificate management, and a more modern approach to key lifecycle management.

To understand the challenge, it is necessary to compare the current version (G2) with the new generation (G3).

Peppol G2 Certificates

The G2 certificate is currently in use and will remain valid until April 1, 2026. It is issued via the DigiCert MPKI8 platform, which has served as the foundation for several years.

While this platform has worked well, it now presents several limitations:

  • Legacy truststore format: less flexible for modern environments.
  • Enrollment constraints: some operations still require manual procedures, which are poorly suited to scaling.
  • Limited lifecycle management: renewal, revocation, and certificate tracking are less optimized, making it harder to anticipate future transitions.

G2 enabled Peppol to scale effectively, but the platform is reaching its limits in terms of security, scalability, and current regulatory compliance requirements.

Peppol G3 Certificates

The G3 certificate has been available since August 11, 2025. G3 represents a structural evolution. It is issued via DOTL (DigiCert One Trust Lifecycle) and introduces several notable improvements:

  • New trust anchor and new intermediates, ensuring a more robust trust chain.
  • Modernized keystore formats, compatible with current and future standards (PKCS#12 vs legacy proprietary formats).
  • Full certificate lifecycle management. DOTL provides secure enrollment options (offline CSR), automatic renewal, and simplified revocation.
  • Cryptographic best practices: enrollment is based on a CSR (Certificate Signing Request), so the private key can be generated offline, improving security.
  • Long-term stability of trust roots: the G3 trust anchor has a longer validity period (10 years).

At the end of the transition period, all Peppol communications must take place via G3.

Peppol PKI Migration Timeline

  • Between 02/11 and 04/01, the Peppol infrastructure must support dual capability, i.e. both G2 and G3 certificates.
  • After 04/01, any Peppol Certified Service Provider that has not migrated will be off the network and non-compliant.
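The dual-capability rule above, as an added example (Go standard library only; not Iopole's or OpenPeppol's code): a peer certificate is validated against the G3 anchor first, then against G2, and a G2 chain is refused once the cutover date has passed. The G2 and G3 anchors here are constructed self-signed test roots with Ed25519 keys and an assumed validity window; the real Peppol chains also carry an intermediate CA, which would be supplied through VerifyOptions.Intermediates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
var cutover = time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC) // page: G2 is no longer valid after April 1, 2026
// makeCert issues a constructed test certificate; a nil parent yields a self-signed trust anchor.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a CA would assign
	ku := x509.KeyUsageDigitalSignature               // end-entity (Access Point) certificate
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: cutover.AddDate(0, -3, 0), NotAfter: cutover.AddDate(1, 0, 0), // assumed window
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classify reports which anchor the peer chains to at time now: G3 first, G2 only before the cutover.
func classify(peer, g2, g3 *x509.Certificate, now time.Time) (string, error) {
	roots := map[string]*x509.Certificate{"G3": g3, "G2": g2}
	for _, name := range []string{"G3", "G2"} {
		pool := x509.NewCertPool()
		pool.AddCert(roots[name])
		opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := peer.Verify(opts); err == nil { // chain built and inside the validity window
			if name == "G2" && !now.Before(cutover) {
				return "", fmt.Errorf("%s presented a G2 chain after the cutover", peer.Subject.CommonName)
			}
			return name, nil
		}
	}
	return "", fmt.Errorf("%s chains to neither the G2 nor the G3 anchor", peer.Subject.CommonName)
}
```

Logging the returned generation per peer during the transition window gives an inventory of counterparts still presenting G2 chains before the cutover makes them unreachable.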

The Testbed: a mandatory step for certificate issuance

The Peppol Testbed is the official centralized testing platform used to validate:

  • Technical compliance of an Access Point (AP) with OpenPeppol specifications
  • Dual G2 + G3 support during the transition period
  • Successful completion as a mandatory prerequisite to request a G3 production certificate

⚠️ A Peppol PKI test certificate must be imported into the browser/keystore to authenticate to the Testbed.

Before receiving a G3 production certificate, each Peppol Certified Service Provider must pass the Peppol Testbed.

Impact for White-Label Peppol Certified Service Providers

The migration from G2 to G3 is not just a certificate change: it is a deep PKI platform shift with concrete implications for all Access Points.

White labeling does not exempt providers from compliance, but Iopole significantly reduces effort and risk.

How Iopole Secures the Migration for Its Clients

This PKI migration is a strong signal from the OpenPeppol network:

  • Security and reliability are non-negotiable
  • Access Points must anticipate and plan
  • Partnering with Iopole allows you to delegate complexity while retaining control

Iopole, as a Peppol Certified Service Provider, ensures this transition is smooth and controlled.

If you are impacted by the Peppol PKI migration or plan to make your software a white-label Peppol Access Point, let’s talk.
