Certificates

By default, you only have access to public data. If you also want to view data that is non-public, you must request authorisation and provide a certificate.

1. Request authorization

Read more about requesting authorization.

2. Submit a certificate

Once authorization has been granted, you can submit a certificate.

Log in to My Developer Portal.
Click on the "API-key" block.
Here you will find an overview of the granted authorizations and an option to upload a certificate.
Upload a certificate that meets the correct requirements.
Is the certificate approved? Then you can immediately view non-public and/or protected data.

Frequently asked questions about certificates

Why do I need to upload a certificate?

A certificate is your digital proof of identity. With it, you prove that you are who you say you are.

What kind of certificate do I need to upload?

Government bodies are required to provide a PKIO (Public Key Infrastructure for the Government) certificate. Are you not part of the government? You can still provide a PKIO certificate. OR an EV (Extended Validation) certificate. However, because the latter will soon no longer be issued, we recommend choosing a PKIO certificate.

Within PKIO, there are two options:

Personal certificate.
Server certificate.

Choose the server certificate, which is an organizational-level certificate rather than a personal one.

Where can I request a certificate?

A Trust Service Provider (TSP) is an organization that issues and manages trusted digital certificates and services. PKIO certificates may only be issued by TSPs that have been approved by the government.

How does it work?

Choose a certificate from a TSP.
Create a CSR (Certificate Signing Request) on your server. This is an encrypted request containing, among other things, your domain name, organization details, your public key, and a digital signature of your private key.
Send the CSR and your company details to the TSP.
The TSP verifies that the company details are correct, that the request is valid, that you are authorized, and that you have chosen the correct certificate type.
You receive the certificate from the TSP. Place it on your server or in your application.
Log in to My Developer Portal and upload the certificate.

Approved TSPs

You can request a certificate from the TSPs listed below.

Digidentity - More explanation can be found in the online manual
KPN (in Dutch) - Choose the Digipoort Private server certificate
DigiCert - More explanation can be found in the online manual (in Dutch)

Contact the TSP

Is the application process a bit too technical for you? Then we recommend contacting the TSP. They can help you with the application and installation of the certificate.

Indicate that you need a PKIoverheid server certificate for machine-to-machine communication (mutal TLS) with the KVK API for access to protected data (such as UBO data).

What requirements must the certificate meet?

Must be valid on the date of submission.
Must be of type X.509 V3.
Must have PEM or DER-formatted content; the corresponding file extensions are: .pem, .cer, .crt, or .der.
Must be issued by a trusted certificate authority (see question 'Where can I request a certificate?').
Must be issued on a single domain (described in the CN field), such as https://kvk.nl. Wildcards are not permitted, for example: https://*.kvk.nl.
Preferably submit a PKIO certificate and type server (see question 'What kind of certificate do I need to upload?').
Market parties must include their KVK number in the serial number field in the subject line.
The Extended Key Usage field should contain the following value: 1.3.6.1.5.5.7.3.2 (client authentication).

What error messages can I receive when uploading a certificate?

The certificate has a public key or signature algorithm which is constrained and not allowed.
It could not be determined if the certificate is revoked.
There was a problem while reading the certificate.
The OIN is missing in the serial number (subject key).
The certificate is expired.
The certificate is outside its validity period.
The certificate's key usage is invalid.
The certificate's name constraints are violated.
The certificate's policy constraints are violated.
The certificate has an invalid signature.
The certificate's subject name is invalid.
Certificate is not of type X.509.
The certificate is a CA which is not allowed.
The certificate's KVK number does not match our registered KVK number.
The certificate has already been uploaded before.
The certificate does not contain an SKI or AKI.
The certificate does not chain correctly.
No X.509 certificate could be found.
The certificate does not contain the client authentication extension in the extended key usage.
The certificate is not an EV certificate.
The certificate chain does not contain a single client certificate.
The certificate isn't issued by a trusted certificate issuer.
The certificate is not a CA certificate.
The certificate is not yet valid.
The OIN register could not find an organisation based on the KVK number.
The OIN register could not find an active organisation with a matching trade name.
The certificate's path length constraint is violated.
The certificate is revoked.
The certificate identifies itself as a root ca but not as an intermediate ca.
The certificate contains one or more unrecognized critical extensions.
The certificate has a wildcard in the domain.
Please try again later.
The details of the company based on the KVK number can not be retrieved.

How long is a certificate valid?

The most common validity period is 1 year, but a certificate can also be valid for 3 years. Check this with your certificate provider.

How do I know when my certificate expires?

We do not send notifications when your certificate expires. You are responsible for monitoring this yourself.

How much does a certificate cost?

You can request the cost of a certificate from your certification provider. Generally, the cost is between € 200 and € 300 per year.