Certificates

By default, you only have access to public data. If you also want to view data that is non-public, you must request authorisation and provide a certificate. 

Certificate requirements

  • Must be valid on the date of submission.
  • Must be of type X.509 V3. 
  • Must have PEM or DER-formatted content; the corresponding file extensions are: .pem, .cer, .crt, or .der.
  • Must be issued by a trusted certificate authority.
  • Must be issued on a single domain (described in the CN field), such as https://kvk.nl. Wildcards are not permitted, for example: https://*.kvk.nl.
  • Preferably submit a PKIO certificate. Read more about applying for a PKIO certificate (in Dutch). 
  • Market parties must include their KVK number in the serial number field in the subject line.
  • The Extended Key Usage field should contain the following value: 1.3.6.1.5.5.7.3.2 (client authentication).

Frequently asked questions about certificates

A certificate is your digital proof of identity. With it, you prove that you are who you say you are.

We recommend that you apply for a PKIO certificate. This can be done through a Trust Service Provider (TSP). Read more about applying for a PKIO certificate (in Dutch). 

More information about submitting a certificate is described on the authorization page.

  • The certificate has a public key or signature algorithm which is constrained and not allowed. 
  • It could not be determined if the certificate is revoked.
  • There was a problem while reading the certificate.
  • The OIN is missing in the serial number (subject key). 
  • The certificate is expired. 
  • The certificate is outside its validity period. 
  • The certificate's key usage is invalid. 
  • The certificate's name constraints are violated. 
  • The certificate's policy constraints are violated. 
  • The certificate has an invalid signature. 
  • The certificate's subject name is invalid. 
  • Certificate is not of type X.509. 
  • The certificate is a CA which is not allowed. 
  • The certificate's KVK number does not match our registered KVK number. 
  • The certificate has already been uploaded before. 
  • The certificate does not contain an SKI or AKI. 
  • The certificate does not chain correctly. 
  • No X.509 certificate could be found. 
  • The certificate does not contain the client authentication extension in the extended key usage. 
  • The certificate is not an EV certificate. 
  • The certificate chain does not contain a single client certificate. 
  • The certificate isn't issued by a trusted certificate issuer. 
  • The certificate is not a CA certificate. 
  • The certificate is not yet valid. 
  • The OIN register could not find an organisation based on the KVK number. 
  • The OIN register could not find an active organisation with a matching trade name. 
  • The certificate's path length constraint is violated. 
  • The certificate is revoked. 
  • The certificate identifies itself as a root ca but not as an intermediate ca. 
  • The certificate contains one or more unrecognized critical extensions. 
  • The certificate has a wildcard in the domain. 
  • Please try again later. 
  • The details of the company based on the KVK number can not be retrieved.

Government parties are required to provide a PKIO certificate. Market parties can also choose an EV certificate. However, these will no longer be issued in the near future. Therefore, we recommend choosing a PKIO certificate in advance.

The most common validity period is 1 year, but a certificate can also be valid for 3 years. Check this with your certificate provider.

We do not send notifications when your certificate expires. You are responsible for monitoring this yourself.

You can request the cost of a certificate from your certification provider. Generally, the cost is between €150 and €200 per year.