Developer Portal
EN/NL
OverviewTLS Certificate
Zoeken APIBasisprofiel APIVestigingsprofiel APINaamgeving API

TLS Certificate guides

The new “Staat der Nederlanden Private Root CA – G1” certificate chain, that is used by the new api.kvk.nl certificate, is by default not trusted by your application. Therefore you need to add the new chain to your trust-list.

Trusted certificates

Root CA
Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
Intermediate CA
Staat_der_Nederlanden_Private_Services_CA_-_G1.crt
Intermediate CA
QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt

Download certificates

Root and intermediate certificates
Download certificates
api.kvk.nl certificate
Download certificate

Test environment

You can use https://ssltest.kvk.nl to test if you have correctly added the new root and intermediate certificates to your system or application. SSLtest uses the same root and intermediate chain as the new api.kvk.nl certificate.

  1. Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl.
  2. Extract the zip and place it on your file system, for example on ~/apicerts.
  3. Go to the directory containing the cacerts truststore. You can normaly find the truststore in the lib/security sub folder of your java home folders. In bash shell environments: cd $JAVA_HOME/lib/security.
  4. Import the certificates using the Java keytool tool:

    keytool -importcert -alias Staat_der_Nederlanden_Private_Root_CA -keystore cacerts -storepass changeit -file ~/apicerts/Staat_der_Nederlanden_Private_Root_CA_-_G1.crt

    keytool -importcert -alias Staat_der_Nederlanden_Private_Services_CA -keystore cacerts -storepass changeit -file ~/apicerts/Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

    keytool -importcert -alias QuoVadis_PKIoverheid_Private_Services_CA -keystore cacerts -storepass changeit -file ~/apicerts/QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt

  5. Make sure the certifcates are correctly imported using the keytool -list command:

    keytool -list -v -keystore ./cacerts -storepass changeit

  1. Obtain our intermediate and root certificate chain file here.
  2. Create an environment variable containing the correct path to our intermediate and root certificate chain file eg:

    NODE_EXTRA_CA_CERTS=./Private_G1_chain.pem

  3. Make sure the file specified in the environment variable exists:

    cat $NODE_EXTRA_CA_CERTS

  4. You will see the 3 certificates in PEM format, each certificate will start with "-----BEGIN CERTIFICATE-----".

PHP uses your operating systems' trust certificate configuration. Please configure the chosen operating system for your PHP application to trust the root and intermediate certificates we use for api.kvk.nl.

Check the CentOS, Debian and Windows sections below for instuctions.

  1. Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl.
  2. Unzip the files in ~/apicerts
  3. Install the ca-certificates package:

    sudo yum install ca-certificates

    - Confirm when aksed "Is this ok [y/N]:" by pressing y
  4. Enable the dynamic CA configuration feature:

    sudo update-ca-trust force-enable

  5. Copy the root certificate file to /etc/pki/ca-trust/source/anchors/

    sudo cp ~/apicerts/* /etc/pki/ca-trust/source/anchors/

  6. Check if the following files exist in /etc/pki/ca-trust/source/anchors/:

    QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

  7. Update the truststore:

    sudo update-ca-trust extract

  8. Test if everything works:

    curl https://ssltest.kvk.nl

  1. Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl.
  2. Unzip the files in ~/apicerts
  3. Copy the crt files to /usr/local/share/ca-certificates/

    sudo cp ~/apicerts/*.crt /usr/local/share/ca-certificates/

  4. Check if the following files exist in /usr/local/share/ca-certificates/:

    QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

  5. Update the trusted certificates:

    sudo update-ca-certificates

  6. Test if everything works:

    curl https://ssltest.kvk.nl

  1. Make sure you're logged in to your Windows Machine using an account with Administrator privileges.
  2. Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl.
  3. Unzip the file somewhere on your Windows file system.
  4. Open mmc (press windows key, start typing mmc) and open mmc.exe
    5. windows mmc.exe
  5. Click on "File" and on "Add the Certificates snap-in to the Console".

    6. Choose "Add/Remove Snap in..."

    windows Add/Remove Snap-in

    Select 'Certificates' from the list with Available snap-ins and clik 'Add>' to add the Certificates Snap-in

    windows Add Certificate Snap-in

    Select 'Computer account', to manage the computer accounts certificates and click 'Next'

    windows Select Computer Account

    Select 'Local computer'

    windows Select Local Computer

    Click 'Finish' to close the 'Add or Remove Snap-ins' dialog

  6. Add the Staat der Nederlanden Private Root CA_-_G1certificate to the Trusted Root Certification Authorities/Certificates section

    7. Expand the Certificates (Local Computer) section and then the Trusted Rooter Certification Authorities section.Click on 'Certificates' to see the trusted root certificates.

    windows Trusted Root Certificates Local Computer

    Right click with your mouse on 'Certificates', choose 'All Taks' and click 'Import'.

    windows Trusted Root Certificates All Tasks Import...

    Click 'Next'

    Select the correct file by clicking 'Browse'

    windows Trusted Root Certificates Browse

    Navigate to the folder where you stored the certificates. Select the file "Staat_der_Nederlanden_Private_Root_CA_-_G1.crt" and click 'Open' to close the file selection dialog.

    windows Navigate To Private Root Certificate

    Click 'Next'

    windows Private Root Certificate Next

    Select 'Place all certificates in the following store' and click 'Next'

    windows Private Root Certificate Place In Store

    Check the information and click 'Finish' to complete the certification import Wizard.

    windows Private Root Certificate Finish

    A dialog will apear with the message : 'The import was successful'

    Make sure the Certificate Staat der Nederlanden Private Root CA_-_G1certificate is listed

    windows Private Root Certificate Check
  7. Add the Staat der Nederlanden Private Services CA_-_G1intermediate certificate

    8. Expand the 'Intermediate Certification Authorities' section and click on 'Certificates'

    windows Intermediate Certification Authorities

    Right click with your mouse on 'Certificates', choose 'All Taks' and click 'Import'.

    windows Intermediate Certification Authorities All Tasks Import...

    Click 'Next'to start the wizard.

    Select the correct file by clicking 'Browse'

    Navigate to the folder where the certificates are stored. Select the file 'Staat_der_Nederlanden_Private_Services_CA_-_G1.crt' file and click 'Open'

    windows Navigate To Intermediate Certificate

    Click 'Next' in the Certification Import Wizard

    windows Intermediate Certificate Next

    Make sure 'Place all certificates in the following store' is selected as below and click 'Next'

    windows Intermediate Certificate Place In Store

    Complete the Wizard by clicking the 'Finish' button

    windows Intermediate Certificate Finish

    A dialog with the message 'The import was successful' will apear.

    Make sure the Staat der Nederlanden Private Services CA_-_G1intermediate certificate is listed in the Intermediate Certificates view

    windows Intermediate Certificate Check
  8. Add the QuoVadis_PKIoverheid_Private_Services_CA_-_G1intermediate certificate

    9. Repeat the steps you did for "Add the Staat der Nederlanden Private Services CA-_G1intermediate certificate" but use the file QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt in stead of Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

    Make sure the QuoVadis PKIoverheid Private Services CA_-_G1 is also listed in the Intermediate Certificates view:

    windows Second Intermediate Certificate Check
  9. Test everything works, by opening the website https://ssltest.kvk.nl with your browser.