TLS Certificate Guides
The new “Staat der Nederlanden Private Root CA – G1” certificate chain, that is used by the new api.kvk.nl certificate, is by default not trusted by your application. Therefore, you need to add the new chain to your trust-list. Depending on your application platform or operation system the location of your trust-list may vary. If the new trust chain is not added before September 28th, 2020 20:00 you will no longer be able to connect to api.kvk.nl and KVK API Search & Profile.
For most applications the following certificates have to be trusted by your application in order to communicate with our KVK API-services:
| Certificate | Type | Filename |
|---|---|---|
| Staat der Nederlanden Private Root CA - G1 | Root CA | Staat_der_Nederlanden_Private_Root_CA_-_G1.crt |
| Staat der Nederlanden Private Services CA | Intermediate CA | Staat_der_Nederlanden_Private_Services_CA_-_G1.crt |
| QuoVadis PKIoverheid Private_Services CA | Intermediate CA | QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt |
You can download a zip file containing these certificates here. The api.kvk.nl certificate can be downloaded here.
Below you will find instructions on how to install the certificate chain.
Test facility
To check and make sure you have correctly added the new root and intermediate certificates to your system or application you can use http://ssltest.kvk.nl which contains a certificate with the same root and intermediate chain as the new api.kvk.nl certificate.
Java
- Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.
-
Extract the zip and place it on your file system, for example on
~/apicerts
-
Go to the directory containing the cacerts truststore. You can normaly find the truststore in the
lib/securitysub folder of your java home folders. In bash shell environments:
cd $JAVA_HOME/lib/security
- Import the certificates using the Java keytool tool:
keytool -importcert -alias Staat_der_Nederlanden_Private_Root_CA -keystore cacerts -storepass changeit -file ~/apicerts/Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
keytool -importcert -alias Staat_der_Nederlanden_Private_Services_CA -keystore cacerts -storepass changeit -file ~/apicerts/Staat_der_Nederlanden_Private_Services_CA_-_G1.crt
keytool -importcert -alias QuoVadis_PKIoverheid_Private_Services_CA -keystore cacerts -storepass changeit -file ~/apicerts/QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
-
Make sure the certifcates are correctly imported using the keytool -list command
keytool -list -v -keystore ./cacerts -storepass changeit
NodeJS
- Obtain our intermediate and root certificate chain file. You can download it here.
-
Create an environment variable containing the correct path to our intermediate and root certificate chain file eg:
NODE_EXTRA_CA_CERTS=./Private_G1_chain.pem
-
Make sure the file specified in the environment variable exists:
cat $NODE_EXTRA_CA_CERTS
- You will see the 3 certificate in PEM format, each certificate will start with "-----BEGIN CERTIFICATE-----".
PHP
PHP uses your operating systems' trust certificate configuration. Please configure the chosen operating system for your PHP application to trust the root and intermediate certificates we use for api.kvk.nl.
You will find the instructions for the most common operating systems on this page (see the CentOS, Debian and Windows sections).
CentOS
-
Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.
-
Unzip the files in
~/apicerts -
Install the ca-certificates package:
sudo yum install ca-certificates-
Confirm when aksed "Is this ok [y/N]: " by pressing
y
-
Confirm when aksed "Is this ok [y/N]: " by pressing
-
Enable the dynamic CA configuration feature:
sudo update-ca-trust force-enable -
Copy the root certificate file to /etc/pki/ca-trust/source/anchors/
sudo cp ~/apicerts/* /etc/pki/ca-trust/source/anchors/ -
Check if the following files exist in /etc/pki/ca-trust/source/anchors/:
QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
Staat_der_Nederlanden_Private_Services_CA_-_G1.crt -
Update the truststore:
sudo update-ca-trust extract -
Test if everything works:
curl https://ssltest.kvk.nl/
Debian
- Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.
-
Unzip the files in
~/apicerts -
Copy the crt files to
/usr/local/share/ca-certificates/
sudo cp ~/apicerts/*.crt /usr/local/share/ca-certificates/ -
Check if the following files exist in /usr/local/share/ca-certificates/:
QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
Staat_der_Nederlanden_Private_Services_CA_-_G1.crt -
Update the trusted certificates:
sudo update-ca-certificates -
Test everything works:
curl https://ssltest.kvk.nl/
Windows
-
Make sure you're logged in to your Windows Machine using an account with Administrator privileges.
-
Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.
-
Unzip the file somewhere on your Windows file system
-
Open mmc (press windows key, start typing mmc) and open mmc.exe
-
Click on "File" and on "Add the Certificates snap-in to the Console".
Choose "Add/Remove Snap in..."
Select 'Certificates' from the list with Available snap-ins and clik 'Add>' to add the Certificates Snap-in
Select 'Computer account', to manage the computer accounts certificates and click 'Next'
Select 'Local computer'
Click 'Finish' to close the 'Add or Remove Snap-ins' dialog
- Add the Staat der Nederlanden Private Root CA_-_G1certificate to the Trusted Root Certification Authorities/Certificates section
Expand the Certificates (Local Computer) section and then the Trusted Rooter Certification Authorities section.Click on 'Certificates' to see the trusted root certificates.
Right click with your mouse on 'Certificates', choose 'All Taks' and click 'Import'.
Click 'Next'
Select the correct file by clicking 'Browse'
Navigate to the folder where you stored the certificates. Select the file "Staat_der_Nederlanden_Private_Root_CA_-_G1.crt" and click 'Open' to close the file selection dialog.
Click 'Next'
Select 'Place all certificates in the following store' and click 'Next'
Check the information and click 'Finish' to complete the certification import Wizard.
A dialog will apear with the message : 'The import was successfull'
Make sure the Certificate Staat der Nederlanden Private Root CA_-_G1certificate is listed
- Add the Staat der Nederlanden Private Services CA_-_G1intermediate certificate
Expand the 'Intermediate Certification Authorities' section and click on 'Certificates'
Right click with your mouse on 'Certificates', choose 'All Taks' and click 'Import'.
Click 'Next'to start the wizard.
Select the correct file by clicking 'Browse'
Navigate to the folder where the certificates are stored. Select the file 'Staat_der_Nederlanden_Private_Services_CA_-_G1.crt' file and click 'Open'
Click 'Next' in the Certification Import Wizard
Make sure 'Place all certificates in the following store' is selected as below and click 'Next'
Complete the Wizard by clicking the 'Finish' button
A dialog with the message 'The import was successful' will apear.
Make sure the Staat der Nederlanden Private Services CA_-_G1intermediate certificate is listed in the Intermediate Certificates view
- Add the Staat der Nederlanden Private Services CA_-G1intermediate certificate
Repeat the steps you did for "Add the Staat der Nederlanden Private Services CA-_G1intermediate certificate" but use the file QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt in stead of Staat_der_Nederlanden_Private_Services_CA_-_G1.crt
Make sure the QuoVadis PKIoverheid Private Services CA_-_G1 is also listed in the Intermediate Certificates view:
- Test everything works, by opening the website https://ssltest.kvk.nl/ with your browser.
.png "Logo_withPayoff"){kind=logo}