TLS Certificate Guides

The new “Staat der Nederlanden Private Root CA – G1” certificate chain, which is used by the new api.kvk.nl certificate, is not trusted by your application by default. Therefore, you need to add the new chain to your trust-list. Depending on your application platform or operating system, the location of your trust-list may vary. If the new trust chain is not added before September 28th, 2020 20:00, you will no longer be able to connect to api.kvk.nl and KVK API Search & Profile.

For most applications the following certificates have to be trusted by your application in order to communicate with our KVK API-services:

Certificate                                | Type            | Filename
Staat der Nederlanden Private Root CA - G1 | Root CA         | Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
Staat der Nederlanden Private Services CA  | Intermediate CA | Staat_der_Nederlanden_Private_Services_CA_-_G1.crt
QuoVadis PKIoverheid Private Services CA   | Intermediate CA | QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt

You can download a zip file containing these certificates here. The api.kvk.nl certificate can be downloaded here.

Below you will find instructions on how to install the certificate chain.

 

Test facility

To check that you have correctly added the new root and intermediate certificates to your system or application, you can use http://ssltest.kvk.nl, which contains a certificate with the same root and intermediate chain as the new api.kvk.nl certificate.

 

Java

  • Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.
  • Extract the zip and place it on your file system, for example on ~/apicerts
  • Go to the directory containing the cacerts truststore. You can normally find the truststore in the lib/security subfolder of your Java home folder. In bash shell environments:
    cd "$JAVA_HOME/lib/security"
  • Import the certificates using the Java keytool tool:
    keytool -importcert -alias Staat_der_Nederlanden_Private_Root_CA -keystore cacerts -storepass changeit -file ~/apicerts/Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
    keytool -importcert -alias Staat_der_Nederlanden_Private_Services_CA -keystore cacerts -storepass changeit -file ~/apicerts/Staat_der_Nederlanden_Private_Services_CA_-_G1.crt
    keytool -importcert -alias QuoVadis_PKIoverheid_Private_Services_CA -keystore cacerts -storepass changeit -file ~/apicerts/QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
  • Make sure the certificates are correctly imported using the keytool -list command:
    keytool -list -v -keystore ./cacerts -storepass changeit

 

NodeJS

  • Obtain our intermediate and root certificate chain file. You can download it here.
  • Create an environment variable containing the correct path to our intermediate and root certificate chain file, e.g. NODE_EXTRA_CA_CERTS=./Private_G1_chain.pem
  • Make sure the file specified in the environment variable exists:
    cat "$NODE_EXTRA_CA_CERTS"
  • You will see the 3 certificates in PEM format; each certificate starts with "-----BEGIN CERTIFICATE-----".
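
Node.js only emits a warning when the file named by NODE_EXTRA_CA_CERTS is missing or malformed and then continues without it, so a wrong path or truncated download shows up later as a TLS failure. The following pre-flight check is an added example, not KVK's code: the function names are hypothetical, the sample bundle is constructed, and describe_bundle assumes the openssl CLI is installed.

```shell
# Added example, not KVK's code; function names are hypothetical.

# Print the number of complete certificate blocks in PEM file $1.
# Fails if the file is unreadable, a block is empty, or markers are unbalanced.
pem_cert_count() {
    [ -r "$1" ] || return 2
    awk '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { if (inside) bad = 1; inside = 1; next }
        /^-----END CERTIFICATE-----[ \t\r]*$/ {
            if (!inside || !body) { bad = 1 } else { n++ }
            inside = 0; body = 0; next
        }
        inside && NF { body++ }
        END { if (inside || bad) exit 1; print n + 0 }
    ' "$1"
}

# Succeed only if $1 holds exactly $2 well-formed certificate blocks.
check_bundle() {
    count=$(pem_cert_count "$1") || { echo "malformed or unreadable: $1" >&2; return 1; }
    [ "$count" -eq "$2" ] || { echo "expected $2 certificates, found $count" >&2; return 1; }
}

# Print subject, issuer and SHA-256 fingerprint of each certificate in $1
# (assumes the openssl CLI is installed), for review before trusting the bundle.
describe_bundle() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] && openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
    rm -rf "$tmp"
}

# Constructed sample: three placeholder blocks, not real certificates.
sample_bundle() {
    for i in 1 2 3; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "Q09OU1RSVUNURUQ$i" '-----END CERTIFICATE-----'
    done
}

# When NODE_EXTRA_CA_CERTS is set, check it for the 3 certificates this page names.
if [ -n "${NODE_EXTRA_CA_CERTS:-}" ]; then
    check_bundle "$NODE_EXTRA_CA_CERTS" 3 && describe_bundle "$NODE_EXTRA_CA_CERTS"
fi
```

Node.js reads NODE_EXTRA_CA_CERTS only when the process starts, so run the check in the same environment that launches your application.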

 

PHP

PHP uses your operating system's trust certificate configuration. Please configure the chosen operating system for your PHP application to trust the root and intermediate certificates we use for api.kvk.nl.

You will find the instructions for the most common operating systems on this page (see the CentOS, Debian and Windows sections).

 

CentOS

  • Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.

  • Unzip the files in ~/apicerts

  • Install the ca-certificates package:
    sudo yum install ca-certificates

    • Confirm when asked "Is this ok [y/N]: " by pressing y
  • Enable the dynamic CA configuration feature:
    sudo update-ca-trust force-enable

  • Copy the certificate files to /etc/pki/ca-trust/source/anchors/
    sudo cp ~/apicerts/* /etc/pki/ca-trust/source/anchors/

  • Check if the following files exist in /etc/pki/ca-trust/source/anchors/:
    QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

  • Update the truststore:
    sudo update-ca-trust extract

  • Test if everything works:
    curl https://ssltest.kvk.nl/

 

Debian

  • Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.
  • Unzip the files in ~/apicerts
  • Copy the crt files to /usr/local/share/ca-certificates/
    sudo cp ~/apicerts/*.crt /usr/local/share/ca-certificates/

  • Check if the following files exist in /usr/local/share/ca-certificates/:
    QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Root_CA_-_G1.crt
    Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

  • Update the trusted certificates:
    sudo update-ca-certificates

  • Test if everything works:
    curl https://ssltest.kvk.nl/

 

Windows

  • Make sure you're logged in to your Windows Machine using an account with Administrator privileges.

  • Obtain the zip containing the root certificates and the intermediate certificates used by api.kvk.nl. You can download it here.

  • Unzip the file somewhere on your Windows file system

  • Open mmc (press the Windows key, start typing mmc) and open mmc.exe

  • Add the Certificates snap-in to the console:

    Click on "File" and choose "Add/Remove Snap-in..."

    Select 'Certificates' from the list of available snap-ins and click 'Add>' to add the Certificates snap-in

    Select 'Computer account' to manage the computer account's certificates and click 'Next'

    Select 'Local computer'

    Click 'Finish' to close the 'Add or Remove Snap-ins' dialog

 

  • Add the Staat der Nederlanden Private Root CA - G1 certificate to the Trusted Root Certification Authorities/Certificates section

    Expand the Certificates (Local Computer) section and then the Trusted Root Certification Authorities section. Click on 'Certificates' to see the trusted root certificates.

    Right-click on 'Certificates', choose 'All Tasks' and click 'Import'.

    Click 'Next'

    Select the correct file by clicking 'Browse'

    Navigate to the folder where you stored the certificates. Select the file "Staat_der_Nederlanden_Private_Root_CA_-_G1.crt" and click 'Open' to close the file selection dialog.

    Click 'Next'

    Select 'Place all certificates in the following store' and click 'Next'

    Check the information and click 'Finish' to complete the Certificate Import Wizard.

    A dialog will appear with the message: 'The import was successful'

    Make sure the Staat der Nederlanden Private Root CA - G1 certificate is listed

  • Add the Staat der Nederlanden Private Services CA - G1 intermediate certificate

    Expand the 'Intermediate Certification Authorities' section and click on 'Certificates'

    Right-click on 'Certificates', choose 'All Tasks' and click 'Import'.

    Click 'Next' to start the wizard.

    Select the correct file by clicking 'Browse'

    Navigate to the folder where the certificates are stored. Select the file 'Staat_der_Nederlanden_Private_Services_CA_-_G1.crt' and click 'Open'

    Click 'Next' in the Certificate Import Wizard

    Make sure 'Place all certificates in the following store' is selected and click 'Next'

    Complete the wizard by clicking the 'Finish' button

    A dialog with the message 'The import was successful' will appear.

    Make sure the Staat der Nederlanden Private Services CA - G1 intermediate certificate is listed in the Intermediate Certificates view

  • Add the QuoVadis PKIoverheid Private Services CA - G1 intermediate certificate

    Repeat the steps you did for "Add the Staat der Nederlanden Private Services CA - G1 intermediate certificate", but use the file QuoVadis_PKIoverheid_Private_Services_CA_-_G1.crt instead of Staat_der_Nederlanden_Private_Services_CA_-_G1.crt

    Make sure the QuoVadis PKIoverheid Private Services CA - G1 is also listed in the Intermediate Certificates view.