Peppol PKI Migration 2025 – From MPKI8 to DOTL
The Peppol community is entering a major transition in 2025 H2, as every Peppol Service Provider must migrate from:
🔑 DigiCert Managed PKI v8 (MPKI8) CA chain → to DigiCert One Trust Lifecycle (DOTL) CA chain
What This Means
📌All existing MPKI8 certificates must be replaced with DOTL certificates.
📌OpenPeppol will issue production certificates under DOTL only after Service Providers:
✅ Obtain a test certificate from DOTL
✅ Successfully demonstrate dual-capability (MPKI8 & DOTL) conformance in the Peppol Testbed
Key Migration Timelines
📌 T0 (11 Aug 2025 onward)
✅DOTL CA chain available
✅Service Providers can obtain DOTL test certificates
📌 T1 (11 Feb 2026 - 6-months transition period)
✅Mandatory dual capability (support both MPKI8 & DOTL)
📌 T2 (1 Apr 2026)
✅MPKI8 certificates revoked
✅DOTL becomes the only trusted CA chain
Oxalis Support
⚙️ Oxalis-NG v1.2.0 → Dual-capability (MPKI8 & DOTL)
👉 More details in Oxalis-NG WIKI: https://github.com/OxalisCommunity/oxalis-ng/wiki/Peppol-PKI-2025-%E2%80%90-MPKI8-to-DOTL
⚙️ Oxalis 7.2.0 and Oxalis-AS4 7.2.0 → Dual-capability (MPKI8 & DOTL)
👉 More details in Oxalis WIKI: https://github.com/OxalisCommunity/oxalis/wiki/Peppol-PKI-2025-%E2%80%90-MPKI8-to-DOTL
References & Guidance
🔗 Peppol PKI 2025 – Parent Page – Peppol PKI 2025 - 1. OpenPEPPOL Members Area - Confluence
🔗 Dedicated Migration Guideline – Peppol PKI 2025 - Dedicated Migration Guideline - 1. OpenPEPPOL Members Area - Confluence
🔗 Certificate Authority Migration Plan – Peppol PKI 2025 - Certificate Authority Migration Plan - 1. OpenPEPPOL Members Area - Confluence
🔗 Certificate Authorities – Peppol PKI 2025 - Certificate Authorities - 1. OpenPEPPOL Members Area - Confluence
🔗 Issuing & Enrolment Process – Peppol PKI 2025 - Issuing and Enrolment Process - 1. OpenPEPPOL Members Area - Confluence
🎥 Webinar: Peppol PKI 2025 – Peppol PKI 2025 - Webinar - 1. OpenPEPPOL Members Area - Confluence
⚡ This migration is time critical. Service Providers should plan ahead, enable dual capability early, and ensure seamless conformance testing before production rollout.