Peppol's G3 Certificate Switch: What Changes on 1 April 2026

Q: Why is Peppol changing its certificates?

The [Peppol network](/blog/what-is-peppol) relies on a Public Key Infrastructure (PKI) to authenticate every message exchange between Access Points. Since the network's early days, those certificates have been issued through **DigiCert Managed PKI v8 (MPKI8)**. That platform is being retired by DigiCert, which means Peppol must move to a new certificate authority infrastructure: **DigiCert One Trust Lifecycle (DOTL)**. This is not a minor version bump. The migration from the **G2** certificate chain to the **G3** chain is the largest infrastructure change to hit Peppol since the network was established. It affects every participant in the ecosystem - all 300+ Access Points, Service Metadata Publishers, and by extension the 2.5 million+ registered participants that depend on them across 98 countries. The core reason is straightforward: the old infrastructure is reaching end-of-life, and continuing to rely on it would create security and operational risks. The new DOTL platform brings a modernised certificate lifecycle, but it requires every Service Provider to actively migrate before the cutoff.

Q: What is the migration timeline?

OpenPeppol defined three milestones. **T0 (11 August 2025):** The new G3 root CA chains are published and the DOTL enrolment portal opens. From this date, Access Points can begin requesting G3 certificates and testing them in the Peppol Testbed environment. No disruption to production traffic - G2 certificates continue to work normally. **T1 (11 February 2026):** All Service Providers must support both the G2 and G3 certificate chains simultaneously. This means they must be able to sign and encrypt outgoing messages with their new G3 certificate while still validating incoming messages signed with either G2 or G3. Before T1, every AP must have passed the Peppol Testbed conformance tests to prove dual-chain capability. **T2 (1 April 2026):** All G2 certificates are revoked. DigiCert stops issuing G2 replacements entirely. Any Access Point still running on the old chain is immediately disconnected from the network - it can neither send nor receive messages. There is no grace period beyond this date.

Why is Peppol changing its certificates?

The Peppol network relies on a Public Key Infrastructure (PKI) to authenticate every message exchange between Access Points. Since the network's early days, those certificates have been issued through DigiCert Managed PKI v8 (MPKI8). That platform is being retired by DigiCert, which means Peppol must move to a new certificate authority infrastructure: DigiCert One Trust Lifecycle (DOTL).

This is not a minor version bump. The migration from the G2 certificate chain to the G3 chain is the largest infrastructure change to hit Peppol since the network was established. It affects every participant in the ecosystem - all 300+ Access Points, Service Metadata Publishers, and by extension the 2.5 million+ registered participants that depend on them across 98 countries.

The core reason is straightforward: the old infrastructure is reaching end-of-life, and continuing to rely on it would create security and operational risks. The new DOTL platform brings a modernised certificate lifecycle, but it requires every Service Provider to actively migrate before the cutoff.

What is the migration timeline?

T0: Aug 2025 (G3 available) → T1: 11 Feb 2026 (dual support required) → T2: 1 Apr 2026 (G2 revoked)

OpenPeppol defined three milestones. T0 (11 August 2025): The new G3 root CA chains are published and the DOTL enrolment portal opens. From this date, Access Points can begin requesting G3 certificates and testing them in the Peppol Testbed environment. No disruption to production traffic - G2 certificates continue to work normally.

T1 (11 February 2026): All Service Providers must support both the G2 and G3 certificate chains simultaneously. This means they must be able to sign and encrypt outgoing messages with their new G3 certificate while still validating incoming messages signed with either G2 or G3. Before T1, every AP must have passed the Peppol Testbed conformance tests to prove dual-chain capability.

T2 (1 April 2026): All G2 certificates are revoked. DigiCert stops issuing G2 replacements entirely. Any Access Point still running on the old chain is immediately disconnected from the network - it can neither send nor receive messages. There is no grace period beyond this date.

What must Access Points do?

Each Access Point must replace its existing MPKI8-issued certificates with new ones from the DOTL certificate authority. OpenPeppol offers two enrolment methods: a web-based approach through the DOTL portal, or a CSR-based (Certificate Signing Request) method for organisations that prefer to generate keys locally. Both produce valid G3 certificates.

During the transition window between T0 and T2, Access Points must implement dual-capability. Outgoing messages should be signed with the G3 certificate, but the AP must also validate incoming messages that may still carry G2 signatures from other providers who have not yet completed their switch. This bidirectional tolerance is what keeps the network running smoothly during the migration.

Service Metadata Publishers (SMPs) have their own obligation: metadata records must be re-signed with G3 certificates so that other Access Points can discover and trust them. Conformance testing via the Peppol Testbed is mandatory before any provider can request production-grade G3 certificates.

Does this affect businesses using Peppol?

Businesses that send and receive e-invoices via Peppol do not manage certificates themselves - that is handled entirely by their Access Point provider. So in principle, this migration is invisible to end users. Your invoices will continue to flow as normal, provided your AP completes the switch on time.

The risk, however, is real. If your Access Point provider fails to migrate by 1 April 2026, your e-invoicing traffic stops. No outgoing invoices, no incoming invoices, no workaround. For businesses in countries where Peppol-based e-invoicing is mandatory - Belgium, Singapore, and others - this could mean non-compliance with legal obligations.

Check with your provider directly. Ask whether they have completed G3 conformance testing and whether they hold production G3 certificates. If you are in the process of selecting a new provider through the vendor directory, G3 readiness should be a qualifying criterion.

What other infrastructure changes are happening alongside?

The certificate migration is not happening in isolation. The SML (Service Metadata Locator) - the DNS-based lookup mechanism that allows Access Points to find each other - is also undergoing a change. The legacy method used CNAME DNS records, but as the network has grown to over 2.5 million participants, the number of CNAME entries became unwieldy.

As of 1 February 2026, CNAME lookups were fully deprecated and NAPTR DNS records are now the sole lookup method. NAPTR is better suited to large-scale service discovery and reduces the DNS footprint significantly. Access Points that had not already migrated their SML integration to NAPTR before that date would have experienced lookup failures.

Together, the G3 PKI migration and the NAPTR switch represent a significant modernisation of Peppol's underlying infrastructure. Neither changes how e-invoicing works from a business perspective, but both are essential to keeping the network secure and scalable as adoption accelerates worldwide.