eSEAL Certificate Procurement Guide
Warning: This guide assumes a basic understanding of digital certificates and PKI (public key infrastructure, private/public key pairs). If you are not familiar with these, please familiarise yourself with them before proceeding with this guide.
The iSHARE Framework requires participants who take part in machine-to-machine (M2M) communication (for instance, the consumption of APIs) to use advanced or qualified eIDAS eSeals (as stated in the admission criteria). This repository explains how qualified and advanced eIDAS eSeals can be purchased and used in the context of the iSHARE Framework. It also collects first-hand experiences with qualified eSeal providers, with the aim of lowering the barrier to procuring and using eIDAS eSeals.
Choosing the right Certificate Authority and the right issuer
The complete list of all eIDAS-qualified eSeal providers is available from the EU eIDAS trust services browser.
If the link above does not automatically bring you to the list of eIDAS eSeal providers, browse to https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/tls and start your search from there.
Delivery methods of eSeals
Qualified eSeals
An eSeal consists of a certificate (containing the public key) and the corresponding private key. For qualified eSeals, the private key is held in, and can only be used through, a Qualified Electronic Seal Creation Device (QESCD). These devices come in the form of:
USB-tokens
Smartcards
HSMs (Hardware Security Modules)
If you plan to use a qualified eSeal, make sure that your application can drive the QESCD (typically through a PKCS#11 or vendor-specific interface) to seal communication (iSHARE JWTs). With qualified eSeals, the private key is never delivered as a file and cannot be exported from the device, so every sealing operation has to go through it.
Advanced eSeals
Some parties also provide eIDAS advanced eSeals. For these, the private key can be delivered as a file together with the certificate, or, preferably, the CA issues the certificate from a Certificate Signing Request (CSR): you generate the key pair yourself, send only the CSR (which carries the public key) to the CA, and the private key never leaves your system.
Make sure you will be able to use the eSeal
Before ordering and paying for a certificate, make sure that you are able to use the eSeal in your application: either by driving the QESCD to seal (qualified eSeals) or by sealing with the private key file (advanced eSeals). The eSeal must be configured into your application with the security measures your organisation's security policy requires; at a minimum, the private key file must be readable only by the service that seals with it. If you plan to use a (cloud-based) Hardware Security Module (HSM) or vault, check the provider's manual for the recommended way to generate the key and request the certificate through its built-in mechanisms, so that the private key is created inside the HSM and is never exported.
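The dry run below is an added example and is not code from the iSHARE repository. It exercises the file-based sealing path for an advanced eSeal with nothing but OpenSSL: it generates a throwaway key pair and a self-signed test certificate as a stand-in for the CA-issued eSeal, seals a JWT shaped like an iSHARE client assertion, and verifies it against the certificate. The token shape (RS256, an `x5c` header carrying the certificate, `exp` thirty seconds after `iat`) is taken from the iSHARE specification rather than from this page, and the issuer and audience identifiers are placeholders. If this works with the test material, swapping in the CA-issued key and certificate is all that remains.

```shell
#!/bin/sh
# Added example, not code from the iSHARE repository: dry run of the
# file-based sealing path for an advanced eSeal using only OpenSSL.
# Assumptions (from the iSHARE specification, not from this page): RS256,
# an "x5c" header carrying the certificate, and exp = iat + 30 seconds.
set -eu

# base64url without padding, as JWT segments require
b64url() {
    openssl base64 -A | tr -- '+/' '-_' | tr -d '='
}

# make_test_material DIR -> DIR/test.key (mode 0600) and DIR/test.crt,
# a self-signed stand-in for the CA-issued eSeal certificate
make_test_material() {
    mkdir -p "$1"
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=NL/O=Example Organisation B.V./CN=Example Organisation B.V." \
        -keyout "$1/test.key" -out "$1/test.crt" 2>/dev/null)
}

# seal_jwt KEY CRT ISS AUD -> prints header.payload.signature on stdout
seal_jwt() {
    key="$1"; crt="$2"; iss="$3"; aud="$4"
    # x5c carries the DER certificate in plain base64 (not base64url)
    x5c=$(openssl x509 -in "$crt" -outform DER | openssl base64 -A)
    now=$(date +%s)
    header=$(printf '{"alg":"RS256","typ":"JWT","x5c":["%s"]}' "$x5c" | b64url)
    payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","jti":"%s","iat":%s,"exp":%s}' \
        "$iss" "$iss" "$aud" "$(openssl rand -hex 16)" "$now" "$((now + 30))" | b64url)
    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
    sig=$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -sign "$key" -binary | b64url)
    printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_jwt JWT CRT -> 0 if the signature verifies under CRT's public key
verify_jwt() {
    jwt="$1"; crt="$2"
    signing_input=${jwt%.*}          # header.payload
    sig=${jwt##*.}
    sigfile=$(mktemp); pubfile=$(mktemp)
    # undo base64url and restore the padding the JWT stripped
    printf '%s' "$sig" | tr -- '-_' '+/' \
        | awk '{ n = length($0) % 4; if (n) $0 = $0 substr("==", 1, 4 - n); print }' \
        | openssl base64 -d -A > "$sigfile"
    openssl x509 -in "$crt" -pubkey -noout > "$pubfile"
    if printf '%s' "$signing_input" \
        | openssl dgst -sha256 -verify "$pubfile" -signature "$sigfile" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$sigfile" "$pubfile"
    return $rc
}

# Stand-alone run: sh seal_check.sh run   (identifiers below are placeholders)
if [ "${1:-}" = "run" ]; then
    make_test_material ./dryrun
    token=$(seal_jwt ./dryrun/test.key ./dryrun/test.crt example-client example-server)
    verify_jwt "$token" ./dryrun/test.crt && echo "sealing path works: $token"
fi
```

The verification step deliberately decodes the token from scratch instead of trusting the values still held in shell variables; that is the same check the receiving iSHARE party performs, so a failure here means the key and certificate do not belong together or the encoding is wrong.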
Country/Certificate Authority specific guide
The process to obtain an eSeal from a specific CA is listed below, by CA name. Each CA or user must add their own process documentation, along with country specifics where applicable, to their own folder.
The Netherlands
Generating a CSR when requested by your Certificate Authority
Often, when requesting the certificate in file format (for advanced eSeals), the requestor is required to provide a Certificate Signing Request (CSR) to the issuing CA. The CSR contains the public key and the requested subject details, signed with the private key as proof of possession; the private key itself stays on your system and must never be shared with anyone, the CA included.
Generating a CSR to be sent to your CA
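The script below is an added example and is not code from the iSHARE repository. It generates the private key and CSR for an advanced eSeal with OpenSSL so that the key never leaves your system, and then checks the CSR before it is sent: that its self-signature verifies and that the public key inside it is the one belonging to the private key you intend to keep. The subject values and the 3072-bit key size are placeholders and assumptions; use exactly the fields and minimum key length your CA asks for, since the CA validates the organisation details against official registers itself.

```shell
#!/bin/sh
# Added example, not code from the iSHARE repository: generate the private
# key and CSR for an advanced eSeal with OpenSSL and check the CSR before
# sending it. Subject values and key size are placeholders/assumptions.
set -eu

# gen_csr OUTDIR -> OUTDIR/eseal.key (mode 0600) and OUTDIR/eseal.csr
gen_csr() {
    outdir="$1"
    mkdir -p "$outdir"
    # umask 077 makes the key file owner-only from the first byte written
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$outdir/eseal.key" 2>/dev/null)
    # The CSR holds the public key and subject only, self-signed with the
    # private key as proof of possession; this is all the CA needs.
    openssl req -new -sha256 -key "$outdir/eseal.key" \
        -subj "/C=NL/O=Example Organisation B.V./CN=Example Organisation B.V." \
        -out "$outdir/eseal.csr"
}

# verify_csr CSR KEY -> 0 if the CSR's self-signature verifies and its public
# key is the one derived from KEY (catches a CSR made from the wrong key)
verify_csr() {
    csr="$1"; key="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# key_mode KEYFILE -> octal permission bits, e.g. 600 (GNU stat, then BSD stat)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run: sh gen_csr.sh run
if [ "${1:-}" = "run" ]; then
    gen_csr ./csr-out
    verify_csr ./csr-out/eseal.csr ./csr-out/eseal.key
    echo "key mode: $(key_mode ./csr-out/eseal.key); send ./csr-out/eseal.csr to the CA"
    openssl req -in ./csr-out/eseal.csr -noout -subject   # review the subject before sending
fi
```

Only `eseal.csr` goes to the CA. Keep `eseal.key` with the owner-only permissions the script sets, back it up only into storage your security policy allows for key material, and compare the certificate you get back against the key with the same public-key fingerprint check before deploying it.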