Align TLS certificate policy with AORTA/LSP — OAuth2 endpoints should use public certificates #4156

@reinkrul

Description

Background

In the project-gf Docker image, we add custom CA certificates to support PKIoverheid Private certificates used by LSP parties. Recently, AORTA-GtK switched their OAuth2 issuer from a Sectigo public certificate to a PKIoverheid Private Services certificate (see commit d646c43). This was reflected in the ca-certificates bundle we ship.

The policy tension

The Nuts convention is:

  • OAuth2 / authorization endpoints → public certificate (so non-Nuts issuers/holders/verifiers can resolve DID documents without needing to trust PKIo roots)
  • Data endpoints → PKIoverheid Private certificate

AORTA-GtK now uses a PKIo Private cert on their OAuth2 issuer, which deviates from this convention. This probably happened due to miscommunication somewhere.

Update: it appears AORTA-GtK is actually still using the Sectigo certificate on at least one endpoint: https://ontmedmij-inlog.vzvz.nl/aortagtk/token/v1/00002727. So the situation may be mixed — some endpoints on PKIo Private, some still on Sectigo public. This makes it unclear whether the switch is complete or intentional, and warrants confirmation from AORTA-GtK about which certificate will be used on which endpoints going forward.

Short-term workaround

For LSPxNuts/project-gf: add the relevant PKIo Private CA certificates to the Docker image (already done in d646c43). Since at least one endpoint still uses Sectigo, we need to keep both CA chains in the image for now.

Suggested follow-up

Align on and enforce the certificate policy:

  • OAuth2 / discovery endpoints should use publicly trusted certificates so that parties outside the Nuts network can interact without PKIo trust anchors.
  • Confirm with AORTA-GtK which certificate is used on which endpoint, and whether the PKIo Private cert on the OAuth2 issuer is intentional or a misconfiguration.
  • Communicate this requirement clearly to LSP parties (e.g. AORTA-GtK) so they can correct the certificate on their OAuth2 issuer.
  • Evaluate whether our Docker image should continue to bundle PKIo Private CAs long-term, or whether this should remain an exceptional workaround.
