Order your EU Qualified eSeal PSD2 certificate
An EU Qualified eSeal PSD2 certificate is an eIDAS certificate issued to an organisation and used to meet the requirements of the Payment Services Directive 2 (PSD2). You can get one that applies Qualified electronic seals (QCP-l-qscd) or advanced electronic seals (QCP-l).
The EU Qualified eSeal PSD2 certificate is only available in DigiCert's European instance of CertCentral, where we store your data in our Europe data centers. To learn more about DigiCert's privacy policy and data collection, see EU (eIDAS) products.
Before you begin
When ordering your EU Qualified eSeal certificate, you must choose your provisioning method and certificate use. The provisioning method refers to where you will store the certificate's private key. The certificate use refers to what you want to use the certificate for.
Key provisioning methods and associated certificate uses
Qualified signature/seal creation device (QSCD) key provisioning method
Certificate uses: Apply Qualified electronic signatures.
DigiCert generates the private key on the QSCD hardware token and ships it to you.
Use the DigiCert Trust Assistant to initialize the token and install the certificate on it.
Certificate signing request (CSR) key provisioning method
Certificate uses: Apply advanced electronic signatures
Submit the CSR with your order. You are responsible for storing the certificate's private key in a secure location.
Your CSR must use the RSA algorithm; the ECC algorithm is not supported. For certificates to remain secure, the CSR must use keys at least 2048 bits in length. See Create a CSR (Certificate Signing Request).
DigiCert only uses the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored.
DigiCert emails you a copy of your certificate.
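A pre-submission check for the CSR requirements above (RSA only, at least 2048 bits, NEW CERTIFICATE REQUEST tags), written with the OpenSSL command line. This is an added example, not DigiCert's tooling; the file paths and the placeholder subject are assumptions.

```shell
#!/bin/sh
# Added example: pre-submission check for a CSR. Paths and the subject
# are constructed placeholders, not values from DigiCert.

# Create an RSA key and a CSR whose PEM tags read NEW CERTIFICATE REQUEST.
# -newhdr adds NEW to the tags; the subject is a placeholder because only
# the public key in the CSR is used. The key stays on this host.
make_csr() {  # usage: make_csr <bits> <key-out> <csr-out>
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$1" \
    -out "$2" 2>/dev/null &&
  chmod 600 "$2" &&
  openssl req -new -newhdr -key "$2" -subj "/CN=placeholder" -out "$3"
}

# Print a verdict for a CSR file; the return code identifies the failed check.
check_csr() {  # usage: check_csr <csr-file>
  csr=$1
  if ! grep -qF -e '-----BEGIN NEW CERTIFICATE REQUEST-----' "$csr" 2>/dev/null ||
     ! grep -qF -e '-----END NEW CERTIFICATE REQUEST-----' "$csr" 2>/dev/null; then
    echo "missing NEW CERTIFICATE REQUEST tags"; return 1
  fi
  # The self-signature proves the requester holds the matching private key.
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "self-signature does not verify"; return 2
  fi
  text=$(openssl req -in "$csr" -noout -text) || return 2
  if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    echo "not an RSA key (ECC is not accepted)"; return 3
  fi
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "RSA key too small: ${bits} bits"; return 4
  fi
  echo "ok: RSA ${bits} bits"
}

# Check an existing CSR when a path is given on the command line.
if [ "$#" -eq 1 ]; then check_csr "$1"; fi
```
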
Organization validation
Before DigiCert can issue an EU Qualified eSeal certificate, DigiCert must validate the organization. Organization validation is valid for 825 days. See TLS certificate organization validation process.
If you add a new organization or an organization with expired validation, DigiCert completes the organization validation as part of the order process.
Order an EU Qualified eSeal PSD2 certificate
In the CertCentral (Europe) main menu, go to Request a Certificate > EU (EIDAS) > EU Qualified eSeal PSD2.
On the Request EU Qualified eSeal certificate page, in the For menu, select the division to manage the certificate.
The For menu only appears if your account uses Divisions.
Under Certificate Settings, select a Certificate validity period for the certificate: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.
Select the Key provisioning method for your EU Qualified eSeal certificate.
Qualified signature/seal creation device (QSCD)
Select this option to apply Qualified electronic seals, where your private key and certificate must be stored on a QSCD.
Then, select a Shipping Method (standard—included in the price or expedited—not included in the price), and under Shipping address, add your shipping information: recipient's name and the address where you want us to send the hardware token.
Note: DigiCert generates the private key on the QSCD hardware token and ships it to you. After we issue your certificate, return to CertCentral and use the DigiCert Trust Assistant to initialize and install your certificate on your token. More details in the Payment service provider roles and organization validation section below.
Provide certificate signing request (CSR)
Select this option to apply advanced seals, where you submit your CSR and are responsible for securely storing the certificate and its private key.
To add a CSR, select Upload a CSR or paste your CSR in the box on the request form. Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.
Certificate uses
EU Qualified Electronic Seal for PSD2
Get an eIDAS qualified certificate (QCP-l-qscd) issued to a Payment Service Provider (PSP) organisation and used to apply Qualified Electronic Seals (QSeal) that meet the requirements of the Payment Services Directive 2 (PSD2).
The only certificate use for the Qualified signature/seal creation device (QSCD) key provisioning method.
Advanced electronic seal
Get an eIDAS qualified certificate (QCP-l) issued to a Payment Service Provider (PSP) organisation and used to apply advanced electronic seals that meet the requirements of the Payment Services Directive 2 (PSD2).
The only certificate use for the Provide certificate signing request (CSR) key provisioning method.
Additional certificate options
In the menu, select the signature hash and signing algorithm you want DigiCert to use for your certificate:
sha256WithRSA
sha256WithRSAPSS
As a best practice, use the default RSA settings unless you have specific reasons for a different key size or signing algorithm, for example, when company policy requires an RSASSA-PSS signature.
Payment service provider roles
Under Payment service provider roles, select the roles that apply to the organization included in the certificate:
PSP-AS (account servicing)
A payment service provider who manages and maintains merchant accounts, ensuring compliance with industry standards
PSP-PI (payment initiation)
A payment service provider who initiates and processes payment transactions on merchants' behalf, ensuring secure and efficient transactions from initiation to settlement
PSP-AI (account information)
A payment service provider who provides merchants with access to their customers' account data, such as transaction history, balance, and account status, and may include services like account aggregation, data analytics, and reporting
PSP-IC (issuing of card-based payment instruments)
A payment service provider who creates and manages payment cards, such as credit or debit cards, on behalf of merchants, and may also include services like card management, cardholder authentication, and fraud detection
Under Certificate details, select Add an organization.
Add the information about the organization to be included on the certificate.
Add an existing organization
Select Existing Organization.
In the Organization menu, select the organization and then select Add.
If you choose an organization not validated for EU (eIDAS) certificates or the organization's validation has expired, DigiCert must validate the organization for EU (eIDAS) validation before issuing your certificate.
DigiCert automatically adds the contacts assigned to the organization. To view the organization and technical contacts, select Show organization contacts.
Add a new organization
Select New Organization.
Under Certificate details, enter the following information about the organization. This information appears on the certificate:
Field: Guidance
Legal name: Organization name exactly as it appears in corporate registries, such as local government registration records
Assumed name (optional): Assumed name or doing-business-as name. Adding an assumed name requires additional validation, which may delay organization validation and certificate issuance
Country: Country where the organization is legally located
City (optional): City where the organization is legally located
State / Province / Region: State, province, or region where the organization is legally located
Under Organization details, enter the following information and then select Add. This information is needed to validate the organization and does not appear on the certificate:
Field: Guidance
Address 1: The address where the organization is legally located
Address 2 (optional): Additional address information, such as a Suite number
Postal code (optional): Postal code where the organization is legally located
Country code: Country code for the organization's phone number
Phone number: Organization's phone number. DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. DigiCert verifies this phone number against online third-party address listing sources like Google Business. See TLS certificate organization validation process.
Under Contacts, select Add authorized representative.
Add at least one authorized representative. You can add up to 15.
Important
What is an authorized representative and why do I need to add one?
The authorized representative is in the company registry, represents the organization, and has the authority to approve your EU Qualified eSeal requests. Before DigiCert can issue your certificate, one of the authorized representatives in your request must approve the order.
DigiCert validates all the authorized representatives in your request. Then, we send them the approval email and wait for one of them to approve your order. Only after one of the representatives approves the order can DigiCert issue your certificate.
Add an existing authorized representative:
Select Existing contact.
In the Contacts menu, select the contact you want to use as the authorized representative for this request.
Notice
If you select a contact who is not an existing authorized representative, we must validate them.
Select Add.
Add a new authorized representative:
Select New contact.
Enter the contact's first and last name, job title, email address, and phone number.
Select Add.
Under Contacts, add the organization contact.
The organization contact is the person DigiCert contacts when validating the organization and verifying your authority to order a certificate. They may also receive order status updates and domain status updates for the organization.
When you add a new organization, DigiCert automatically adds the certificate requestor as the organization contact. When you add an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.
To use a different organization contact
Select the delete icon next to the automatically populated organization contact.
Select Add contact.
If you've already added an organization contact, select Add Organization Contact.
In the Add Contact window, in the Contact Type menu, select Organization Contact.
Add the contact:
Select Existing Contact. In the Contacts menu, select a contact.
Select New Contact, enter the contact's first and last name, job title, email address, and phone number.
Select Add.
Under Contacts, add the technical contact.
DigiCert may contact the technical contact for inquiries regarding certificate orders for the organization. The technical contact may receive certificate lifecycle emails: certificate issued, reissued, and expiring.
When adding an existing organization, DigiCert automatically adds the contacts assigned to that organization.
To use a different technical contact
Select the delete icon next to the automatically populated technical contact.
Select Add contact.
If you've already added an organization contact, select Add Technical Contact.
In the Add Contact window, in the Contact Type menu, select Technical Contact.
Add the contact:
Select Existing Contact. In the Contacts menu, select a contact.
Select New Contact, enter the contact's first and last name, job title, email address, and phone number.
Select Add.
Under Additional emails (optional), enter the email addresses of the people you want to receive certificate issuance, expiring certificate, and expiring order notifications.
Use a comma to separate addresses or enter them on separate lines. These recipients don't manage the order. They only receive certificate-related emails.
Under Additional order options, enter a renewal message if required.
Notice
Comments and renewal messages are not included in the certificate.
Under Payment information, select a payment method.
Read the Master Services Agreement and the Qualified Certificate Terms of Use and select the following options to continue:
I have read and agree with the Master Services Agreement.
I have read and agree with the Qualified Certificate Terms of Use that apply to the eIDAS, PKIoverheid, or Swiss Qualified Certificate requested.
Select Submit request.
CertCentral opens the certificate's Order # details page, where you can see the status of your certificate order.
Payment service provider roles and organization validation
Before we can issue your certificate, these tasks must be completed:
Confirm Payment service provider roles
DigiCert must confirm the Payment service provider roles to be included on your EU Qualified eSeal PSD2 certificate. For PSD2 certificates, DigiCert takes additional steps to verify specific attributes including name of the National Competent Authority (NCA), the PSD2 Authorisation Number or other recognized identifier, and PSD2 roles. These details are confirmed by DigiCert using authentic information from the NCA.
Complete organization validation
DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.
To get organization consent for your certificate order:
Answer the organization/validation phone call (preferred method).
After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered an EU Qualified eSeal PSD2 certificate.
Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.
This phone call usually takes place within 24 hours of the order being placed.
Respond to the organization consent message.
If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they will leave a message with a call-back phone number and a verification code.
Make sure that the organization or technical contact responds to the message and provides the verification code.
Certificate issuance
After validation is complete, DigiCert issues your certificate.
For a QSCD (Qualified Electronic Seal) certificate: DigiCert creates the private key on the hardware token and ships it to you. On the certificate's order details page, you can track the QSCD token shipment.
After receiving the QSCD and getting the PIN, return to CertCentral and download and install the DigiCert Trust Assistant. Use the DigiCert Trust Assistant to unlock and install the certificate on the QSCD token.
Why do I need to install DigiCert Trust Assistant?
The DigiCert Trust Assistant verifies that the public key in your certificate matches the private key in your QSCD token. If the keys don't match, the DigiCert Trust Assistant does not install the certificate on the token. See DigiCert Trust Assistant.
For a CSR (Advanced electronic seal) certificate: DigiCert emails you a copy of your certificate. You can also download a copy from CertCentral.
You can only use your certificate when it is installed on the computer where you generated the CSR and securely stored your private key.
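For the CSR path, you can run the same kind of key-match check that the DigiCert Trust Assistant performs for QSCD tokens before you install the emailed certificate. The script below is an added example using the OpenSSL command line, not DigiCert's tooling; the certificate and key paths are placeholders, and the key is assumed not to be passphrase-protected.

```shell
#!/bin/sh
# Added example: confirm an issued certificate belongs to the private key
# behind the CSR. Paths are placeholders supplied by the caller.

# Compare the public key in the certificate with the one derived from the
# private key. Returns 0 on match, 1 on mismatch, 2 on a read error.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Sign a constructed payload with the private key and verify it with the
# certificate's public key, as a relying party would when checking a seal.
seal_roundtrip() {  # usage: seal_roundtrip <cert.pem> <key.pem>
  work=$(mktemp -d) || return 2
  printf 'constructed test payload\n' > "$work/payload"
  openssl x509 -in "$1" -noout -pubkey > "$work/pub.pem" 2>/dev/null &&
  openssl dgst -sha256 -sign "$2" -out "$work/sig" "$work/payload" 2>/dev/null &&
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/sig" \
    "$work/payload" >/dev/null 2>&1
  rc=$?
  rm -rf "$work"
  return "$rc"
}

# Run both checks when a certificate and key path are given.
if [ "$#" -eq 2 ]; then
  if cert_matches_key "$1" "$2" && seal_roundtrip "$1" "$2"; then
    echo "certificate and private key match"
  else
    echo "certificate does not match this private key"
  fi
fi
```
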