Skip to main content

Order your EU Qualified eSeal PSD2 certificate

CertCentral Europe: Learn how to order an EU Qualified eSeal PSD2 certificate

An EU Qualified eSeal PDS2 certificate is an eIDAS certificate is issued to an organisation and used to meet the requirements of the Payment Services Directive 2 (PSD2). You can get one that applies Qualified electronic seals (QCP-l-qscd) or advanced electronic seals (QCP-l).

The EU Qualified eSeal PDS2 certificate is only available in DigiCert's European instance of CertCentral, where we store your data in our Europe data centers. To learn more about DigiCert privacy policy and data collection, see EU (eIDAS) products.

Before you begin

Key provisioning methods and associated certificate uses

When ordering your EU Qualified eSeal PDS2 certificate, you must choose your provisioning method and certificate use. The provisioning method refers to where you will store the certificate's private key. The certificate use refers to what you want to use the certificate for.

  • Qualified signature/seal creation device (QSCD) key provisioning method

    Certificate uses: Apply Qualified electronic signatures.

    • DigiCert generates the private key on the QCSD hardware token and ships it to you.

    • Use the DigiCert Trust Assistant to initialize your token and install your certificate on it. See Certificate issuance below.

  • Certificate signing request (CSR) key provisioning method

    Certificate uses: Apply advanced electronic signatures

    • Submit the CSR with your order. You are responsible for storing the certificate's private key in a secure location.

    • Your CSR must use the RSA algorithm, as the ECC algorithm is not supported. For certificates to remain secure, the CSR must use keys at least 2048 bits in length. Learn how to Create a CSR (Certificate Signing Request).

    • We only use the public key embedded in the CSR to create your certificate. All other fields in the CSR are ignored.

    • DigiCert emails you a copy of your certificate.

Organization validation

Before DigiCert can issue an EU Qualified eSeal PDS2 certificate, we must validate the organization. Organization validation is valid for 825 days. See How do we validate your organization.

If you add a new organization or an organization with expired validation, DigiCert will complete the organization validation as part of the order process.

Order an EU Qualified eSeal PSD2 certificate

  1. In CertCentral, in the left menu, go to Request a Certificate > EU (EIDAS) > EU Qualified eSeal PSD2.

  2. On the Request an EU Qualified eSeal PSD2 certificate page, in the For menu, select the division to manage the certificate.

    The For menu only appears if your account uses Divisions.

  3. Certificate validity

    In the Certificate Settings section, under Certificate validity, select a validity period for the certificate: 1 year, 2 years, 3 years, Custom expiration date, or Custom length.

  4. Key provisioning method

    Select the key provisioning method for your EU Qualified eSeal PSD2 certificate.

    The provisioning method refers to where you will store the certificate and its private key. The provisioning method determines what you can use the certificate for.

    • Qualified signature/seal creation device (QSCD)

      Select this option to apply Qualified electronic seals, where your private key and certificate must be stored on a QSCD.

      Then, select a Shipping Method (standard—included in the price or expedited—not included in the price), and under Shipping address, add your shipping information: recipient's name and the address where you want us to send the hardware token.

      Note: DigiCert generates the private key on the QCSD hardware token and ships it to you. After we issue your certificate, return to CertCentral and use the DigiCert Trust Assistant to initialize and install your certificate on your token. More details in the What's next section below.

    • Provide certificate signing request (CSR)

      Select this option to apply advanced seals, where you submit your CSR and are responsible for securely storing the certificate and its private key.

      To add a CSR, select Upload a CSR or paste your CSR in the box on the request form. Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

  5. Certificate uses

    1. EU Qualified Electronic Seal for PSD2

      Get an eIDAS qualified certificate (QCP-l-qscd) issued to a Payment Service Provider (PSP) organisation and used to apply Qualified Electronic Seals (QSeal) that meet the requirements of the Payment Services Directive 2 (PSD2).

      The only certificate use for the Qualified signature/seal creation device (QSCD) key provisioning method.

    2. Advanced electronic seal

      Get an eIDAS qualified certificate (QCP-l) issued to a Payment Service Provider (PSP) organisation and used to apply advanced electronic seals that meet the requirements of the Payment Services Directive 2 (PSD2).

      The only certificate use for the Provide certificate signing request (CSR) key provisioning method.

  6. Additional certificate options

    Signature Hash

    By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. We recommend using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires an RSASSA-PSS signature).

    In the menu, select the signature hash and signing algorithm you want DigiCert to use for your certificate:

    • sha256WithRSA

    • sha256WithRSAPSS

  7. Payment service provider roles

    Under Payment service provider roles, select the roles that apply to the organization included in the certificate:

    • PSP-AS (account servicing)

      A payment service provider who manages and maintains merchant accounts, ensuring compliance with industry standards

    • PSP-PI (payment initiation)

      A payment service provider who initiates and processes payment transactions on merchants' behalf, ensuring secure and efficient transactions from initiation to settlement

    • PSP-AI (account information)

      A payment service provider who provides merchants with access to their customers' account data, such as transaction history, balance, and account status, and may include services like account aggregation, data analytics, and reporting

    • PSP-IC (issuing of card-based payment instruments)

      A payment service provider who creates and manages payment cards, such as credit or debit cards, on behalf of merchants, and may also include services like card management, cardholder authentication, and fraud detection

  8. Certificate details

    Add the information about the organization to be included on the certificate. The organization is the holder of the certificate. Specific information about the organization will be included on the certificate.

    Add organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it gets added to your account.

    Under Certificate details, select Add an organization. In the Add organization window, complete the following task as needed:

    1. Add an existing organization

      1. Select Existing Organization.

      2. In the Organization menu, select the organization and then select Add.

        If you choose an organization not validated for EU (eIDAS) certificates or the organization's validation has expired, DigiCert must validate the organization for EU (eIDAS) validation before we issue your certificate.

      3. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. To see the organization and technical contacts, select Show organization contacts.

    2. Add a new organization

      1. Select New Organization.

      2. Certificate details

        This information appears on the certificate. Under Certificate details, enter the following information as needed:

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name (optional)

        Assumed name or doing business as name.

        Note: Adding an assumed name requires additional validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally located.

        City (optional)

        City where the organization is legally located.

        You do not have to include a city. You can leave this box empty.

        State / Province / Region

        State, province, region where the organization is legally located.

      3. Organization details

        This information is needed to validate the organization and will not appear on the certificate.

        Under Organization details, enter the following information as needed and then select Add.

        Address 1

        The address where the organization is legally located.

        Address 2 (optional)

        Additional address in formation, such as a Suite #.

        Postal code (optional)

        Postal code where the organization is legally located.

        Country code

        Country code for the organization's phone number

        Phone number

        Organization's phone number.

        Note: DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Learn how we confirm your authority.

  9. Contacts – Authorized Representative

    You can add an existing authorized representative or a new one. You must add at least one authorized representative to your certificate request. However, you can add up to 15.

    重要

    What is an authorized representative and why do I need to add one?

    The authorized representative is in the company registry, represents the organization, and has the authority to approve your EU Qualified eSeal PSD2 requests. Before DigiCert can issue your certificate, one of the authorized representatives in your request must approve the order.

    DigiCert validates all the authorized representatives in your request. Then, we send them the approval email and wait for one of them to approve your order. Only after one of the representatives approves the order can DigiCert issue your certificate.

    Under Contacts, select Add authorized representative. In the Add authorized representative window, complete the following task as needed:

    1. Add an existing authorized representative

      1. Select Existing contact.

      2. In the Contacts menu, select the contact you want to use as the authorized representative for this request.

        Note: If you select a contact who is not an existing authorized representative, we must validate them.

      3. Select Add.

    2. Add a new authorized representative

      1. Select New contact.

      2. Enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  10. Contacts – Organization Contact

    The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates for certificates requested for their organization and Domain status updates for domains associated with their organization.

    When you add a new organization, DigiCert automatically adds the certificate requestor as the organization contact. When you add an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different organization contact

    1. To delete the existing organization contact that is populated automatically for you, select the trashcan image.

    2. Select Add contact.

      If you've already added an organization contact, select Add Organization Contact.

    3. In the Add Contact window, in the Contact Type menu, select Organization Contact.

    4. Add the contact:

      1. Add an existing contact

        Select Existing Contact. In the Contacts menu, select a contact and then select Add.

      2. Add a new contact

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  11. Contacts – Technical Contact

    The technical contact is someone we may contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

    When adding an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different technical contact

    1. To delete the existing technical contact that is populated automatically for you, select the trashcan image.

    2. Select Add contact.

      If you've already added an organization contact, select Add Technical Contact.

    3. In the Add Contact window, in the Contact Type menu, select Technical Contact.

    4. Add the contact:

      1. Add an existing contact

        Select Existing Contact. In the Contacts menu, select a contact and then select Add.

      2. Add a new contact

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  12. Additional emails (optional)

    Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.

    These recipients don't manage the order. They only receive all the certificate-related emails.

  13. Additional order options – Order Specific Renewal Message

    To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal.

    Comments and renewal messages are not included in the certificate.

  14. Select payment method

    Under Payment information, select a payment method to pay for the certificate.

  15. Master Services Agreement and Qualified Certificate Terms of Use

    Read the Master Services Agreement and the Qualified Certificate Terms of Use and select the following options to continue:

    • I have read and agree with the Master Services Agreement.

    • I have read and agree with the Qualified Certificate Terms of Use that apply to the eIDAS, PKIoverheid, or Swiss Qualified Certificate requested.

  16. Select Submit request.

What's next

CertCentral takes you to the certificate’s Order # details page, where you can see the status of your certificate order.

Payment service provider roles and organization validation

Before we can issue your certificate, these tasks must be completed:

  1. Confirm Payment service provider roles

    DigiCert must confirm the Payment service provider roles to be included on your EU Qualified eSeal PSD2 certificate. For PSD2 certificates, DigiCert takes additional steps to verify specific attributes including name of the National Competent Authority (NCA), the PSD2 Authorisation Number or other recognized identifier, and PSD2 roles. These details are confirmed by DigiCert using authentic information from the NCA.

  2. Complete organization validation

    DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.

    To get organization consent for your certificate order:

    • ·Answer the organization/validation phone call (preferred method)*.

      • After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered an EU Qualified eSeal PSD2 certificate.

      • Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.

      • This phone call usually takes place within 24 hours of the order being placed.

    • Respond to the organization consent message.

      • If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they will leave a message with a call-back phone number and a verification code.

      • Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is complete, we will issue your certificate.

  • eIDAS Qualified certificate (QCP-n-qscd) to apply a Qualified Electronic Signature (QES)

    If you ordered an eIDAS Qualified certificate (QCP-n-qscd) to apply a Qualified electronic signature (QES), we create the private key on the hardware token and ship it to you. On your certificate's order details page, you can track your QSCD token shipment.

    After receiving your qualified signature/seal creation device (QSCD) and getting the PIN for it, return to CertCentral and download and install the DigiCert Trust Assistant. You must use the DigiCert Trust Assistant to unlock and install the certificate on your QSCD token.

    Why do I need to install DigiCert Trust Assistant?

    The DigiCert Trust Assistant ensures that the public key in your certificate matches the private key in your QSCD token. If the keys don’t match, DigiCert Trust Assistant won’t install the certificate on the token, adding another layer of security to your certificate process. Learn more about the DigiCert Trust Assistant.

  • Advanced certificate: Apply advanced electronic signature

    If you ordered an eIDAS Qualified certificate (QCP-n) to apply an advanced electronic signature, we email you a copy of your certificate. You can also download a copy of the certificate from CertCentral.

    Note: You can only use your certificate when installed on the computer/device where you generated the CSR and securely stored your private key.