Concept Definition

What is PKI in e-invoicing?

PKI (Public Key Infrastructure) is the framework of policies, procedures, hardware, software, and standards used to create, manage, distribute, and revoke digital certificates and cryptographic keys. In e-invoicing, PKI underpins digital signatures, electronic seals, mutual TLS authentication, and certificate-based identity verification.

What are the key components of a PKI?

A PKI consists of:

  • Certificate Authority (CA): Issues digital certificates after the identity of the certificate holder has been verified, and revokes them when the key is compromised or the identity no longer applies.
  • Registration Authority (RA): Verifies identity on behalf of a CA before certificate issuance; it does not sign certificates itself.
  • Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP): Mechanisms for checking whether a certificate has been revoked before its expiry date. A verifier that skips this check will accept signatures made with a compromised key.
  • Digital certificate: Binds a public key to the identity of its holder (the subject) for a stated validity period. It is signed by the CA, so anyone who trusts the CA can trust the binding.
  • Key pairs: A public key (shareable, embedded in the certificate) and a private key (kept secret by the holder). The private key creates signatures; the public key verifies them.

Frequently Asked Questions

How does PKI support e-invoice integrity?
The invoice issuer computes a hash of the invoice and signs it with their private key. The recipient verifies the signature with the public key contained in the issuer's certificate, then checks the certificate itself: its CA signature (and any intermediate certificates) must chain up to a CA the recipient trusts, it must be within its validity period, and it must not appear as revoked. If all checks pass, the recipient knows the invoice has not been altered since it was signed (integrity) and that it was signed by the holder of the certified key (authentication). Any change to the invoice bytes, even a single digit in the amount, makes the signature fail.

What is a self-signed certificate?
A self-signed certificate is not issued by a trusted CA; the entity signs its own certificate with its own private key. It carries no third-party assurance of identity, so PKI systems do not trust it by default: a signature made with the key may verify, but the certificate fails chain validation. Self-signed certificates are therefore not acceptable for qualified signatures or Peppol Access Point authentication.
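The signing and verification flow from the integrity question, together with the self-signed failure case, as an added Go example that is not code from the original page or from any e-invoicing product. It uses only the Go standard library to build a throwaway CA, issue a supplier certificate from it, sign an invoice and run the recipient-side checks. The names "Example Invoicing CA" and "Acme Supplier Ltd", the invoice JSON, the revocation list and all function names are constructed for the example; the revocation list is a stand-in for a CRL or OCSP lookup, which the standard library does not perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for pub with subject cn, signed by parentKey. With
// parent == nil it is self-signed (parentKey is then the holder's own key).
func makeCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

// SignInvoice: the issuer signs SHA-256(invoice) with its private key.
func SignInvoice(invoice []byte, key *ecdsa.PrivateKey) []byte {
	digest := sha256.Sum256(invoice)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyInvoice runs the recipient-side checks in order: the issuer's certificate
// chains to a trusted root (validity period included), it is not revoked, and the
// signature matches the invoice bytes. revoked stands in for a CRL/OCSP lookup.
func VerifyInvoice(invoice, sig []byte, cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(invoice)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match invoice")
	}
	return nil
}

// Scenarios builds a hypothetical CA and supplier and returns VerifyInvoice's
// outcome for a valid, a tampered, a revoked and a self-signed case.
func Scenarios() map[string]error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	supplierKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert := makeCert("Example Invoicing CA", true, &caKey.PublicKey, nil, caKey)
	supplierCert := makeCert("Acme Supplier Ltd", false, &supplierKey.PublicKey, caCert, caKey)
	selfSigned := makeCert("Acme Supplier Ltd", false, &supplierKey.PublicKey, nil, supplierKey)
	roots := x509.NewCertPool() // the recipient's trust store holds only the CA
	roots.AddCert(caCert)
	invoice := []byte(`{"id":"INV-2024-001","total":"1250.00 EUR"}`) // constructed sample
	sig := SignInvoice(invoice, supplierKey)
	return map[string]error{
		"valid":       VerifyInvoice(invoice, sig, supplierCert, roots, nil),
		"tampered":    VerifyInvoice([]byte(`{"id":"INV-2024-001","total":"9250.00 EUR"}`), sig, supplierCert, roots, nil),
		"revoked":     VerifyInvoice(invoice, sig, supplierCert, roots, map[string]bool{supplierCert.SerialNumber.String(): true}),
		"self-signed": VerifyInvoice(invoice, sig, selfSigned, roots, nil),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-12s %v\n", name, err)
	}
}
```

The self-signed case is the instructive one: the signature was made with the same key and would verify on its own, but the recipient rejects the invoice because the certificate does not chain to anything in its trust store. The order of checks also matters in practice: chain validation and revocation come before the signature check, so an attacker cannot make a verifier do signature work on behalf of a certificate it should not trust.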

Related Concepts

Related Regulations

Related Use Cases