phoss SMP must cryptographically sign its responses to prove its identity to clients. Signatures use the private key in the SMP keystore. Clients verify the signature against the Peppol PKI certificate chain using the truststore.
SMP keystore
The keystore holds the SMP’s private key and its certificate issued by the Peppol CA (or your own CA for test environments).
smp.keystore.type = pkcs12
smp.keystore.path = keystore/smp.p12
smp.keystore.password = changeit
smp.keystore.key.alias = smp keypair
smp.keystore.key.password = changeit
| Property | Description |
|---|---|
| smp.keystore.type | Keystore format. Accepted values: pkcs12, jks, bcfks. Defaults to jks when not set. |
| smp.keystore.path | Path to the keystore file. Can be a classpath resource or an absolute file path. |
| smp.keystore.password | Password to open the keystore. |
| smp.keystore.key.alias | Alias of the private key entry inside the keystore. |
| smp.keystore.key.password | Password for the private key entry. |
The keystore must contain exactly one certificate. The key password and keystore password must be identical. Using different passwords will cause startup failures.
| Format | Extension | Notes |
|---|---|---|
| pkcs12 | .p12, .pfx | Recommended. Industry standard, widely supported. |
| jks | .jks | Java KeyStore. Legacy format; still fully supported. |
| bcfks | .bcfks | Bouncy Castle FIPS keystore. Use only when required by your security policy. |
SMP truststore
The truststore contains the Peppol CA root and intermediate certificates used to validate participant certificates when processing inbound requests.
smp.truststore.type = pkcs12
# Pilot (test) environment
smp.truststore.path = truststore/2025/smp-test-truststore.p12
# Production environment
# smp.truststore.path = truststore/2025/smp-prod-truststore.p12
smp.truststore.password = peppol
| Property | Description |
|---|---|
| smp.truststore.type | Truststore format: pkcs12, jks, or bcfks. |
| smp.truststore.path | Classpath resource or absolute path to the truststore. The default Peppol truststores are bundled in peppol-commons.jar. |
| smp.truststore.password | Password to open the truststore. The bundled Peppol truststores use peppol. |
Bundled Peppol truststores
The peppol-commons library ships two truststores that are available on the classpath:
| Environment | Path |
|---|---|
| Pilot (test) | truststore/2025/smp-test-truststore.p12 |
| Production | truststore/2025/smp-prod-truststore.p12 |
Always use the pilot truststore in test environments and the production truststore when connecting to the live Peppol network. Mixing them will cause certificate validation failures.
Peppol PKI certificate requirements
To run on the live Peppol network your SMP certificate must:
- Be issued by the Peppol CA for your environment (pilot or production).
- Have the correct SMP subject distinguished name assigned to your SMP.
- Be valid (not expired, not revoked).
Contact your Peppol Authority to obtain an SMP certificate.
Directory client keystore
When the Peppol Directory integration is enabled, the pdclient.* properties configure the TLS client certificate used by the Directory client. By default these mirror the SMP keystore properties using property interpolation.
pdclient.keystore.type = ${smp.keystore.type}
pdclient.keystore.path = ${smp.keystore.path}
pdclient.keystore.password = ${smp.keystore.password}
pdclient.keystore.key.alias = ${smp.keystore.key.alias}
pdclient.keystore.key.password = ${smp.keystore.key.password}
pdclient.truststore.type = ${smp.truststore.type}
pdclient.truststore.path = ${smp.truststore.path}
pdclient.truststore.password = ${smp.truststore.password}
You can override any of these to use a separate certificate for Directory communication if required by your setup.
SMP client truststore
The smpclient.* properties configure the truststore used when your SMP server acts as an SMP client (for example, during remote query operations).
smpclient.truststore.type = ${smp.truststore.type}
smpclient.truststore.path = ${smp.truststore.path}
smpclient.truststore.password = ${smp.truststore.password}
These also default to the SMP truststore values via interpolation.
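The rules above (accepted store types, identical keystore and key passwords, no mixing of pilot and production truststores) can be checked before startup. The following is an added example, not part of phoss SMP: the function names are hypothetical, the sample configuration is constructed, and comparing store types case-insensitively is an assumption.

```python
import re

ACCEPTED_TYPES = {"pkcs12", "jks", "bcfks"}  # values listed on this page
BUNDLED = {"pilot": "truststore/2025/smp-test-truststore.p12",  # paths from this page
           "production": "truststore/2025/smp-prod-truststore.p12"}

def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, seen=()):
    """Expand ${other.key} references; undefined references stay as written."""
    if key in seen:
        raise ValueError("circular reference via " + key)
    def expand(match):
        ref = match.group(1)
        return resolve(props, ref, seen + (key,)) if ref in props else match.group(0)
    return re.sub(r"\$\{([^}]+)\}", expand, props[key])

def lint(text, environment):
    """Return rule violations as strings; an empty list means no finding."""
    props = parse_properties(text)
    def value(key, default=None):
        return resolve(props, key) if key in props else default
    findings = []
    for key, default in (("smp.keystore.type", "jks"), ("smp.truststore.type", None)):
        kind = value(key, default)  # keystore type falls back to jks when unset
        if kind is not None and kind.lower() not in ACCEPTED_TYPES:
            findings.append(key + ": not one of pkcs12, jks, bcfks")
    if value("smp.keystore.password") != value("smp.keystore.key.password"):
        findings.append("smp.keystore.key.password: differs from smp.keystore.password")
    other = BUNDLED["production" if environment == "pilot" else "pilot"]
    for prefix in ("smp", "pdclient", "smpclient"):  # checked after interpolation
        if value(prefix + ".truststore.path") == other:
            findings.append(prefix + ".truststore.path: bundled truststore of the other environment")
    return findings

# Constructed sample, not a real deployment: a pilot setup with two mistakes.
SAMPLE = """
smp.keystore.password = ks-secret
smp.keystore.key.password = key-secret
smp.truststore.path = truststore/2025/smp-test-truststore.p12
pdclient.truststore.path = ${smp.truststore.path}
smpclient.truststore.path = truststore/2025/smp-prod-truststore.p12
"""
```

Calling `lint(SAMPLE, "pilot")` reports the password mismatch and the overridden `smpclient.truststore.path`; the interpolated `pdclient.truststore.path` resolves to the pilot truststore and passes.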