Order a certificate – foreign business

This page applies to businesses without a Norwegian organisation number, or a NUF (Norwegian-registered foreign business) without a Norwegian representative who can administer the integration via Samarbeidsportalen (which requires logging in with MinID).

For these businesses, an eSeal certificate issued by a CA that is on the EU trusted lists (EUTL) is required.

If you encounter unfamiliar terms such as eSeal, TSP, QSCD or soft token, see Terms further down.

Which certificate you need

You need a business certificate that can create an advanced electronic seal (eSeal, Advanced Electronic Seal/AdESeal) as defined by eIDAS. Three requirements must be met:

The certificate can be used to create at least an advanced eSeal.
The issuer's CA certificate is listed as an active trust service in one of the national trusted lists in the EU (EUTL).
Note: an issuer can have several CA certificates, and it is not guaranteed that all are listed on the EUTL. This must therefore be verified for the specific product.
The private key can be held as a soft token. You provide the public key via a CSR, or you receive a .p12/.pfx file. There is no requirement that the key must reside in dedicated hardware.

The certificate must contain an organisation identifier (organizationIdentifier in the certificate's Subject). This is the value that Maskinporten (and Norwegian Customs) uses to identify your business. The value itself typically comes from the information you provide in the order, and is confirmed when the business is identified.

An advanced eSeal is sufficient for Maskinporten. A qualified eSeal is also fine if the key is delivered as a soft token. See also What you should not order.

See also the source documentation from Digdir on how European eSeals work with Maskinporten.

What you should not order

It is easy to choose the wrong product. Here are a couple to avoid:

eSignature or other personal certificate. These identify a person. You need an eSeal, which identifies the business (a legal person).
A qualified eSeal that requires a QSCD. A qualified eSeal often forces the private key into a certified hardware device (HSM or smart card), which rules out the soft token flow. What you must avoid is the QSCD requirement, not qualified in itself: a qualified certificate is fine as long as the key is delivered as a soft token.
TLS/SSL or code-signing certificate. The wrong type of certificate for this purpose.

Issuers

eSeal certificates are available from many trust service providers in the EU. The table below is a short list of issuers known to offer an advanced eSeal with a soft token. The list is not exhaustive and is not a recommendation from Norwegian Customs. If you need other options, you can search for providers by country and service type in the EU's Trusted List Browser (the eIDAS dashboard). Offerings and product names change, so always confirm with the issuer.

Issuer	Product	Covers	Key generated by	Note
Buypass	QC eSeal	Nordics and Baltics	You (CSR) or issuer (.p12)	–
Commfides	Standard eSegl Virksomhetssertifikat	Europe	Issuer (.p12)	–
DigiCert	EU Qualified eSeal	Europe	You (CSR)	Only via European CertCentral.
GlobalTrust	GlobalTrust Advanced Seal	Europe	You (CSR) or issuer (.p12)	–
D-Trust	Seal ID	Europe	You (CSR) or issuer (.p12)	Ordered via Certificate Service Manager (CSM) or a reseller.
Sectigo	eIDAS sealing certificate	Europe	You (CSR)	–
ADACOM	Advanced (Soft) eSeal for Legal Person	Europe	You (CSR)	Requires a signature certified by a notary public

If the key is to be generated by you (via CSR), this is an extra technical step you can read about under Creating a CSR.

Product pages are often ambiguous, and a product is frequently marketed as a “Qualified eSeal” even when an advanced variant exists. The safest approach is to ask the issuer to confirm in writing that you are getting a certificate for an advanced eSeal (without QSCD) for a legal person, where the private key can be held as a soft token.

Typical ordering process

The details vary between the issuers, but the process is essentially as follows:

Choose an issuer and product. See Issuers, and confirm with the issuer that the product meets the requirements (Which certificate you need). See also What you should not order.
Identification and verification of the business. The issuer must verify the identity of the legal entity. Usually this requires a register extract from the business register in the home country and a person who can represent the business (with signing rights or power of attorney). In addition, an identity check is often carried out by phone or video. This step usually takes the longest, from a few days to several weeks.
Generate a key and CSR. If the issuer uses CSR-based issuance, you generate the key pair and a CSR yourself (see Creating a CSR). The CSR is included in the order in the next step. Some issuers generate the key pair for you. In that case you do not need a CSR, but receive the key from the issuer once the order has been processed.
Submit the order and pay. Submit the order or the CSR via the issuer's portal, and complete payment.
Receive or retrieve the certificate and key. You obtain the certificate either by downloading it (including the private key if you did not use a CSR), or by having it sent to an address you provide in the order.
Continue with onboarding. Once you have the certificate, proceed to Onboarding to register and start using the certificate with Maskinporten.

Creating a CSR

A CSR (Certificate Signing Request) lets the issuer create a certificate without seeing your private key. You generate a key pair locally (a private key and a public key) and send the CSR to the issuer. The main purpose of the CSR is to convey the public key. It also contains a subject with information about the business, but the issuer normally sets these themselves based on the order and the verification of the business. The values you put in the CSR yourself are therefore mostly just a starting point.

The private key stays with you. This is the key that proves it is your business authenticating with Maskinporten. Anyone with access to the private key can in practice act on behalf of the business, so the file must be kept secret and looked after carefully.

The example below shows how to create a CSR using OpenSSL, but many tools can be used for this. Use the key type, key length and any other instructions your issuer specifies.

# Generate a private key (keep this file secret).
# RSA 3072 shown here; some issuers accept or require RSA 2048 or ECDSA P-256.
openssl genrsa -out eseal.key 3072

# Create the CSR from the key. Use the subject fields the issuer asks for.
openssl req -new -key eseal.key -out eseal.csr \
  -subj "/C=SE/O=Example Legal Entity AB/CN=Example Legal Entity AB"

# Check the CSR before submitting it.
openssl req -in eseal.csr -noout -text

Upload eseal.csr to the issuer. After issuance you receive the certificate itself (.cer/.pem), which belongs together with eseal.key.

Terms

A quick reference for the terms that come up with the issuers.

Advanced vs. qualified: An advanced eSeal is the minimum requirement. A qualified eSeal provides an even higher level of security, but usually requires a QSCD, and should therefore be avoided here, unless the key can be delivered as a soft token.
CA / CA certificate: Certificate Authority: the service within a TSP that issues and signs certificates. On a trusted list, each service is identified by its CA certificate (its "service digital identity"), so trust is determined by whether the specific CA certificate is listed, not merely by whether the company is a known provider.
CSR: Certificate Signing Request. The way you send the issuer the public key and the information about the business, without revealing the private key (see Creating a CSR).
eIDAS: The EU regulation on electronic identification and trust services. It defines electronic seals (eSeals) and signatures, the assurance levels (advanced/qualified), and the EU trusted-list framework.
eSeal: An electronic seal created by a business (legal person), as defined by eIDAS. In contrast to an eSignature, which belongs to an individual. An eSeal is the seal itself, not a certificate.
eSeal certificate: The certificate you order, used to create an eSeal. This is what you actually need to authenticate the business with Maskinporten.
EUTL / LOTL: EU Trusted Lists: the collection of the member states' national trusted lists, where trust services and their issuing CA certificates are published. The central index of these national lists is the LOTL (List of Trusted Lists), maintained by the European Commission. Your issuer's CA certificate must appear here.
QSCD: A certified hardware device for the private key (HSM or smart card). If a product requires a QSCD, you cannot hold the key as a soft token, and the product is not suitable here.
Soft token: The private key resides in software (for example a .p12 file), in contrast to a hard token, where the key is bound to dedicated hardware (QSCD/HSM). For practical authentication with Maskinporten you need a soft token, since it offers fast and unlimited signing.
TSP / QTSP: A Trust Service Provider (TSP) is the organisation that issues your certificate; a QTSP is a qualified TSP. The TSP operates the Certificate Authority (CA) that signs your eSeal.

Next: Onboarding