Certificate Management
The provider for the CDR Certificate Authority, DigiCert, will decommission the current certificate management system on 1 October 2025. It is being replaced by a new platform, DigiCert ONE. To maintain continuity of service and avoid disruptions to production certificates, the ACCC CDR is transitioning to DigiCert ONE.
As part of this migration, a new chain of trust will be established for certificates issued via DigiCert ONE. The ACCC plans to begin issuing certificates from this new trust chain starting 1 October 2025.
Until 30 September 2025: Certificates will continue to be issued from the existing ICA, CDR Banking Intermediate CA.
From 1 October 2025: Certificates will be issued from the new ICA, CDR Intermediate CA 2025, under the new trust chain. Existing certificates will remain valid and revocable via the CDR Participant Portal.
Until 1 November 2026: Certificates issued from the old trust chain will remain valid and revocable via the CDR Participant Portal. The Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services will remain fully operational and continue to support previously issued certificates.
Certificates are a key component in maintaining the security and trust between participants of the Consumer Data Right (CDR) ecosystem.
Both Transport Layer Security (TLS) and Mutual Transport Layer Security (mTLS) communication are used within the CDR ecosystem, depending on the scenario. TLS and mTLS rely on certificates to establish the secure communication channel. All 'authenticated' connections in CDR use mTLS in a private trust chain based on certificates provisioned by the ACCC.
The ACCC uses DigiCert as the Certificate Authority (CA) for this purpose. The certificates provisioned for CDR are known as 'Register CA certificates' or 'CDR certificates' and they form a trust chain to a 'CDR Root CA'.
CDR Certificate Authority
DigiCert acts as the certificate authority that issues and manages certificates to CDR participants as directed by the ACCC Register in its capacity as the CDR Registrar.
Certificate Trust Model
The CDR utilises a private certificate trust chain for all Register CA secured endpoints hosted by Data Holders, Data Recipients and the Register.
This trust chain encompasses a set of root and intermediate CAs issued for the test and production environments.
Environment | CA Download Link | Notes |
CTS Environment | | CTS utilizes its own separate trust chain and cannot be used to transact in the production environment. CTS CA Bundle ━ CDR CTS Root CA |
Production Environment | CDR Trust Chain 1; CDR Trust Chain 2; Bundled | From 1st October 2025, ACCC will stop issuing certificates from CDR Trust chain 1 and only issue certificates from CDR Trust chain 2. The Root CAs in both the trust chains are the same. CDR Trust Chain Bundle 1 ━ CDR Root CA; CDR Trust Chain Bundle 2 ━ CDR Root CA; CDR Trust Chain Combined Bundle ━ CDR Root CA |
Please refer to the Frequently Asked Questions (FAQ) page for additional information, including OCSP and CRL endpoint changes.
From 1st October 2025, ACCC will stop issuing certificates from CDR Trust chain 1 and only issue certificates from CDR Trust chain 2.
For production environments, CDR participants MUST support certificates issued from both trust chains from 1st October 2025.
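Added example (not ACCC or DigiCert material): a way to check that a trust bundle accepts certificates from both chains before the cut-over. It builds a throwaway PKI with constructed names (a test root, two test intermediates standing in for the old and new ICAs, one leaf under each) and assumes a verifier that builds chains only from the certificates in its configured bundle.

```shell
#!/bin/sh
# Constructed throwaway PKI: one root, two intermediates (stand-ins for the
# two production trust chains), one leaf under each. Not the real CDR CAs.
set -e

mk_csr() {  # mk_csr <name> <common-name>: new key and CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {    # sign <name> <issuer> [extra x509 args]: issue <name>.pem
  n=$1; ca=$2; shift 2
  openssl x509 -req -in "$n.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$n.pem" "$@" 2>/dev/null
}

build_constructed_pki() {  # build_constructed_pki <empty-dir>
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    mk_csr root "TEST Root CA"
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 30 -out root.pem 2>/dev/null
    mk_csr ica1 "TEST Intermediate CA 1"; sign ica1 root -extfile ca.ext
    mk_csr ica2 "TEST Intermediate CA 2"; sign ica2 root -extfile ca.ext
    mk_csr leaf1 "participant-old.example"; sign leaf1 ica1
    mk_csr leaf2 "participant-new.example"; sign leaf2 ica2
    cat root.pem ica1.pem > chain1.pem             # old chain only
    cat root.pem ica2.pem > chain2.pem             # new chain only
    cat root.pem ica1.pem ica2.pem > combined.pem  # both chains
  )
}

accepts() {  # accepts <bundle.pem> <leaf.pem>: 0 if the leaf chains to the bundle
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {   # report <dir>: accept/reject matrix for every bundle and leaf
  for b in chain1 chain2 combined; do for l in leaf1 leaf2; do
    if accepts "$1/$b.pem" "$1/$l.pem"; then r=accepted; else r=REJECTED; fi
    printf '%-9s %-6s %s\n' "$b" "$l" "$r"
  done; done
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
build_constructed_pki "$d"
report "$d"
```

Only the combined bundle accepts both leaves. To run the same check against a real trust store, call `accepts` with the store's bundle file and a certificate issued from each chain.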
Certificate Usage
Further details on the CDR CA issued certificates can be found in the ACCC Certification Practice Statement.