The existing eDelivery components are designed to work with a single PKI. That means that all SMP certificates MUST be based on a single SMP root certificate, and all AS4 certificates MUST be based on a single AS4 root certificate. This rule applies only to the SMP and AS4 certificates, NOT to the TLS certificates used for transport security.
Using a single root certificate provides an easy way to check whether a certificate is valid. For that check to work properly, a functioning OCSP or CRL revocation check is required. For a production PKI to function, it needs strong governance and appropriate controls and measures.
All certificates in the DE4A pilots are based on the “CommisSign2 PKI” provided by the European Commission to the project free of charge. This PKI was used to create certificates for SMPs and for the AS4 message exchange.