Section 3.1 states that PKIOverheid Private certificates are used:
A node will need to configure the correct CA-tree so other nodes can connect. The certificates to configure are the Staat der Nederlanden Private Root CA G1 root certificate and the Staat der Nederlanden Private Services CA – G1 CA. All certificates can be downloaded from the PKIoverheid website. TSPs are responsible for signing certificates. The TSPs have their own CA. To trust all PKIo certificates, any software that validates a certificate and its chain MUST trust any intermediate CA below the Staat der Nederlanden Private Services CA – G1 CA. The PKIoverheid private services CA is not by default accepted by browsers and operating systems.
However, the Nuts node currently falsely assumes "the Nuts node certificate" (the private cert) is a publicly trusted certificate, because it also expects public clients (IRMA app) to be able to access HTTP endpoints secured with this certificate.
This was probably changed to the Private root because PKIOverheid will stop issuing publicly trusted certificates: https://www.logius.nl/actueel/pkioverheid-stopt-met-uitgeven-publiek-vertrouwde-webserver-ssltls-certificaten
Spec or Nuts node needs to change.
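To make the mismatch concrete, here is an added example (not code from the Nuts node or the spec) that builds a constructed stand-in for the private CA tree and validates the node certificate twice: once against the operating system's trust store, as a browser or the IRMA app would, and once with the private root explicitly configured. The CA names and the hostname are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent/parentKey, or self-signed when
// parent is nil. Everything issued here is a constructed stand-in, not a PKIoverheid CA.
func newCert(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS entropy source does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         ca, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Demo builds root -> services CA -> node certificate and validates the leaf twice: against
// the OS trust store (Roots == nil, what a browser or the IRMA app uses) and against the private root.
func Demo() (errSystem, errPrivate error) {
	root, rootKey := newCert("Toy Private Root CA", true, nil, nil)
	inter, interKey := newCert("Toy Private Services CA", true, root, rootKey)
	leaf, _ := newCert("nuts-node.example.test", false, inter, interKey)
	inters, private := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter) // served alongside the leaf, never a trust anchor by itself
	private.AddCert(root) // the CA-tree a node must be configured with
	_, errSystem = leaf.Verify(x509.VerifyOptions{Intermediates: inters})
	_, errPrivate = leaf.Verify(x509.VerifyOptions{Roots: private, Intermediates: inters})
	return errSystem, errPrivate
}
```

The first Verify fails with an unknown-authority error, the second succeeds; a public client that does not ship the private root behaves like the first call.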