In summer 2011 the Sertifitseerimiskeskus (SK) introduced a new root certificate, EE Certification Centre Root CA, and switched to new certification chains.
All certificates of SK can be downloaded here: http://www.sk.ee/en/repository/certs/
Why should there be any changes?
Because the Sertifitseerimiskeskus root certificate “Root SK” expires in summer 2016, it will no longer be possible to issue 5-year ID-card certificates from that certification chain starting this summer. SK therefore has to implement a new certification chain.
What impact will this change have?
This change affects all systems that use ID-card, digi-ID and Mobiil-ID certificates, in other words all information systems and applications where it is possible to authenticate or give a digital signature with an ID-card, digi-ID or Mobiil-ID. It also affects all information systems where it is possible to verify the validity of digital signatures.
When will you start issuing certificates from the new chains?
All new certificates are available on the SK webpage, so all necessary configuration changes in information systems can be made in advance.
The first ID-card/digi-ID/Mobiil-ID identification certificates were issued from the new certification chain on July 10, 2011.
What will happen if the support for new certificates has not been added?
If the new certificates have not been added to the configuration of a system, persons whose ID-card, digi-ID or Mobiil-ID certificates were issued after the changes took effect, or who have updated their ID-cards since then, cannot authenticate to the relevant e-service. In addition, digital signatures given by these persons after the changes took effect cannot be verified.
What kind of changes are made in the certificates?
The new certificates differ from the current ones in several ways. It is important to check that the new certificates are compatible with your information system.
- Instead of the current UCS2 encoding, end-user certificates containing letters with dots (ID-card, digi-ID as well as Mobile-ID certificates) will use UTF-8 encoding.
- The serial numbers of the certificates are longer than before. Instead of the 4-byte serial numbers used earlier, we now use 16-byte serial numbers.
- All new certification services use a common validity confirmation service (OCSP) certificate (SK OCSP RESPONDER 2011) issued by the new root certificate (EE Certification Centre Root CA). Earlier, each certification service had its own validity confirmation certificate (for instance ESTEID-SK 2007 OCSP RESPONDER, issued via ESTEID-SK 2007).
The description of the existing certification chain of SK is here and the description of the new certification chain is here.
So that you can test the impact of the certificate changes on your service, you can order test cards with new certificates from SK. To order test cards, please fill in the form on the SK webpage.
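A compatibility check for the first two changes listed above, as an added example that is not SK's own code: it reads DER-encoded serial numbers and name strings the way a relying system must after the change, and shows where a consumer built around 4-byte serials or UCS2-only names fails. The sample bytes and all function names are constructed for illustration.

```python
# Added example: DER-level check for the serial-number and string-encoding changes.
UTF8_STRING, PRINTABLE_STRING, BMP_STRING = 0x0C, 0x13, 0x1E

# Constructed sample elements (not taken from real SK certificates).
OLD_SERIAL = bytes.fromhex("02044a3b2c1d")                          # 4-byte INTEGER
NEW_SERIAL = bytes.fromhex("02103f2e1d0c4b5a69788796a5b4c3d2e1f0")  # 16-byte INTEGER
OLD_NAME = bytes.fromhex("1e0c004d00c4004e004e0049004b")            # BMPString (UCS2) "MÄNNIK"
NEW_NAME = bytes.fromhex("0c074dc3844e4e494b")                      # UTF8String "MÄNNIK"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_serial(der_integer):
    """Decode a DER INTEGER of any length into a Python int."""
    tag, value, _ = read_tlv(der_integer)
    if tag != 0x02:
        raise ValueError("not a DER INTEGER")
    return int.from_bytes(value, "big", signed=True)

def fits_fixed_width(serial, width_bytes=4):
    """True if the serial fits an unsigned field of width_bytes, as 4-byte serials did."""
    return 0 <= serial < 1 << (8 * width_bytes)

def decode_dn_string(der_string):
    """Decode a name attribute value according to its ASN.1 string tag."""
    tag, value, _ = read_tlv(der_string)
    codecs = {BMP_STRING: "utf-16-be", UTF8_STRING: "utf-8", PRINTABLE_STRING: "ascii"}
    if tag not in codecs:
        raise ValueError(f"unsupported string tag 0x{tag:02x}")
    return value.decode(codecs[tag])

def ucs2_only_decode(der_string):
    """Models a consumer that assumes every name is UCS2; None when decoding fails."""
    _, value, _ = read_tlv(der_string)
    try:
        return value.decode("utf-16-be")
    except UnicodeDecodeError:
        return None
```

A database column, cache key or log field sized for the old serial numbers fails the fits_fixed_width check for the new ones, and a UCS2-only decoder returns either nothing or wrong characters for a UTF-8 name, so both paths are worth testing with the SK test cards.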
What are the new certificates and where can I get them?
All certificates of the Certification Centre can be downloaded here: http://www.sk.ee/en/repository/certs/
- EE Certification Centre Root CA, valid from 30.10.2010 (this is the new root certificate of the Certification Centre);
- ESTEID-SK 2011, valid from 18.03.2011 (ID-card, Digi-ID, Mobile-ID and residence permit card certificates will be issued from here);
- EID-SK 2011, valid from 18.03.2011 (Omnitel Mobile-ID certificates will be issued from here);
- SK OCSP RESPONDER 2011, valid from 18.03.2011 (all certification services use a common validity confirmation service (OCSP) certificate).
What should the administrator of the information system enabling authentication do?
IN ADDITION to supporting the existing certificates, support for all new certificates must be added to all web servers used for personal identification with an ID-card and to all application servers using ID-card authentication.
The new certificates must be added to the list of accepted certificates, and validity checking for certificates issued by the new certification services must be set up using SK's validity confirmation service (OCSP) or revocation list (CRL) service.
For both certifiers, “ESTEID-SK 2011” as well as “EID-SK 2011”, the responses to validity queries about certificates issued by these certifiers must be verified with the “SK OCSP RESPONDER 2011” certificate.
In addition, the new certificates must be configured in other systems that use ID-card certificates (VPN clients, solutions for logging in to the computer network).
What should the users of DigiDoc libraries do?
Those who use DigiDoc libraries in digital signing applications must add all new certificates to the configuration files of the DigiDoc libraries.
Users of the DigiDoc COM library can get an updated library on their computer by downloading the Certification Centre's DigiDoc Client version 2.7.11, which is available at http://installer.id.ee from the beginning of May.
What should DigiDocService web service users do?
SK will add the new certificates to the DigiDocService web server itself, so users of DigiDocService do not need to make any changes in their systems.
How will this change affect an end user?
To give a digital signature with the new certificates using the DigiDoc client software, and to verify digital signatures given with the new certificates, the ID-card basic software on the end user's computer must be updated.
Version 3.4 of the ID-card basic software, which supports the new certificates, is available at https://installer.id.ee from May 9th.
Where can I get additional information if I have questions?
Please send any additional questions regarding the changes to the e-mail address support[at]sk.ee.