Information Related to the Implementation of the ESTEID-SK 2015 Intermediate Certificate for e-Service Providers
The information in the article will be updated on an ongoing basis!
Why are the changes taking place?
Based on the requirement of the Information System Authority to restrict the use of the outdated SHA-1 hash algorithm; the Police and Border Guard Board has ordered, and the Certification Centre (SK) has implemented a new ESTEID-SK 2015 intermediate certificate. Starting from March 1, 2016 all end user certificates issued for ID-cards and Mobile-ID use stronger cryptographic algorithms.
What will be the impact of these changes?
The given change involves all information systems and applications for which ID-cards (incl. digital-ID, residence permit card, digital ID for e-residence) or Mobile-ID, can be used to authenticate or provide digital signatures. As well as all information systems in which it is possible to check the validity of digital signatures.
All necessary settings can be made in advance.
When will the certificates from the new chains be issued?
The certificates, based on the new intermediate certifier, are issued starting from March 1, 2016.
What will happen if the support for the new certificates is not added?
If the new ESTEID-SK 2015 intermediate certificate is not added to a server’s configuration, it will not be possible for the persons, whose ID-card or Mobile-ID certificate is created or updated after the change is implemented, to authenticate the corresponding e-service. It will also not be possible for those people to provide digital signatures in an e-service that has not been updated, and it will also not be possible to check the digital signature provided by those people.
Where can one obtain the new intermediate certificate?
The new intermediate certificate, called ESTEID-SK 2015, is available from the SK repository- www.sk.ee/certs.
What changes have been made in the new intermediate certificate?
- The ESTEID-SK 2015 is based on a 4096-bit RSA key and uses SHA-384 (sha384withRSAencryption) hash algorithm.
- An ‘OrganizationIdentifier’ (OID 220.127.116.11) field has been added to the distinguished name (DN) of the certificate and this is valued NTREE-10747013. This is required by clause 4.2.1 of the ETSI standard EN 319412-3 and the contents are explained in clause 5.1.4 of the standard EN 319412-1. The ‘OrganizationIdentifier’ is a new, less common extension and may not be written into the software, or different software may interpret it differently. For example, the software does not recognise the ‘OrganizationIdentifier’ extension and writes it as an unknown extension named as OID.18.104.22.168 .
- Extended Key Usage (EKU) and Name Constraints extensions have been included to the certificate, this is so that the intermediate CA certificate can be considered Technically Constrained according to clause 7.1.5 of the CA/B Forum Baseline Requirements. Based on these extensions the application software can implement the automatic controls that preclude the recognition of web server (SSL) certificates issued under ESTEID-SK 2015, since they should not exist.
- The content of the Policy Qualifier fields have been changed in the certificate in order to better comply with the requirements of the RFC 3647 standard. Thereby, the OID numbers of the certification principles have been shortened, and the indicator of the version number will disappear from the end. This is also in direct reference to ETSI EN 319411 standards.
- An AIA extension (Authority Information Access extension) has been added to the certificate, based on which the EECCRCA certificate can be found along with the location of the issued certificates’ OCSP service location.
- The ESTEID-SK 2015 certificate is issued by the existing root certificate (EE Certification Centre Root CA).
- The certificate SK OCSP RESPONDER 2011 should be used to check the validity of the certificates issued by ESTEID-SK 2015 in regard to the OCSP service.
- The ESTEID-SK 2015 cancellation list is available at http://www.sk.ee/crls/esteid/esteid2015.crl.
What changes will occur in the end-user certificates?
- All certificates issued to the end user are based on a 2048-bit RSA key and include the SHA-256 (sha256WithRSAEncryption) hash algorithm.
- An ‘OrganizationIdentifier’ (OID 22.214.171.124) has been added to the certificate issuer field; see the explanation in the previous section.
What must be done by the administrator of an information system that enables ID-card authentication?
For authentication with an ID-card, the new intermediate certificate support must be added to the web servers and the application servers used for ID-card authentication IN ADDITION TO the existing certificates. The new certificate must be added to the list of accepted certificates, and the validity control for the certificates issued by the new ESTEID-SK 2015 must be set to function. To do this, the SK validity confirmation service (OCSP) or cancellation list (CRL) service should be used.
The answers to inquiries for the control of the validity of the certificates issued by ESTEID-SK 2015 must be verified with a SK OCSP RESPONDER 2011 certificate.
Those services that used the SK Authentication OCSP service to control the validity of certificates, must verify the answers with an AUTHENTICATION OCSP RESPONDER certificate.
In addition, the new certificate must be adjusted to the other systems that used ID-card certificates (VPN clients, computer network solutions for logging in).
- Adjusting ID-card support settings to IIS web servers
- Adjusting ID-card support settings to Apache web servers
What should users of DigiDoc libraries do?
Users of DigiDoc libraries should add the certificate ESTEID-SK 2015 for the catalogue of certificates used by the library. Thereafter it is necessary to add references to this certificate in the configuration file for the libraries.
Exact instructions for making adjustments to the ESTEID-SK 2015 support in the libraries are available here:
The users of trusted services lists (TSL) for certificates in the libraries must use the newest list published by the Technical Regulatory Authority.
How can this be tested?
We have created .ddoc, .bdoc, and asic-e files that have been signed with a certificate issued under the ESTEID-SK 2015 and have validity confirmation signed with the SK OCSP RESPONDER 2011 certificate. With these files you can test to see whether all the necessary certificates are correctly adjusted in your digital signature systems, libraries and document management systems.
In order to test the impact of the changes made in the certificates of your applications and systems, it is possible to order test ID-cards from SK, for the certificates for which have been issued under TEST of ESTEID-SK 2015. Test cards can be ordered using the form on the SK website.
What the users of the online DigiDocService do?
The SK will add the new certificates to the online DigiDocService itself, and therefore the users of the DigiDocService do not generally have to make any changes in their information systems.
How does the change impact the ordinary user?
In order to provide signatures with ID-cards that have new certificates, it is necessary to update the DigiDoc3 client’s software to version 3.12 of the ID-software.
To check digital signatures in the DDOC format provided with ID-cards that have new certificates, the ID-software in the end user’s computer must be updated to version 3.12. Older software versions will display the signature status as “unknown.”
When checking digital signatures in BDOC or ASIC-E formats that are provided with ID-cards that have new certificates, users who have ID-software starting with version 3.10 do not have to worry, because upon the control of the signatures, the new certificate support is automatically added to the official trusted services lists published by the Technical Regulatory Authority.
The aforementioned files can be used for testing.
If I have any questions, where can I get additional information?
Any additional questions regarding these changes should be sent to: support at sk dot ee.