Juur-SK Certificate Will Expire on August 26, 2016 5:23PM

As the root certificate Juur-SK of the Certification Centre (SK) will expire on August 26, 2016 5:23PM, please check and ensure that your applications and information systems have been accurately configured and make sure that all necessary changes are implemented in time.

This information is important for service providers and owners of information systems, as well as users of the web server (SSL) certificates issued by SK.

For end users, it is important that the latest ID-software version (version 3.12 or later) is used. The latest ID-software version can be downloaded from the id.ee website.

NOTE! The information in this article is subject to constant updates!

Exactly which certificates will expire?

On August 26, 2016 5:23PM, SK’s root certificate ‘Juur-SK’ will expire and, along with it, all intermediate certificates issued from this chain (ESTEID-SK 2007, EID-SK 2007, and KLASS3-SK 2010 issued on March 31, 2010), as well as all certificates issued by them, including service certificates (e.g., OCSP certificates and the DigiDocService service certificate). The certification chains of SK are visualized here.

ID-card and Mobile-ID certificates were issued from the Juur-SK chain until July 11, 2011; therefore, the last ones will expire on July 11, 2016.

What is the significant distinction from the intermediate certificate KLASS3-SK 2010?

The significant distinction from KLASS3-SK 2010 is that a certificate of the same name has also been issued under SK’s new root certificate 'EE Certification Centre Root CA' on March 18, 2011 and on June 4, 2015. Please make sure that your configuration includes the latest KLASS3-SK 2010 certificate and the new root certificate. If it does, the expiration of the old KLASS3-SK 2010 will not affect you. 

Which validity confirmation (OCSP) certificate will be validating responses of KLASS3-SK 2010 certificates?

The KLASS3-SK 2010 OCSP RESPONDER in use today will expire and be replaced by SK OCSP RESPONDER 2011 from 14:00 on August 15, 2016.

SK OCSP RESPONDER 2011 is already in use for all other certificates in the new certification chain. Starting from August 15, the common validity confirmation certificate (SK OCSP RESPONDER 2011) will be used for all SK’s certificates in the ocsp.sk.ee service.

Where can I obtain the certificates of the new certification chain?

The certificates are available in SK’s repository. Here are the links:

What impact will the expiration of Juur-SK and of the certificates issued under it have on applications and information systems?

Services that use Certificate Revocation List (CRL) for user authentication.

The ESTEID-SK 2007 CRL will no longer be issued after the Juur-SK certificate expires on August 26, 2016. The expired CRL will be removed and will no longer be available. The revocation lists of EID-SK 2007 and of Juur-SK will also expire and be removed. There will be no changes concerning the KLASS3-SK 2010 CRL; it will remain available.

Servers should be configured so that they will not attempt to download the CRL after the last expiration, as this will overload your servers, as well as ours.   

Services that use the DigiDocService web service.

The web server (SSL) certificate (CN=digidocservice.sk.ee) of the DigiDocService (https://digidocservice.sk.ee) has been issued under the intermediate certificate of KLASS3-SK 2010 and it will expire on August 26, 2016. As of 23:00 on August 15, the DigiDocService will be using a new SSL certificate. The new service certificate has been issued under a different certificate chain.

If your application verifies the DigiDocService service certificate against the certificate issuer chain, the certificates of the chain must be checked. It is important to have KLASS3-SK 2010 (issued on June 4, 2015) and the new root certificate 'EE Certification Centre Root CA' in the configuration.

In order to make sure that the expiration and replacement of the SSL certificate of DigiDocService will not affect the functioning of your services, the certificates of the new chain should be added to the configuration as soon as possible. The new configuration will also function with the present SSL certificate; therefore, you can already implement this change. An SSL certificate issued under the new KLASS3-SK 2010 is already available in the test service of DigiDocService (https://tsp.demo.sk.ee).

If your application verifies the SSL certificate itself, the new DigiDocService SSL certificate must be added.  

DigiDocService's new SSL certificate in PEM format is available here.

Services that use web server (SSL) certificates issued by SK. 

It is important to check that your configuration has the newest KLASS3-SK 2010 certificate and the new root certificate 'EE Certification Centre Root CA', so please add them as soon as possible, if needed. If this has been done, the expiration of the old KLASS3-SK 2010 and Juur-SK in August will not affect you. 
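Why the same-named intermediate matters for chain building, as an added example (not SK's code): a name-based path search over constructed certificate metadata, showing which trust-store contents still yield a valid chain after the Juur-SK expiry. The leaf `www.example.ee`, the placeholder validity dates and the assumption that any KLASS3-SK 2010 certificate can act as the leaf's issuer are illustrative; real validation also verifies signatures.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

# Expiry of Juur-SK as given on the page (the page states no time zone).
JUUR_SK_EXPIRY = datetime(2016, 8, 26, 17, 23)
BEFORE = JUUR_SK_EXPIRY - timedelta(days=1)
AFTER = JUUR_SK_EXPIRY + timedelta(days=1)
FAR = datetime(2030, 1, 1)  # constructed placeholder notAfter for the new chain
NEW, K3 = "EE Certification Centre Root CA", "KLASS3-SK 2010"

# Constructed metadata. Only the three KLASS3-SK 2010 issue dates and the
# Juur-SK expiry come from the page; every other date is a placeholder.
OLD_ROOT = Cert("Juur-SK", "Juur-SK", datetime(2001, 1, 1), JUUR_SK_EXPIRY)
NEW_ROOT = Cert(NEW, NEW, datetime(2011, 1, 1), FAR)
K3_2010 = Cert(K3, "Juur-SK", datetime(2010, 3, 31), JUUR_SK_EXPIRY)
K3_2011 = Cert(K3, NEW, datetime(2011, 3, 18), FAR)
K3_2015 = Cert(K3, NEW, datetime(2015, 6, 4), FAR)
LEAF = Cert("www.example.ee", K3, datetime(2015, 9, 1), datetime(2017, 9, 1))

def find_path(cert, store, at, seen=()):
    """Return the first chain [cert, ..., root] valid at `at`, or None."""
    if not (cert.not_before <= at <= cert.not_after):
        return None
    if cert.subject == cert.issuer:  # self-signed: must be a configured anchor
        return [cert] if cert in store else None
    # Several certificates may share the issuer name; try each candidate.
    for cand in store:
        if cand.subject == cert.issuer and cand not in seen:
            rest = find_path(cand, store, at, seen + (cert,))
            if rest:
                return [cert] + rest
    return None

def survives_expiry(store, leaf=LEAF):
    """(chain found the day before expiry, chain found the day after)."""
    return (find_path(leaf, store, BEFORE) is not None,
            find_path(leaf, store, AFTER) is not None)

if __name__ == "__main__":
    stores = {"old chain only": [OLD_ROOT, K3_2010],
              "new intermediate, no new root": [OLD_ROOT, K3_2010, K3_2015],
              "old + new chain": [OLD_ROOT, K3_2010, NEW_ROOT, K3_2015]}
    for name, store in stores.items():
        print(f"{name}: {survives_expiry(store)}")
```

A store holding the new intermediate without the new root still fails after the expiry, which is why both certificates have to be in the configuration.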

For all public web servers that have a web server certificate issued by SK, we will carry out the respective tests required ourselves and notify the owners of the available service if any changes are needed.

An easy way to check the quality of your web server is here: https://www.ssllabs.com/ssltest/. Enter the address of your webpage that uses a web server certificate issued by SK. If the "Additional Certificates" and "Certification Path" blocks in the results show the KLASS3-SK 2010 certificate that will expire in 2016 and that has been issued by Juur-SK, then the server configuration has to be reviewed. 

 Guides for configuring SSL server certificates on servers can be found here:

  • Windows 2012 (IIS8, currently in Estonian only), PDF
  • Apache, PDF

Services and information systems where documents are digitally stamped or where digitally stamped documents are validated.

Information systems that use DigiDoc libraries for digital stamping or for validating digitally stamped files have to be checked. If needed, the following certificates must be added to the certificates folder used by the library, and the corresponding links must then be added to the configuration file:

  • KLASS3-SK 2010 (issued on June 4, 2015) 
  • KLASS3-SK 2010 (issued on March 18, 2011) 

It is also important to have the SK OCSP RESPONDER 2011 certificate.

Users of trusted certificate lists (TSL-s) in libraries have to use the latest trusted service list published by the Technical Regulatory Authority (https://sr.riik.ee/tsl/estonian-tsl.xml).

For testing purposes, we have created .ddoc, .bdoc, and asic-e files signed using a certificate issued under KLASS3-SK 2010 (issued on June 4, 2015) with a validity confirmation that has been signed with the SK OCSP RESPONDER 2011 certificate. You can use these files to test if all necessary certificates are properly configured in your digital signing systems, libraries and document management systems. Once these files are validated as valid, the configuration is correct.

Services that use TempelPlus digital stamping software.

Users of TempelPlus software have to check and, if needed, add the following certificates to the certificates folder used by the jdigidoc library, and then add the corresponding links in the configuration file:

  • KLASS3-SK 2010 (issued on June 4, 2015)
  • KLASS3-SK 2010 (issued on March 18, 2011) 

It is also important to have the SK OCSP RESPONDER 2011 certificate.

For testing purposes, we have created .ddoc and .bdoc files signed using a certificate issued under KLASS3-SK 2010 (issued on June 4, 2015) with a validity confirmation that has been signed with the SK OCSP RESPONDER 2011 certificate. You can use these files to test if the necessary certificates are properly configured in the TempelPlus software. Once these files are validated as valid, the configuration is correct.

Services that use the validity confirmation service, issuing authentication certificate information (User-Based Authentication Service).

The OCSP certificate (CN=AUTHENTICATION OCSP RESPONDER) validating the responses of the validity confirmation service issuing the information of authentication certificates will expire on August 26, 2016. A new OCSP certificate will replace the expiring certificate, and the service will begin using it starting from 14:00 on August 15.

The new AUTHENTICATION OCSP RESPONDER 2016 certificate is available at http://www.sk.ee/certs.

If I have questions, where can I get more information?

Please send all questions regarding this change to support at sk dot ee.

 

