Authentication success depends on the client platform used. You can create independent authentication solutions in Windows on the basis of the ID-card CSP or use web-based authentication. This is supported by Internet Explorer, Firefox and Chrome browsers and Apache and IIS servers.
Authentication certificate validity confirmation (OCSP query)
When using an ID-card for identification, it is important to perform an ID-card authentication certificate validity check (an OCSP query).
Validity confirmation service (foreign certificates check):
Configuring ID-card support in IIS web server:
Configuring ID-card support in Ubuntu web server:
- Two-way SSL setup in Ubuntu Nginx web server (in English, 28 April 2021)
- Two-way SSL setup in Ubuntu Apache2 web server (in English, 27 April 2021)
- Adopting the TLS 1.3 standard in a web server may require changes to the authentication solution
- Digital documents valid in Estonia
- Validity confirmation service
ID-card and testing:
Ordering test cards
Ordering form of test cards:
Prices of test cards:
General information on test cards:
Test cards issued by SK:
- test ID-card (2018);
- test ID-card (ECC certificates, 2017 update);
- test e-Resident’s digital ID (2018);
e-Seal on crypto-stick issued by SK
- test e-Seal on crypto stick
NB! Keep in mind that:
- test ID-cards can only be used in a test environment;
- test ID-card certificates cannot be updated.
AIA-OCSP URL with unrestricted access can usually be found in the certificate. Each CA branch has its own URL and certificate to sign OCSP responses.
Since 2019, a new OCSP response profile is valid for organisation certificates, which is also applied to CA certificates. With the new OCSP response, the Archive Cutoff and Extended Revoked Definition solutions were taken into use. Find additional information on the website of SK ID Solutions.
NB! Older certificates might not contain this URL, in which case the URL should be taken from the following list:
| Live chain service URL | Test chain service URL |
| --- | --- |
| http://aia.sk.ee/esteid2018 | http://aia.demo.sk.ee/esteid2018 |
| http://aia.sk.ee/esteid2011 | http://aia.demo.sk.ee/esteid2011 |
| http://aia.sk.ee/eid2011 | http://aia.demo.sk.ee/eid2011 |
| http://aia.sk.ee/klass3-2010 | http://aia.demo.sk.ee/klass3-2010 |
| http://aia.sk.ee/esteid2015 | http://aia.demo.sk.ee/esteid2015 |
| http://aia.sk.ee/eid2016 | http://aia.demo.sk.ee/eid2016 |
| http://aia.sk.ee/nq2016 | http://aia.demo.sk.ee/nq2016 |
| http://aia.sk.ee/klass3-2016 | http://aia.demo.sk.ee/klass3-2016 |
The nonce field of AIA-OCSP with unrestricted access should not be used to carry the information agreed for the BDOC-TM (TimeMark) signature.
NB! The validity of the certificates used for signing the responses of AIA-OCSP with unrestricted access is brief.
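One way a service could choose the AIA-OCSP responder described above, shown as an added example that is not code from this page or from SK. It prefers the URL embedded in the certificate, falls back to the list for older certificates, and refuses to mix test and live chains. The issuer names used as map keys, the "TEST of " prefix check, the restriction of embedded URLs to the hosts in the list, and the helper `sample` are assumptions of this example; it only selects the URL and does not send the query.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/url"
	"strings"
)

// Paths are from the page's list; issuer CNs and the "TEST of " prefix are assumed.
var branch = map[string]string{
	"ESTEID2018": "esteid2018", "ESTEID-SK 2015": "esteid2015",
	"ESTEID-SK 2011": "esteid2011", "EID-SK 2016": "eid2016",
	"EID-SK 2011": "eid2011", "NQ-SK 2016": "nq2016",
	"KLASS3-SK 2016": "klass3-2016", "KLASS3-SK 2010": "klass3-2010",
}

// ResponderURL picks the AIA-OCSP URL for cert; testEnv marks a test deployment.
func ResponderURL(cert *x509.Certificate, testEnv bool) (string, error) {
	cn, host := cert.Issuer.CommonName, "aia.sk.ee"
	isTest := strings.HasPrefix(cn, "TEST of ")
	if isTest != testEnv {
		return "", fmt.Errorf("issuer %q does not belong in this environment", cn)
	}
	if isTest {
		cn, host = strings.TrimPrefix(cn, "TEST of "), "aia.demo.sk.ee"
	}
	// Prefer the URL embedded in the certificate, but only on the expected host.
	for _, raw := range cert.OCSPServer {
		if u, err := url.Parse(raw); err == nil && u.Scheme == "http" && u.Host == host {
			return raw, nil
		}
	}
	// No usable embedded URL (older certificates): use the per-CA list.
	if p, ok := branch[cn]; ok {
		return "http://" + host + "/" + p, nil
	}
	return "", fmt.Errorf("no AIA-OCSP URL known for issuer %q", cn)
}

// sample builds a constructed certificate stub (hypothetical demo helper).
func sample(issuerCN string, ocsp ...string) *x509.Certificate {
	return &x509.Certificate{Issuer: pkix.Name{CommonName: issuerCN}, OCSPServer: ocsp}
}

func main() {
	fmt.Println(ResponderURL(sample("TEST of ESTEID-SK 2011"), true))
}
```

In a real service the `*x509.Certificate` would come from the verified TLS client certificate, whose `OCSPServer` field Go fills from the AIA extension.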
- In the DigiDoc4 Client, it is possible to use both Idemia and older Estonian ID-cards in Windows and macOS. Both the Idemia and the Estonian minidriver are necessary.
- To use DigiDoc4 signatures and OCSP-based authentication, it is necessary to upload test card certificates to the test-OCSP service:
- The test-OCSP service is available here: http://demo.sk.ee/ocsp
Authentication in web services
- Add a test certificate to your test service: https://sk.ee/upload/files/TEST_of_ESTEID2018.der.crt.
- Instructions for authentication configuration in service.
After using beta software, it is necessary to clean the local cache directories:
- Windows – erase %APPDATA%\digidocpp and %APPDATA%\RIA
- macOS – erase ~/Library/Containers/ee.ria.qdigidoc4/Data/Library/Application Support/RIA/qdigidoc4/*
- Ubuntu – erase directories /.digidocpp/tsl and /.local/share/RIA/qdigidoc4