For testing services, it is recommended to order a test ID-card; these are issued by SK ID Solutions AS.
Depending on the profile of the organisation’s users, ordering cards of different generations should be considered.
Before using the test cards, you should definitely view:
Ordering test cards
Ordering form of test cards:
https://www.skidsolutions.eu/en/services/testcard/?service/test_cards
Prices of test cards:
https://www.skidsolutions.eu/en/services/pricelist/testcard/
General information on test cards:
https://www.skidsolutions.eu/en/services/testcard/
Test cards issued by SK:
- test ID-card (2021);
- test ID-card (2018);
- test e-residency Digi-ID (2018);
e-Seal on crypto-stick issued by SK
- test e-Seal on crypto stick
NB! Keep in mind that:
- test ID-cards can only be used in a test environment;
- test ID-card certificates cannot be updated.
How to test services?
When testing services, remember that people today use ID-cards from two different producers: the so-called old ID-card issued before the end of 2018 and the new ID-card issued since the end of 2018. All systems must therefore work at the same time, and in the same way, with both producers’ cards.
Additional information on changes with ID-cards:
- Estonian eID 2018 Technical Description
- Changes in new ID-card
- Identification with ID-cards and digital IDs on websites
With the new type of ID-card introduced in 2018, the requirements and expectations for testing with the ID-card changed.
The following recommendations cover testing of the most popular service types in the eID ecosystem in the context of the new (modern) ID-card.
Authentication in web services is mainly solved by creating an SSL/TLS/HTTPS connection between the user’s browser and the web service provider’s web server, based on the ID-card authentication certificate.
To check the user certificate, the OCSP validity confirmation service or CRLs can be used.
Which tests should be made with ID-cards?
For web authentication testing you need a test ID-card and an eID software set that supports the test card, and you must perform at least the following tests:
- Successful identification with the previous producer, i.e. the old ID-card, and the new eID software set.
- Successful identification with the new ID-card and the new eID software set.
- Authentication with the previous producer’s cancelled or suspended certificates with the old card.*
- Authentication with the new producer’s cancelled or suspended certificates with the new card.*
It is recommended to perform successful authentication tests with all web browsers supported by the eID software on at least one computer each running Windows, macOS and Ubuntu.
- You can check whether the software installed on the computer works with a test card here: https://test-eid.eesti.ee
- Uploading certificates to the test environment: https://demo.sk.ee/upload_cert
Validity confirmation service (SK ID Solutions):
The service can be used if there is a respective contract with SK; the service works with both old and new certificates.
When checking certificate validity information from the SK validity confirmation service with access restriction, note that for certificates issued under ESTEID2018, ocsp.sk.ee signs its responses with the SK OCSP RESPONDER 2011 certificate. SK OCSP RESPONDER 2011 is already in use for all other certificates.
Validity confirmation service information:
OCSP with access restriction:
OCSP test address:
Other changes related to the new ID-card:
Apache web server setup instructions for authentication with ID-card are available at:
With the new ID-card, the web authentication service is influenced by the following changes:
- Card drivers on all platforms. New card drivers will be added.
- This change is covered by the Information System Authority’s software support and in the context of eID ecosystem testing, the risks associated with this change can be considered hedged.
The new ESTEID2018 certificates do not include a CRL address. If necessary, the CRL address can be found in the revocation list of SK ID Solutions:
https://www.skidsolutions.eu/en/repository/CRL/
The format of the certificate SN (SerialNumber) field will change (the prefix ‘PNOEE-’ will be added).
This may affect information systems and services that use the certificate’s SN (SerialNumber) field to identify the personal identification code in the authentication process.
The change is due to the standard TS 119 412-1, clause 5.1.3: http://www.etsi.org/deliver/etsi_ts/119400_119499/11941201/
Also:
- New ID-card drivers will be added to the computers of end users in all platforms.
- Additional AIA-OCSP service with unrestricted access was added for verifying the validity of certificates.
Many organisations use centrally managed computer networks where an ID-card is used for user authentication. The most common cases are logging into Windows or into an authentication server over RDP. In both cases, the user authentication certificate (protected with PIN1) is used to identify the user and associate them with the account.
Which tests should be made with ID-cards?
Presumably the changes related to the new ID-card have been considered by now, but for testing you should:
- add the new as well as the old ID-card user to the system;
- try to transfer from the old card to the new;
- have a successful login/authentication with the old card;
- have a successful login/authentication with the new card;
- perform an authentication test with the new card’s cancelled or suspended certificates;
- perform an authentication test with the old card’s cancelled or suspended certificates.
Changes related to the new ID-card:
- In connection with the new card added in 2018, the possible changes of the LDAP service address and response structure should be checked.
- Use the AIA-OCSP service instead of the LDAP service when checking certificate validity.
- OCSP and AIA-OCSP (see AIA-OCSP URL).
- When checking the validity information of certificates with a CRL, note that with the new CA ESTEID2018 the CRL URL is no longer written in the certificate. The new CRL URL can be found in the revocation list: https://www.skidsolutions.eu/en/repository/CRL/
- The format of the certificate SN (SerialNumber) field will change (the prefix ‘PNOEE-’ will be added).
- This may affect information systems that use information from the certificate’s SN (SerialNumber) field. The change is due to the standard TS 119 412-1, clause 5.1.3: http://www.etsi.org/deliver/etsi_ts/119400_119499/11941201/
The AIA-OCSP URL with unrestricted access can usually be found in the certificate. Each CA branch has its own URL and its own certificate for signing OCSP responses.
Since 2019, a new OCSP response profile applies to organisation certificates and is also applied to CA certificates. With the new OCSP response, the Archive Cutoff and Extended Revoked Definition solutions were taken into use. Additional information is available on the website of SK ID Solutions.
NB! Older certificates might not contain this URL, in which case the URL should be taken from the following list:
Live chain service URL            Test chain service URL
http://aia.sk.ee/esteid2018       http://aia.demo.sk.ee/esteid2018
http://aia.sk.ee/esteid2011       http://aia.demo.sk.ee/esteid2011
http://aia.sk.ee/eid2011          http://aia.demo.sk.ee/eid2011
http://aia.sk.ee/klass3-2010      http://aia.demo.sk.ee/klass3-2010
http://aia.sk.ee/esteid2015       http://aia.demo.sk.ee/esteid2015
http://aia.sk.ee/eid2016          http://aia.demo.sk.ee/eid2016
http://aia.sk.ee/nq2016           http://aia.demo.sk.ee/nq2016
http://aia.sk.ee/klass3-2016      http://aia.demo.sk.ee/klass3-2016
Information agreed for the BDOC-TM (TimeMark) signature should not be used in the nonce field of AIA-OCSP with unrestricted access.
NB! The certificates used for signing the responses of AIA-OCSP with unrestricted access have a short validity period.
The Estonian ID-card authentication certificate also supports encrypting and decrypting data. Considering the limited validity period of ID-card certificates (five years), encryption is definitely not a suitable method for long-term preservation of documents.
Encryption is meant for ensuring the confidentiality of data during transmission or forwarding, and a decrypted document should be saved as soon as possible in another secure storage solution.
Encrypting data with an ID-card certificate can be done in several ways:
- document encryption using the eID Desktop Application
- encryption of information forwarded from the information system to a person
- encryption of e-mail messages in e-mail clients
Encryption/decryption in the eID desktop application(s) is covered by the Information System Authority’s software support, and in the context of eID ecosystem testing the risks associated with this change can be considered hedged.
It is important to pay attention to information systems that encrypt data with ID-card certificates to ensure safer exchange of information between ID-card holders.
It is also important to keep in mind the ID-card holders who use message encryption and decryption directly in the mail client.
Which tests should be made with ID-cards?
Install the latest ID-software version on the computer and test:
- data encryption and decryption with the new and old ID-card type (issued before 2018);
- data encryption to a recipient with the new and old card;
- data forwarding to a recipient with the old and new card as an encrypted e-mail and e-mail encryption with the e-mail client, if the information system uses encryption based on mail clients.
Upon encrypting e-mail messages with an ID-card certificate, attention must be paid to the fact that the mail address format of the new ID-card changed: personal identification code is used instead of the person’s name. For encryption/decryption to keep working in a mail client, the e-mails must be sent to the e-mail address containing the personal identification code.
It is recommended to run all the tests with mail clients that support decryption of e-mails encrypted with an ID-card on at least one computer each running Windows, macOS and Ubuntu.
Changes related to the new ID-card:
- The LDAP address will change and there may be changes to the response structure. The new LDAP server address is ldaps://esteid.ldap.sk.ee. The catalogue is served over the more secure LDAPS protocol (Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL)/Transport Layer Security (TLS)).
- The format of the certificate SN (SerialNumber) field will change (the prefix ‘PNOEE-’ will be added).
- The format of the e-mail address on the certificate will change. The new format is ‘[email protected]’.
In Estonia, digital signing with an ID-card or mobile-ID is used internally, i.e. within organisations, as well as publicly, i.e. in the public eID ecosystem. It is important that the systems used publicly are compatible with the other parts of the eID ecosystem and with earlier container formats.
Which tests should be made with ID-cards?
- Creating a BDOC container and signing it with the new and old ID-card, and:
  - validating the created containers with eID end-user software;
  - validating the created containers with the eID SIVA service.
- Creating an ASiC-E container and signing it with the new and old ID-card, and:
  - validating the created containers with eID end-user software;
  - validating the created containers with the eID SIVA service.
- We recommend checking earlier BDOCs where only TM signatures are used, as well as BDOCs where TS signatures are used.
When testing with test cards, make sure the systems under test are configured to recognise test certificates. When testing with test certificates, the SIVA test address should be used: https://siva-arendus.eesti.ee/V2test/
If the information system has been built so that the base library of the eID software communicates with the ID-card in the user’s device directly through the driver (not signing via a browser plugin), it is recommended to test all operating systems supported by the system.
To make sure that the software installed on the computer works with the new ID-card, you can test signing in the browser on the GitHub hwcrypto page.
Changes related to the new ID-card in 2018:
- The default file format in the basic eID software is now .ASICE and only timestamp (TS) signatures are created. This means that files in different formats (e.g. .BDOC files with TS signatures) can be in use simultaneously. Information systems using the outdated JDIGIDOC library may have difficulties processing .ASICE envelopes.
- OCSP – for more information on OCSP certificate checking, see AIA-OCSP. When creating signatures it must be ensured that the AIA-OCSP service with unrestricted access is used only for timestamp (TS) signatures. Timemark (TM) signatures are not permitted with this service.
- The format of the certificate SN (SerialNumber) field will change (the prefix ‘PNOEE-’ will be added).
- This may affect information systems that use the personal identification code and read it from the serial number field of the certificate.
- Transition to the ASICE format in the eID software – this affects information systems using the older Java library (Jdigidoc) without support for that format.
Information systems that use the ID-card only for obtaining identification data (the personal identification code), where the user does not have to identify themselves with PIN1, are used as loyalty card systems. This includes commercial establishments, access control systems and ticket purchasing systems.
There are several options for obtaining the personal identification code from an ID-card: reading it from the personal data file or from the certificate.
Which tests should be made with ID-cards?
As the new producer’s cards did not replace the existing cards but were added alongside them, it is important to keep in mind while testing that both new and old cards must work correctly at the same time and that the systems know how to choose the right method for obtaining personal data (certificate or personal data file).
More detailed testing instructions are difficult to define as the systems are very different. You should definitely try the main positive scenarios and the most common error situations with both the new and the old card.
Changes related to the new ID-card:
The ID-card updated in 2018 includes some changes in how its data is used, compared with the earlier one.
- The structure of personal data and commands to obtain personal data from the card have changed.
- This affects systems which use the personal data file on the ID-card to obtain information.
- The format of the certificate SN (SerialNumber) field will change (the prefix ‘PNOEE-’ will be added).
- This may affect systems that obtain the personal identification code from the certificate’s ‘serial no.’ field.
- The format of the e-mail address on the certificate will change. The new format is [email protected].
- This may affect systems which also read e-mail addresses.
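As an added example (not code from the original page, RIA or SK), the following Python routine reads the personal identification code from the certificate’s serialNumber field in both the legacy bare form and the ESTEID2018 ‘PNOEE-’ form that the sections above warn about, so a system keeps working while both card generations are in use. The sample serial numbers are constructed; the check-digit test is the standard Estonian personal code algorithm, which the page itself does not describe.

```python
import re
from typing import Optional

# Constructed sample values (not real persons); their check digits follow
# the standard Estonian personal code algorithm implemented below.
LEGACY_SN = "38001085718"            # pre-2018 certificate: bare personal code
ESTEID2018_SN = "PNOEE-38001085718"  # ESTEID2018 certificate: TS 119 412-1 prefix added

# Optional 3-letter semantics identifier + 2-letter country, then the 11-digit code.
_SN_RE = re.compile(r"^(?:(?P<scheme>[A-Z]{3})(?P<country>[A-Z]{2})-)?(?P<code>\d{11})$")


def personal_code_is_valid(code: str) -> bool:
    """Check-digit test for an Estonian personal identification code."""
    if not re.fullmatch(r"\d{11}", code):
        return False
    digits = [int(c) for c in code]
    first = [1, 2, 3, 4, 5, 6, 7, 8, 9, 1]
    second = [3, 4, 5, 6, 7, 8, 9, 1, 2, 3]
    check = sum(d * w for d, w in zip(digits[:10], first)) % 11
    if check == 10:  # fall back to the second weight set
        check = sum(d * w for d, w in zip(digits[:10], second)) % 11
        if check == 10:
            check = 0
    return check == digits[10]


def personal_code_from_serial(sn: str) -> Optional[str]:
    """Extract the personal code from a subject serialNumber attribute value.

    Accepts the legacy bare 11-digit form and the ESTEID2018 form
    'PNOEE-<code>'. Returns None for anything else: another semantics
    identifier (e.g. a passport-based one), another country, or a value
    that fails the check-digit test, so callers never treat the raw
    prefixed string as a personal code by accident.
    """
    m = _SN_RE.match(sn.strip())
    if m is None:
        return None
    if m.group("scheme") is not None and (m.group("scheme"), m.group("country")) != ("PNO", "EE"):
        return None
    code = m.group("code")
    return code if personal_code_is_valid(code) else None


if __name__ == "__main__":
    for sn in (LEGACY_SN, ESTEID2018_SN, "PASEE-38001085718"):
        print(f"{sn!r:>22} -> {personal_code_from_serial(sn)}")
```

Systems that previously compared the raw serialNumber string against a stored personal code will see the prefixed form as a different user; normalising through a function like this on both the old and the new card is the test case the sections above ask for.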