Information Related to the Implementation of the KLASS3-SK 2016 Intermediate Certificate for e-Service Providers

The information in the article will be updated on an ongoing basis!

The information below is important in particular for owners of information systems that use an e-Seal, a certificate for encryption or authentication, or an SSL certificate issued by SK ID Solutions AS (SK).

Why are the changes taking place?

In accordance with the renewed requirements for certification services, SK ID Solutions AS (SK) introduced a new intermediate certificate, KLASS3-SK 2016. Starting from June 1, 2017, all organisation certificates are issued under the new KLASS3-SK 2016.

What will be the impact of these changes?

This change concerns in particular the owners of information systems that receive a new certificate issued after June 1, 2017: KLASS3-SK 2016 then has to be configured together with the new certificate. However, all third-party information systems or applications that check the validity of digitally stamped files are also affected. All necessary settings can be made in advance.

When will the certificates from the new chains be issued?

Certificates issued under the new intermediate CA are available starting from June 1, 2017. After this date no certificates are issued under KLASS3-SK 2010.

What will happen with certificates issued before 01.06.2017?

All certificates issued under the old CA remain valid until their "valid to" date. There is no need to replace or renew them.

What will happen if the support for the new certificates is not added?

If the new KLASS3-SK 2016 has not been added to the configuration of the system or application, you cannot use a new e-Seal, certificate for encryption or certificate for authentication issued after 01.06.2017. Your web server will also not be trusted by browsers, and some digitally stamped files cannot be verified.

Where can one obtain the new intermediate certificate?

The new intermediate certificate, called KLASS3-SK 2016, is available from the SK repository: www.sk.ee/certs

KLASS3-SK 2016 is issued by the existing root certificate EE Certification Centre Root CA.

Which validity confirmation (OCSP) certificate will be validating responses of KLASS3-SK 2016 certificates?

OCSP responses for certificates issued by KLASS3-SK 2016 must be verified with the SK OCSP RESPONDER 2011 certificate (the same responder certificate is used for KLASS3-SK 2010).

What kind of changes are made in the KLASS3-SK 2016 certificate?

  • KLASS3-SK 2016 is based on a 4096-bit RSA key and uses the SHA-384 hash algorithm (sha384WithRSAEncryption).
  • An ‘OrganizationIdentifier’ (OID 2.5.4.97) attribute has been added to the distinguished name (DN) of the certificate, with the value NTREE-10747013. This is required by clause 4.2.1 of the ETSI standard EN 319412-3, and its contents are explained in clause 5.1.4 of the standard EN 319412-1. ‘OrganizationIdentifier’ is a new, less common DN attribute: software may not support it, or different software may interpret it differently. For example, software that does not recognise ‘OrganizationIdentifier’ may display it as an unknown attribute named OID.2.5.4.97.
  • The content of the Policy Qualifier fields in the certificate has been changed in order to better comply with the requirements of RFC 3647. As a result, the OIDs of the certificate policies have been shortened, and the version-number indicator at the end is dropped. This also follows directly from the ETSI EN 319411 standards.

What changes will occur in the end certificates?

  • An ‘OrganizationIdentifier’ (OID 2.5.4.97) attribute has been added to the certificate issuer field; see the explanation in the previous section.
  • An AIA extension (Authority Information Access extension) has been added to the certificate: http://aia.sk.ee/klass3-2016
  • The content of the Policy Qualifier fields has been changed. The changes are described in detail in the profile document https://www.sk.ee/repositoorium/profiil/ in the section "Asutuste sertifikaadid".
  • There is no CRL available for KLASS3-SK 2016.

Info for services and information systems where documents are digitally stamped or where digitally stamped documents are validated

Information systems that use DigiDoc libraries for digital stamping or for validating digitally stamped files have to be checked and, if needed, the KLASS3-SK 2016 certificate must be added to the certificates folder used by the library, after which the corresponding links must be added to the configuration file. Additional instructions can be found in the documentation of the specific library: https://www.id.ee/36107.

Users of trusted service lists (TSLs) in libraries have to use the latest trusted service list published by the Technical Regulatory Authority (https://sr.riik.ee/tsl/estonian-tsl.xml).

Info for services that use TempelPlus digital stamping software

Users of TempelPlus software have to check and, if needed, add the KLASS3-SK 2016 certificate to the certificates folder used by the jdigidoc library, and then add the corresponding links to the configuration file. Additional info: https://www.id.ee/public/SK-JDD-PRG-GUIDE.pdf

Info for services that use web server (SSL) certificates issued by SK

When configuring support for a new SSL certificate issued after 01.06.2017, KLASS3-SK 2016 also has to be added to the configuration, so that the server presents the complete chain to clients.

PS. An easy way to check the configuration of your web server is here: https://www.ssllabs.com/ssltest/. Enter the address of your webpage that uses a web server certificate issued by SK.
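The two statements above (a server or application that lacks the intermediate is not trusted; adding the intermediate to the configuration fixes it) can be reproduced offline. The following script is an added example and is not SK's own material: it builds a throwaway three-tier chain (root, intermediate, leaf) with openssl, then verifies the leaf once with only the root as a trust anchor and once with the intermediate supplied as well. All names and keys are constructed test values; the real KLASS3-SK 2016 and EE Certification Centre Root CA certificates are not used.

```shell
#!/bin/sh
# Added example (not from SK): demonstrates why a missing intermediate
# certificate breaks path validation and how supplying it fixes it.
# Requires the openssl command-line tool. Everything is generated into a
# temporary directory; the subjects below are constructed test values.

WORK="$(mktemp -d)"
EXT="$WORK/ext.cnf"

make_chain() {
    # Self-signed test root (RSA + SHA-384, the same algorithm family the
    # page names for KLASS3-SK 2016; key size reduced to keep generation fast).
    openssl req -x509 -newkey rsa:2048 -nodes -sha384 -days 30 \
        -subj "/O=Example Test CA/CN=Example Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    # Test intermediate, signed by the root and marked as a CA.
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Test CA/CN=Example Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha384 -days 30 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$EXT" -out "$WORK/int.pem" 2>/dev/null

    # Test end-entity certificate (stand-in for an e-Seal or server
    # certificate), signed by the intermediate.
    printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature\n' > "$EXT"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=example-leaf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha384 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$EXT" -out "$WORK/leaf.pem" 2>/dev/null
}

# Exit status 0 only if the leaf verifies with the root alone, i.e. with the
# intermediate absent from the configuration. Expected: non-zero.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Exit status 0 only if the leaf verifies when the intermediate is supplied
# as an untrusted chain element (what "adding KLASS3-SK 2016 to the
# configuration" achieves in practice). Expected: zero.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain

if verify_without_intermediate; then
    echo "root only: leaf verified (unexpected)"
else
    echo "root only: verification fails, issuer certificate not found"
fi

if verify_with_intermediate; then
    echo "root + intermediate: leaf verified"
else
    echo "root + intermediate: verification fails (check openssl output)"
fi
```

For a web server the equivalent of the `-untrusted` argument is to include the intermediate in the chain the server sends: concatenate the server certificate and the intermediate into the certificate file the server is configured with (or use the server's separate chain-file directive), restart the service, and confirm with an external check such as the SSL Labs test mentioned above that the chain is reported as complete.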

What do the users of the online DigiDocService have to do?

SK will add the new certificates to the online DigiDocService itself, so DigiDocService users generally do not have to make any changes to their information systems.

How does the change impact DigiDoc3 Client users?

  • To validate digitally stamped files in BDOC or ASiC-E format: users with ID-software version 3.10 or later do not have to do anything, because when signatures are checked, support for the new certificate is obtained automatically from the official trust list published by the Technical Regulatory Authority. It is important to allow the automatic renewal of trust lists.
  • It is not possible to validate DDOC files digitally stamped with an e-Seal issued after June 1, 2017; their status is shown as "unknown".
  • To use an e-Seal issued after June 1, 2017 for digital stamping or encryption with DigiDoc3 Client you only need the latest ID-software. Support for KLASS3-SK 2016 is distributed through central configuration management, so it is important that the user's computer is allowed to update through central configuration management.

How can this be tested?

We have created .bdoc and ASiC-E files that are signed with a certificate issued under KLASS3-SK 2016 and carry a validity confirmation signed with the SK OCSP RESPONDER 2011 certificate. With these files you can test whether all the necessary certificates are correctly configured in your digital signature systems, libraries and document management systems:

  • Qualified e-Seal on the QSCD
  • Qualified e-Seal which is not on the QSCD

If I have any questions, where can I get additional information?

Any additional questions regarding these changes should be sent to: support at sk dot ee.
