Call to e-service providers using Mobile-ID: configure the EID-SK 2016 intermediate certificate and review certificate profile changes!
From 2nd of July, SK ID Solutions will start issuing new end-user certificates to all new Mobile-ID documents from under the EID-SK 2016 certificate chain. For all e-services to continue working with the new Mobile-ID certificates the service owners must trust the EID-SK 2016 intermediate certificate in addition to the existing ESTEID-SK 2015 intermediate certificate. In addition, the certificate profile changes need to be considered.
The change is scheduled for 2nd of July 2022 and affects all information systems and applications that allow authentication or digital signatures using the Mobile-ID service.
The EID-SK 2016 intermediate certificate is already in use for Lithuanian Mobile-ID documents and Smart-ID. Now it is about to be used for the issuance of Estonian Mobile-ID documents. At the same time, continued ESTEID-SK 2015 support is still necessary for the existing Mobile-IDs and those issued up to 1st of July would continue to function until their expiry across all e-services.
For all e-services to continue working with the Mobile-ID issued from 2nd of July, all e-service providers must promptly add the intermediate certificate EID-SK 2016 to their information systems (list of trusted certificates).
In addition, we kindly ask you to review if the following changes in certificate profile will impact your e-services. Mobile-ID certificates issued from 2nd of July 2022:
- have no personal code on CommonName field, personal code is on SerialNumber field;
- have first name before surname (for example MARI,MAASIKAS) on CommonName field;
- have no @eesti.ee e-mail address;
- is not possible to download revocation (CRL) list;
- is not published in LDAP catalogue.
If you fail to add the new intermediate certificate configuration, users will be unable to access your e-service or generate digital signatures using the new Mobile-ID.
Please check in our DEMO environment that your system is compatible with the changes that will take effect on 02.07.2022. You can use a Mobile-ID test number with a new certificate profile to test.
- Test number that allows for testing of the change in the demo environment are available here: https://github.com/SK-EID/MID/wiki/Test-number-for-automated-testing-in-DEMO
- More information on verifying the authentication response is available here: https://github.com/SK-EID/MID#336-verifying-the-authentication-response
- Example on how this change can be implemented: https://github.com/SK-EID/mid-rest-java-client#validate-returned-certificate-is-a-trusted-mid-certificate
- Information on this change if PHP library is used (see step #9): https://github.com/SK-EID/mid-rest-php-client#example-of-authentication
- SK certificate information is available here: https://www.skidsolutions.eu/en/repository/certs/
SK signed a new 5-year contract with Estonia to continue issuing Mobile-ID and Mobile-ID will continue as governmental document.