LDAP

SK public directory service is available via the LDAP and contains two different catalogues:

  • esteid.ldap.sk.ee that contains valid certificates issued for Estonian personal identification documents in ID-1 format (issued by intermediate CA’s ESTEID2018 and ESTEID2015) and for Mobile-ID (issued by intermediate CA ESTEID2015)
  • k3.ldap.sk.ee that contains information about all the issued and valid organisation certificates
    When a certificate is suspended or revoked, it is removed from the directory. Expired certificates are removed from the directory during the first day after the expiry date.

The directory service queries must be submitted using the LDAPS protocol. Only data exchange with TLS encryption supported. Maximum of 50 certificate entries will be returned as a response.

The service access is unrestricted (anonymous bind, simple authentication). The availability of the catalog is at least 99% per year.

Below you can find a detailed description of the directory layout. Description of the layout is necessary for conducting data searches in the directory.

ESTEID LDAP TECHNICAL DESCRIPTION

The directory service queries must be submitted using the LDAPS protocol. The service access is unrestricted (anonymous bind, simple authentication) around the clock. There is support only for data exchange with TLS encryption and TLS client authentication. Maximum of 50 certificate entries will be returned as a response.

Directory is available via esteid.ldap.sk.ee port 636.

Below you will find a detailed description of the directory layout. Knowledge of the layout is necessary for conducting data searches in the directory.

ESTEID LDAP DIRECTORY STRUCTURE

Directory tree list (personal certificates)

 

Searching for personal certificates is restricted by certificate owner’s identity number (serialNumber) in the form „PNOEE-38001085718“ or by certificate’s CN (CommonName) field in the form „JÕEORG,JAAK-KRISTJAN,38001085718“.

LDAP QUERY EXAMPLES

Example query from the Linux or Mac command line to search for a personal certificate:

  1. Query without CA certificate chain of LDAP:
    LDAPTLS_REQCERT=allow ldapsearch -H ldaps://esteid.ldap.sk.ee/ -x -b “c=EE” “(serialNumber=PNOEE-38001085718)”
  2. Query with CA certificate of LDAP (LDAP CA certificate can be found here):
    LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps://esteid.ldap.sk.ee/ -x -b “c=EE” “(cn= JÕEORG,JAAK-KRISTJAN,38001085718)”
KLASS3 LDAP TECHNICAL DESCRIPTION

The directory service queries must be submitted using the LDAPS protocol. The service access is unrestricted (anonymous bind, simple authentication) around the clock. There is support only for data exchange with TLS encryption and TLS client authentication. Maximum of 50 certificate entries will be returned as a response.

Directory is available via k3.ldap.sk.ee port 636.

Below you will find a detailed description of the directory layout. Knowledge of the layout is necessary for conducting data searches in the directory.

KLASS3 LDAP DIRECTORY STRUCTURE

Directory tree list (organisation certificates)

LDAP EXAMPLES OF QUERIES

Example queries from the Linux or Mac command line for finding organisation certificates:

  1. Query without CA certificate chain of LDAP.
    By the name of the organisation:
    LDAPTLS_REQCERT=allow ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b “” “(cn=SK ID Solutions AS)”
    By the registry code:
    LDAPTLS_REQCERT=allow ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b “” “(serialNumber=10747013)”
  2. Query with CA certificate of LDAP (LDAP CA certificate can be found here).
    By the name of the organisation:
    LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b “” “(cn=SK ID Solutions AS)”
    By the registry code:
    LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b “” “(serialNumber=10747013)”

Queries can be narrowed using a country code if the location of the organisation is known:
LDAPTLS_REQCERT=allow ldapsearch -H ldaps://k3.ldap.sk.ee/ -x -b “c=EE” “(cn=SK ID Solutions AS)”