Certificate hierarchy reform 2021-2022

 

In spring 2021, the Digital and Population Data Services Agency produced two new certificate hierarchies. The new parallel certificate hierarchies contain new root certificates and new certification authority (CA) certificates. To use certificates, these new certification authorities must be set as trusted in our customers' work stations and information systems.

  • Generally, the certificates should be set as trusted on all work stations centrally in AD. Please contact your information management unit for more information. Microsoft has a customer guide for adding a new CA in AD.
  • For information systems, trust in CA is set by the party maintaining each information system. Please contact the suppliers/administrators of your information systems for more information.

One of the new certificate hierarchies has been produced with the RSA technology currently in use and the other with the newer ECC technology. ECC certification authorities and certificates use the parameters according to secp384r1 (NIST P-384).

The new certification authorities will be introduced into production between December 2021 and February 2022. After this, new certificates issued by DVV will be issued by these certification authorities.

​​​​​Date of first use:

  • Service Certificates and Service Certificates for the social welfare and healthcare sector: 9.12.2021
  • Organisation card: 3.2.2022
  • ID card for regulated social welfare and healthcare professionals, and personnel and operator card: 10.2.2022
  • Identity card (Citizen Certificate): 17.2.2022
  • Replacement card (temporary certificate): 24.2.2022

The reform will not affect certificates or cards that have already been issued. Previously issued certificates and certificate cards can be used normally for the duration of their validity, and it is not necessary to renew them due to the change in the certificate hierarchy.
The certificate hierarchy is reformed because of the agency’s name change. The certification authorities currently in production operate under the name of the Population Register Centre.

 

The new certificate hierarchies

The new certificate hierarchies are the following:

  • Root Certificate: DVV Gov. Root CA - G3 RSA
    • Citizen Certificates: DVV Citizen Certificates - G4R
    • Organisation Certificates: DVV Organisational Certificates - G4R
    • Temporary certificates for replacement cards: DVV Temporary Certificates - G3R
    • Service Certificates: DVV Service Certificates - G5R
    • Social welfare and health care professionals’ certificates: DVV Social Welfare and Healthcare Prof. Certificates - G2R
    • Temporary certificates of social welfare and healthcare professionals: DVV Social Welfare and Healthcare Prof. Temp. Certificates - G2R
    • Service Certificates for the social welfare and healthcare sector: DVV Social Welfare and Healthcare Service Certificates - G3R
    • Time Stamp Certificates: DVV Time Stamp Certificates - G2R
  • Root Certificate: DVV Gov. Root CA - G3 ECC
    • Citizen Certificates: DVV Citizen Certificates - G4E
    • Organisation Certificates: DVV Organisational Certificates - G4E
    • Temporary certificates for replacement cards: DVV Temporary Certificates - G3E
    • Service Certificates: DVV Service Certificates - G5E
    • Social welfare and health care professionals’ certificates: DVV Social Welfare and Healthcare Prof. Certificates - G2E
    • Temporary certificates of social welfare and healthcare professionals: DVV Social Welfare and Healthcare Prof. Temp. Certificates - G2E
    • Service Certificates for the social welfare and healthcare sector: DVV Social Welfare and Healthcare Service Certificates - G3E
    • Time Stamp Certificates: DVV Time Stamp Certificates - G2E

The new certificates can be downloaded from the CA Certificates page.

The technical specifications for new certificate hierarchies (the FINEID S2 v5.0 document) will be published in autumn 2021 on the FINEID specifications page.

DVV has produced test hierarchies corresponding to the new certificate hierarchies. They will enable ordering new test cards and test service certificates. We will notify you separately when you can start ordering test cards. When the new certificates are introduced, we ask our customers to verify that existing software and systems work with them.

When the new test cards become available, we will also ask you to test the functionality of your software with the new cards. Please report any problems, incompatibilities, or error conditions as soon as possible at: varmennepalvelut(at)dvv.fi

More information: varmennepalvelut(at)dvv.fi