Certificate hierarchy reform 2021-2022

In spring 2021, the Digital and Population Data Services Agency produced two new certificate hierarchies. The new parallel certificate hierarchies contain new root certificates and new certification authority (CA) certificates. New certificates issued by the Digital and Population Data Services Agency will be issued by these certification authorities.

Setting certification authorities as trusted

To use certificates, these new certification authorities must be set as trusted in our customers' work stations and information systems.

  • Generally, the certificates should be set as trusted on all work stations centrally in AD. Please contact your information management unit for more information. Microsoft has a customer guide for adding a new CA in AD.
  • For information systems, trust in CA is set by the party maintaining each information system. Please contact the suppliers/administrators of your information systems for more information.

The use of certificate cards produced by new certification authorities requires the use of DigiSign Client card reader software version 4.0.20e (organisation cards and healthcare cards) or 4.2.0 (electronic ID cards) or newer.

One of the new certificate hierarchies has been produced with the RSA technology currently in use and the other with the newer ECC technology. ECC certification authorities and certificates use the parameters according to secp384r1 (NIST P-384).

​​​​​The new certification authorities have been taken into production according to the schedule below:

  • Service Certificates and Service Certificates for the social welfare and healthcare sector: 9.12.2021
  • Organisation card: 3.2.2022
  • ID card for regulated social welfare and healthcare professionals, and personnel and operator card: 10.2.2022
  • Identity card (Citizen Certificate): 17.2.2022
  • Replacement card (temporary certificate): 1.3.2022

The reform will not affect certificates or cards that have already been issued

Previously issued certificates and certificate cards can be used normally for the duration of their validity, and it is not necessary to renew them due to the change in the certificate hierarchy.
 

 

The new certificate hierarchies

The new certificate hierarchies are the following:

  • Root Certificate: DVV Gov. Root CA - G3 RSA
    • Citizen Certificates: DVV Citizen Certificates - G4R
    • Organisation Certificates: DVV Organisational Certificates - G4R
    • Temporary certificates for replacement cards: DVV Temporary Certificates - G3R
    • Service Certificates: DVV Service Certificates - G5R
    • Social welfare and health care professionals’ certificates: DVV Social Welfare and Healthcare Prof. Certificates - G2R
    • Temporary certificates of social welfare and healthcare professionals: DVV Social Welfare and Healthcare Prof. Temp. Certificates - G2R
    • Service Certificates for the social welfare and healthcare sector: DVV Social Welfare and Healthcare Service Certificates - G3R
    • Time Stamp Certificates: DVV Time Stamp Certificates - G2R
  • Root Certificate: DVV Gov. Root CA - G3 ECC
    • Citizen Certificates: DVV Citizen Certificates - G4E
    • Organisation Certificates: DVV Organisational Certificates - G4E
    • Temporary certificates for replacement cards: DVV Temporary Certificates - G3E
    • Service Certificates: DVV Service Certificates - G5E
    • Social welfare and health care professionals’ certificates: DVV Social Welfare and Healthcare Prof. Certificates - G2E
    • Temporary certificates of social welfare and healthcare professionals: DVV Social Welfare and Healthcare Prof. Temp. Certificates - G2E
    • Service Certificates for the social welfare and healthcare sector: DVV Social Welfare and Healthcare Service Certificates - G3E
    • Time Stamp Certificates: DVV Time Stamp Certificates - G2E

The new certificates can be downloaded from the CA Certificates page.

The test hierarchies corresponding to the new certificate hierarchies can be downloaded from the Test CA Certificates page. They enable ordering new test cards and test service certificates.

The technical specifications for new certificate hierarchies (the FINEID S2 v5.0 document) is published on the FINEID specifications page.

We also ask you to ensure that existing software and systems work with the new certificates and cards. Please report any problems, incompatibilities, or error conditions as soon as possible at: varmennepalvelut(at)dvv.fi

The certificate hierarchy was reformed because of the agency’s name change. The previous certification authorities operated under the name of the Population Register Centre.