Server Certificates

Usage of the OU field (Organizational Unit) in server certificates is deprecated starting 1.9.2022. The change does not affect server certificates issued prior to 1.9.2022. The change does not require actions by our customers.

The validity time of new server certificates issued by Digital and Population Data Services Agency is one year starting 1.9.2020.

It is also necessary to identify the service provider in on-line services. The Digital and Population Data Services Agency issues server certificates to this end. They can be used for identifying public as well as private sector services. Using a server certificate lets the user of a service verify the authenticity of the service provider.

Important information regarding applications for new server certificates

The Digital and Population Data Services Agency will no longer issue server certificates or social welfare and healthcare server certificates based only on an IP address after 15 September 2023. Because of this, an application for a certificate must include either a domain name or a domain name and an IP address.  

In addition to the above, from 15 September 2023 onwards, the Digital and Population Data Services Agency will stop issuing server certificates that contain an email address.  This change does not affect email certificates, which are a type of certificate separate from server certificates.

A server certificate enables SSL-protected communications between a browser and the server or between two servers. A server certificate is issued for one or two years, as chosen by the certificate applicant. Key pairs used by server certificates are created by the server administrator. The key may be 2048 or 4096 bits long.

Digital and Population Data Services Agency is the only Finnish Certificate Authority offering EU-qualified QWAC certificates (Qualified website authentication certificate).

The server certificate's use may be defined by usage:

  • for server authentication
  • for client authentication
  • both simultaneously (server authentication and client authentication).

Server certificates issued by the Digital and Population Data Services Agency may be used to implement three kinds of on-line services:

  • server-only certificate
  • server certificate and user certificate (non-predetermined users)
  • server certificate and user certificate (predetermined users)

In the more recent telephone certificates, the serial number of the certificate follows a new longer format, which may have to be taken into account in the development of information systems to avoid interoperability problems.
The old, longer format: hex 0bf4eab0 = decimal 200600240
The new, longer form: hex 0100000168f0a805c366b43b5de968c691fb = decimal 87112293252494463413683796322992020427259

Server-only certificate

The pages of a Web service are defined to entirely or partially use protected communications. In this case, communications are protected from external parties between the server and the user's browser (SSL/TLS). In this solution, a Certificate Authority's certificate trusted by both parties needs to be installed on the server and the user's browser. The Digital and Population Data Services Agency sells server certificates to service providers. Services may utilize a traditional combination of user ID and password.

Server certificate and user certificate (non-predetermined users)

As in the previous section (a server-only certificate), but users receive certificates issued by a trusted Certificate Authority (card, card readers and card reader software, for instance SetWeb or SmartTrust Personal software), based on which different services for a broad, non-predetermined user base are implemented. Typical examples of this are governmental services and, e.g., web stores. It provides strong user authentication. Utilizing user certificates does not cost anything for the service provider! The electronic client identifier in the Citizen Certificate may be used to retrieve the user's personal identity number and/or postal address from the Population Information System (Digital and Population Data Services Agency's non-free service, also requires permission to disclose information) by way of an application query. Other unique IDs are used in organization certificates. Enables electronic signature of data (documents).

Server certificate and user certificate (predetermined users)

As in the previous section (server certificate and user certificate, non-predetermined users), but the user certificate is linked to some (operating system, database, etc.) user ID and user rights. In this solution, the user's certificate needs to be retrieved in advance to link the user’s ID with, e.g., LDAP. The certificate may also be copied directly from the card in the presence of the cardholder. In this case, the issuer of the user right sees the ID card (and its holder). An ID card's Citizen Certificate or organization-specific organization certificates may be used as certificates.

This is a typical option in systems where databases are updated, for instance. Different users have different rights in the system. It is popular for both Intranet and extranet uses. This method can also be used in specifying an on-line service's maintenance IDs in the first two options above.

Users do not need to remember different user IDs and passwords, making user ID management easier. Certificate validity and revocation list checks must be performed.

In practice, an extensive on-line service comprises parts of the previous sections. For instance, user certificates are linked to existing customer data (e.g. a customer postal address is requested from the user instead of programmatically retrieving it from the Population Information System). Existing background systems and the service's functionality requirements have an effect on its implementation.

Server certificates may also be utilized elsewhere, such as in e-mail servers and for mutual communication between different gateway software and hardware.