Service Certificates

In on-line services it is also necessary to identify the service provider. The Population Register Centre (PRC) issues server certificates for this purpose. They can be used to identify public as well as private sector services. Using a server certificate lets the user of a service verify the authenticity of the service provider.

A server certificate enables SSL/TLS-protected communications between a browser and the server or between two servers.

A server certificate is issued for one or two years, as chosen by the certificate applicant.

Key pairs used by server certificates are created by the server administrator. The key may be 2048 or 4096 bits long.

A server certificate is issued for one of the following usages:

  • for server authentication
  • for client authentication
  • both simultaneously (server authentication and client authentication).

Server certificates issued by the PRC may be used to implement three kinds of on-line services:

  • server-only certificate
  • server certificate and user certificate (non-predetermined users)
  • server certificate and user certificate (predetermined users)

Server-only certificate

The pages of a Web service are configured to use protected communications either entirely or in part. Communications between the server and the user's browser are then protected from external parties (SSL/TLS). For this, a Certificate Authority's certificate trusted by both parties must be installed on the server and in the user's browser. The PRC sells server certificates to service providers. Services may use a traditional combination of user ID and password.

Server certificate and user certificate (non-predetermined users)

As in the previous option (server-only certificate), but users also hold certificates issued by a trusted Certificate Authority (a card, a card reader and card reader software, for instance SetWeb or SmartTrust Personal), on which services for a broad, non-predetermined user base can be built. Typical examples are governmental services and, e.g., web stores. This provides strong user authentication. Utilizing user certificates does not cost the service provider anything! The electronic client identifier in the Citizen Certificate may be used to retrieve the user's personal identity number and/or postal address from the Population Information System by way of an application query (a non-free PRC service that also requires permission to disclose the information). Organization certificates use other unique IDs.

This option also enables electronic signing of data (documents).

NB! Certificate validity and revocation list checks must be performed!

Server certificate and user certificate (predetermined users)

As in the previous option (server certificate and user certificate, non-predetermined users), but the user certificate is linked to some user ID (operating system, database, etc.) and its user rights. In this solution, the user's certificate must be obtained in advance so that it can be linked to the user ID in, e.g., LDAP. The certificate may also be copied directly from the card in the presence of the cardholder, in which case the issuer of the user right sees the ID card (and its holder). An ID card's Citizen Certificate or an organization's own organization certificates may be used as the certificates.

This is a typical option in systems where, for instance, databases are updated and different users have different rights in the system. It is popular for both intranet and extranet use. This method can also be used to set up an on-line service's maintenance IDs in the first two options above.

Users do not need to remember different user IDs and passwords, making user ID management easier.

NB! Certificate validity and revocation list checks must be performed!
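As an added example (not code from the PRC page), the following openssl script builds a throwaway CA, issues a server certificate and a user certificate with the key usages described above, and performs the chain, validity period, purpose and revocation list checks that the note above calls for. All names, file names and the configuration are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the PRC page: a throwaway CA issues a server certificate
# (serverAuth) and a user certificate (clientAuth); a service-side check then verifies them.
set -e
W=$(mktemp -d); cd "$W"; mkdir newcerts; touch index.txt; echo 1000 > serial
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ server ]
extendedKeyUsage = serverAuth
[ client ]
extendedKeyUsage = clientAuth
EOF
# CA certificate trusted by both parties (installed on the server and in browsers).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 -subj "/CN=Demo Test CA" 2>/dev/null
# issue <name> <section>: administrator creates a 2048-bit key pair and a request; CA signs for one year.
issue() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions "$2" -days 365 -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue service.example.test server
issue demo-user client
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# check_cert <cert> <purpose>: chain to the CA, validity period, purpose and CRL status.
check_cert() { openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check -purpose "$2" "$1" >/dev/null 2>&1; }
check_cert demo-user.crt sslclient && echo "demo-user: accepted"
# The user's card is reported lost: revoke the certificate and reissue the CRL.
openssl ca -config ca.cnf -revoke demo-user.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
check_cert demo-user.crt sslclient || echo "demo-user: rejected (revoked)"
```

The server certificate passes only the sslserver purpose check, and the user certificate is rejected as soon as the refreshed CRL lists it, which is why the CRL must be re-fetched rather than cached indefinitely.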

In practice, an extensive on-line service combines parts of the previous options. For instance, user certificates are linked to existing customer data (e.g. the customer's postal address is requested from the user instead of being retrieved programmatically from the Population Information System). Existing background systems and the service's functional requirements affect its implementation.

Server certificates may also be used elsewhere, such as in e-mail servers and for communication between different gateway software and hardware components.