X-tee: trust services and their providers
In the context of X-Road, trust services are defined as:
- e-Seal certificate ( sign certificate)
- authentication certificate ( auth certificate)
- certificate validity confirmation service (OCSP - Online Certificate Status Protocol)
- time-stamping service
The e-Seal certificate is issued to the organization that requested it, and this certificate is used to sign queries made on behalf of the organization. This ensures that the request is made by the organization specified in the query.
The authentication certificate is issued to a specific Security Server, and this certificate is used to communicate with other Security Servers. When a Security Server communicates with another Security Server, both Security Servers prove with their authentication certificate that it is the correct Security Server.
The certificate validity confirmation service certifies that the certificate to be inspected has been recognized as valid by the certification center. By default, the validation is updated every 48 minutes and the validation is checked if either an e-Seal or an authentication certificate is used.
The time-stamping service stamps messages from the Security Server with a timestamp so that you can later see which messages were sent at a certain time. The time-stamping occurs every 48 minutes.
At least 1 e-Seal certificate and at least 1 authentication certificate must be imported to the X-Road Security Server. If the Security Server also hosts other organizations, the sign certificate of each hosted organization must be imported into the Security Server. When hosting, it is a good practice to keep e-Seal certificates on a separate signing device.
In the X-tee Self-Service environment, certificates can be ordered using a Certificate Signature Request (CSR) created in the Security Server.
The following instructions describe how to create CSR's on a Security Server:
Trust service providers
Both SK ID Solutions AS and RIA (Estonian Information System Authority) offer trust services on X-tee. To help you choose between them, we've highlighted a few key differences.
|General parameters||Estonian Information System Authority||SK ID Solutions AS|
|supported X-Road environments|
|signing device requirement||recommended|
mandatory in the production environment
|cost of services||free||according to the price list|
|monitoring of services||troubleshooting only on weekdays||SLA 24/7 in the production environment|
Key differences explained:
- Signing device requirement: Also known as HSM (Hardware Secure Module) is required for storing the identity of the organization (e-Seal certificate private key), which is used to sign X-Road requests mediated by the Security Server.
RIA (Estonian Information System Authority) does not require the use of a signing device (HSM), but we strongly recommend using a physical HSM device in the production environment to store the organization's e-Seal certificate.
- Qualified certificates vs. not qualified certificates: The use of qualified certificates is important for probative value. They help to ensure that the certificates used are related to the correct parties (authenticity). The Estonian Information System Authority is not a qualified trust service provider as defined by the eIDAS regulation.
When to use eIDAS qualified certificates?
A qualified certificate is a guarantee that the person's identity was established when the certificate was issued and the use of a qualified signature-creation-device (HSM) is a guarantee that the data used to create a signature (private key) is under the sole control of the signer. This is important when there is a need to ensure the probative value of query signatures. We recommend that you use qualified certificates if you provide data services that must meet some security standard (such as ISKE high security standard), or if it is important to provide probative value for the data exchanged.