The certificates used for signing SAML messages will be replaced in the production environment on March 7th, 2019

The certificates used for signing Suomi.fi e-Identification SAML messages are changing because the current certificates are expiring. Changing the certificate requires changes to the e-services that use Suomi.fi e-Identification. If you do not make the change, e-identification will not work in your e-service. Ensure with your service provider or some other corresponding party that the change is made.

Changing certificates in the production environment

The new certificate for the production environment will be taken into use on Thursday, 7 March 2019 at 12 noon. Changing the signature certificate for the production environment means that customer services must take new metadata into use. The metadata containing the new certificates was published on 13 February at the addresses below.

Customer services have two options for the implementation of the new certificate for the production environment.

  1. The use of transitional metadata

If your customer service supports the simultaneous use of two certificates, you can use the transitional metadata. In this way, the new signature certificate can be implemented flexibly in advance. With the transitional metadata, Suomi.fi e-Identification works with both the current signature certificate and the new certificate to be taken into use on 7 March 2019. The metadata which contains both the old and the new certificate can be downloaded here: https://tunnistus.suomi.fi/static/metadata/idp-metadata.xml

  2. Implementing the new metadata directly

If your customer service does not support the simultaneous use of two certificates, the new metadata must be implemented in your customer service at the same time as it is changed in Suomi.fi e-Identification, on 7 March 2019 at 12 noon. The metadata which only contains the new certificate can be downloaded here: https://tunnistus.suomi.fi/static/metadata/idp-metadata-secondary.xml

If you observe any problems in your customer service because of the change, please get in touch at tunnistus-kayttoonotot@vrk.fi.

Changing certificates in the test environment

The certificate has been replaced in the customer test environment. If you haven’t implemented the changes already in the test environment, do the following immediately:

  1. Take into use the new Suomi.fi e-Identification test environment double-certificate metadata as soon as possible and check that it works normally in your test service. The new metadata can be downloaded at https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml
  2. If it emerges within the tests that the customer service is not able to use the double-certificate metadata, a secondary single-certificate metadata must be implemented. This metadata only has the new certificate. This metadata has been taken into use on this day as the signature certificate has been replaced in the test environment. The secondary metadata has been published at https://testi.apro.tunnistus.fi/static/metadata/idp-metadata-secondary.xml.

Timetable for change of certificate

  • 13 February 2019 – Publication of metadata containing new certificates for customer production environment
  • 7 March 2019 – Customer production environment certificate is changed

 

Kind regards,

Population Register Centre