A functioning X-Road ecosystem requires two types of trust services:
time-stamping authority (TSA)
certification authority (CA).
Trust Service Providers are the organizations that provide these services. They may be commercial third parties, or the X-Road Operator may provide and maintain the services itself. Regardless of who provides them, the services must meet certain technical requirements.
...
The certificates must be compliant with the RFC5280 specification.
The CA must accept PKCS#10 Certificate Signing Requests (CSRs).
The CA must support issuing certificates for RSA public keys with a length of at least 2048 bits.
The CA must sign certificates with RSA using a key of at least 2048 bits and the SHA-256 (or stronger) hash function.
...
The Key Usage field must include at least one of the following values: digitalSignature, keyEncipherment or dataEncipherment.
The Key Usage field must not include nonRepudiation (the bit RFC 5280 also calls contentCommitment).
The Extended Key Usage field may contain ClientAuthentication or ServerAuthentication.
Requirements for signing certificates
The Key Usage field must include nonRepudiation.
The issuing CA must ensure that Qualified eSeal certificates are issued only if the private key is stored on a Qualified Signature Creation Device (QSCD).
The CA must ensure that Advanced eSeal certificates are issued only if the private key is handled securely by the certificate owner.
When a Qualified Signature Creation Device is used, the device must support the PKCS#11 interface for connectivity.
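As an added example (not part of the X-Road documentation or the X-Road code base), the Go program below walks through the issuance flow the certificate requirements above describe and then checks the result against them: a constructed self-signed test CA, a subscriber RSA key and its PKCS#10 CSR, CA-side verification of the CSR's proof-of-possession signature, issuance, and a check of the subject and CA RSA key sizes, the certificate signature algorithm, and the Key Usage rules for authentication and signing certificates. The test CA, the member name "member1", the CertKind type, the kuAuth/kuSeal presets and the function names are assumptions made for this example; the Extended Key Usage rule ("may contain") permits values rather than requiring them, so it is not enforced, and the QSCD/PKCS#11 and OCSP requirements are out of scope here. Go's crypto/x509 names the nonRepudiation bit KeyUsageContentCommitment, following RFC 5280.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertKind selects which X-Road requirement set applies to a member certificate.
type CertKind int

const (
	AuthCert CertKind = iota // authentication certificate
	SignCert                 // signing (eSeal) certificate
)

// Key usage presets; Go names the RFC 5280 nonRepudiation bit KeyUsageContentCommitment.
const (
	kuAuth = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	kuSeal = x509.KeyUsageContentCommitment
)

// CheckXRoadCert lists requirement violations for cert (empty means it passed);
// issuer is the CA certificate and may be nil when it is not at hand.
func CheckXRoadCert(cert, issuer *x509.Certificate, kind CertKind) []string {
	var p []string
	if k, ok := cert.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < 2048 {
		p = append(p, "subject key: not RSA or shorter than 2048 bits")
	}
	if issuer != nil {
		if k, ok := issuer.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < 2048 {
			p = append(p, "CA signing key: not RSA or shorter than 2048 bits")
		}
	}
	switch cert.SignatureAlgorithm { // RSA with SHA-256 or stronger
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
	default:
		p = append(p, "signature: RSA with SHA-256 or stronger required, got "+cert.SignatureAlgorithm.String())
	}
	if kind == SignCert && cert.KeyUsage&kuSeal == 0 {
		p = append(p, "sign cert: KeyUsage must include nonRepudiation")
	}
	if kind == AuthCert && cert.KeyUsage&(kuAuth|x509.KeyUsageDataEncipherment) == 0 {
		p = append(p, "auth cert: KeyUsage needs digitalSignature, keyEncipherment or dataEncipherment")
	}
	if kind == AuthCert && cert.KeyUsage&kuSeal != 0 {
		p = append(p, "auth cert: KeyUsage must not include nonRepudiation")
	}
	return p
}

func must[T any](v T, err error) T { // fixtures only: a failure here is a bug, not bad input
	if err != nil {
		panic(err)
	}
	return v
}

// IssueAndCheck runs the whole flow on constructed keys: a self-signed test CA of caBits,
// a subscriber key of subjectBits with its PKCS#10 CSR, CA-side validation and issuance
// with key usage ku, then the requirement check on the resulting certificate.
func IssueAndCheck(subjectBits, caBits int, kind CertKind, ku x509.KeyUsage) ([]string, error) {
	now := time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, caBits))
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	// Subscriber side: generate the key and a PKCS#10 request for it.
	subKey := must(rsa.GenerateKey(rand.Reader, subjectBits))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "member1"}}, subKey))
	// CA side: parse the CSR, verify its proof-of-possession signature, issue for one year.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, KeyUsage: ku,
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, t, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return CheckXRoadCert(must(x509.ParseCertificate(der)), caCert, kind), nil
}

func main() {
	fmt.Println(IssueAndCheck(2048, 2048, AuthCert, kuAuth))        // compliant: [] <nil>
	fmt.Println(IssueAndCheck(2048, 2048, AuthCert, kuAuth|kuSeal)) // nonRepudiation on an auth cert
	fmt.Println(IssueAndCheck(2048, 2048, SignCert, kuAuth))        // nonRepudiation missing on a sign cert
	fmt.Println(IssueAndCheck(1024, 2048, SignCert, kuSeal))        // 1024-bit subject key
}
```

CheckXRoadCert works on any *x509.Certificate, so the same function can be pointed at a real member certificate loaded with x509.ParseCertificate (and its CA certificate as issuer) when vetting a Trust Service Provider; the main function only exercises it on the constructed cases.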
...
The issuing CA must provide an OCSP certificate validation service that is compliant with RFC6960 or RFC2560.
The certificate validation service must sign its responses with RSA using a key of at least 2048 bits and the SHA-256 (or stronger) hash function.
...