A functioning X-Road ecosystem requires two types of trust services:
time-stamping authority (TSA)
certification authority (CA).
Trust Service Providers are organizations providing these services. Trust Service Providers may be commercial third parties, or the services can be provided and maintained by the X-Road Operator too. Regardless of who provides the services, they must meet certain technical requirements.
The time-stamping authority must meet the following technical requirements:
The TSA service must be compliant with RFC3161 specification.
The TSA service must use HTTP(S) with POST
for transportation.
The TSA service must support SHA-256
or stronger hash functions in requests
The certificate that is used for time-stamping signatures must have the id-kp-timeStamping
value in the ExtendedKeyUsage
field.
The TSA service must not require the usage of reqPolicy
field in requests.
The TSA service must use at least 2048-bit RSA key and SHA-256
(or stronger) hash function for response signatures.
TSA service must maintain its accuracy within 1 second of UTC.
The Certification Authority (CA) issues certificates to Security Servers (authentication certificates) and/or X-Road member organizations (signing certificates). Some requirements apply to both certificate types while others apply to one specific type only.
In addition to the technical requirements listed in this page, a certificate profile that’s aligned with the CA’s certificate policy is required. The requirements for the certificate profile are documented here.
The certificates must be compliant with the RFC5280 specification.
The CA must accept PKCS#10 Certificate Signing Requests (CSRs).
The CA must support issuing certificates for public RSA keys with at least 2048-bit length.
The CA must use at least 2048-bit legnth RSA signature function and SHA-256
(or stronger) hash function for certificate signature.
The KeyUsage field must include at least one of the following values: digitalSignature
, keyEncipherment
or dataEncipherment
.
The KeyUsage field must not include nonRepudiation
.
The Extended Key Usage field may contain ClientAuthentication
or ServerAuthentication
.
The KeyUsage field must include nonRepudiation
.
The CA issuing must ensure that Qualified eSeal certificates are issued only if private key is stored on a Qualified Signature Creation Device.
The CA must ensure that Advanced eSeal certificates are issued only if private key is handle securely by certificate owner.
When a Qualified Signature Creation Device is used, the Device must support PKCS#11 protocol for connectivity.
The CA issuing certificates must provide a certificate validation service that is compliant with the RFC6960 or RFC2560 specification.
The certificate validation service must use at least 2048-bit length RSA signature function and SHA-256
(or stronger) hash function for response signing.
The content by label feature automatically displays related articles based on labels you choose. To edit options for this feature, select the placeholder and tap the pencil icon.