| Document register | Politsei- ja Piirivalveamet (Police and Border Guard Board) |
| Reference | 15.1-1/79-1 |
| Registered | 15.10.2025 |
| Synchronised | 21.10.2025 |
| Type | Outgoing letter |
| Function | 15.1 Development of identity documents |
| Series | 15.1-1 Materials on matters concerning the development of identity documents (AV) |
| File | 15.1-1/2025 |
| Access restriction | Public |
| Responsible person | Annemari Paas (development department, identity and status bureau) |
Police and Border Guard Board - Certificate Policy for identity card, digital identity card, residence permit card and diplomatic identity card
Version 4.0
OID: 1.3.6.1.4.1.51361.1 (PBGB) and 1.3.6.1.4.1.51455.1 (MFA).
Effective since 15.11.2025
Please note that this CP is partly invalid to the extent of practices related to the Certificates and
initial PIN and PUK codes that are no longer issued to the new Cards from 15.11.2025. Current
CP is relevant for the handover (until 15.07.2026) and Certificate lifecycle management of the
Cards. Please see CP history section below for detailed information.
Version History
Date Version Changes/Updates/Amendments
01.10.2025 4.0
• Please note that this CP is partly invalid to the extent of practices related to the Certificates and initial PIN and PUK codes that are no longer issued to the new Cards from 15.11.2025. Clause 1.1 updated.
• RA role clarified in clause 1.3.2.
• Contact person information updated in clause 1.5.2.
• Processes in relation to Certificate suspension and termination of suspension updated in clauses 4.9.13, 4.9.14, 4.9.17, 4.9.18, 4.9.19.
21.04.2025 3.0
• No new applications for the digital identity card for residents will be accepted starting from the 1st of May, 2025: 1.1., 1.2., 4.1.2.
• There are no more technical environments for personalization in the RA offices: 1.3.5., 3.2.1., 4.1.2., 4.7.2., 6.1.1.
• Updated references: 1.6.2., 4.9.3., 9.15, 10.
22.03.2024 2.1
• Updates (primarily for clarity and/or to use same terminology throughout): 1.1., 1.2., 1.6.1., 2.2.2., 3.2.1., 4.1.2., 4.7.2., 4.9.1., 4.9.2.
• Linguistic corrections: 1.6.2., 4.7.
• Updated contact e-mail: 1.5.2.
• Updated website links: 10.
24.05.2023 2.0
• Updates (primarily for clarifying RA roles): 1.3.2, 1.3.3, 1.3.5, 1.5.1, 1.5.4, 2.2.2, 3.2.3, 6.1.2, 6.4.1, 9.6.2, 10.
• Linguistic corrections and/or format updates: 1.6.1, 3.2.5.
• Reference numbers were updated throughout the document to reflect the changes done to 10.
• Words such as “shall”, “shall not”, “may”, and “must” were updated throughout the document from uppercase letters to lowercase letters.
17.03.2022 1.3
• Updates: 1.5.2., 1.5.4., 2.2.1.;
• Linguistic corrections, amendments and/or added explanations: 1.1., 1.3.2., 1.3.3., 1.3.5., 1.4.1., 1.4.2., 1.6.1., 2.2.2., 3.1.5., 3.2.3., 4.1.1., 4.1.2., 4.2.1., 4.3.1., 4.7.1., 4.7.2., 4.9.2., 9.15.;
• Updated references: 1.1, 1.3.2., 1.3.3., 1.6.1., 1.6.2., 3.1.4., 3.2.3., 3.2.5., 4.1.1., 4.1.2., 4.2.1., 4.9.1., 4.9.2., 4.9.3., 4.9.13., 4.9.14., 4.9.17., 4.9.18., 4.9.19., 9.15., 10.;
• Improved formatting: entire document (consistent title and Table of Contents formatting and similar).
05.03.2021 1.2
1.1. amendments;
1.2., 1.3.2. linguistic corrections;
1.5.3., 1.6.1. amendments;
3.1.4. linguistic corrections;
4.1.2., 4.2.1. amendments;
4.2.2., 4.3.2., 4.7. linguistic corrections;
4.7.1., 4.7.2. amendments;
4.7.3., 4.7.5. linguistic corrections;
4.9.1. amendments;
4.9.2., 4.9.3., 4.9.13., 4.9.14., 4.9.17. - 4.9.19. linguistic corrections;
6.1.2., 9.6.3. amendments.
18.03.2019 1.1
1.6.1 update;
3.2.1 clarification;
3.3.1 update;
4.7 linguistic corrections;
4.7.1-3 update;
4.9.7-8 update;
7.2 update;
26.09.2018 1.0
Table of Contents
1. Introduction
1.1. Overview
1.2. Document Name and Identification
1.3. PKI Participants
1.3.1. Certification Authorities
1.3.2. Registration Authorities
1.3.3. Subscribers
1.3.4. Relying Parties
1.3.5. Other Participants
1.4. Certificate Usage
1.4.1. Appropriate Certificate Uses
1.4.2. Prohibited Certificate Uses
1.5. Policy Administration
1.5.1. Organisation Administering the Document
1.5.3. Person Determining CPS Suitability for the Policy
1.5.4. CP Approval Procedures
1.6. Definitions and Acronyms
1.6.1. Terminology
1.6.2. Acronyms
2. Publication and Repository Responsibilities
2.1. Repositories
2.2. Publication of Certification Information
2.2.1. Publication and Notification Policies
2.2.2. Items not Published in the Certification Practice Statement
2.3. Time or Frequency of Publication
2.4. Access Controls on Repositories
3. Identification and Authentication
3.1. Naming
3.1.1. Types of Names
3.1.2. Need for Names to be Meaningful
3.1.3. Anonymity or Pseudonymity of Subscribers
3.1.4. Rules for Interpreting Various Name Forms
3.1.5. Uniqueness of Names
3.1.6. Recognition, Authentication, and Role of Trademarks
3.2. Initial Identity Validation
3.2.1. Method to Prove Possession of Private Key
3.2.2. Authentication of Organisation Identity
3.2.3. Authentication of Individual Identity
3.2.4. Non-Verified Subscriber Information
3.2.5. Validation of Authority
3.2.6. Criteria for Interoperation
3.3. Identification and Authentication for Re-Key Requests
3.3.1. Identification and Authentication for Routine Re-Key
3.3.2. Identification and Authentication for Re-Key After Revocation
3.4. Identification and Authentication for Revocation Request
4. Certificate Life-Cycle Operational Requirements
4.1. Certificate Application
4.1.1. Who Can Submit a Certificate Application
4.1.2. Enrolment Process and Responsibilities
4.2. Certificate Application Processing
4.2.1. Performing Identification and Authentication Functions
4.2.2. Approval or Rejection of Certificate Applications
4.2.3. Time to Process Certificate Applications
4.3. Certificate Issuance
4.3.1. CA Actions During Certificate Issuance
4.3.2. Notifications to Subscriber by the CA of Issuance of Certificate
4.4. Certificate Acceptance
4.4.1. Conduct Constituting Certificate Acceptance
4.4.2. Publication of the Certificate by the CA
4.4.3. Notification of Certificate Issuance by the CA to Other Entities
4.5. Key Pair and Certificate Usage
4.5.1. Subscriber Private Key and Certificate Usage
4.5.2. Relying Party Public Key and Certificate Usage
4.6. Certificate Renewal
4.7. Certificate Re-Key
4.7.1. Circumstances for Certificate Re-Key
4.7.2. Who May Request Certification of a New Public Key
4.7.3. Processing Certificate Re-Key Requests
4.7.4. Notification of New Certificate Issuance to Subscriber
4.7.5. Conduct Constituting Acceptance of a Re-Keyed Certificate
4.7.6. Publication of the Re-Keyed Certificate by the CA
4.7.7. Notification of Certificate Issuance by the CA to Other Entities
4.8. Certificate Modification
4.8.1. Circumstances for Certificate Modification
4.8.2. Who May Request Certificate Modification
4.8.3. Processing Certificate Modification Requests
4.8.4. Notification of New Certificate Issuance to Subscriber
4.8.5. Conduct Constituting Acceptance of Modified Certificate
4.8.6. Publication of the Modified Certificate by the CA
4.8.7. Notification of Certificate Issuance by the CA to Other Entities
4.9. Certificate Revocation and Suspension
4.9.1. Circumstances for Revocation
4.9.2. Who Can Request Revocation
4.9.3. Procedure for Revocation Request
4.9.4. Revocation Request Grace Period
4.9.5. Time within Which CA Must Process the Revocation Request
4.9.6. Revocation Checking Requirements for Relying Parties
4.9.7. CRL Issuance Frequency
4.9.8. Maximum Latency for CRLs
4.9.9. On-Line Revocation/Status Checking Availability
4.9.10. On-Line Revocation Checking Requirements
4.9.11. Other Forms of Revocation Advertisements Available
4.9.12. Special Requirements Related to Key Compromise
4.9.13. Circumstances for Suspension
4.9.14. Who Can Request Suspension
4.9.15. Procedure for Suspension Request
4.9.16. Limits on Suspension Period
4.9.17. Circumstances for Termination of Suspension
4.9.18. Who can request Termination of Suspension
4.9.19. Procedure for Termination of Suspension
4.10. Certificate Status Services
4.10.1. Operational Characteristics
4.10.2. Service Availability
4.10.3. Operational Features
4.11. End of Subscription
4.12. Key Escrow and Recovery
4.12.1. Key Escrow and Recovery Policy and Practices
4.12.2. Session Key Encapsulation and Recovery Policy and Practices
5. Facility, Management, and Operational Controls
6. Technical Security Controls
6.1. Key Pair Generation and Installation
6.1.1. Key Pair Generation
6.1.2. Private Key Delivery to Subscriber
6.1.3. Public Key Delivery to Certificate Issuer
6.1.4. CA Public Key Delivery to Relying Parties
6.1.5. Key Sizes
6.1.6. Public Key Parameters Generation and Quality Checking
6.1.7. Key Usage Purposes (as per X.509 v3 Key Usage Field)
6.2. Private Key Protection and Cryptographic Module Engineering Controls
6.2.1. Cryptographic Module Standards and Controls
6.2.2. Private Key (n out of m) Multi-Person Control
6.2.3. Private Key Escrow
6.2.4. Private Key Backup
6.2.5. Private Key Archival
6.2.6. Private Key Transfer Into or From a Cryptographic Module
6.2.7. Private Key Storage on Cryptographic Module
6.2.8. Method of Activating Private Key
6.2.9. Method of Deactivating Private Key
6.2.10. Method of Destroying Private Key
6.2.11. Cryptographic Module Rating
6.3. Other Aspects of Key Pair Management
6.3.1. Public Key Archival
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
6.4. Activation Data
6.4.1. Activation Data Generation and Installation
6.4.2. Activation Data Protection
6.4.3. Other Aspects of Activation Data
6.5. Computer Security Controls
6.5.1. Specific Computer Security Technical Requirements
6.5.2. Computer Security Rating
6.6. Life Cycle Technical Controls
6.6.1. System Development Controls
6.6.2. Security Management Controls
6.6.3. Life Cycle Security Controls
6.7. Network Security Controls
6.8. Time-Stamping
7. Certificate, CRL, and OCSP Profiles
7.1. Certificate Profile
7.2. CRL Profile
7.3. OCSP Profile
8. Compliance Audit and Other Assessments
9. Other Business and Legal Matters
9.1. Fees
9.1.1. Certificate Issuance or Renewal Fees
9.1.2. Certificate Access Fees
9.1.3. Revocation or Status Information Access Fees
9.1.4. Fees for Other Services
9.1.5. Refund Policy
9.2. Financial Responsibility
9.2.1. Insurance Coverage
9.2.2. Other Assets
9.2.3. Insurance or Warranty Coverage for End-Entities
9.3. Confidentiality of Business Information
9.4. Privacy of Personal Information
9.4.1. Privacy Plan
9.4.2. Information Treated as Private
9.4.3. Information Not Deemed Private
9.4.4. Responsibility to Protect Private Information
9.4.5. Notice and Consent to Use Private Information
9.4.6. Disclosure Pursuant to Judicial or Administrative Process
9.4.7. Other Information Disclosure Circumstances
9.5. Intellectual Property rights
9.6. Representations and Warranties
9.6.1. CA Representations and Warranties
9.6.2. RA Representations and Warranties
9.6.3. Subscriber Representations and Warranties
9.6.4. Relying Party Representations and Warranties
9.6.5. Representations and Warranties of Other Participants
9.7. Disclaimers of Warranties
9.8. Limitations of Liability
9.9. Indemnities
9.10. Term and Termination
9.10.1. Term
9.10.2. Termination
9.10.3. Effect of Termination and Survival
9.11. Individual Notices and Communications with Participants
9.12. Amendments
9.12.1. Procedure for Amendment
9.12.2. Notification Mechanism and Period
9.13. Dispute Resolution Provisions
9.14. Governing Law
9.15. Compliance with Applicable Law
9.16. Miscellaneous Provisions
9.16.1. Entire Agreement
9.16.2. Assignment
9.16.3. Severability
9.16.4. Enforcement (Attorney's Fees and Waiver of Rights)
9.16.5. Force Majeure
9.17. Other Provisions
10. References
1. Introduction
1.1. Overview
The Republic of Estonia is the issuer of identity documents (pursuant to sections 94 (1) and 15
(4) of the Identity Documents Act, hereinafter as IDA) [1] that include a certificate that enables
digital authentication and a certificate that enables digital signing, both of which are issued
by/from the EE-GovCA2018 root certificate and the intermediate certificate. The Republic of
Estonia adheres to the following official certificate hierarchy (see Figure 1):
a. The root certificate of the Republic of Estonia is the EE-GovCA2018, which issues the
ESTEID2018 intermediate certificate.
b. The ESTEID2018 intermediate certificate issues a certificate that enables digital
authentication and a certificate that enables digital signing (end-user certificates)
entered in ID-1 format identity documents of the Republic of Estonia.
c. The ESTEID2018 intermediate certificate issues the OCSP Responder certificate,
which issues information on the validity of end-user certificates.
Figure 1. The official certificate hierarchy of the Republic of Estonia
This document, named "Police and Border Guard Board – Certificate Policy for identity card,
digital identity card, residence permit card and diplomatic identity card" (hereinafter referred to
as CP) defines procedural and operational requirements that the Certification Authority adheres
to and requires other entities to adhere to when issuing and managing Certificates for the
following identity documents issued by the Republic of Estonia (hereinafter referred to together
as “Card”):
- identity card for Estonian citizens;
- identity card for European Union citizens;
- digital identity card for Estonian residents;
- digital identity card for e-residents;
- residence permit card for long-term residents;
- residence permit card for temporary residents and NATO SOFA;
- residence permit card for family members of European Union citizens;
- diplomatic identity card.
The general term “Card” shall be used when all of the abovementioned identity documents are
concerned. Any specific exceptions shall be described under each section separately according
to the particular identity document type.
Certificates and initial PIN and PUK codes for the new Cards shall be issued until
14.11.2025. Certificates of all valid Cards will continue to be serviced until their expiration
or revocation.
These Certificates facilitate electronic signatures and electronic identification of natural
persons. The Certificates always come in pairs: each Card contains one Authentication
Certificate and one Qualified Electronic Signature Certificate and their corresponding Private
Keys. Each Private Key is protected by separate Activation Data (PIN code) and each Card has
a single Unlock (PUK code). A single person can have only one valid Card per each Card type
at any point in time. The Cards are physically shaped in ID-1 format and comply with the
ISO/IEC 7816 [2] and Card Documentation [3].
According to IDA [1], the Police and Border Guard Board (hereinafter PBGB) is the issuing
authority of the identity documents (except for the diplomatic identity card), and hence is the
owner of this CP. Issuing and managing Certificates for the Card are based on IDA [1] and
Regulation (EU) N° 910/2014 [4], which establish a legal framework for electronic signatures.
Certification Authority (hereinafter CA) is the Subcontractor of the Card Manufacturer.
Issuing and managing Qualified Electronic Signature Certificates for the Card is based on the
requirements of the Policy QCP-n-qscd: Certificate Policy for EU qualified Certificates issued
to natural persons with Private Key related to the certified Public Key in a QSCD.
Issuing and managing Authentication Certificates for the Card is based on the requirements of
the Policy NCP+: Normalised Certificate Policy requiring a Secure Cryptographic Device.
The Certification Service for Qualified Electronic Signature Certificates for the Card described
in this CP shall be a qualified trust service according to the Trusted List of Estonia.
Data structures and communication protocols in use shall be as described in the Card
Documentation [3] where applicable.
In case of conflicts, the following documents shall be considered in the following order
(prevailing ones first):
• ETSI EN 319 411-2 [5],
• ETSI EN 319 411-1 [6],
• this CP,
• SK ID Solutions AS - ESTEID2018 Certification Practice Statement.
This document describes only restrictions to the Policy for EU qualified Certificates issued to natural persons where the Private Key and the related Certificate reside on a QSCD (QCP-n-qscd) from ETSI EN 319 411-2 [5] and Normalised Certificate Policy requiring a Secure Cryptographic Device (NCP+) from ETSI EN 319 411-1 [6].
The semantics of “no stipulation” in this document are that no additional restrictions
are set and relevant provisions from QCP-n-qscd and NCP+ are applied directly.
To preserve the IETF RFC 3647 [7] outline, this CP is divided into nine parts; section headings
that do not apply are designated as "Not applicable". Each top-level chapter includes references
to the relevant sections in ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
Terms and acronyms listed in Clause 1.6 of this CP are written starting with a capital letter in
this CP.
1.2. Document Name and Identification
Refer to Clause 5.3 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
This document is named “Police and Border Guard Board – Certificate Policy for the identity
card, digital identity card, residence permit card and diplomatic identity card". This CP is
identified by two OIDs: 1.3.6.1.4.1.51361.1 and 1.3.6.1.4.1.51455.1.
OID is composed according to the contents of the following table:
| Parameter | OID reference |
|---|---|
| Internet attribute | 1.3.6.1 |
| Private entity attribute | 4 |
| Registered business attribute given by private business manager IANA | 1 |
| PBGB attribute in IANA register | 51361 |
| MFA attribute in IANA register | 51455 |
| Certification Service attribute | 1.1 |
The division of sub-OIDs according to the card type issued is composed according to the
contents of the following table:
| Card Type | General PBGB OID | Sub-OID: Type (identity document = 1) | Sub-OID: document type |
|---|---|---|---|
| identity card for Estonian citizens | 51361 | 1 | 1 |
| identity card for European Union citizens | 51361 | 1 | 2 |
| digital identity card for Estonian residents | 51361 | 1 | 3 |
| digital identity card for e-residents | 51361 | 1 | 4 |
| residence permit card for long-term residents | 51361 | 1 | 5 |
| residence permit card for temporary residents and NATO SOFA | 51361 | 1 | 6 |
| residence permit card for family members of European Union citizens | 51361 | 1 | 7 |
| diplomatic identity card | 51455 | 1 | 1 |
Example of sub-OIDs according to the card type issued under this CP:
• Digital identity card for e-residents: 1.3.6.1.4.1.51361.1.1.4
• Diplomatic identity card: 1.3.6.1.4.1.51455.1.1.1
Qualified Electronic Signature Certificate for the Card issued to Subscribers shall include the OIDs
of the following policies:
• ETSI EN 319 411-2 [5] clause 5.3 c) for QCP-n-qscd: 0.4.0.194112.1.2
  itu-t(0)
  identified-organization(4)
  etsi(0)
  qualified-certificate-policies(194112)
  policy-identifiers(1)
  qcp-natural-qscd(2)
• OID of the certificate issuer.
Authentication Certificates for the Card issued to Subscribers shall include the OIDs of the
following policies:
• ETSI EN 319 411-1 [6] clause 5.3 b) for NCP+: 0.4.0.2042.1.2
  itu-t(0)
  identified-organization(4)
  etsi(0)
  other-certificate-policies(2042)
  policy-identifiers(1)
  ncpplus(2)
• OID of the certificate issuer.
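A relying-party check built from the OIDs in this clause, as an added example that is not part of this CP or of the CA's software: it tells a Qualified Electronic Signature Certificate from an Authentication Certificate and names the card type, so that an Authentication Certificate is never accepted for signature verification (clause 1.4.2). It assumes the policy OIDs were already read from the certificate's certificatePolicies extension as dotted strings, that the card-type sub-OID is among them, and that a certificate carries exactly one of QCP-n-qscd or NCP+; all function names and sample inputs are constructed.

```python
# Added example: classify a Card certificate by its policy OIDs.
# OID values come from clause 1.2 of this CP; names below are hypothetical.

QCP_N_QSCD = "0.4.0.194112.1.2"  # ETSI EN 319 411-2: qualified signature on a QSCD
NCP_PLUS = "0.4.0.2042.1.2"      # ETSI EN 319 411-1: NCP+ (authentication)
PBGB_CP = "1.3.6.1.4.1.51361.1"  # this CP under the PBGB arc
MFA_CP = "1.3.6.1.4.1.51455.1"   # this CP under the MFA arc

# Full sub-OID -> card type: <CP OID>.<type = 1>.<document type>, per the table.
CARD_TYPES = {
    f"{PBGB_CP}.1.{n}": name
    for n, name in enumerate(
        [
            "identity card for Estonian citizens",
            "identity card for European Union citizens",
            "digital identity card for Estonian residents",
            "digital identity card for e-residents",
            "residence permit card for long-term residents",
            "residence permit card for temporary residents and NATO SOFA",
            "residence permit card for family members of European Union citizens",
        ],
        start=1,
    )
}
CARD_TYPES[f"{MFA_CP}.1.1"] = "diplomatic identity card"


class PolicyError(ValueError):
    """The policy OIDs do not describe a certificate issued under this CP."""


def under_cp(oid):
    """True if oid sits below one of the two CP OIDs.

    Arcs are compared component by component, so a look-alike such as
    1.3.6.1.4.1.513610.1.1.4 is not mistaken for the PBGB arc.
    """
    parts = oid.split(".")
    for cp in (PBGB_CP, MFA_CP):
        prefix = cp.split(".")
        if len(parts) > len(prefix) and parts[: len(prefix)] == prefix:
            return True
    return False


def classify(policy_oids):
    """Return (certificate kind, card type) or raise PolicyError (fail closed)."""
    oids = set(policy_oids)
    kinds = [
        kind
        for oid, kind in (
            (QCP_N_QSCD, "qualified-signature"),
            (NCP_PLUS, "authentication"),
        )
        if oid in oids
    ]
    if len(kinds) != 1:
        # Assumption of this example: both or neither is treated as an error.
        raise PolicyError("expected exactly one of QCP-n-qscd or NCP+")
    cp_oids = sorted(o for o in oids if under_cp(o))
    if len(cp_oids) != 1:
        raise PolicyError(f"expected one card-type sub-OID, found {cp_oids}")
    card = CARD_TYPES.get(cp_oids[0])
    if card is None:
        raise PolicyError(f"unknown card-type sub-OID {cp_oids[0]}")
    return kinds[0], card


def usable_for_signature(policy_oids):
    """Clause 1.4.2: only the Qualified Electronic Signature Certificate may sign."""
    try:
        kind, _card = classify(policy_oids)
    except PolicyError:
        return False
    return kind == "qualified-signature"


# Constructed policy OID sets, not taken from real certificates.
SAMPLES = {
    "e-resident signing": [QCP_N_QSCD, "1.3.6.1.4.1.51361.1.1.4"],
    "diplomat authentication": [NCP_PLUS, "1.3.6.1.4.1.51455.1.1.1"],
    "look-alike arc": [QCP_N_QSCD, "1.3.6.1.4.1.513610.1.1.4"],
    "unknown document type": [NCP_PLUS, "1.3.6.1.4.1.51361.1.1.9"],
}

if __name__ == "__main__":
    for label, oids in SAMPLES.items():
        try:
            print(label, "->", classify(oids), usable_for_signature(oids))
        except PolicyError as exc:
            print(label, "-> rejected:", exc)
```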
1.3. PKI Participants
Refer to Clause 5.4 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
1.3.1. Certification Authorities
SK ID Solutions AS issues Certificates under this CP.
1.3.2. Registration Authorities
The PBGB shall fulfil the role of RA (except for the diplomatic identity card) when:
- identifying the Subscribers,
- processing the Subscriber applications,
- issuing Cards with Subscriber Certificates,
- issuing initial PIN and PUK codes,
- requesting the termination of suspension of Subscriber Certificates,
- requesting the revocation of Subscriber Certificates, and
- issuing replacement PIN and PUK codes.
In case of the diplomatic identity cards, the Ministry of Foreign Affairs (hereinafter MFA) shall fulfil the role of RA when:
- identifying the Subscribers,
- processing the Subscriber applications,
- issuing Cards with Subscriber Certificates,
- issuing initial PIN and PUK codes,
- requesting the termination of suspension of Subscriber Certificates,
- requesting the revocation of Subscriber Certificates, and
- issuing replacement PIN and PUK codes.
The MFA shall also identify the Subscribers, issue the Cards with Subscriber Certificates, issue the initial PIN and PUK codes, request the termination of suspension of Subscriber Certificates, and issue replacement PIN and PUK codes (except for diplomatic identity cards) on behalf of the PBGB.
External service providers, who are contractors of the PBGB, shall fulfil the role of RA when identifying the Subscribers, when issuing Cards (except diplomatic identity cards) with the Subscriber Certificates and when issuing the initial PIN and PUK codes on behalf of the PBGB.
The responsibilities of the RAs are laid down in IDA [1] and Electronic Identification and Trust Services for Electronic Transactions Act [12]. Transfer of functions listed under IDA section 3¹ may be applied.
Hereinafter the RA will refer to the roles of the PBGB and the MFA only. In case the RA is a contractor of the PBGB, the requirement will be pointed out separately.
1.3.3. Subscribers
Subscriber is the Subject of the Certificate issued under this CP.
Subscriber can only be a natural person entitled by IDA [1]. IDA [1] refers to the Subscriber as
“the holder of the Document.” The Subscriber can have only one document with Subscriber
Certificates of the same document type valid at any point in time.
1.3.4. Relying Parties
Relying Parties are legal or natural persons who are making decisions based on the Certificate.
1.3.5. Other Participants
The Card Manufacturer is a Contractor of the PBGB. The Card Manufacturer manufactures and
personalises the Cards only when ordered by the PBGB or the MFA.
IT and development centre of the Ministry of the Interior (hereinafter SMIT) is responsible for
allocating a correct and unique e-mail address in the eesti.ee domain for the Subscriber (except
for the holder of diplomatic identity card).
1.4. Certificate Usage
Refer to Clause 5.5 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
1.4.1. Appropriate Certificate Uses
Subscriber Certificates are intended for the following purposes:
Qualified Electronic Signature Certificate is intended for:
- creating Qualified Electronic Signatures compliant with eIDAS [4].
Authentication Certificate is intended for:
- Authentication,
- Encryption,
- secure e-mail.
CA Private Keys shall not be used to sign other types of Certificates except for the following:
- Subscriber Certificates compliant with QCP-n-qscd or NCP+,
- OCSP response verification Certificates,
- Internal Certificates for technical needs.
1.4.2. Prohibited Certificate Uses
Subscriber Certificates issued under this CP shall not be used for any of the following purposes:
- unlawful activity (including cyber-attacks and attempt to infringe the Certificate or the
Card),
- issuance of new Certificates and information regarding Certificate validity,
- enabling other parties to use the Subscriber’s Private Key,
- enabling the Certificate issued for electronic signing to be used in an automated way,
- using the Certificate issued for electronic signing for any other purpose than creating
a Qualified Electronic Signature, including for signing documents which can bring
about unwanted consequences or signing such documents for testing purposes.
The Subscriber Authentication Certificate shall not be used to create Electronic Signatures.
1.5. Policy Administration
1.5.1. Organisation Administering the Document
This CP is administered by the PBGB.
Registry code 70008747
Pärnu mnt 139, 15060 Tallinn
Email: [email protected]
https://www.politsei.ee/en/
1.5.2. Contact Person
Any questions and change proposals regarding this CP shall be sent to the Policy Administrator’s
email [email protected].
1.5.3. Person Determining CPS Suitability for the Policy
Policy Administrator validates and determines CPS conformity to this CP.
1.5.4. CP Approval Procedures
The Policy Administrator (PBGB) shall review this CP annually, or if significant changes occur,
to ensure the continuing suitability, adequacy and effectiveness of applicable standards to the
current policy. Change proposals to this CP may be sent at any time to the CP contact person. If
applicable, the Policy Administrator may coordinate changes to this CP with the Information
System Authority (RIA), CA, MFA and the Card Manufacturer.
Amendments which do not change the meaning of this CP, such as annual reviews with no
amendments, spelling corrections and/or contact detail updates, shall be documented in the
version history section of this CP. In this case, the fractional part of the version number shall be
incremented. In the case of substantial changes, the new CP version shall be clearly
distinguishable from the previous ones, and the serial number shall be incremented by one.
The amended CP, along with the enforcement date, which cannot be earlier than 30 days after
publication, shall be published electronically on the www.id.ee website.
All amendments shall be approved by the Identity and Status Bureau of the PBGB and the eID
Department of RIA. The amended CP shall be enforced by the Deputy Director of the PBGB.
The Policy Administrator shall notify RIA, CA, MFA and the Card Manufacturer when a new
version of this CP is uploaded on the www.id.ee website.
1.6. Definitions and Acronyms
1.6.1. Terminology
In this CP the following terms have the following meaning:
| Term | Definition |
|---|---|
| Authentication | Unique identification of a person by checking his/her alleged identity. |
| Card | Personal identity document in ID-1 format and issued on the basis of IDA [1]. Cards include identity card for Estonian citizens, identity card for European Union citizens, digital identity card for Estonian residents, digital identity card for e-residents, residence permit card for long-term residents and NATO SOFA, residence permit card for family members of European Union citizens and diplomatic identity card. |
| Card Manufacturer | Contractor of the PBGB who manufactures and personalises identity cards, resident permit cards, digital identity cards for residents and e-residents as ordered by the PBGB, diplomatic identity cards as ordered by the MFA, and manufactures blank digital identity cards and provides the technical environment for the personalisation of digital identity cards in the RA offices. |
| Certificate | Public Key, together with additional information, laid down in the Certificate Profile [9], rendered unforgeable via encipherment using the Private Key of the Certificate Authority which issued it. |
| Certificate Authority | A part of the trust service provider’s structure responsible for issuing and verifying electronic Certificates. SK ID Solutions AS issues Certificates under this CP. |
| Certificate Pair | A pair of Certificates consisting of one Authentication Certificate and one Qualified Electronic Signature Certificate. |
| Certificate Policy | A set of rules that indicates applicability of a specific Certificate to a particular community and/or PKI implementation with common security requirements. |
| Certification Practice Statement | One of the several documents that all together form the governance framework in which Certificates are created, issued, managed, and used. |
| Certificate Profile | Document that determines the information contained within a Certificate as well as the minimal requirements towards the Certificate. |
| Certificate Revocation List | A list of invalid (revoked, suspended) Certificates. CRL contains suspended and revoked Certificates during their validity period, i.e. until they expire. |
| Certification Service | Trust service related to issuing Certificates, managing suspension, termination of suspension, revocation, modification and re-key of the Certificates. |
| Directory Service | Trust service related to publication of Certificate validity information. |
| Distinguished name | Unique Subject name in the infrastructure of Certificates. |
| Encrypting | Information treatment method changing the information unreadable for those who do not have necessary rights. |
| ID-1 | Format which defines physical characteristics of identification cards according to the standard ISO/IEC 7816 [2]. |
| Integrity | A characteristic of an array: information has not been changed after the array was created. |
| Object Identifier | An identifier used to uniquely name an object (OID). |
| Personal Data File | File on Card that includes the Subscriber's personal data. |
| PIN code | Activation code for the Authentication Certificate and for the Qualified Electronic Signature Certificate. |
| Private Key | The key of a key pair that is assumed to be kept in secret by the holder of the key pair, and that is used to create electronic signatures and/or to decrypt electronic records or files that were encrypted with the corresponding Public Key. |
| Public Key | The key of a key pair that may be publicly disclosed by the holder of the corresponding Private Key and that is used by Relying Parties to verify electronic signatures created with the holder’s corresponding Private Key and/or to encrypt messages so that they can be decrypted only with the holder’s corresponding Private Key. |
| PUK code | The code for unblocking the PIN codes when they have been blocked after number of allowed consecutive incorrect entries. |
| Qualified Certificate | A certificate for electronic signatures, that is issued by the qualified trust service provider and meets the requirements laid down in Annex I of the eIDAS [4] Regulation. |
| Qualified Electronic Signature | Advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a Qualified Certificate for electronic signatures. |
| Qualified Electronic Signature Creation Device | A Secure Signature Creation Device that meets the requirements laid down in the eIDAS [4] Regulation. |
| Relying Party | Entity that relies on the information contained within a Certificate. |
| Registration Authority | Entity that is responsible for the identification and Authentication of Subjects of Certificates. Additionally, the Registration Authority may accept Certificate applications, check the applications and/or forward the applications to the Certificate Authority. |
| Secure Cryptographic Device | Device, which holds the Private Key of the user, protects this key against compromise and performs signing or decryption functions on behalf of the user. |
| Subscriber | A natural person to whom the Certificates of the Card are issued as a public service, provided that the person has a statutory right to it and has requested it. |
| Subject | In this document, the Subject is the same as the Subscriber. |
| Terms and Conditions | Document that describes obligations and responsibilities of the Subscriber with respect to using Certificates. The Subscriber has to be familiar with the document and accept the Terms and Conditions [10] upon submitting an application for a Card. |
1.6.2. Acronyms
| Acronym | Definition |
|---|---|
| CA | Certificate Authority |
| CP | Certificate Policy |
| CPS | Certification Practice Statement |
| CRL | Certificate Revocation List |
| eIDAS | Regulation (EU) No 910/2014 [4] of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework. |
| IDA | Identity Documents Act [1] |
| MFA | Ministry of Foreign Affairs |
| NCP+ | Normalised Certificate Policy requiring a Secure Cryptographic Device from ETSI EN 319 411-1 [6] |
| OCSP | Online Certificate Status Protocol |
| OID | Object Identifier, a unique object identification code |
| PBGB | Police and Border Guard Board |
| PKI | Public Key Infrastructure |
| QSCD | Qualified Electronic Signature Creation Device |
| QCP-n-qscd | Policy for EU qualified certificate issued to a natural person where the private key and the related certificate reside on a QSCD from ETSI EN 319 411-2 [5] |
| RA | Registration Authority |
| RIA | Information System Authority |
| SK | SK ID Solutions AS |
| SMIT | IT and development centre of the Ministry of the Interior |
2. Publication and Repository Responsibilities
Refer to Clause 6.1 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
2.1. Repositories
CA shall ensure that its repository is available 24 hours a day, 7 days a week with a minimum of
99% availability overall per year with a scheduled down‐time that does not exceed 0,5% annually.
2.2. Publication of Certification Information
2.2.1. Publication and Notification Policies
This CP shall be published on the www.id.ee website and the reference shall be added to the CA
website repository no less than 30 days prior to taking effect.
The Certification Practice Statement [11], the Certificate Profile [9], as well as the Terms and
Conditions [10] with the enforcement dates shall be published on the CA website repository no
less than 30 days prior to taking effect.
Any changes to the Certification Practice Statement [11], the Certificate Profile [9] and the Terms
and Conditions [10] shall be approved by the PBGB prior to publishing.
2.2.2. Items not Published in the Certification Practice Statement
Information about service levels, fees and technical details laid out in mutual agreements between
the CA, PBGB and Card Manufacturer may be left out of the CPS.
The CPS may not cover internal procedures of the PBGB, the MFA, the CA, RAs (including PBGB’s
external service providers), or the Card Manufacturer.
2.3. Time or Frequency of Publication
No stipulation.
2.4. Access Controls on Repositories
No stipulation.
3. Identification and Authentication
Refer to Clause 6.2 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
3.1. Naming
The Distinguished Name of the Subscriber shall comply with the conventions set in the
Certificate Profile [9].
3.1.1. Types of Names
No stipulation.
3.1.2. Need for Names to be Meaningful
All the values in the Subscriber information section of a Certificate shall be meaningful.
3.1.3. Anonymity or Pseudonymity of Subscribers
Not applicable.
3.1.4. Rules for Interpreting Various Name Forms
Pursuant to IDA [1], international letters shall be encoded according to ICAO transliteration rules
where necessary.
3.1.5. Uniqueness of Names
PBGB and MFA shall ensure that Certificates with a matching Common Name (CN),
SerialNumber and e-mail addresses in the Subject Alternative Name (SAN) fields are not issued to
different Subscribers.
3.1.6. Recognition, Authentication, and Role of Trademarks
Not applicable.
3.2. Initial Identity Validation
3.2.1. Method to Prove Possession of Private Key
Private Keys shall be generated on the QSCD during personalisation by the Card Manufacturer.
3.2.2. Authentication of Organisation Identity
Not applicable.
3.2.3. Authentication of Individual Identity
Identity proofing and verification of a natural person shall be done in accordance with IDA [1] and is based on Commission Implementing Regulation (EU) 2015/1502 [8], that sets out
minimum technical specifications and procedures for assurance levels for electronic identification means. Identity proofing and verification of natural persons is done according to
Level of Assurance high. The CA and the Card Manufacturer shall rely on the identification data provided by the RA. In this context, RA includes the PBGB, the MFA, as well as PBGB’s
external service providers when they identify a Subscriber and issue Cards with Subscriber
Certificates on behalf of the PBGB.
3.2.4. Non-Verified Subscriber Information
Non-verified Subscriber information shall not be allowed in a Certificate.
3.2.5. Validation of Authority
Validation shall be carried out by the RA in accordance with IDA [1].
3.2.6. Criteria for Interoperation
No stipulation.
3.3. Identification and Authentication for Re-Key Requests
3.3.1. Identification and Authentication for Routine Re-Key
Private Keys shall be generated and authentication shall be carried out according to 3.2.3.
3.3.2. Identification and Authentication for Re-Key After Revocation
No stipulation.
3.4. Identification and Authentication for Revocation Request
No stipulation.
4. Certificate Life-Cycle Operational Requirements
Refer to Clause 6.3 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
4.1. Certificate Application
4.1.1. Who Can Submit a Certificate Application
The eligibility for persons to request a Card is defined in IDA [1]. CA shall accept Certificate
requests only from the Card Manufacturer. The Certificate request from the Card Manufacturer
shall include a signed file as a confirmation that the request to personalise the Card is originated
by either PBGB or MFA.
4.1.2. Enrolment Process and Responsibilities
The responsibilities and process for making decisions about the eligibility to apply for a
Certificate are laid out in IDA [1].
Upon a positive decision, the PBGB or in case of the diplomatic identity card the MFA shall send
an order to the Card Manufacturer to produce a new Card.
It is the responsibility of the Card Manufacturer to manufacture the blank Card, imprint visual
elements to it, personalise the Card with the Subscriber’s personal data, create the Personal Data
File on the Card, generate the keypairs for Authentication and Qualified Electronic Signature on
the Card and submit a pair of Certificate requests to the CA.
In case of the digital identity card for an Estonian resident, no orders will be sent by the PBGB
to the Card Manufacturer from the 1st of May 2025.
PBGB and MFA will ensure that correct identification data (names, personal codes, dates,
photo, etc.) is submitted to the Card Manufacturer. The Card Manufacturer and the CA will rely
upon the values provided by the PBGB or MFA; no alteration of the data provided by PBGB or
MFA is allowed.
SMIT is responsible for assigning the correct e-mail address in the eesti.ee domain to the
Certificate for Authentication:
- re-use the previous one if the Subscriber already has an address assigned;
- generate a previously unused address according to data provided by RA.
SMIT is responsible for keeping track of e-mail address assignments.
For diplomatic identity cards, the MFA is responsible for assigning the correct e-mail address
in the eesti.ee domain and for keeping track of those e-mail address assignments.
4.2. Certificate Application Processing
4.2.1. Performing Identification and Authentication Functions
The Subscriber's identity shall be validated by the RA as described in Chapter 3 of IDA [1] and
in case of e-resident’s digital identity card as described in Chapter 5² of IDA [1].
PBGB or MFA shall send a Certificate application to the Card Manufacturer, who shall submit
an applicable Certificate request to the CA.
CA shall accept Certificate requests only from the Card Manufacturer. The Certificate request
submitted by the Card Manufacturer to the CA shall include a confirmation that the request to
personalise the Card is originated by either PBGB or MFA. CA and the Card Manufacturer shall
rely upon identification data provided by PBGB or MFA.
4.2.2. Approval or Rejection of Certificate Applications
CA shall refuse to issue a Certificate if the Certificate request does not comply with the
following technical requirements:
• Certificate application shall be signed by PBGB or in case of the diplomatic identity card by MFA.
• Certificate request shall be sent in an encrypted form.
• Certificate request data file and data in the signed application shall match exactly.
If the data contained in a Certificate application needs to be modified, the corresponding
amendment shall be coordinated with PBGB or in case of the diplomatic identity card with the
MFA.
4.2.3. Time to Process Certificate Applications
In accordance with the applicable laws and agreements.
4.3. Certificate Issuance
4.3.1. CA Actions During Certificate Issuance
SMIT shall allocate a correct and unique e-mail address in the eesti.ee domain to the Subscriber.
At this stage, OCSP service shall not return response "GOOD" and the Certificate shall not be
made available via the Directory Service.
4.3.2. Notifications to Subscriber by the CA of Issuance of Certificate
No stipulation.
4.4. Certificate Acceptance
4.4.1. Conduct Constituting Certificate Acceptance
No stipulation.
4.4.2. Publication of the Certificate by the CA
Certificate shall be published by the CA using the Directory Service immediately after the
Subscriber has accepted it, and OCSP shall start responding with "GOOD".
4.4.3. Notification of Certificate Issuance by the CA to Other Entities
No stipulation.
4.5. Key Pair and Certificate Usage
4.5.1. Subscriber Private Key and Certificate Usage
No stipulation.
4.5.2. Relying Party Public Key and Certificate Usage
No stipulation.
4.6. Certificate Renewal
Not allowed.
4.7. Certificate Re-Key
Certificate Re-Key shall be allowed only upon successful personal identification of the
Subscriber via physical identity checks or digital Authentication methods.
During Certificate Re-Key the Certificates to be replaced shall be revoked.
Certificate Re-Key may be done upon initial application in the case of the Card manufacturing
errors before acceptance of the Certificates or to replace a defective Card. In either case only the
last Certificates shall be written to the Card and remain valid. All the erroneous or unusable
Certificates shall be revoked immediately.
4.7.1. Circumstances for Certificate Re-Key
This CP treats a recurring Certificate application the same way as an initial Card application. The
Subscriber’s application for a recurring Certificate shall be processed as an application for a new
Card and either physical or digital Authentication shall be conducted.
Certificate Re-Key is allowed:
• to replace an expired or defective Card;
• to fix production errors that are discovered during quality checks;
• when applying for a recurring Card.
If the Subscriber claims that the card is defective, the Subscriber is requested to submit a warranty
claim and Certificate Re-Key is done upon initial Certificate application.
4.7.2. Who May Request Certification of a New Public Key
Re-Key may be requested by the Subscriber, PBGB, MFA (in case of diplomatic identity card) or
the Card Manufacturer.
Subscriber may request Re-Key in case of initial Certificate application or to replace a defective
Card.
PBGB may request Re-Key of all the Cards (except diplomatic identity card) to replace a
defective Card.
MFA may request Re-Key of diplomatic identity card to replace a defective card.
Card Manufacturer may request Re-Key of all the Cards, if the need to replace the Certificate is
discovered during quality checks before delivery of the Card to the PBGB or MFA.
CA shall not accept Re-Key requests from any other party than the Card Manufacturer following
a Certificate application signed by either PBGB or MFA.
4.7.3. Processing Certificate Re-Key Requests
If the Re-Key is to replace an expired or defective Card or to apply for a recurring Card, the
process is similar to initial issuance.
If the Card needs to be replaced because it is defective then the warranty claim is treated as the
Certificate application and Certificate Re-Key is done upon initial Certificate application. With
the warranty claim the person must agree to the Terms and Conditions [10] applicable at the
moment of the claim in a written format.
4.7.4. Notification of New Certificate Issuance to Subscriber
No stipulation.
4.7.5. Conduct Constituting Acceptance of a Re-Keyed Certificate
No stipulation.
4.7.6. Publication of the Re-Keyed Certificate by the CA
Refer to Clause 4.4.2 of this CP.
4.7.7. Notification of Certificate Issuance by the CA to Other Entities
No stipulation.
4.8. Certificate Modification
Not allowed.
4.8.1. Circumstances for Certificate Modification
Not allowed.
4.8.2. Who May Request Certificate Modification
Not allowed.
4.8.3. Processing Certificate Modification Requests
Not allowed.
4.8.4. Notification of New Certificate Issuance to Subscriber
Not allowed.
4.8.5. Conduct Constituting Acceptance of Modified Certificate
Not allowed.
4.8.6. Publication of the Modified Certificate by the CA
Not allowed.
4.8.7. Notification of Certificate Issuance by the CA to Other Entities
Not allowed.
4.9. Certificate Revocation and Suspension
4.9.1. Circumstances for Revocation
Circumstances for Certificate revocation shall be as laid down in IDA [1].
In case the Card does not pass the quality check and a new card is personalised to replace the
Card, the Manufacturer or PBGB shall be allowed to request the revocation of the Certificates of
the Card that has not passed the quality check.
4.9.2. Who Can Request Revocation
Entities eligible to request Certificate revocation shall be as laid down in IDA [1].
In case the Card does not pass the quality check, and a new card is manufactured to replace the
Card, the Manufacturer or PBGB shall be allowed to request the revocation of the Certificates of
the Card that has not passed the quality check.
4.9.3. Procedure for Revocation Request
The procedure for revocation request for issued Cards shall be in accordance with national
legislation and eIDAS [4].
If the new Certificate request is sent to CA and the Card has not been issued then CA shall revoke
the previously generated certificate.
4.9.4. Revocation Request Grace Period
No stipulation.
4.9.5. Time within Which CA Must Process the Revocation Request
No stipulation.
4.9.6. Revocation Checking Requirements for Relying Parties
No stipulation.
4.9.7. CRL Issuance Frequency
No stipulation.
4.9.8. Maximum Latency for CRLs
No stipulation.
4.9.9. On-Line Revocation/Status Checking Availability
No stipulation.
4.9.10. On-Line Revocation Checking Requirements
No stipulation.
4.9.11. Other Forms of Revocation Advertisements Available
No stipulation.
4.9.12. Special Requirements Related to Key Compromise
No stipulation.
4.9.13. Circumstances for Suspension
Circumstances for Certificate suspension shall be as laid down in section 17 of the Electronic
Identification and Trust Services for Electronic Transactions Act [12].
4.9.14. Who Can Request Suspension
Entities eligible to request Certificate suspension shall be as laid down in section 17 of the
Electronic Identification and Trust Services for Electronic Transactions Act [12].
4.9.15. Procedure for Suspension Request
It shall be possible to request Certificate suspension via phone 24 hours a day, 7 days a week.
Certificate suspension shall leave a uniquely identifiable trace.
4.9.16. Limits on Suspension Period
No limits.
4.9.17. Circumstances for Termination of Suspension
Termination of suspension is allowed during the Card issuance.
4.9.18. Who Can Request Termination of Suspension
Termination of suspension is allowed during the Card issuance by RAs, including external service
providers of the PBGB.
4.9.19. Procedure for Termination of Suspension
The RAs, including external service providers of the PBGB, shall be able to terminate the
suspension of the Certificates during the Card issuance. The termination of suspension shall be
processed immediately.
The procedure for termination of Certificate suspension shall be as laid down in section 18 of the
Electronic Identification and Trust Services for Electronic Transactions Act [12].
4.10. Certificate Status Services
4.10.1. Operational Characteristics
No stipulation.
4.10.2. Service Availability
CA shall ensure that the Certificate Status Services are available 24 hours a day, 7 days a week
with a minimum of 99% availability overall per year with a scheduled down‐time that does not
exceed 0,5% annually.
4.10.3. Operational Features
No stipulation.
4.11. End of Subscription
No stipulation.
4.12. Key Escrow and Recovery
4.12.1. Key Escrow and Recovery Policy and Practices
Not allowed.
4.12.2. Session Key Encapsulation and Recovery Policy and Practices
Not applicable.
5. Facility, Management, and Operational Controls
Refer to Clause 6.4 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
6. Technical Security Controls
Refer to Clause 6.5 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
6.1. Key Pair Generation and Installation
6.1.1. Key Pair Generation
The Subscriber Certificate keys shall be generated using the QSCD by the Card Manufacturer.
6.1.2. Private Key Delivery to Subscriber
Private keys shall be delivered on a QSCD inside a sealed envelope that shall be handed over to
the RA by the Card Manufacturer.
During issuance, the RA checks that the QSCD is functioning and delivers the unopened envelope
containing the PIN and PUK codes to the Subscriber. The Subscriber confirms receiving the Card
with Subscriber Certificates and that the PIN and PUK code envelope is in an intact form.
In this context, the RA includes the PBGB, the MFA, and PBGB’s external service providers who
identify Subscribers and issue Cards with Subscriber Certificates on behalf of the PBGB.
6.1.3. Public Key Delivery to Certificate Issuer
The Card Manufacturer shall deliver the Public Key to the CA using a secure communication channel.
6.1.4. CA Public Key Delivery to Relying Parties
No stipulation.
6.1.5. Key Sizes
Allowed key sizes shall be as described in the Certificate Profile [9].
6.1.6. Public Key Parameters Generation and Quality Checking
No stipulation.
6.1.7. Key Usage Purposes (as per X.509 v3 Key Usage Field)
Allowed key usage flags shall be set as described in the Certificate Profile [9].
6.2. Private Key Protection and Cryptographic Module Engineering Controls
6.2.1. Cryptographic Module Standards and Controls
Private Key shall be generated on a QSCD.
6.2.2. Private Key (n out of m) Multi-Person Control
No stipulation.
6.2.3. Private Key Escrow
No stipulation.
6.2.4. Private Key Backup
No stipulation.
6.2.5. Private Key Archival
No stipulation.
6.2.6. Private Key Transfer Into or From a Cryptographic Module
No stipulation.
6.2.7. Private Key Storage on Cryptographic Module
No stipulation.
6.2.8. Method of Activating Private Key
The Subscriber shall be prompted to enter the PIN code of the Authentication Certificate at least
once after the Card has been inserted into the card reader device.
The Subscriber shall be prompted to enter the PIN code of the Qualified Electronic Signature
Certificate before every single operation done with the corresponding Private Key.
It shall be possible to create different PIN codes for different keys of the Subscriber. The
length of the PIN codes shall be at least:
- for the Authentication Key 4 numbers,
- for the signature Key 5 numbers.
The PUK code shall be at least 8 numbers.
6.2.9. Method of Deactivating Private Key
No stipulation.
6.2.10. Method of Destroying Private Key
No stipulation.
6.2.11. Cryptographic Module Rating
No stipulation.
6.3. Other Aspects of Key Pair Management
6.3.1. Public Key Archival
No stipulation.
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
Validity period of the Subscriber Certificate shall not exceed the validity period of the
corresponding Card for which it was issued.
6.4. Activation Data
6.4.1. Activation Data Generation and Installation
The initial activation PIN codes shall be generated by the Card Manufacturer and shall be
included in a separate sealed envelope for delivery to the Subscriber. The Card Manufacturer
delivers the sealed envelopes to the RA (in this context PBGB, MFA, or PBGB’s external service
provider) and the RA in turn delivers the unopened envelopes to the Subscriber. Copies of the
PIN codes shall not be stored by the Card Manufacturer or any other entity involved in the
process.
The Card Manufacturer shall produce replacement PIN codes and PUK code and shall hand them
over to RA in sealed envelopes. The mechanism for replacing the PIN codes and PUK code shall
ensure by technical means the impossibility to view or store the replacement PIN codes and PUK
code by the RA employee during the whole process.
On the basis of the Subscriber’s application, the RA shall issue replacement PIN codes and PUK
code to the Subscriber when the PIN codes and PUK code need to be replaced or updated.
All PIN codes and PUK code of a single Card shall be replaced at once.
Prior to issuing replacement PIN codes and PUK code the RA shall Authenticate the Subscriber.
In case of replacement PIN and PUK codes, the PBGB and the MFA are in the RA role. In case of
providing the initial PIN and PUK codes to a Subscriber, RA role includes the PBGB, the MFA,
and PBGB’s external service providers when they identify a Subscriber and issue Documents on
behalf of the PBGB.
6.4.2. Activation Data Protection
PIN codes and PUK code shall be handed over personally to the Subscriber by the RA. Copies
of the PIN codes and PUK code shall not be stored by the RA.
6.4.3. Other Aspects of Activation Data
No stipulation.
6.5. Computer Security Controls
6.5.1. Specific Computer Security Technical Requirements
No stipulation.
6.5.2. Computer Security Rating
No stipulation.
6.6. Life Cycle Technical Controls
6.6.1. System Development Controls
No stipulation.
6.6.2. Security Management Controls
No stipulation.
6.6.3. Life Cycle Security Controls
No stipulation.
6.7. Network Security Controls
No stipulation.
6.8. Time-Stamping
No stipulation.
7. Certificate, CRL, and OCSP Profiles
Refer to Clause 6.6 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
7.1. Certificate Profile
The Certificate shall comply with the profile described in the Certificate Profile [9].
7.2. CRL Profile
The CRL shall comply with the profile described in the Certificate Profile [9].
7.3. OCSP Profile
The OCSP responses shall comply with the profile described in the Certificate Profile [9].
8. Compliance Audit and Other Assessments
Refer to Clause 6.7 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
9. Other Business and Legal Matters
Refer to Clause 6.8 of ETSI EN 319 411-1 [6] and ETSI EN 319 411-2 [5].
9.1. Fees
9.1.1. Certificate Issuance or Renewal Fees
No stipulation.
9.1.2. Certificate Access Fees
No stipulation.
9.1.3. Revocation or Status Information Access Fees
No stipulation.
9.1.4. Fees for Other Services
No stipulation.
9.1.5. Refund Policy
No stipulation.
9.2. Financial Responsibility
9.2.1. Insurance Coverage
No stipulation.
9.2.2. Other Assets
No stipulation.
9.2.3. Insurance or Warranty Coverage for End-Entities
No stipulation.
9.3. Confidentiality of Business Information
No stipulation.
9.4. Privacy of Personal Information
9.4.1. Privacy Plan
No stipulation.
9.4.2. Information Treated as Private
No stipulation.
9.4.3. Information Not Deemed Private
No stipulation.
9.4.4. Responsibility to Protect Private Information
No stipulation.
9.4.5. Notice and Consent to Use Private Information
No stipulation.
9.4.6. Disclosure Pursuant to Judicial or Administrative Process
No stipulation.
9.4.7. Other Information Disclosure Circumstances
No stipulation.
9.5. Intellectual Property rights
PBGB obtains intellectual property rights to this CP.
9.6. Representations and Warranties
9.6.1. CA Representations and Warranties
An employee of CA shall not have been convicted of an intentional crime.
9.6.2. RA Representations and Warranties
An employee of RA shall not have been convicted of an intentional crime. RA includes the PBGB,
the MFA, and the external service providers of the PBGB who identify a Subscriber and issue
Documents on behalf of the PBGB.
9.6.3. Subscriber Representations and Warranties
The Subscriber warrants compliance with the Terms and Conditions [10] agreed to upon
submitting an application for a Card.
9.6.4. Relying Party Representations and Warranties
Relying Party shall verify the validity of the Certificate using validation services offered by CA
prior to relying on the Certificate.
Relying Party shall consider the limitations stated in the Certificate and shall ensure that the
transaction to be accepted corresponds to this CP.
9.6.5. Representations and Warranties of Other Participants
An employee of the Card Manufacturer shall not have been punished for an intentional crime.
9.7. Disclaimers of Warranties
No stipulation.
9.8. Limitations of Liability
No stipulation.
9.9. Indemnities
No stipulation.
9.10. Term and Termination
9.10.1. Term
Refer to Clause 2.2.1 Publication and Notification Policies of this CP.
9.10.2. Termination
This CP shall remain in force until it is replaced by a new version or until the service is
terminated upon the request of the RA and all the Certificates therefore become invalid.
9.10.3. Effect of Termination and Survival
PBGB shall communicate the conditions and effect of termination of this CP.
9.11. Individual Notices and Communications with Participants
No stipulation.
9.12. Amendments
9.12.1. Procedure for Amendment
Refer to Clause 1.5.4 of this CP.
9.12.2. Notification Mechanism and Period
Refer to Clause 1.5.4 of this CP.
9.13. Dispute Resolution Provisions
No stipulation.
9.14. Governing Law
This CP is governed by the jurisdictions of the European Union and Estonia.
9.15. Compliance with Applicable Law
CA shall ensure compliance with the following requirements:
- eIDAS [4] - Regulation (EU) No 910/2014 of the European Parliament and of the
Council of 23 July 2014 on electronic identification and trust services for electronic
transactions in the internal market and repealing Directive 1999/93/EC, as amended
by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity
Framework,
- GDPR [13] - Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive
95/46/EC,
- Electronic Identification and Trust Services for Electronic Transactions Act [12],
- Identity Documents Act [1],
- State Fees Act [14],
- Personal Data Protection Act [15],
- Emergency Act [16],
- Consular Act [17],
- Cybersecurity Act [18],
- related European Standards:
  - ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General Policy
    Requirements for Trust Service Providers [19],
  - ETSI EN 319 411-1 Electronic Signatures and Infrastructures (ESI); Policy and
    security requirements for Trust Service Providers issuing certificates; Part 1: General
    requirements [6],
  - ETSI EN 319 411-2 Electronic Signatures and Infrastructures (ESI); Policy and
    security requirements for Trust Service Providers issuing certificates; Part 2:
    Requirements for trust service providers issuing EU qualified certificates [5],
  - CEN EN 419 211 Protection profiles for secure signature creation device [20].
9.16. Miscellaneous Provisions
9.16.1. Entire Agreement
No stipulation.
9.16.2. Assignment
No stipulation.
9.16.3. Severability
No stipulation.
9.16.4. Enforcement (Attorney's Fees and Waiver of Rights)
No stipulation.
9.16.5. Force Majeure
No stipulation.
9.17. Other Provisions
Not allowed.
10. References
[1] “Identity Documents Act, RT I 1999, 25, 365.” Published:
https://www.riigiteataja.ee/en/eli/ee/521062017003/consolide/current
[2] “ISO/IEC 7816, Parts 1-4.” Published: http://iso.org
[3] Card Documentation. Published: www.id.ee
[4] eIDAS - Regulation (EU) No 910/2014 of the European Parliament and of the Council of
23 July 2014 on electronic identification and trust services for electronic transactions in
the internal market and repealing Directive 1999/93/EC, as amended by
Regulation (EU) 2024/1183 as regards establishing the European Digital Identity
Framework. Published: http://data.europa.eu/eli/reg/2014/910/2024-10-18 and
http://data.europa.eu/eli/reg/2024/1183/oj.
[5] “ETSI EN 319 411-2 Electronic Signatures and Infrastructures (ESI); Policy and security
requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust
service providers issuing EU qualified certificates.” Published: https://www.etsi.org/
[6] “ETSI EN 319 411-1 Electronic Signatures and Infrastructures (ESI); Policy and security
requirements for Trust Service Providers issuing certificates; Part 1: General
requirements.” Published: https://www.etsi.org/
[7] “RFC 3647 – Request For Comments 3647, Internet X.509 Public Key Infrastructure,
Certificate Policy and Certification Practices Framework.” Published:
https://www.ietf.org/rfc/rfc3647.txt
[8] “Consolidated text: Commission Implementing Regulation (EU) 2015/1502 of 8 September
2015 on setting out minimum technical specifications and procedures for assurance levels for
electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of
the European Parliament and of the Council on electronic identification and trust services for
electronic transactions in the internal market.” Published:
http://data.europa.eu/eli/reg_impl/2015/1502/2022-07-11
[9] “Certificate, CRL and OCSP Profile for ID-1 format identity documents issued by the
Republic of Estonia.” Published: https://www.skidsolutions.eu/resources/profiles/
[10] “Terms and Conditions for Use of Certificates for ID-1 Format Identity Documents of the
Republic of Estonia.” Published:
https://www.skidsolutions.eu/resources/conditions-for-use-of-certificates/
[11] “SK ID Solutions AS - ESTEID2018 Certification Practice Statement” Published:
https://www.skidsolutions.eu/resources/certification-practice-statement/
[12] “Electronic Identification and Trust Services for Electronic Transactions Act,
26.10.2016.” Published:
https://www.riigiteataja.ee/en/eli/527102016001/consolide/current
[13] “Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC.” Published:
http://data.europa.eu/eli/reg/2016/679/oj
[14] “State Fees Act.” Published:
https://www.riigiteataja.ee/en/eli/ee/519022016005/consolide/current
[15] “Personal Data Protection Act, 15.01.2019.” Published:
https://www.riigiteataja.ee/en/eli/ee/523012019001/consolide/current
[16] “Emergency Act, RT I, 03.03.2017, 1.”
Published: https://www.riigiteataja.ee/en/eli/ee/505012018004/consolide/current
[17] “Consular Act, RT I 2009, 29, 175.” Published:
https://www.riigiteataja.ee/en/eli/ee/527012016004/consolide/current
[18] “Cybersecurity Act.” Published: https://www.riigiteataja.ee/en/eli/ee/523052018003/consolide/current
[19] “ETSI EN 319 401 Electronic Signatures and Infrastructures (ESI); General Policy
Requirements for Trust Service Providers.” Published: https://www.etsi.org/
[20] “CEN EN 419 211 Protection profiles for secure signature creation device.” Published:
https://standards.cencenelec.eu/