Adding support for ESTEID SK 2015 certification chain

kristiu edited this page Jan 20, 2016 · 7 revisions

Libdigidocpp versions 3.12 and newer

Support for the ESTEID-SK 2015 certification chain is already included in Libdigidocpp versions 3.12 and above; no additional configuration is necessary.

Libdigidocpp versions older than 3.12

The Libdigidocpp library uses different mechanisms for managing the trusted certification chain depending on the file format. How support for ESTEID-SK 2015 is added depends on the library's settings and the format.

BDOC 2.1 (ASiC-E) format

For the BDOC 2.1 format, certificate trust management is done directly by the Libdigidocpp library using TSL trust lists. Support for ESTEID-SK 2015 can be added as follows:

  1. For digital signature creation and validation operations, ensure that the Estonian national TSL list used by the library is up to date and contains the ESTEID-SK 2015 certificate:
    1. If automatic TSL updating is enabled, the appropriate TSL version is loaded automatically by the library.
    2. If automatic TSL updating is not enabled, the library's user must download the newest version of the Estonian TSL (containing ESTEID-SK 2015 information) from http://sr.riik.ee/tsl/estonian-tsl.xml and add the file to the Libdigidocpp TSL cache location. Information about configuring automatic TSL updates and the TSL cache location is provided in the Libdigidocpp documentation; see Libdigidocpp Trust anchor/TSL settings.
  2. For the digital signature creation operation, the OCSP responder server URL must be configured. Add the following row to the digidocpp.conf configuration file:
     <ocsp issuer="ESTEID-SK 2015">http://ocsp.sk.ee</ocsp>
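
A pre-flight check for the two steps above, as an added example (not part of the original page or of Libdigidocpp): it confirms that a TSL file lists ESTEID-SK 2015 and that digidocpp.conf carries the OCSP responder row. It assumes the CA appears by that name in a TSPService's Name or X509SubjectName element; the function names, the `<configuration>` root element and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

TSL_NS = "{http://uri.etsi.org/02231/v2#}"  # ETSI trust-list XML namespace
CA_NAME = "ESTEID-SK 2015"


def tsl_lists_ca(tsl_xml, ca_name=CA_NAME):
    """True if any TSPService names ca_name (assumption: in Name or X509SubjectName).

    Presence check only: the TSL's signature and validity period are not verified here.
    """
    root = ET.fromstring(tsl_xml)
    for service in root.iter(TSL_NS + "TSPService"):
        for tag in ("Name", "X509SubjectName"):
            for element in service.iter(TSL_NS + tag):
                if element.text and ca_name in element.text:
                    return True
    return False


def ocsp_url_for(conf_xml, issuer=CA_NAME):
    """Return the OCSP responder URL configured for issuer, or None if the row is missing."""
    root = ET.fromstring(conf_xml)
    for element in root.iter("ocsp"):
        if element.get("issuer") == issuer:
            return (element.text or "").strip() or None
    return None


# Constructed sample inputs (heavily trimmed; a real TSL carries far more data).
SAMPLE_TSL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <TrustServiceProviderList><TrustServiceProvider><TSPServices>
  <TSPService><ServiceInformation>
   <ServiceName><Name xml:lang="en">ESTEID-SK 2015</Name></ServiceName>
  </ServiceInformation></TSPService>
 </TSPServices></TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

SAMPLE_CONF = """<configuration>
  <ocsp issuer="ESTEID-SK 2015">http://ocsp.sk.ee</ocsp>
</configuration>"""

if __name__ == "__main__":
    print("TSL lists CA:", tsl_lists_ca(SAMPLE_TSL))
    print("OCSP responder:", ocsp_url_for(SAMPLE_CONF))
```

To check real files, read them in binary mode and pass the bytes to the two functions.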

DDOC (DIGIDOC-XML 1.3) format

For the DDOC (DIGIDOC-XML 1.3) format, Libdigidocpp uses the CDigiDoc library (also known as Libdigidoc) as the base library for handling digitally signed documents. To add ESTEID-SK 2015 support, refer to the respective configuration instructions for the CDigiDoc library.