Operational information

​​Customer affected changes for E-Signing

Service maintenance with customer test DNS update

Time: 2022-11-30 09:00 - 13:00 CEST

Information

Nets will perform maintenance on the FTN/E-Ident, E-Signing and ID-Rights service in the customer test environment. The customer test platform will be upgraded through introduction of new servers. As a consequence of this upgrade the DNS will be updated to reflect new IP-addresses for our services when accessed from Internet. Details are described in the table below:


Service hostname
​Old IP address
​New IP address
​www.ident-preprod1.nets.eu
​91.102.27.93
​91.102.28.51
​www.sign-preprod1.nets.eu
​91.102.25.56
​91.102.28.52
order.sign-preprod1.nets.eu​91.102.25.55​​91.102.28.53
​order.id-rights-preprod1.nets.eu
​91.102.27.91
​91.102.28.54
Services in production will not be affected, only the customer test services.

Norwegian BankID SEID 2.0 changes

Time:

  • Customer test: 10 May 2022
  • Production: Some time during January - March 2023 (postponed from 1 November 2022). Excact date will be published here when this is decided by BankID BankAksept AS.

Information

BankID BankAxept AS has announced changes in their BankID service. These changes will be visible in Nets E-Ident and E-Signing services wherever Norwegian BankID certificate is visible. In addition to this, the following applies:
  • For Nets E-Ident through OIDC the changes will be visible in "sub", "no_bid_pid" and cert related claims.
  • For Nets E-Ident through SAML the changes will be visible in "subject", "NO_BID_PID" and certificate related attributes.
  • For Nets E-Signing service the UniqueId field, included in "GetSDODetails" response will have the same value as the BankID Subject serialnumber field, and will thus be updated as described below.

Please find below a detailed description provided by BankID BankAxept AS:

INFORMATION FROM BANKID BANKAXEPT AS:

BankID certificate contents will change for both End-user certificates to physical persons and Merchant certificates. The reason for this is an alignment of national standards for certificate contents with corresponding European standards. 

For physical persons the name field in the certificate will be extended with a separate field for given name and a separate field for surname. The common name will be kept as it is. The serial number inside the same sequence will stay the same, but it will be encoded with a prefix UN:NO-. This is a preparation for international use.

Certificates to physical persons contain some identifiers to statements about content and usage of the certificate. One such statement is added, another removed, but it is not likely that will cause any practical problems.

The most significant change to merchant certificate is that we add a sub-field called OrganizationIdentifier in the name field. This adds to prefix for international use to the national organization number. For compatibility reasons the original organization number is still kept in the SerialNumber sub-field.

We ask you to pay extra attention to your use of changed and removed attributes. In particular in the person certificates:
  1. Subject Serialnumber - this is now prefixed with “UN:NO-“
  2. SubjectAltName - this is removed
  3. Subject Distinguished Name - minor changes in formatting
 
We updated our preprod environment with the changes on Wednesday 10 May 2022. The changes can be tested in our preprod environment.  The changes will go into production around 1 November 2022. 

It is highly recommended for everyone to test and verify their systems against preprod before the changes go into production.

Overview of the changes: 

End-user certificate:
  • Change: (new) Subject Serialnumber = “UN:NO-“ + old Subject Serialnumber (PID)  
  • Add: givenName (G ?)= substing of commonName following format of common name “surname + comma + space + givenName)”
  • Add: surname (SN) = substing of commonName following format of common name “surname + comma + space + givenName)”
  • Add: qcStatement-2 iht. RFC 3739 [6] og ETSI EN 319 412-1 [10] kap. 5.1.1 med verdien id-etsi-qcssemanticsId-Natural.
  • Keep: esi4-qcStatement-1
  • Remove: esi4-qcStatement-2 (QcEuLimitValue)
  • Keep: esi4-qc-Statement-5
  • Keep: esi4-qc-Statement-6
  • Change: Subject Distinguished Name
  • Remove: SubjectAltName
  • Change: QcStatements

Merchant certificate:
  • Keep: Subject Serialnumber. Stays the same just because of compatibility reasons
  • Add: organizationIdentifier = “NTRNO-“ + Subject Serialnumber
  • Change: Subject Distinguished Name
  • Remove : SubjectAltName
  • Keep: No QcStatements

Service maintenance on database

Time: 2023-01-08 00:00 - 02:00 CET

Information

E-Signing, E-Ident (including FTN and Nets Passport Reader), ID-Rights, E-Signing Portal and E-Consent will have a service window on Sunday 8th January 2023 for production database maintenance. During the service window, these services will be unavailable.

Service maintenance on database

Time: 2023-01-08 00:00 - 02:00 CET

Information

E-Signing, E-Ident (including FTN and Nets Passport Reader), ID-Rights, E-Signing Portal and E-Consent will have a service window on Sunday 8th January 2023 for production database maintenance. During the service window, these services will be unavailable.

Changes to FTN effective in production environment

Time: No later than 15th February 2023

Note: Change can be implemented in customer test and production individually per Merchant ID, at any agreed date between now and 15th February 2023.

Information

To comply with local GDPR regulations, Nets will no longer include "National Identifier" for Finnish Bank IDs in PAdES last page. E-Signing customers using Finnish Bank ID will be affected by this change.

Customers dependant on National Identifier, must do changes to their implementation to support continued access to end user National Identifier (SSN).

Changes to GetPAdES and GeneratePAdES

The GetPAdES and GeneratePAdES functions support an "IncludeSSN" parameter which may be used to request the inclusion of signers National Identifier on the generated PAdES last page. The “IncludeSSN” parameter will no longer have any effect, and instead always be considered set to value “false” for Finnish Bank ID users, and no National Identifier will be included.

Changes to SDO format

The SDO currently include the National Identifier in a separate field of the SDO. This field will no longer be supported for Finnish Bank ID users. The consequence is that no National Identifier will be included in the SDO. Customers that require on the National Identifier being to be included in the SDO, must change their solution to use Authentication Based Signing (ABS) with Finnish Bank ID, as described below.

Authentication Based Signing (ABS) with Finnish Bank ID and Mobiilivarmenne

Nets Customers supporting Authentication Based Signing (ABS) with Finnish Bank ID and Mobiilivarmenne can request inclusion of the National Identifier in the SDO. National Identifier will be included in a dedicated field if one of the following is true:
A) "SignerID" is defined as "SSN" in the sign order, or
B) "IncludeSSN=true" value is set in the sign order with "SignerID" set as PID value

Server certificate update

Time: Between 15th April and 6th July 2023.

Note: Customer should test and if required make applicable updates on their side no later than 15th April (test) and 15th June (production).

Information

The ID-Rights and E-Signing services will during 2023 be updated with new server certificates, issued under a new root CA. If you need to explicitly trust the root certificate, you must ensure both root CA certificates are added to your truststore. This must be done no later than 15th May (customer test) and 15th June (production).

Server certificates for the following E-Signing service endpoints will be updated with the new issuing root at exact dates to be announced separately:
  • Customer test: https://order.sign-preprod1.nets.eu, https://www.sign-preprod1.nets.eu and ​https://order-ext.sign-preprod1.nets.eu
  • Production: https://order.sign.nets.eu, https://www.sign.nets.eu and ​https://order-ext.sign.nets.eu

The new root CA will be a DigiCert root CA, just like today, just a different one. You will find details information about the two applicable root certificates on the Service Access page.