Skip to content

Implementing HTTPS pinning

Kristjan Jalukse edited this page Oct 8, 2024 · 15 revisions

Anyone who is using Smart-ID API needs to make sure that the connection endpoint is authentic and that the connection is secure. This is required to prevent MITM attacks for the authentication and signature protocols. This requirement is described in detail also here: https://github.com/SK-EID/smart-id-documentation#226-rp-api-endpoint-authentication

rp-api.smart-id.com certificates

Serial number (HEX) Validity Status Download
0E20714E18D8C3BEE183CC07F74EA14E 2024.09.18 00:00.00 -
2025.10.20 23:59:59
in use from 10.10.2024 DER, PEM
0DBC12F684D97E77F23969C80B4145CF 2023.09.14 00:00.00 -
2024.10.15 23:59:59
in use from 12.10.2023 DER, PEM

Important

New certificate is issued by new intermediate certificate (DigiCert Global G2 TLS RSA SHA256 2020 CA1), which itself is issued by new root (DigiCert Global Root G2) certificate. Certificates are found here.

Smart-ID-Java-Client

Using smart-id-java-client one can comply with the requirement without importing anything directly to Java. But it requires changes in the code.

Samples: https://github.com/SK-EID/smart-id-java-client/blob/master/README.md#verifying-the-ssl-connection-to-application-provider-sk

Smart-ID-PHP-client

Same functionality as Smart-ID-Java-Client is available with the new smart-id-php-client.

https://github.com/SK-EID/smart-id-php-client/blob/master/README.md#configure-client-details-and-https-pinning

Other means

Systems running on other platforms must achieve the same result using methods suitable for these particular platforms. SK ID Solutions is not providing sample client libraries for other platforms besides Java and PHP.