Estonia is enhancing the security of its digital identities
E-residents must now update their digital ID card certificates.
Estonia is upgrading the security of ID cards and digital IDs used by citizens, residents and e-residents.
A new certificates update has been developed based on advanced elliptic-curve cryptography, which is more secure and faster than the SSL certificates previously used.
This certificate update will protect users from a potential security vulnerability that the Estonian government announced last month had been identified by a group of security researchers.
It has now been confirmed that the vulnerability is contained in software that had previously been installed on the embedded chip used in ID cards around the world, including those issued by Estonia between 16 October 2014 and 25 October 2017.
Although the problem is international, minimising the risk and developing a solution has been a top priority for Estonia since the government was informed.
However, there has still been no reported incidents of any Estonian digital ID or ID card being misused in the way described by the researchers. Considerable resources and expertise would be required for this so the risk for most people affected has always been low.
What you now need to do as an e-resident
All e-residents whose digital IDs were issued prior to 25 October 2017 must now update their digital ID card certificates from the Estonian ID card utility software on their computer. It will inform you automatically that your certificates need updating.
To complete the certificates update, you will need the latest version of the Estonian ID card utility software. If you have not downloaded it then please do so first here. We recommend using the latest version of the software so you may need to update it.
The certificates update is necessary to reprogramme the chip contained inside your digital ID card. Only a few clicks are required, including entering your current PIN codes, but the process may take up to 15 minutes to complete.
Before you start, make sure you have your existing PIN codes, as well as a pen and paper ready to write down your new ones. You can also change these afterwards if you wish.
If you have encrypted documents that you need to access in future then make sure you decrypt them before the update as it is not possible decrypt documents with new certificates that were encrypted with the previous certificates. It won’t be possible to encrypt documents for around a month afterwards, although a solution for this is being developed.
If you are unsure how to update your certificates, watch this tutorial:
If there are any problems, you can contact the e-Residency programme on firstname.lastname@example.org or simply try to update the certificates again later.
All previous certificates will likely be switched off in early November. Once this happens, your digital ID card will not work unless and until you update your certificates.
The certificate update period will last until 31 March 2018. After that, you will need to apply for a new digital ID card if you did not update your certificates.
All e-residents whose digital ID cards were issued from November 2017 will not need to take any action because the chips inside all new cards will already have the new certificates installed. Please note that this does not include e-residents who were informed that their digital ID card was ready to collect prior to November.
This certificate update has required close co-operation across the public and private sector. In addition to public e-services, private companies that integrate with Estonia’s digital ID cards are also ready for the new certificates — except one notable exception due to issues currently affecting Apple Macs.
Issues currently affecting Apple Macs
E-residents can use Apple Macs to update their certificates, as well as continue using them for digitally signing documents in the ID card utility software. However, other uses of Estonian digital ID cards will only be possible on Apple Macs with the current version of the Firefox browser.
This is far from ideal so Estonia is working on a solution with Apple to enable full functionality of an Estonian digital ID card in all browsers on an Apple Mac.
In the meantime, Apple Mac users are encouraged to download the Firefox browser before starting the certificates update. Further guidance will be provided in the near future.
There are other solutions too. Banks that previously required the use of e-Residency digital ID cards to log into their services also offer a remote log-in method for e-residents called Smart ID. This is a mobile app that only requires you to authenticate yourself once so you can continue securely using Estonian banking services. Smart ID does not enable authentication and digital signing for other purposes, however.
- If you are an e-resident with a digital ID card issued prior to 25 October 2017 then open the ID card utility software on your computer now and follow the instructions to update your certificates. Don’t forget a pen and paper so you can write down your new PIN and PUK codes. You may need to update the software first too if you haven’t done so.
- However, if you are an e-resident and have not yet downloaded the ID card utility software then do so here now and then follow the instructions to update your certificates straight afterwards.
- If you have a digital ID card issued from November 2017 then no further action is required. Your digital ID will already contain the new certificates.
- If you have been granted e-Residency and were informed prior to November that your digital ID card is ready to collect, then please do so as early as possible and then update your certificates. If your digital ID card has been waiting longer than six months then check directly with your chosen pickup location. All uncollected digital ID cards with the previous certificates will be returned to Estonia on 1 March.
- If you are an Apple Mac user then you are recommended to activate Smart ID for logging into your bank and also use the Firefox browser for accessing other services. There will be further updates about how we are working to restore full functionality.
- If you are a citizen or resident of Estonia then further advice is available here. Much of the advice is the same, but this article is intended specifically for e-residents.
- If you have already applied for e-Residency and have questions about your application status then you can contact the Estonian Police and Border Guard Board at email@example.com. Please make sure you include your full name and date of birth.
- If you require further support regarding this issue — or the process of becoming an e-resident, starting a company and running a company — then please contact our team on firstname.lastname@example.org.
- If your digital ID card has been issued but not yet collected then please contact your chosen pickup location directly.