FINA PKI System

Fina’s production environment for issuing Digital Certificates and Qualified Electronic Time-Stamps

Characteristics of Fina’s production environment:

  • Two-level architecture of Certification Authorities (CA);

  • Use of secure cryptographic algorithms and longer cryptographic keys;

  • New certificate status verification service;

  • Qualified Electronic Time-Stamp Service.

Digital Certificates and Qualified Electronic Time-Stamps issued using Fina’s production environment comply with the applicable EU and international standards concerning the issuance of Digital Certificates and Time Stamps, Electronic Signature standards and best practices.

The image presents a Digital Certificate and services provided by Fina’s two-level production environment for issuing Digital Certificates and Qualified Electronic Time-Stamps.

Two-tier architecture of Fina’s production Certification Authorities

The certificate issuing system comprises a Root Certification Authority (Root CA) which issues certificates for Subordinate Certification Authorities (Subordinate CA). Subordinate Certification Authorities issue certificates to end users.

Fina’s new Digital Certificate production includes:

  • one Root Certification Authority: Fina Root CA; and
  • two Subordinate Certification Authorities:
    • Fina RDC 2015, and
    • Fina RDC-TDU 2015.

Fina Root CA has issued and signed the certificates for the Fina RDC 2015 and Fina RDC-TDU 2015 Subordinate CAs.

Cryptographic algorithms and key lengths

Pursuant to the relevant Electronic Signature legislation, Fina uses prescribed secure cryptographic algorithms and cryptographic key lengths for issuing Certificates and Time-Stamps.

Certificates, CRLs and Time-Stamps are signed with RSA, using SHA-256 to calculate the digest that is signed.

The lengths of cryptographic RSA key pairs used are as follows:

  • CA key pairs: 4096 bits, RSA,

  • Subscriber key pairs: 2048 bits, RSA.

This ensures the security of and trust in issued Certificates and Qualified Electronic Time-Stamps.

Characteristics of FINA’s production certificates

Fina Root CA Certificate

The Fina Root CA Certificate is described in the Certificate policy and certification practice statement for Fina Root CA.

Certificates for the Fina RDC 2015 and Fina RDC-TDU 2015 CAs

The Fina RDC 2015 and Fina RDC-TDU 2015 Certificates are described in the Certificate policy and certification practice statement for Fina Root CA.

Characteristics of Subscriber Certificates

Subscriber Certificates issued by Fina RDC 2015 and Fina RDC-TDU 2015 are described in the documents listed in the table below:

Certificate Policy

Certificate policy for qualified certificates for electronic signatures and seals (ver. 1.0) valid from: 1.7.2017.

Certificate policy for non-qualified certificates (ver. 1.0) valid from: 1.7.2017.

Certificate policy for certificates for website authentication (ver. 1.0) valid from: 1.7.2017.

Online certificate status verification service - FINA OCSP

Fina’s OCSP service, Fina OCSP, provides information about the status of certificates issued by Fina Root CA, Fina RDC 2015 and Fina RDC-TDU 2015. The access address for Fina OCSP is provided in the Authority Information Access extension of each of Fina’s production certificates. Fina OCSP operates as recommended in IETF RFC 6960.

Fina OCSP signs responses by using a 2048-bit RSA private key and the SHA-256 and RSA cryptographic algorithms.

In addition to using Fina OCSP, certificate status may also be verified by retrieving CRLs. We recommend that you use the OCSP service to verify certificate status, and use CRL retrieval as an alternative verification method in case the OCSP service is unavailable.
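
The recommendation above (OCSP first, CRL only when OCSP is unavailable) can be expressed as relying-party logic. The following is an added example, not Fina's code: the dictionary shapes for a parsed OCSP response and CRL, the fetch callables and all function names are assumptions, and parsing and signature verification are assumed to be done by your PKI library before these functions are called.

```python
from datetime import datetime, timezone
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

class Unavailable(Exception):
    """The source gave no verified, definitive answer."""

def ocsp_status(resp):
    # RFC 6960: only responseStatus "successful" carries a certificate status;
    # tryLater, internalError, etc. mean the responder gave no answer.
    if resp["response_status"] != "successful":
        raise Unavailable(resp["response_status"])
    if not resp["signature_valid"]:
        raise Unavailable("OCSP response signature not verified")
    return Status(resp["cert_status"])

def crl_status(serial, crl, now):
    # A CRL past its nextUpdate, or one that fails verification, proves nothing.
    if not crl["signature_valid"] or now > crl["next_update"]:
        raise Unavailable("CRL stale or not verified")
    return Status.REVOKED if serial in crl["revoked_serials"] else Status.GOOD

def check_revocation(serial, fetch_ocsp, fetch_crl, now=None):
    """Return (Status, source). OCSP first; CRL only if OCSP is unavailable."""
    now = now or datetime.now(timezone.utc)
    try:
        # A definitive OCSP answer (good, revoked or unknown) is final.
        return ocsp_status(fetch_ocsp(serial)), "ocsp"
    except (Unavailable, OSError):
        pass  # network failure or no usable answer: fall back to the CRL
    try:
        return crl_status(serial, fetch_crl(), now), "crl"
    except (Unavailable, OSError):
        # Neither source answered: report UNKNOWN so the caller can fail closed.
        return Status.UNKNOWN, "none"
```

A caller should accept the certificate only on Status.GOOD; treating UNKNOWN as acceptable would turn an outage of both services into a way to use a revoked certificate.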