Certificates used for signing Suomi.fi e-Identification SAML messages will change in April-May 2026

Certificates used for signing Suomi.fi e-Identification SAML messages will change in April-May 2026

The certificates used for signing Suomi.fi e-Identification SAML messages will be changed as the current certificates expire.

The certificate will first be changed in the testing environment in April and then in the production environment in May.  Changing the certificate requires changes to e-services that use Suomi.fi e-Identification.

New certificates for the testing environment

The certificate change will first take place in the Suomi.fi e-Identification testing environment so that you can test the introduction of the new certificate. At this stage it is important to ascertain if your e-service supports the simultaneous specification of two certificates, the current one and the new one, in the metadata. If this is the case, you can make use of transitional metadata, which can be implemented beforehand and which is simple to implement in the production environment as well.

Finnish Digital Agency will publish the testing environment’s new, signed metadata at https://static.apro.tunnistus.fi/static/metadata/idp-metadata.xmlOpens in a new window. on 7 April 2026. The new two-certificate metadata will contain both the new certificate and the current one. The use of the current certificate for signing SAML messages will continue until 21 April. We recommend that you deploy the new metadata in your testing environment as soon as possible. We will deploy the new certificate in the testing environment on 21 April 2026 at 10:00 a.m.

To ensure that the change of certificate will not cause interruptions in your customer service, complete the following steps:

1. Once they have been published, deploy the new metadata with two certificates in the Suomi.fi e-Identification testing environment as soon as possible and check that your test service works normally. The new metadata can be downloaded on 7 April at https://static.apro.tunnistus.fi/static/metadata/idp-metadata.xml

2. Check that your test service also works with the new certificate. The use of the new certificate will start on 21 April 2026. We will notify you separately when the change has been completed and you can start testing.

3. If the tests show that your e-service is unable to use the metadata with two certificates, secondary single-certificate metadata must be deployed which only contains the new certificate. This metadata is then taken into use at the same time as ID changes the signature certificate of the testing environment, on 21 April 2026 at 10:00 a.m. The secondary metadata will be published on 7 April 2026 at https://static.apro.tunnistus.fi/static/metadata/idp-metadata-secondary.xml

The signing certificates for the test environment idP metadata files of the Suomi.fi e-Identification will change. They will be published at least a week before the metadata is released and will be available at: https://kehittajille.suomi.fi/services/e-identification/how-to-implement-the-technical-setup-of-the-identification-service/metadata/e-identification-idp-metadata-signing-certificates.

Changing certificates in the production environment

The new certificate for the production environment will be taken into use on 19 May 2026 at 10 a.m. The changing of the signature certificate for the production environment means that the e-service must take new metadata into use. We will publish the metadata containing the new certificates on 5 May 2026 at https://tunnistus.suomi.fi/static/metadata/idp-metadata.xmlOpens in a new window..

Your e-service has two options for the implementation of the new certificate for the production environment.

1. Using transitional metadata

If your e-service supports the simultaneous use of two certificates, you can use the transitional metadata. This means that you can deploy the new signature certificate more flexibly in advance. The transitional metadata includes both the current signature certificate and the new certificate to be deployed on 19 May 2026.

2. Implementing the new metadata directly

If your e-service does not support the simultaneous use of two certificates, the new metadata must be implemented in your e-service at the same time as it is changed in Suomi.fi e-Identification, on 19 May 2026 at 10:00 a.m.

We will provide separate information on the change of the certificate for the production environment in May.

Schedule for the change of certificate

7 April 2026 Publication of metadata containing new certificate for testing environment

21 April 2026 Testing environment certificate changes at 10 a.m.

5 May 2026 Publication of metadata containing new certificate for the production environment

19 May 2026 Production environment certificate changes at 10 a.m.