Changes to Suomi.fi e-Identification certificate practices – action required from e-services
Published 8/12/2025
The lifetime of TLS certificates will be reduced gradually in the next few years. In March 2026, it will be reduced to 200 days, and in a few years, to 47 days. Shortening the lifetime of TLS certificates will bring changes to the Suomi.fi e-Identification certificate guidelines.
Changes to Suomi.fi e-Identification certificate practices
Changes to Suomi.fi e-Identification certificate practices apply to the SAML certificate type and the validity of the certificates.
The SAML certificate type in the e-service metadata file must be a system signature certificate instead of a server certificate. The system signature certificates are issued by the Digital and Population Data Services Agency. For additional information on ordering Digital and Population Data Services Agency certificates, please visit https://dvv.fi/en/how-to-order-a-service-certificate. Continuing to use TLS certificates will increase the amount of maintenance work in e-services due to the shortened lifetime of the certificates. For this reason, we recommend adopting a system signature certificate issued by the Digital and Population Data Services Agency that is valid for two years.
The validity period of certificates will be checked beginning from 2027. At the moment, the validity period of certificates is not being checked. The e-service is responsible for ensuring that a valid certificate is being used in the service.
You can find the Suomi.fi e-Identification certificate guidelines at https://kehittajille.suomi.fi/services/e-identification/how-to-implement-the-technical-setup-of-the-identification-service/metadata/creating-metadata-for-the-e-service.
Impact on the client test environment
You can use self-signed certificates in the client test environment. The validity of certificates in the client test environment must not exceed 2 years. Expired certificates will not be allowed in the client test environment from 2027.
Schedule
The changing certificate practices will take effect immediately.
At the moment, the validity period of the certificates is not being checked. From the beginning of 2027, the validity period of the certificates will be checked in the production environment and the client test environment.
E-services must ensure that no expired certificates are being used.
Actions required from e-services
Please check the validity of your service’s SAML certificate. If necessary, contact your system provider for more information.
If the certificate has expired, follow the instructions to replace it with a new certificate.
If the certificate is valid, make note of the certificate instructions for the next certificate update.
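One way to run this check against an e-service metadata file, as an added example that is not part of the original notice or any Suomi.fi tooling: it reads each ds:X509Certificate element, takes notBefore and notAfter straight from the DER using only the Python standard library, and reports certificates that are outside their validity period or valid for longer than two years. The function names, the 731-day limit (two years including a leap day) and the sample metadata, which wraps a constructed DER skeleton rather than a real certificate, are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

X509_TAG = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from a DER X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos      # skip the optional [0] version
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    times = []
    for _ in range(2):                     # notBefore, then notAfter
        tag, start, pos = _tlv(der, pos)   # 0x17 = UTCTime, else GeneralizedTime
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        t = datetime.strptime(der[start:pos].decode("ascii"), fmt)
        times.append(t.replace(tzinfo=timezone.utc))
    return times[0], times[1]

def check_metadata(xml_text, now, max_validity=timedelta(days=731)):
    """Return findings for each certificate in the metadata (731 days is an assumption)."""
    findings = []
    for el in ET.fromstring(xml_text).iter(X509_TAG):
        not_before, not_after = cert_validity(base64.b64decode(el.text))
        if not not_before <= now <= not_after:
            findings.append(f"not valid on {now:%Y-%m-%d} (ends {not_after:%Y-%m-%d})")
        if not_after - not_before > max_validity:
            findings.append("validity period longer than 2 years")
    return findings

def sample_metadata(not_before, not_after):
    """Constructed sample: metadata around a DER skeleton that carries only validity."""
    seq = lambda tag, body: bytes([tag, len(body)]) + body
    validity = seq(0x30, seq(0x17, not_before) + seq(0x17, not_after))
    tbs = seq(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00" + validity)
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>'
            + base64.b64encode(seq(0x30, tbs)).decode() + "</ds:X509Certificate></EntityDescriptor>")
```

To check a real file, pass its contents and `datetime.now(timezone.utc)` to `check_metadata`; an empty list means every certificate in the metadata is currently valid and within the two-year limit.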
Additional information
Read more about the reduction of TLS certificate lifetimes: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days.