SCS component

Due to the SCS architecture, changes not related to Net iD Client that can block this functionality can happen at any time. The SCS functionality in Net iD Client is provided "as is", and SecMaker expressly disclaims any warranties, including as regards fitness for purpose, freedom from errors and bugs, or that defects in the functionality will be corrected.

For more information regarding SCS, please refer to the DVV documentation Signature Creation Service specification (external link).

The SCS service is an implementation of the Finnish standard Signature Creation Service. It starts a local web server that is accessed from the web browser. See Service SCS and scs CLI command for more information on how to configure and use the SCS service.

On Windows, this component normally runs as a system service, since it needs administrative privileges to start a web server. On Citrix Server it runs as a user service, because the virtual loopback is implemented per user. On Linux and macOS it can run as either a system service or a user service.

Most web browsers do not allow mixing SSL/TLS sessions with non-SSL/TLS sessions, so SSL/TLS is used from now on. The current implementation supports TLS 1.2 with a limited set of algorithms; more algorithms may be added in the future.

The SCS runs as a web server and the web server certificate is generated locally and signed by a local CA.

CA certificates and web certificates

Certificates have no reference to CRL or OCSP. Certificates are generated from certificate templates.

CA certificates are valid for ten years, for example 2020-01-01–2029-12-31. The CA keypair is deleted after ten certificates have been signed.

Web server certificates are valid for one year, for example 2020-01-01–2020-12-31. Ten certificates are generated, one for each year. All web server certificates use the same keypair.
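The certificate layout just described (a local CA valid for ten years, ten one-year web server certificates on one shared keypair, subject-key-id/authority-key-id but no CRL or OCSP references, and the CA keypair discarded after the tenth signature) can be reproduced with the openssl command line. The script below is an added example, not SecMaker's code and not what Net iD Client does internally: the working directory, file names, subject names and extension templates are assumptions, the 2020 start year mirrors the example dates above, and the check date 2024-06-01 (epoch 1717200000) is a constructed value.

```shell
#!/bin/sh
# Added example, not SecMaker's code: rebuild the SCS certificate layout
# described above with the openssl CLI. Directory, file names, subjects and
# the extension templates are assumptions; the 2020 start year mirrors the text.
set -eu

SCS_DIR="${SCS_DIR:-$(mktemp -d)}"   # assumed working directory

write_config() {   # certificate templates: SKI/AKI only, no CRL or OCSP references
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = scs_ca
[ scs_ca ]
dir = .
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
policy = dn_policy
# the ten web server certificates share one subject
unique_subject = no
[ dn_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
[ v3_web ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
}

gen_scs_certs() {   # $1 = directory, $2 = first year of the ten-year window
  dir="$1"; y0="$2"; y9=$((y0 + 9))
  mkdir -p "$dir/newcerts"
  write_config "$dir"
  ( cd "$dir"
    : > index.txt; echo 01 > serial
    # Local CA: one keypair, self-signed for ten years (y0-01-01 .. y9-12-31)
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
      -subj "/CN=Example SCS local CA" -config ca.cnf 2>/dev/null
    openssl ca -selfsign -batch -notext -config ca.cnf -keyfile ca.key -in ca.csr \
      -out ca.crt -extensions v3_ca \
      -startdate "${y0}0101000000Z" -enddate "${y9}1231235959Z" 2>/dev/null
    # One web server keypair and one CSR, signed ten times: one cert per year
    openssl req -new -newkey rsa:2048 -nodes -keyout web.key -out web.csr \
      -subj "/CN=localhost" -config ca.cnf 2>/dev/null
    i=0
    while [ "$i" -lt 10 ]; do
      y=$((y0 + i))
      openssl ca -batch -notext -config ca.cnf -in web.csr -out "web-$i.crt" \
        -extensions v3_web -startdate "${y}0101000000Z" -enddate "${y}1231235959Z" 2>/dev/null
      i=$((i + 1))
    done
    rm -f ca.key ca.csr   # the CA keypair is deleted after ten certificates are signed
  )
}

web_cert_count() { ls "$1"/web-*.crt 2>/dev/null | wc -l | tr -d ' '; }
ca_key_present() { [ -f "$1/ca.key" ] && echo yes || echo no; }

# Does the local CA validate web certificate $2 at epoch time $3? (prints ok/fail)
verify_at() {
  openssl verify -CAfile "$1/ca.crt" -attime "$3" "$1/web-$2.crt" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Number of distinct public keys across the ten web certificates (expected: 1)
distinct_web_pubkeys() {
  for c in "$1"/web-*.crt; do
    openssl x509 -in "$c" -noout -pubkey | openssl dgst -sha256
  done | sort -u | wc -l | tr -d ' '
}

# Count of CRL / OCSP references in a web certificate (expected: 0)
revocation_refs() {
  openssl x509 -in "$1/web-0.crt" -noout -text | grep -c -E 'CRL Distribution|OCSP' || true
}

# Year in which web certificate $2 becomes valid
not_before_year() {
  openssl x509 -in "$1/web-$2.crt" -noout -startdate | sed 's/.*\([0-9]\{4\}\) GMT$/\1/'
}

gen_scs_certs "$SCS_DIR" 2020
echo "web certs: $(web_cert_count "$SCS_DIR"), CA key kept: $(ca_key_present "$SCS_DIR")"
echo "distinct web public keys: $(distinct_web_pubkeys "$SCS_DIR")"
echo "valid on 2024-06-01: web-4=$(verify_at "$SCS_DIR" 4 1717200000) web-0=$(verify_at "$SCS_DIR" 0 1717200000)"
```

`openssl ca -startdate/-enddate` is what pins each certificate to its calendar year, and `openssl verify -attime` evaluates the chain at a chosen moment rather than now, which is how the script shows that only the certificate for the current year verifies while the others are expired or not yet valid. Because the CA private key is gone after the tenth signature, nothing further can be issued from this CA; once the window is used up the whole set has to be regenerated.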

The CA certificate and the current web server certificate can be downloaded by any browser (figure: SCS certificates).

View SCS certificate

To see the SCS certificates, use the Command utility.

Example 1. View SCS certificate using the Command utility.
  1. Select option [6] Utility.

  2. Select option [3]/[4] View SCS certificate.

Delete SCS certificate

To delete the SCS certificates and keypair, use the Command utility when running as SYSTEM. The SCS certificates and keypair are regenerated at SCS startup when missing.

Example 2. Delete SCS certificate using the Command utility.

To get the necessary options for virtual tokens, the command utility must be run as administrator.

  1. Start the command utility.

    $ netid.exe -command
  2. Select option [4] Token.

  3. Select option [0] Initialize.

  4. Select the option indicating virtual token.

The regenerated certificates are identical to the previous ones except for the keypair and the subject-key-id/authority-key-id, so the OS and browsers may confuse them.

Supported algorithms

Cipher suites

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Key exchange algorithms

  • secp256r1

  • secp384r1

  • secp521r1

Signature algorithms

  • RSA-SHA-1

  • RSA-SHA-256

  • RSA-SHA-384

  • RSA-SHA-512