Certificate Profiles
The following tables describe the fields and extensions included in the X.509 certificates currently issued by BankID eSign for use in the BankID CSC and BankID Signing WYSIWYS services.
Qualified Certificate for Natural Person
| Section | Field | OID | Description | Example Value |
|---|---|---|---|---|
| BASIC INFO | | | | |
| | Version | - | X.509 certificate version | 3 |
| | Serial Number | - | Unique identifier assigned by the CA | 70:22:67:94:91:51:7a:4f:d9:6b:c9:47:c4:87:03:a0 |
| | Signature Algorithm | - | Algorithm used to sign the certificate | ecdsa-with-SHA384 |
| | Not Before | - | Certificate validity start time | 2026-01-23 09:06:02 UTC |
| | Not After | - | Certificate validity end time - total 15 minutes | 2026-01-23 09:21:02 UTC |
| ISSUER | | | | |
| | CN | 2.5.4.3 | Common name | CA 1a Preprod |
| | O | 2.5.4.10 | Organization | BankID BankAxept AS |
| | C | 2.5.4.6 | Country | NO |
| SUBJECT | | | | |
| | serialNumber | 2.5.4.5 | Unique subject identifier | UN:NO-9578-5100-Q_5iVtjvP_sTBr42bFxZeLdnFfSwdgKzT2TCNWUnfA8 |
| | SN | 2.5.4.4 | Surname | Bombadil |
| | CN | 2.5.4.3 | Common name | Bombadil, Tom |
| | GN | 2.5.4.42 | Given name | Tom |
| PUBLIC KEY | | | | |
| | Algorithm | - | Type of public key | id-ecPublicKey |
| | Size | - | Key length | 256 bit |
| | Curve | 1.2.840.10045.3.1.7 | Elliptic curve used | prime256v1 (P-256) |
| STANDARD EXTENSIONS | | | | |
| | Key Usage | 2.5.29.15 | Permitted key operations | Digital Signature, Non Repudiation |
| | Basic Constraints | 2.5.29.19 | Not a CA certificate | CA:FALSE |
| | Subject Key Identifier | 2.5.29.14 | Hash of subject's public key | 0E:99:A0:D6:7D:E3:7D:2F:AC:41:1C:C4:9E:6A:BA:68:4B:A8:6A:53 |
| | Authority Key Identifier | 2.5.29.35 | Hash of issuer's public key | 3B:97:BD:5C:89:B0:28:25:F5:92:89:3A:4E:66:AB:4E:0A:C4:2A:3F |
| | CRL Distribution Points | 2.5.29.31 | URL for revocation list | https://pki.esign.preprod.bankid.no/bankidbankaxeptca1apreprod.crl |
| | Authority Info Access | 1.3.6.1.5.5.7.1.1 | URL for issuing CA certificate | https://pki.esign.preprod.bankid.no/bankidbankaxeptca1apreprod.crt |
| SUBJECT DIRECTORY ATTRIBUTES | | | | |
| | Date of Birth | 1.3.6.1.5.5.7.9.1 | Subject's date of birth | 2024-04-17 |
| CERTIFICATE POLICIES | | | | |
| | BankID eSign Policy | 2.16.578.1.61.1.1.1 | BankID certification practice statement | CPS: https://bankid.no/bankid-esign-cps.pdf |
| | ETSI QCP-n-qscd | 0.4.0.194112.1.2 | Qualified cert for natural person with QSCD | - |
| QC STATEMENTS (ETSI) | | | | |
| | QcCompliance | 0.4.0.1862.1.1 | EU Qualified Certificate | Present |
| | QcRetentionPeriod | 0.4.0.1862.1.3 | Retention period in years | 7 |
| | QcSSCD | 0.4.0.1862.1.4 | Key on Qualified Signature Creation Device | Present |
| | QcPDS | 0.4.0.1862.1.5 | PKI Disclosure Statement | https://bankid.no/bankid-esign-pds.pdf (en) |
| | QcType | 0.4.0.1862.1.6.1 | Electronic signature type | esign |
| STATEMENTS (ETSI) | | | | |
| | valassured-ST-certs | 0.4.0.194121.2.1 | Short-lived certificate. No OCSP or CRL are required when validating certificate | N/A |
| eID Means Reference | | | | |
| | eID Means Reference | 2.16.578.1.61.2 | Reference to the eID means used when issuing this certificate | |
| | eID Means Country | 2.16.578.1.61.2.1 | Issuing country of the eID (ISO 3166-1 alpha-2) | NO |
| | eID Means Reference value | 2.16.578.1.61.2.2 | eID Scheme | BANKID |
| | eID Means Reference value | 2.16.578.1.61.2.3 | eID Personal Identifier (such as PID or SUB) | UN:NO-9578-6000-4-1911943 |
| Certificate Signature | | | | |
| | Algorithm | - | Signature algorithm | ecdsa-with-SHA384 |
| | Value | - | Digital signature bytes | 30:64:02:30:25:86:42:7d... (truncated) |
Qualified Certificate for Natural Person with NNIN (fødselsnummer)
Note: Only available when the scope esign/nnin is used and the end user consents to sharing. The NNIN is then included as an additional extension in the certificate under the OID 2.16.578.1.61.2.4.
| Section | Field | OID | Description | Example Value |
|---|---|---|---|---|
| BASIC INFO | | | | |
| | Version | - | X.509 certificate version | 3 |
| | Serial Number | - | Unique identifier assigned by the CA | 70:22:67:94:91:51:7a:4f:d9:6b:c9:47:c4:87:03:a0 |
| | Signature Algorithm | - | Algorithm used to sign the certificate | ecdsa-with-SHA384 |
| | Not Before | - | Certificate validity start time | 2026-01-23 09:06:02 UTC |
| | Not After | - | Certificate validity end time - total 15 minutes | 2026-01-23 09:21:02 UTC |
| ISSUER | | | | |
| | CN | 2.5.4.3 | Common name | CA 1a Preprod |
| | O | 2.5.4.10 | Organization | BankID BankAxept AS |
| | C | 2.5.4.6 | Country | NO |
| SUBJECT | | | | |
| | serialNumber | 2.5.4.5 | Unique subject identifier | UN:NO-9578-5100-Q_5iVtjvP_sTBr42bFxZeLdnFfSwdgKzT2TCNWUnfA8 |
| | SN | 2.5.4.4 | Surname | Bombadil |
| | CN | 2.5.4.3 | Common name | Bombadil, Tom |
| | GN | 2.5.4.42 | Given name | Tom |
| PUBLIC KEY | | | | |
| | Algorithm | - | Type of public key | id-ecPublicKey |
| | Size | - | Key length | 256 bit |
| | Curve | 1.2.840.10045.3.1.7 | Elliptic curve used | prime256v1 (P-256) |
| STANDARD EXTENSIONS | | | | |
| | Key Usage | 2.5.29.15 | Permitted key operations | Digital Signature, Non Repudiation |
| | Basic Constraints | 2.5.29.19 | Not a CA certificate | CA:FALSE |
| | Subject Key Identifier | 2.5.29.14 | Hash of subject's public key | 0E:99:A0:D6:7D:E3:7D:2F:AC:41:1C:C4:9E:6A:BA:68:4B:A8:6A:53 |
| | Authority Key Identifier | 2.5.29.35 | Hash of issuer's public key | 3B:97:BD:5C:89:B0:28:25:F5:92:89:3A:4E:66:AB:4E:0A:C4:2A:3F |
| | CRL Distribution Points | 2.5.29.31 | URL for revocation list | https://pki.esign.preprod.bankid.no/bankidbankaxeptca1apreprod.crl |
| | Authority Info Access | 1.3.6.1.5.5.7.1.1 | URL for issuing CA certificate | https://pki.esign.preprod.bankid.no/bankidbankaxeptca1apreprod.crt |
| SUBJECT DIRECTORY ATTRIBUTES | | | | |
| | Date of Birth | 1.3.6.1.5.5.7.9.1 | Subject's date of birth | 2024-04-17 |
| CERTIFICATE POLICIES | | | | |
| | BankID eSign Policy | 2.16.578.1.61.1.1.1 | BankID certification practice statement | CPS: https://bankid.no/bankid-esign-cps.pdf |
| | ETSI QCP-n-qscd | 0.4.0.194112.1.2 | Qualified cert for natural person with QSCD | - |
| QC STATEMENTS (ETSI) | | | | |
| | QcCompliance | 0.4.0.1862.1.1 | EU Qualified Certificate | Present |
| | QcRetentionPeriod | 0.4.0.1862.1.3 | Retention period in years | 7 |
| | QcSSCD | 0.4.0.1862.1.4 | Key on Qualified Signature Creation Device | Present |
| | QcPDS | 0.4.0.1862.1.5 | PKI Disclosure Statement | https://bankid.no/bankid-esign-pds.pdf (en) |
| | QcType | 0.4.0.1862.1.6.1 | Electronic signature type | esign |
| STATEMENTS (ETSI) | | | | |
| | valassured-ST-certs | 0.4.0.194121.2.1 | Short-lived certificate. No OCSP or CRL are required when validating certificate | N/A |
| eID Means Reference | | | | |
| | eID Means Reference | 2.16.578.1.61.2 | Reference to the eID means used when issuing this certificate | |
| | eID Means Country | 2.16.578.1.61.2.1 | Issuing country of the eID (ISO 3166-1 alpha-2) | NO |
| | eID Means Reference value | 2.16.578.1.61.2.2 | eID Scheme | BANKID |
| | eID Means Reference value | 2.16.578.1.61.2.3 | eID Personal Identifier (such as PID or SUB) | UN:NO-9578-6000-4-1911943 |
| | eID National Identity Number | 2.16.578.1.61.2.4 | eID National Identity Number, for example Norwegian National Identity Number (fødselsnummer) | 17842459508 |
| Certificate Signature | | | | |
| | Algorithm | - | Signature algorithm | ecdsa-with-SHA384 |
| | Value | - | Digital signature bytes | 30:64:02:30:25:86:42:7d... (truncated) |
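A relying-party check for the short-lived properties listed in both tables (the valassured-ST-certs extension and the 15-minute validity), given as an added Go example that is not BankID code. `CheckShortLived`, `sampleCert`, `marker` and the self-signed sample certificate are constructed for illustration, and the signing time is assumed to come from a trusted source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidShortLived = asn1.ObjectIdentifier{0, 4, 0, 194121, 2, 1}    // valassured-ST-certs, from the tables
var marker = pkix.Extension{Id: oidShortLived, Value: []byte{5, 0}} // constructed; body is a DER NULL

// CheckShortLived lists why revocation checks may not be skipped; signedAt is assumed trusted.
func CheckShortLived(cert *x509.Certificate, signedAt time.Time) (bad []string) {
	marked := false
	for _, e := range cert.Extensions {
		marked = marked || e.Id.Equal(oidShortLived)
	}
	require := func(ok bool, msg string) {
		if !ok {
			bad = append(bad, msg)
		}
	}
	require(marked, "valassured-ST-certs missing: CRL/OCSP check still needed")
	require(cert.NotAfter.Sub(cert.NotBefore) <= 15*time.Minute, "validity exceeds 15 minutes")
	require(!signedAt.Before(cert.NotBefore) && !signedAt.After(cert.NotAfter), "signed outside validity window")
	return bad
}

// sampleCert builds a constructed, self-signed stand-in (not a BankID certificate).
func sampleCert(life time.Duration, exts ...pkix.Extension) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb := time.Date(2026, 1, 23, 9, 6, 2, 0, time.UTC)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: nb.Add(life), ExtraExtensions: exts}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(CheckShortLived(sampleCert(15*time.Minute, marker), time.Date(2026, 1, 23, 9, 26, 2, 0, time.UTC)))
}
```

The sample run uses a signing time five minutes after the certificate's Not After, so the only finding is the validity-window one; a certificate without the extension, or with a longer lifetime, is reported the same way.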