To be more specific than the existing "No" reply, what famously happened is that Estonia's IDs used Infineon-based chips for a period of time with 2048-bit RSA keys and Infineon's RSA implementation mints RSA keys with a peculiar property that, once you know about it, makes breaking them much cheaper than it should be. CVE-2017-15361 - for HN readers it's more likely you were impacted by this defect in a Yubikey.

"Much cheaper" here means we might expect criminals to break the RSA key for an individual Estonian ID card for less than a million bucks, whereas by design this ought to be impractical at any plausible price. It doesn't mean your bored teenager can make a fake ID on his laptop on a Friday evening. As a practical matter it seems likely key officials & police could be bribed for less than a million bucks, but forging RSA signatures might still be desirable in some circumstances, and anyway of course the mere possibility of this happening ruins public trust in the scheme.

Estonia switched to P-384 keys on the same platform. Unlike choosing random RSA keys (which involve finding large primes) choosing a good P-384 key is trivial so there's no temptation to come up with clever but insecure algorithms to mint keys.

What's interesting about this flaw is that it only happens because the keys are minted on the Infineon device you own. But we know Estonia has historically had some weird incidents which are best explained by keys not being minted on device but instead burned into the ID card after being made (and potentially recorded) elsewhere. Estonia's laws establishing these cards are clear that mustn't happen (if it did the government can seamlessly impersonate any ID, including ID issued to citizens, non-citizen residents and diplomatic staff) but evidence suggests it did, at least a few times and at least on some older platforms.

Estonia's IDs are all public using a very different scheme to Certificate Transparency, since it assumes you trust the Estonian government to decide which IDs exist - but with similar effect, if anybody is minting bogus IDs there would be a smoking gun in the official public records of Estonia.

On the other hand if the government (or a government agency perhaps without wider knowledge) has copies of some or all keys, they would be able to decrypt messages sent to citizens/ residents using the embedded PKI. We would not necessarily have any public evidence that this was happening if indeed it was happening.

You should probably be confident in Estonian IDs as proof of someone's identity in the usual course of things, but it may be prudent not to rely on this to keep secrets from the Estonian government or its allies.

> There was a scandal in Estonia where they had to recall all the ID's because the main private key which signed them all got leaked (and that key was held by a private company)

No.