JMRTD

Certificates for document validation

The validity checking of an ePassport involves verifying a signature on the information embedded in the ePassport (passive authentication). Most issuing countries include the so-called Document Signing Certificate (DSC) in the ePassport itself. The certificate to ultimately check the chain of signatures is called the Country Signing Certificate (CSC). Some countries have made their CSC publicly available. The list below contains those CSCs that we could find with Google. The list has links to government Web and LDAP servers where we found the certificates. (But please, don't trust us, go to your government's server, see if you trust it, and download the certificate yourself!)

Some countries also distribute their DSCs and CSCs through a central infrastructure called the ICAO PKD. Te German BSI has a list of CSCs in a so-called CSCA Master List. Adam Laurie also maintains a list of DSCs read from passports from different countries.

A Certificate Revocation List (CRL) contains certificates which should no longer be used for document verification. Those countries publishing CSCs also publish CRLs. The ICAO PKD also contains CRLs.

my.cer
Country:my: Malaysia
Name:Malaysia Country Signer
Valid:Jan 31 2012 - Jan 31 2022
Source:http://www.imi.gov.my/index.php/en/main-services/pasport/the-malaysian-country-signing-ca-csca
se.cer
Country:se: Sweden
Name:Swedish Country Signing CA
Valid:Sep 26 2005 - Sep 22 2021
Source:http://polisen.se/en/Languages/Service/Swedish-certificates-and-CRLs/CSCA/
fi.cer
Country:fi: Finland
Name:Finland Country CA
Valid:Jun 12 2006 - Sep 11 2016
Source:http://www.intermin.fi/intermin/hankkeet/biometria/home.nsf/webprint/C958723350320B69C22571CC0051A0F4?OpenDocument
cz.cer
Country:cz: Czech Republic
Name:CSCA_CZ
Valid:Jul 24 2006 - Oct 24 2021
Source:http://www.mvcr.cz/clanek/ceska-narodni-certifikacni-autorita.aspx
bg.cer
Country:bg: Bulgaria
Name:CSCA
Valid:Mar 05 2010 - May 30 2025
Source:http://www.mvr.bg/en/CSCA
gr.cer
Country:gr: Greece
Name:CSCA-HELLAS
Valid:Aug 23 2006 - Nov 23 2016
Source:http://www.passport.gov.gr/index.php?option=com_content&task=view&id=34&Itemid=58
es.cer
Country:es: Spain
Name:AC RAIZ PASAPORTE
Valid:Jul 20 2006 - Oct 20 2021
Source:ldap://ldap.dnie.es:389
hu.cer
Country:hu: Hungary
Name:CSCA-HUNGARY
Valid:Aug 25 2006 - Nov 25 2019
Source:http://www.nyilvantarto.hu/kekkh/kozos/index.php?k=csca_tanusitvany_eng
ee.cer
Country:ee: Estonia
Name:CSCA Estonia
Valid:Nov 28 2012 - Mar 05 2021
Source:https://www.politsei.ee/en/nouanded/isikut-toendavad-dokumendid/cert.dot
fr.cer
Country:fr: France
Name:CSCA-FRANCE
Valid:Mar 31 2006 - Jun 30 2021
Source:http://www.interieur.gouv.fr/misill/sections/a_votre_service/vos_demarches/cni-passeport/autorite-certification-csca/view
mc.cer
Country:mc: Monaco
Name:CSCAPKI_MC2
Valid:Dec 02 2008 - Mar 04 2017
Source:http://www.police.gouv.mc/devwww/wwwnew.nsf/1909$/EE6842B6660F9D47C125756F002B93D3GB?OpenDocument&8GB
si.cer
Country:si: Slovenia
Name:CSCA-Slovenia
Valid:Jun 08 2006 - Jun 08 2021
Source:http://www.csca-si.gov.si/eindex.htm
at.cer
Country:at: Austria
Name:CSCA-AUSTRIA
Valid:Jun 08 2006 - Sep 12 2021
Source:http://www.bmi.gv.at/csca/startseite.asp
nl.cer
Country:nl: Netherlands
Name:CSCA NL
Valid:Feb 21 2014 - Mar 02 2027
Source:https://www.rijksdienstvooridentiteitsgegevens.nl/Reisdocumenten/Informatiebank/Procedures/Download_certificaten
ch.cer
Country:ch: Switzerland
Name:csca-switzerland-1
Valid:Jun 28 2006 - Aug 31 2017
Source:http://www.bit.admin.ch/adminpki/00247/00798/index.html?lang=de
de.cer
Country:de: Germany
Name:csca-germany
Valid:Aug 08 2005 - Feb 08 2019
Source:http://www.bsi.de/csca

Other countries

Some other countries, while not offering their CSC certificate for download, do provide some information. (In some cases this information is given in the form of a distinguished name, serial number, and certificate thumbprint which may be enough to check whether a claimed CSC is valid.)

Philippe Teuwen did some research into which manufacturers provide technology for which countries.

Using the ICAO PKD files with OpenLDAP

The ICAO PKD currently provides dumps of the read-only PKD for download (for non-commercial personal use).

Importing these into OpenLDAP is easy:

A JNDI interface to such a PKD LDAP server is supported in the latest version of JMRTD.

To access the CSA master lists (cross signed lists containing the root CSCs) a new schema has to be added to OpenLDAP:

   objectidentifier id-icao-mrtd-security 2.23.136
   objectidentifier id-icao-cscaMasterList 2.23.136.2
   objectidentifier id-icao-cscaMasterListSigningKey 2.23.136.3

   attributetype (2.23.136.1.1.2 NAME 'CscaMasterListData'
	   DESC 'CSCA Master List Data'
	   SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )

   objectclass (2.23.136.2 NAME 'CscaMasterList'
	   DESC 'CSCA Master List'
	   SUP person
	   STRUCTURAL
	   MUST ( CscaMasterListData ) )

The suffix for the CSCA master lists is "dc=CSCAMasterList,dc=pkdDownload".

Other open source LDAP servers (OpenDS, OpenDJ) work as well.

Certificate validation with OpenSSL

If you wish to verify the signature of the CSC (in file csc.cer) on some DSC (in file dsc.cer), without relying on JMRTD, here's how to do it with OpenSSL:

   openssl x509 -in csc.cer -inform DER -out csc.pem
   openssl x509 -in dsc.cer -inform DER -out dsc.pem
   openssl verify -CAfile csc.pem dsc.pem