Certificates

Certificates for document validation

The validity checking of an ePassport involves verifying a signature on the information embedded in the ePassport (passive authentication). Most issuing countries include the so-called Document Signing Certificate (DSC) in the ePassport itself. The certificate to ultimately check the chain of signatures is called the Country Signing Certificate (CSC) Some countries have made their CSC publicly available. The list below contains those CSCs that we could find with Google. The list has links to government Web and LDAP servers where we found the certificates. (But please, don't trust us, go to your government's server, see if you trust it, and download the certificate yourself!)

Some countries also distribute their DSCs and CSCs through a central infrastructure called the ICAO PKD. Adam Laurie also maintains a list of DSCs read from passports from different countries.

A Certificate Revocation List (CRL) contains certificates which should no longer be used for document verification. Those countries publishing CSCs also publish CRLs. The ICAO PKD also contains CRLs.

Country:	fi: Finland
Name:	Finland Country CA
Valid:	Jun 12 2006 - Sep 11 2016
Source:	http://www.intermin.fi/intermin/hankkeet/biometria/home.nsf/webprint/C958723350320B69C22571CC0051A0F4?OpenDocument

Country:	cz: Czech Republic
Name:	CSCA_CZ
Valid:	Jul 24 2006 - Oct 24 2021
Source:	http://www.mvcr.cz/clanek/ceska-narodni-certifikacni-autorita.aspx

Country:	bg: Bulgaria
Name:	CSCA
Valid:	Mar 05 2010 - May 30 2025
Source:	http://www.mvr.bg/en/CSCA

Country:	gr: Greece
Name:	CSCA-HELLAS
Valid:	Aug 23 2006 - Nov 23 2016
Source:	http://www.passport.gov.gr/index.php?option=com_content&task=view&id=34&Itemid=58

Country:	es: Spain
Name:	AC RAIZ PASAPORTE
Valid:	Jul 20 2006 - Oct 20 2021
Source:	ldap://ldap.dnie.es:389

Country:	hu: Hungary
Name:	CSCA-HUNGARY
Valid:	Aug 25 2006 - Nov 25 2019
Source:	http://www.nyilvantarto.hu/kekkh/kozos/index.php?k=csca_tanusitvany_eng

Country:	fr: France
Name:	CSCA-FRANCE
Valid:	Mar 31 2006 - Jun 30 2021
Source:	http://www.interieur.gouv.fr/misill/sections/a_votre_service/vos_demarches/cni-passeport/autorite-certification-csca/view

Country:	mc: Monaco
Name:	CSCAPKI_MC2
Valid:	Dec 02 2008 - Mar 04 2017
Source:	http://www.police.gouv.mc/devwww/wwwnew.nsf/1909$/EE6842B6660F9D47C125756F002B93D3GB?OpenDocument&8GB

Country:	si: Slovenia
Name:	CSCA-Slovenia
Valid:	Jun 08 2006 - Jun 08 2021
Source:	http://www.csca-si.gov.si/eindex.htm

Country:	:
Name:
Valid:	Nov 30 1999 - Nov 30 1999
Source:	http://www.google.com/

Country:	at: Austria
Name:	CSCA-AUSTRIA
Valid:	Jun 08 2006 - Sep 12 2021
Source:	http://www.bmi.gv.at/csca/startseite.asp

Country:	nl: Netherlands
Name:	CSCA NL
Valid:	Aug 21 2006 - Aug 30 2014
Source:	http://www.paspoortinformatie.nl/nederlands/Echtheidskenmerken/Model_2006/Echtheidskenmerken_model_2006/Chip/Download_certificaten

Country:	ch: Switzerland
Name:	csca-switzerland-1
Valid:	Jun 28 2006 - Aug 31 2017
Source:	http://www.bit.admin.ch/adminpki/00247/00798/index.html?lang=de

Country:	de: Germany
Name:	csca-germany
Valid:	Aug 08 2005 - Feb 08 2019
Source:	http://www.bsi.de/csca

Other countries

Some other countries, while not offering their CSC certificate for download, do provide some information.

au: Australia has a site with general information. You might also be able to get this country's CSC (for personal use only) from the ICAO PKD CSCA Masterlist.
be: Belgium has a root certificate but those certificates seem to refer to their National (eID) PKI.
br: Brazil has a certificate site.
ca: Canada has a site with general information.
dk: Denmark has a site with general information.
ie: Ireland has a site with general information.
ee: Estonia has a root certificate but those certificates seem to refer to their National (eID) PKI.
hk: Hong Kong has a site with general information.
kr: South Korea has a site with specific characteristics (issuer, subject key identifier, SHA fingerprints) of their CSC certificate.
mt: Malta has a site with general information.
nz: New Zealand has a site with general information. You might also be able to get this country's CSC (for personal use only) from the ICAO PKD CSCA Masterlist.
pl: Poland has a site with general information.
pt: Portugal has a site with general information.

Philippe Teuwen did some research into which manufacturers provide technology for which countries.

Using the ICAO PKD files with OpenLDAP

The ICAO PKD currently provides dumps of the read-only PKD for download (for non-commercial personal use).

Importing these into OpenLDAP is easy:

Download the pkd.xxxxxx.ldif
Stop slapd and setup slapd.conf to use suffix "dc=data,dc=pkdDownload"
In the ldif file replace "userCertificate::" with "userCertificate;binary::" and "certificateRevocationList::" with "certificateRevocationList;binary::".
slapadd the resulting ldif file and start slapd.

A JNDI interface to such a PKD LDAP server is supported in the latest version of JMRTD.

To access the CSA master lists (cross signed lists containing the root CSCs) a new schema has to be added to OpenLDAP:

   objectidentifier id-icao-mrtd-security 2.23.136
   objectidentifier id-icao-cscaMasterList 2.23.136.2
   objectidentifier id-icao-cscaMasterListSigningKey 2.23.136.3

   attributetype (2.23.136.1.1.2 NAME 'CscaMasterListData'
	   DESC 'CSCA Master List Data'
	   SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )

   objectclass (2.23.136.2 NAME 'CscaMasterList'
	   DESC 'CSCA Master List'
	   SUP person
	   STRUCTURAL
	   MUST ( CscaMasterListData ) )

The suffix for the CSCA master lists is "dc=CSCAMasterList,dc=pkdDownload".

Other open source LDAP servers (OpenDS, OpenDJ) work as well.

Certificate validation with OpenSSL

If you wish to verify the signature of the CSC (in file csc.cer) on some DSC (in file dsc.cer), without relying on JMRTD, here's how to do it with OpenSSL:

   openssl x509 -in csc.cer -inform DER -out csc.pem
   openssl x509 -in dsc.cer -inform DER -out dsc.pem
   openssl verify -CAfile csc.pem dsc.pem