Certificates for document validation
The validity checking of an ePassport involves verifying a signature on the information embedded in the ePassport (passive authentication). Most issuing countries include the so-called Document Signing Certificate (DSC) in the ePassport itself. The certificate to ultimately check the chain of signatures is called the Country Signing Certificate (CSC).
Some countries have made their CSC publicly available. The list
below contains those CSCs that we could find with
The list has links to government Web and LDAP servers where we found the
certificates. (But please, don't trust us, go to your government's server, see if you trust it, and download the certificate yourself!)
Some countries also distribute their DSCs and CSCs through a central
infrastructure called the
The German BSI has a list of CSCs in a so-called CSCA Master List.
Adam Laurie also maintains a list of DSCs read from passports from different countries.
A Certificate Revocation List (CRL) contains certificates which
should no longer be used for document verification. Those countries
publishing CSCs also publish CRLs.
The ICAO PKD also contains CRLs.
Some other countries, while not offering their CSC certificate for
download, do provide some information. (In some cases this information
is given in the form of a distinguished name, serial number, and certificate
thumbprint which may be enough to check whether a claimed CSC is valid.)
Philippe Teuwen did some research into which manufacturers provide technology for which countries.
Using the ICAO PKD files with OpenLDAP
The ICAO PKD currently provides
dumps of the read-only PKD for download (for non-commercial personal
Importing these into OpenLDAP is easy:
- Download the
slapd and setup
slapd.conf to use suffix
- In the ldif file replace
slapadd the resulting ldif file and start
A JNDI interface to such
a PKD LDAP server is supported in the latest version of JMRTD.
To access the CSCA master lists (cross-signed lists containing the root CSCs),
a new schema has to be added to OpenLDAP:
objectidentifier id-icao-mrtd-security 2.23.136
objectidentifier id-icao-cscaMasterList 184.108.40.206
objectidentifier id-icao-cscaMasterListSigningKey 220.127.116.11
attributetype (18.104.22.168.1.2 NAME 'CscaMasterListData'
DESC 'CSCA Master List Data'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )
objectclass (188.8.131.52 NAME 'CscaMasterList'
DESC 'CSCA Master List'
MUST ( CscaMasterListData ) )
The suffix for the CSCA master lists is
Other open source LDAP servers
work as well.
Certificate validation with OpenSSL
If you wish to verify the signature of the CSC (in file csc.cer)
on some DSC (in file dsc.cer), without relying on JMRTD, here's
how to do it with OpenSSL:
openssl x509 -in csc.cer -inform DER -out csc.pem
openssl x509 -in dsc.cer -inform DER -out dsc.pem
openssl verify -CAfile csc.pem dsc.pem
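
The steps above, combined with the thumbprint check mentioned earlier for countries that publish only a thumbprint, as an added example that is not part of the original page or of JMRTD. The function names (make_test_pki, thumbprint, csc_matches_pin, verify_dsc) and the test certificates are assumptions constructed for this example; it goes slightly beyond the page by pinning the CSC before using it as the trust anchor.

```shell
#!/bin/sh
# Added example. All certificates here are constructed throwaway test data.

# Build a test CSC (self-signed) and a DSC issued by it, as DER files in dir $1.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/C=XX/CN=Test CSCA" \
    -keyout "$dir/csc.key" -out "$dir/csc.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/C=XX/CN=Test DS" \
    -keyout "$dir/dsc.key" -out "$dir/dsc.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/dsc.csr" -CA "$dir/csc.pem" -CAkey "$dir/csc.key" \
    -CAcreateserial -days 30 -out "$dir/dsc.pem" 2>/dev/null &&
  openssl x509 -in "$dir/csc.pem" -outform DER -out "$dir/csc.cer" &&
  openssl x509 -in "$dir/dsc.pem" -outform DER -out "$dir/dsc.cer"
}

# SHA-256 thumbprint of a DER certificate: lowercase hex, no colons.
thumbprint() {
  openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 |
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds only if the CSC in $1 has the thumbprint $2 obtained out of band.
csc_matches_pin() { [ "$(thumbprint "$1")" = "$2" ]; }

# The page's three steps: convert both DER files to PEM, then verify the DSC
# against the CSC. Exit status 0 means the DSC was signed by this CSC.
verify_dsc() {
  tmp=$(mktemp -d) || return 2
  openssl x509 -in "$1" -inform DER -out "$tmp/csc.pem" &&
  openssl x509 -in "$2" -inform DER -out "$tmp/dsc.pem" &&
  openssl verify -CAfile "$tmp/csc.pem" "$tmp/dsc.pem" >/dev/null 2>&1
  rc=$?; rm -rf "$tmp"; return $rc
}

# Demo: pin the CSC first, then trust it to verify the DSC.
demo=$(mktemp -d)
if make_test_pki "$demo"; then
  pin=$(thumbprint "$demo/csc.cer")   # stands in for a published thumbprint
  if csc_matches_pin "$demo/csc.cer" "$pin" &&
     verify_dsc "$demo/csc.cer" "$demo/dsc.cer"; then
    echo "CSC thumbprint $pin matches; DSC verifies against it"
  fi
fi
rm -rf "$demo"
```

With real files, compare the CSC thumbprint against the value published by the issuing government before calling verify_dsc, since a DSC will verify against any CSC that signed it, genuine or not.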