ID cards are more than just plastic—they’re smart cards equipped with a chip or NFC technology, making them capable of secure digital identification and electronic signing.
To use an ID card for online authentication or signing, you need a card reader and software known as eID Middleware, which is typically provided by the government. This software allows applications to interact with the chip on the card to read certificates and generate cryptographic signatures.
The Browser Challenge: Limited Access to Smart Cards
Here’s the challenge:
Browsers like Chrome, Firefox, and Edge run JavaScript in isolated environments, which means they don’t have direct access to your device’s smart card drivers or eID Middleware.
In many countries, the browser integration components needed for digital signing with national ID cards simply don’t exist or aren’t maintained.
Estonia’s Solution: Chrome Token Signing
Recognizing this gap, Estonia developed a flexible, cross-border solution: Chrome Token Signing
This installable software package (available for Windows, Linux, and macOS) bridges the gap between the browser and the ID card. It allows secure digital signing directly in the browser using the PKCS #11 protocol and your local eID Middleware.
- Works with popular browsers: Chrome, Firefox, Edge, and others based on the same engines
- Uses the card’s chip to create real cryptographic signatures
- Reads certificates securely from the ID card
Supported eID Cards
The Chrome Token Signing component is tested and proven to work with several European ID cards:
- Estonian ID Card
- Finnish ID Card
- Latvian ID Card
- Lithuanian ID Card
- Belgian ID Card
- LuxTrust Smartcard (Luxembourg)
- Romanian Aladdin eToken
If your national eID card supports PKCS #11, there’s a good chance it can be used with this solution.
How to Use It in the Browser
From the front-end, adding eID signing capabilities is simple:
- Import
hwcrypto.jsinto your web app. - Read the certificate from the ID card.
- Prepare a digest (hash) of the document to be signed.
- Use the card’s chip to sign the hash directly.
This enables seamless, secure qualified electronic signing (QES) directly in your browser.
Creating EU-Compliant Signed Containers
Digital signatures are only part of the process. You also need to bundle signed documents into a container that meets EU standards.
We recommend the ASIC-E container format, which complies with eIDAS requirements and supports:
- XAdES LT profile (Long-Term Signature)
- Time-stamping
- OCSP response inclusion (to prove certificate validity at signing time)
To create these containers, the CEF Digital eSignature Building Block is a powerful tool. You can find it here: https://github.com/esig/dss
Note: This library is very feature-rich, but it can be overwhelming for non-experts.
For Easier Integration: Use digidoc4j
If you’re looking for a more developer-friendly starting point, we recommend using the Estonian-developed wrapper: https://github.com/open-eid/digidoc4j
It’s a simplified Java library designed to handle all the complex steps involved in creating and managing ASIC-E containers.
Need Help with eID Integration?
If you're building digital signing or eID functionality into your app and these resources aren’t quite enough, we’re here to help.
eID Easy specializes in:
- Cross-border eID and signature integrations
- Support for multiple countries and signature types
- Simplified SDKs and documentation
- Custom solutions tailored to your needs
