Why eID client certificate authentication?

This is the main scenario in which holders of a national ID card with a smart card chip can be identified on a website.

Certificates stored on ID cards can be used to identify people online. In the simplest terms, the web server tells the browser which certificate issuers it accepts, and if the browser holds a matching certificate the authentication procedure starts. The official government-issued ID card software integrates with the browser and adds the certificates from the hardware-backed ID card to its “Your Certificates” list.

Besides the regular HTTPS setup, the Apache configuration has a few points to keep in mind. The directives that need to be added are SSLCACertificateFile, SSLCARevocationPath, SSLVerifyClient, SSLVerifyDepth and SSLOptions. This guide is written for Ubuntu but should work on any other Linux as well.

Build certificate chain file

First you need to get the full CA chain in PEM format and merge it into one certificate chain file. This includes the root certificate, all intermediate certificates and any other issuing certificates if needed. Each country and CA has its own sources where these certificates can be found.

The list of public CA certificates can be taken from the trust service provider's repository. In the EU, the list of eIDAS-certified trust service providers can be found at https://webgate.ec.europa.eu/tl-browser/.

Sometimes it can be hard to know which certificates are needed, as there can be quite a few. In that case we assume that the government websites have done it correctly and double-check against them. The easiest way is to record your traffic to such a website with Wireshark and see which client certificate issuers are requested. Once known, compile them in PEM format into one file and add it to the apache2 config like this.

    # CA chain (root + intermediates, PEM) that client certificates must chain to
    SSLCACertificateFile /etc/ssl/cacerts/ca_and_root_certs.pem
    # Revocation data: either one combined CRL file or a directory of hash-named CRL links
    #optional SSLCARevocationFile /etc/ssl/mycrl/all.crl
    SSLCARevocationPath /etc/ssl/mycrl/
    # leaf: check only the client certificate itself against the CRLs
    SSLCARevocationCheck  leaf

    # optional: requests a certificate but still serves clients without one;
    # the application can inspect SSL_CLIENT_VERIFY to tell the two apart
    SSLVerifyClient optional
    # allow up to 3 CA levels between the client certificate and the root
    SSLVerifyDepth 3
    # export the certificate and its fields to the application as environment variables
    SSLOptions +StdEnvVars +ExportCertData

Update certificate revocation lists

As the national ID card certificates can be revoked if the card gets stolen or lost, we must also check the certificate revocation lists (CRLs) to be sure that a revoked card cannot be used to log in. Usually each certificate includes the URL of its public CRL. These CRLs are updated periodically, for example once or twice a day, so don't forget to build a script to keep them updated. You can also use and modify the script from the Estonian ID card renewal guide http://id.ee/public/renew.sh

Download all of these CRLs and use the following command to convert them from DER to PEM format if needed (it rewrites each file in place)

for f in *.crl; do openssl crl -in "$f" -inform DER -out "$f"; done

Make symlinks named after the issuer name hash (this is how mod_ssl looks up CRLs in SSLCARevocationPath) in the same folder next to the PEM CRLs

for f in *.crl; do ln -s "$f" "$(openssl crl -hash -noout -in "$f").r0"; done

Now execute the CRL update script periodically and reload apache2 afterwards. An example renew script could look like this

#!/bin/sh
# Refresh the SK CRLs, convert them to PEM, rebuild the hash symlinks that
# SSLCARevocationPath needs, then reload Apache. Any failure aborts before the
# reload so the previous CRLs stay in use.
set -e
cd /etc/ssl/mycrl/

for name in eeccrca esteid2011 esteid2015 EE-GovCA2018 esteid2018 eid2011; do
    # --timestamping only downloads when the CRL on the server is newer
    wget --timestamping --no-if-modified-since "https://c.sk.ee/$name.crl"
    openssl crl -in "$name.crl" -inform DER -out "$name.pem.crl"
done

# Combined file for the optional SSLCARevocationFile directive
cat *.pem.crl > all.crl

# mod_ssl finds CRLs in SSLCARevocationPath by issuer name hash, so every
# issuer needs its own <hash>.rN link; one link to all.crl is only found for
# the issuer whose hash it is named after.
rm -f *.r[0-9]*
for pem in *.pem.crl; do
    h=$(openssl crl -hash -noout -in "$pem")
    n=0
    while [ -e "$h.r$n" ]; do n=$((n + 1)); done   # .r0, .r1, ... on hash collisions
    ln -s "$pem" "$h.r$n"
done

/etc/init.d/apache2 reload

Wireshark TLS Client Certificate debugging

With an Estonian ID-kaart (ID card), eesti.ee sends this list of CA names in its Certificate Request, as shown by Wireshark.

Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 675
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 647
Certificate types count: 3
Certificate types (3 types)
Signature Hash Algorithms Length: 24
Signature Hash Algorithms (12 algorithms)
Distinguished Names Length: 615
Distinguished Names (615 bytes)
Distinguished Name Length: 99
Distinguished Name: (pkcs-9-at-emailAddress=pki@sk.ee,id-at-commonName=EID-SK 2011,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name Length: 102
Distinguished Name: (pkcs-9-at-emailAddress=pki@sk.ee,id-at-commonName=ESTEID-SK 2011,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name Length: 101
Distinguished Name: (id-at-commonName=ESTEID-SK 2015,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name Length: 119
Distinguished Name: (pkcs-9-at-emailAddress=pki@sk.ee,id-at-commonName=EE Certification Centre Root CA,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name Length: 90
Distinguished Name: (id-at-commonName=ESTEID2018,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=SK ID Solutions AS,id-at-countryName=EE)
Distinguished Name Length: 92
Distinguished Name: (id-at-commonName=EE-GovCA2018,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=SK ID Solutions AS,id-at-countryName=EE)

From that we read that the accepted CA certificates are: EID-SK 2011, ESTEID-SK 2011, ESTEID-SK 2015, ESTEID2018 and finally the two root CAs, EE-GovCA2018 and EE Certification Centre Root CA.
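The same CA list can be extracted from the raw handshake bytes without the Wireshark dissector. The Python below is an added example and not code from the original guide: it parses a TLS 1.2 CertificateRequest message and decodes each X.501 Name; the message it parses is constructed inline from two of the issuer names in the capture above rather than recorded from a server.

```python
# Added example, not from the original guide: parse a TLS 1.2 CertificateRequest
# (type 13, RFC 5246 7.4.4) and list the CA names it accepts ("Distinguished Names").
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O",
        "2.5.4.97": "organizationIdentifier", "1.2.840.113549.1.9.1": "emailAddress"}
def _tlv(data, pos):                         # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _oid(value):                             # base-128 arcs, high bit = continuation
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))
def decode_name(der):
    """X.501 Name -> 'C=EE,O=...,CN=...' in DER order (Wireshark prints it reversed)."""
    _, rdns, _ = _tlv(der, 0)                # SEQUENCE OF RelativeDistinguishedName
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)        # SET OF AttributeTypeAndValue; single-valued assumed
        _, atv, _ = _tlv(rdn, 0)
        _, oid, vpos = _tlv(atv, 0); _, val, _ = _tlv(atv, vpos)
        parts.append(f"{OIDS.get(_oid(oid), _oid(oid))}={val.decode()}")  # Printable/UTF8String
    return ",".join(parts)
def parse_certificate_request(msg):         # -> certificate types and accepted CA names
    assert msg[0] == 13, "not a CertificateRequest"
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]    # 24-bit handshake length
    cert_types = list(body[1:1 + body[0]]); pos = 1 + body[0]
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip supported_signature_algorithms
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    names = []
    while pos < end:                         # each entry: 2-byte length + DER-encoded Name
        l = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        names.append(decode_name(body[pos:pos + l])); pos += l
    return {"cert_types": cert_types, "ca_names": names}

# Constructed sample (not a capture): two issuer names from the capture above, built
# with a minimal DER encoder; all attribute values are encoded as UTF8String.
def _der(tag, body): return bytes([tag, len(body)]) + body   # short-form lengths only
def _name(*attrs): return _der(0x30, b"".join(
    _der(0x31, _der(0x30, _der(0x06, o) + _der(0x0C, v.encode()))) for o, v in attrs))
C, O, CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"
_dns = b"".join(len(n).to_bytes(2, "big") + n for n in (
    _name((C, "EE"), (O, "SK ID Solutions AS"), (CN, "ESTEID2018")),
    _name((C, "EE"), (O, "AS Sertifitseerimiskeskus"), (CN, "ESTEID-SK 2015"))))
_body = b"\x02\x01\x40" + b"\x00\x04\x04\x01\x04\x03" + len(_dns).to_bytes(2, "big") + _dns
SAMPLE_MSG = b"\x0d" + len(_body).to_bytes(3, "big") + _body  # rsa_sign+ecdsa_sign, sha256 algs
```

Feed parse_certificate_request the handshake message bytes (from the type byte onward) exported from a capture to list exactly which issuers a server will accept.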

From the EU trust list we found out that sk.ee is responsible for managing these certificates, and we can download them from https://www.skidsolutions.eu/Repositoorium/SK-sertifikaadid/juursertifikaadid

It is also possible to authenticate people directly through a browser plugin, without client certificate authentication, but we will look into that some other time.
