Why eID client certificate authentication?
This is the main scenario in which users holding a national ID card with a smart card chip can be identified on a website.
Certificates stored on ID cards can be used to identify people online. In the simplest terms, the web server tells the browser which certificates it accepts and, if the browser has a matching one, the authentication procedure starts. The official government-issued ID card software integrates with the browser and adds the certificates from the hardware-backed ID card to its "Your Certificates" list.
Apache configuration has a few points to keep in mind beyond the regular HTTPS setup. The directives that need to be added are SSLCACertificateFile, SSLCARevocationPath, SSLVerifyClient, SSLVerifyDepth and SSLOptions. This guide is written for Ubuntu but should work on any other Linux as well.
Build the certificate chain file
First you need to get the full CA chain in PEM format and merge it into one certificate chain file. This includes the root certificate, all intermediate certificates and any other issuing certificates if needed. Each country and CA has its own sources where these certificates can be found.
A list of public CA certificates can be taken from the trust service provider's repository. In the EU, the list of eIDAS-certified trust service providers can be found at https://webgate.ec.europa.eu/tl-browser/.
Sometimes it can be hard to know which certificates are needed, as there can be quite a few. In that case we assume that the government websites have done it correctly and double-check from there. The easiest way is to record the traffic to such a website with Wireshark and see which client certificates are requested. Once known, compile them in PEM format into one file and add it to the apache2 config like this:
SSLCACertificateFile /etc/ssl/cacerts/ca_and_root_certs.pem
# optional alternative to SSLCARevocationPath: SSLCARevocationFile /etc/ssl/mycrl/all.crl
SSLCARevocationPath /etc/ssl/mycrl/
SSLCARevocationCheck leaf
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
Update certificate revocation lists
As the national ID card certificates can be revoked if the card is stolen or lost, we must also check the certificate revocation lists (CRLs) to be sure we don't let any bad guys in. Usually each certificate includes the path to its public CRL. These CRLs are updated periodically, for example once or twice a day, so don't forget to build a script that keeps them updated. You can also use and modify the script from the Estonian ID card renewal guide: http://id.ee/public/renew.sh
Download all of these CRLs and use the following command to convert them to PEM format if needed. The conversion is written to a temporary file and then moved into place, so the input is never overwritten while it is still being read:
for f in *.crl; do openssl crl -in "$f" -inform DER -out "$f.tmp" && mv "$f.tmp" "$f"; done
Make symlinks named after the issuer name hash in the same folder, next to the PEM CRLs:
for f in *.crl; do ln -s "$f" "$(openssl crl -hash -noout -in "$f").r0"; done
Now execute the CRL update script periodically (for example from cron) and reload apache2 afterwards. An example renew script could look like this:
#!/bin/bash
set -e
cd /etc/ssl/mycrl/
# Fetch each CRL only if the server has a newer copy
for url in https://c.sk.ee/eeccrca.crl https://c.sk.ee/esteid2011.crl https://c.sk.ee/esteid2015.crl \
           https://c.sk.ee/EE-GovCA2018.crl https://c.sk.ee/esteid2018.crl https://c.sk.ee/eid2011.crl; do
    wget --timestamping --no-if-modified-since "$url"
done
# Convert the DER downloads to PEM copies
for f in eeccrca esteid2011 esteid2015 EE-GovCA2018 esteid2018 eid2011; do
    openssl crl -in "$f.crl" -inform DER -out "$f.pem.crl"
done
# Combined file for the SSLCARevocationFile variant
cat *.pem.crl > all.crl
# Rebuild the hash symlinks used by SSLCARevocationPath. Apache looks a CRL up by
# the hash of its issuer's name, so every CRL needs its own link; one link for
# all.crl would only match the issuer of the first CRL in that file.
rm -f *.r?
for f in *.pem.crl; do
    ln -s "$f" "$(openssl crl -hash -noout -in "$f").r0"
done
/etc/init.d/apache2 reload
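A stricter version of this renewal step, added here as an example rather than taken from the guide or from id.ee's renew.sh: each downloaded CRL is verified against the chain file before it is swapped into the directory SSLCARevocationPath reads, so a truncated download or a CRL from the wrong issuer never replaces a good one. It assumes openssl and wget on PATH; the function names, directory and URL arguments are placeholders.

```shell
#!/bin/sh
# Added example, not the guide's renew.sh: a CRL downloaded for SSLCARevocationPath
# is installed only after openssl confirms it is signed by a CA in the chain file.
# A CRL that fails stays out and the previously installed copy is kept.
# Assumes openssl on PATH; function names, paths and URLs are placeholders.

# install_crl SRC_CRL CHAIN_PEM DEST_DIR
#   SRC_CRL may be DER or PEM. On success DEST_DIR gets NAME.pem.crl plus the
#   <issuer-hash>.r0 symlink mod_ssl looks up. Returns 0 installed, 1 rejected.
install_crl() {
    src=$1; chain=$2; dest=$3
    name=$(basename "$src" .crl)
    tmp="$dest/.$name.tmp"
    # Normalise to PEM: try DER first (what the guide converts from), then PEM.
    if ! openssl crl -inform DER -in "$src" -out "$tmp" 2>/dev/null &&
       ! openssl crl -inform PEM -in "$src" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    # "verify OK" appears only if the issuer is in CHAIN_PEM and the signature
    # checks out; openssl crl does not exit non-zero on "verify failure".
    if ! openssl crl -in "$tmp" -noout -CAfile "$chain" 2>&1 | grep -q 'verify OK'; then
        rm -f "$tmp"; return 1
    fi
    # Atomic replace, then (re)create the hash link Apache resolves the CRL by.
    mv -f "$tmp" "$dest/$name.pem.crl"
    hash=$(openssl crl -hash -noout -in "$dest/$name.pem.crl")
    ln -sf "$name.pem.crl" "$dest/$hash.r0"
    return 0
}

# renew_crls CHAIN_PEM DEST_DIR URL...: fetch into a scratch directory, install
# what verifies, log what does not, reload Apache only if something changed.
renew_crls() {
    chain=$1; dest=$2; shift 2
    work=$(mktemp -d); changed=0
    for url in "$@"; do
        wget -q -P "$work" "$url" || { echo "download failed: $url" >&2; continue; }
        if install_crl "$work/$(basename "$url")" "$chain" "$dest"; then
            changed=1
        else
            echo "rejected: $url" >&2
        fi
    done
    rm -rf "$work"
    if [ "$changed" -eq 1 ]; then /etc/init.d/apache2 reload; fi
}
```

Run it from cron as `renew_crls /etc/ssl/cacerts/ca_and_root_certs.pem /etc/ssl/mycrl https://c.sk.ee/esteid2018.crl ...` with the full URL list from the script above.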
Wireshark TLS Client Certificate debugging
For eesti.ee with the Estonian ID-kaart (ID card), Wireshark shows this list of CA names in the server's Certificate Request:
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 675
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 647
            Certificate types count: 3
            Certificate types (3 types)
            Signature Hash Algorithms Length: 24
            Signature Hash Algorithms (12 algorithms)
            Distinguished Names Length: 615
            Distinguished Names (615 bytes)
                Distinguished Name Length: 99
                Distinguished Name: (pkcs-9-at-emailAddress=firstname.lastname@example.org,id-at-commonName=EID-SK 2011,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
                Distinguished Name Length: 102
                Distinguished Name: (pkcs-9-at-emailAddress=email@example.com,id-at-commonName=ESTEID-SK 2011,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
                Distinguished Name Length: 101
                Distinguished Name: (id-at-commonName=ESTEID-SK 2015,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
                Distinguished Name Length: 119
                Distinguished Name: (pkcs-9-at-emailAddress=firstname.lastname@example.org,id-at-commonName=EE Certification Centre Root CA,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
                Distinguished Name Length: 90
                Distinguished Name: (id-at-commonName=ESTEID2018,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=SK ID Solutions AS,id-at-countryName=EE)
                Distinguished Name Length: 92
                Distinguished Name: (id-at-commonName=EE-GovCA2018,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=SK ID Solutions AS,id-at-countryName=EE)
From this we read that the accepted CA certificates are: EID-SK 2011, ESTEID-SK 2011, ESTEID-SK 2015, ESTEID2018 and finally the two root CAs, EE-GovCA2018 and EE Certification Centre Root CA.
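As an added example (not from the original guide), a small shell helper that extracts the issuer names from such a Wireshark dissection and checks them against the chain file given to SSLCACertificateFile. The sample input is the six Distinguished Name lines captured above, embedded as a constructed string; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original guide): pull the issuer names out of a
# Wireshark "Certificate Request" dissection and compare them with the chain
# file given to SSLCACertificateFile. Function names are my own.

# Constructed sample: the six Distinguished Name lines captured from eesti.ee above.
CERT_REQUEST_DUMP='Distinguished Name: (pkcs-9-at-emailAddress=firstname.lastname@example.org,id-at-commonName=EID-SK 2011,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name: (pkcs-9-at-emailAddress=email@example.com,id-at-commonName=ESTEID-SK 2011,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name: (id-at-commonName=ESTEID-SK 2015,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name: (pkcs-9-at-emailAddress=firstname.lastname@example.org,id-at-commonName=EE Certification Centre Root CA,id-at-organizationName=AS Sertifitseerimiskeskus,id-at-countryName=EE)
Distinguished Name: (id-at-commonName=ESTEID2018,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=SK ID Solutions AS,id-at-countryName=EE)
Distinguished Name: (id-at-commonName=EE-GovCA2018,joint-iso-itu-t.5.4.97=NTREE-10747013,id-at-organizationName=SK ID Solutions AS,id-at-countryName=EE)'

# accepted_cas: dissection text on stdin -> one commonName per line, in the
# order the server listed them.
accepted_cas() {
    sed -n 's/.*Distinguished Name: (.*id-at-commonName=\([^,)]*\).*/\1/p'
}

# is_accepted NAME: exit 0 if the server asked for an issuer with that exact CN.
is_accepted() {
    accepted_cas | grep -qxF -- "$1"
}

# missing_from_chain CHAIN_PEM: print "missing: <CN>" for every requested issuer
# whose certificate is not in CHAIN_PEM. Needs openssl; handles both the
# "C = EE, CN = X" and the "/C=EE/CN=X" subject formats openssl prints.
missing_from_chain() {
    subjects=$(openssl crl2pkcs7 -nocrl -certfile "$1" |
               openssl pkcs7 -print_certs -noout |
               sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p')
    accepted_cas | while IFS= read -r cn; do
        printf '%s\n' "$subjects" | grep -qxF -- "$cn" || printf 'missing: %s\n' "$cn"
    done
}
```

Paste the Distinguished Name lines from your own capture into CERT_REQUEST_DUMP (or pipe them in) and run `printf '%s\n' "$CERT_REQUEST_DUMP" | missing_from_chain /etc/ssl/cacerts/ca_and_root_certs.pem` before enabling SSLVerifyClient.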
From the EU trust list we found out that sk.ee is responsible for managing these certificates, and we can download them from https://www.skidsolutions.eu/Repositoorium/SK-sertifikaadid/juursertifikaadid
It is also possible to authenticate people directly in a browser plugin without client certificate authentication, but we will look into that another time.