Setting up Lithuanian ID card identification with Apache2 is really simple: there is one root certificate and 2+2 card signing CA certificates. There are 2 sets of card signing certificates with different validity times.

It differs from many others in that a CRL exists only for the root certificate, and OCSP must be used to check the validity of each ID card during login. It is still possible to identify people even without a CRL, and most of the time you get the correct identity, but if a card is stolen and the thief also finds the PIN codes, then identity theft is possible.

Certificates can be downloaded from http://www.nsc.vrm.lt/downloads_en.htm.
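
A minimal mod_ssl virtual host for the setup described above, added here as an example and not taken from the original post. The host name and file paths are placeholders, and it assumes the card certificates name their OCSP responder in the certificate itself; if they do not, SSLOCSPDefaultResponder has to be set as well.

```apache
# Added example: host name and file paths are placeholders.
<VirtualHost *:443>
    ServerName id.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Trust anchors: the root certificate plus the card signing CA
    # certificates, concatenated in PEM format.
    SSLCACertificateFile /etc/ssl/example/adic-chain.pem

    # CA names sent to the browser in the certificate request; these are
    # what openssl s_client lists as acceptable client certificate CA names.
    SSLCADNRequestFile /etc/ssl/example/adic-chain.pem

    # Chain is: card certificate -> card signing CA -> root.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # With only the directives above, the chain and validity dates are
    # checked but revocation is not, so a card reported stolen would
    # still authenticate. The lines below add the per-card OCSP check.
    # "leaf" checks only the card certificate (httpd 2.4.34 and later);
    # "on" would also query OCSP for the CA certificates in the chain.
    SSLOCSPEnable leaf
    # Seconds to wait for the responder. The handshake is rejected if no
    # good response is obtained, so an unreachable responder blocks logins.
    SSLOCSPResponderTimeout 5

    # Export the SSL_CLIENT_* variables to the application on the login URL.
    <Location "/login">
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```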

Acceptable CA names can be checked with openssl s_client like this:

openssl s_client -connect lt.eideasy.com:443
Acceptable client certificate CA names
C = LT, organizationIdentifier = 188778315, O = Asmens dokumentu israsymo centras prie LR VRM, CN = ADIC CA-A
C = LT, organizationIdentifier = 188778315, O = Asmens dokumentu israsymo centras prie LR VRM, CN = ADIC CA-B
C = LT, organizationIdentifier = 188778315, O = Asmens dokumentu israsymo centras prie LR VRM, CN = ADIC Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

The information that can be read from the card is:

[SSL_CLIENT_S_DN_C] => LT
[SSL_CLIENT_S_DN_CN] => FIRSTNAME LASTNAME
[SSL_CLIENT_S_DN_S] => LASTNAME
[SSL_CLIENT_S_DN_G] => FIRSTNAME
[SSL_CLIENT_I_DN_C] => LT
[SSL_CLIENT_I_DN_O] => Asmens dokumentu israsymo centras prie LR VRM
[SSL_CLIENT_I_DN_CN] => ADIC CA-B
[SSL_CLIENT_VERIFY] => SUCCESS
[SSL_CLIENT_M_VERSION] => 3
[SSL_CLIENT_M_SERIAL] => 4DD4DF49BA4CD9F8000000043123
[SSL_CLIENT_V_START] => Nov 18 07:35:10 2016 GMT
[SSL_CLIENT_V_END] => Nov 18 07:35:10 2019 GMT
[SSL_CLIENT_V_REMAIN] => 890
[SSL_CLIENT_S_DN] => serialNumber=3YYMMDDXXXX,GN=FIRSTNAME,SN=LASTNAME,CN=FIRSTNAME LASTNAME,C=LT
[SSL_CLIENT_I_DN] => CN=ADIC CA-B,O=Asmens dokumentu israsymo centras prie LR VRM,2.5.4.97=#1309313838373738333135,C=LT
[SSL_CLIENT_A_KEY] => rsaEncryption
[SSL_CLIENT_A_SIG] => sha256WithRSAEncryption
[SSL_CLIENT_CERT_RFC4523_CEA] => { serialNumber 1578611014222755478699081436771890, issuer rdnSequence:"CN=ADIC CA-B,O=Asmens dokumentu israsymo centras prie LR VRM,2.5.4.97=#1309313838373738333135,C=LT" }

If you need Lithuanian ID card integration for your site, get in touch via the chat at the bottom right of the screen or fill in the form at https://eideasy.com/get-in-touch/
