Serbian ID card system has 5 CA certificates that need to be imported to your Apache2 configuration.

All of these 5 CA certificates can be downloaded from http://ca.mup.gov.rs/sertifikati-lat.html. For some reason this site does not support https. This poses security issue as you want to be sure that the CA certificates are correct and these will not be modified on the way.

Another issue is with two CA certificates MUPCAGradjani.crt and MUPCARoot.crt that malformed. The serial number is not only a negative number, but a badly formed negative number. This means it will not work with newer OpenSSL implementations. See more info from here https://github.com/openssl/openssl/issues/4320. To be able to use Client Authentication with cards signed with this certificate takes ugly hacking and accepting older OpenSSL version or building custom version for yourself.

$ openssl x509 -inform der -in MUPCAGradjani.crt -text -noout
unable to load certificate
140630104798528:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140630104798528:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=serialNumber, Type=X509_CINF
140630104798528:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:Field=cert_info, Type=X509

You come to right place if you are having trouble with Serbian ID card as we are able to help. Get in touch in the chat below.

Categories: e-ID

0 Comments

Leave a Reply