These days it is relatively easy for sysadmins to copy-paste a few commands and add support for ID cards. This avoids middlemen and in some cases is the most reasonable plan. However, it also means that constant effort is needed to keep everything up to date. Here are the things that need to be watched all the time.
Every country periodically adds new certificate authorities. Some add one every month, like Belgium, whereas others add one every couple of years, like Estonia. Each time a new CA is created, the server configuration has to be refreshed, or some people will be unable to authenticate.
It is easy to test with your own ID card that authentication is working. It is much harder to make sure that blocked ID cards are not able to authenticate. How many of us have blocked cards at hand?
Many ID card configuration guides are available, for example for the Estonian ID card. Most of them explain how to configure authentication and the CRL revocation check, yet one directive is missing: actually activating the revocation check with SSLCARevocationCheck. Without it, CRL files are configured but never consulted, so anyone who does not know exactly what they are doing ends up deploying the secure ID card insecurely.
Even worse, the latest official guide does not work on Apache 2.4 if SSLCARevocationCheck is enabled. With it enabled, authentication does not work at all and you see these errors:
Apache logs:
AH02039: Certificate Verification: Error (3): unable to get certificate CRL

"Advanced" testing with openssl:
openssl verify -CAfile id.pem -CRLfile all.crl -crl_check_all cert.pem
C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = email@example.com
error 44 at 2 depth lookup:Different CRL scope

Firefox:
An error occurred during a connection to ee.smartid.ee. Peer does not recognize and trust the CA that issued your certificate. Error code: SSL_ERROR_UNKNOWN_CA_ALERT

Chrome:
This site can’t provide a secure connection ee.smartid.dev didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT
This error is quite hard to track down. See more information about it at http://www.bbc.co.uk/blogs/internet/entries/42d52ca4-5f48-450e-aec4-3fc8e6296929
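One way to exercise the revocation path without owning a blocked card, and to see the same openssl verify error numbers that the AH02039 log line reports, is to build a throwaway CA, issue a "card" certificate, and run the check with no CRL, a fresh CRL, and a CRL that lists the card as revoked. The script below is an added example and not part of the original post; the CA name, file names and the minimal ca.cnf are constructed for the demo, and it assumes an OpenSSL 1.1.1 or newer command line.

```shell
#!/bin/sh
# Constructed demo: throwaway CA + "ID card" certificate to exercise CRL checks.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal config for openssl ca/req (constructed for this demo)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
default_md = sha256
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
touch index.txt; echo 1000 > serial
# Self-signed root that is allowed to sign both certificates and CRLs
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Root CA" -days 30 -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
# The "ID card" certificate issued by that root
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=Demo Card Holder" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -days 30 -in user.csr -out user.pem >/dev/null 2>&1
# CRL before revocation, then revoke the card and publish a new CRL
openssl ca -config ca.cnf -gencrl -crldays 7 -out fresh.crl 2>/dev/null
openssl ca -config ca.cnf -revoke user.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -crldays 7 -out revoked.crl 2>/dev/null
# Prints the X509 verify error number for the card certificate (0 = OK):
# 3 = unable to get certificate CRL (the AH02039 case), 23 = certificate revoked.
# Extra arguments (e.g. -CRLfile some.crl) are passed straight to openssl verify.
verify_code() {
  out=$(openssl verify -CAfile ca.pem -crl_check "$@" user.pem 2>&1) || true
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1 ;;
  esac
}
echo "no CRL:      $(verify_code)"
echo "fresh CRL:   $(verify_code -CRLfile fresh.crl)"
echo "revoked CRL: $(verify_code -CRLfile revoked.crl)"
```

The "no CRL" case is exactly what Apache reports as AH02039 Error (3) once SSLCARevocationCheck is on, so a silent "OK" in that case means revocation checking is not actually active.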