10 Jul

Why choose Identification as a Service provider instead of doing on your own?

Written by in National ID cards

These days it is relatively easy for sysadmins to copy and paste a few commands and add ID card support to a server. This avoids middlemen and in some cases is the most reasonable plan. However, it also means that constant effort is needed to keep everything up to date. Here are the things that need to be watched all the time.

New Certificate Authorities

Every country adds new Certificate Authorities periodically. Some add one every month, like Belgium, whereas others add one every couple of years, like Estonia. However, every time a new CA is created the server configuration needs to be refreshed, or some people are unable to identify themselves.

Testing

It is easy to test with your own ID card that identification is working. However, it is much harder to make sure that blocked ID cards are not able to identify. How many of us have blocked cards at hand?

Configuration mistakes

Many ID card configuration guides are available, for example for the Estonian ID card. Most of them explain how to configure identification and the CRL revocation check, yet one directive is missing: the one that actually activates the revocation check, SSLCARevocationCheck. This means that everyone who does not know exactly what they are doing ends up implementing the secure ID card insecurely.
Even worse, the latest official guide does not work on Apache 2.4 if SSLCARevocationCheck is enabled. If it is enabled, identification does not work at all and you can see these errors:

Apache logs:
AH02039: Certificate Verification: Error (3): unable to get certificate CRL

"Advanced" testing with openssl (openssl verify -CAfile id.pem -CRLfile all.crl -crl_check_all cert.pem):
C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki@sk.ee
error 44 at 2 depth lookup:Different CRL scope

Firefox:
An error occurred during a connection to ee.smartid.ee. Peer does not recognize and trust the CA that issued your certificate. Error code: SSL_ERROR_UNKNOWN_CA_ALERT

Chrome:
This site can’t provide a secure connection
ee.smartid.dev didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT

This error is quite hard to track down. More information about it is available at http://www.bbc.co.uk/blogs/internet/entries/42d52ca4-5f48-450e-aec4-3fc8e6296929
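The two weak spots above, testing without a blocked card at hand and a CRL file that is configured but never consulted, can be reproduced locally. The script below is an added example, not code from the original post: it builds a throwaway CA with one revoked certificate and verifies that certificate twice, once with the CRL merely on disk and once with the check actually enabled. All names and subjects are constructed for the test.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA with one
# revoked certificate so the revocation path can be exercised without a real
# blocked card. Every name and subject below is constructed for the test.
set -e

# $1 = scratch directory. Leaves ca.pem, all.crl and the revoked card.pem in it.
setup_test_ca() {
  mkdir -p "$1" && cd "$1"
  # Minimal "openssl ca" configuration: index, serial, CRL lifetime, DN policy.
  printf '%s\n' '[ ca ]' 'default_ca = test_ca' '[ test_ca ]' 'dir = .' \
    'database = index.txt' 'serial = serial' 'new_certs_dir = .' \
    'certificate = ca.pem' 'private_key = ca.key' 'default_md = sha256' \
    'default_crl_days = 30' 'policy = dn_policy' '[ dn_policy ]' \
    'commonName = supplied' > ca.cnf
  : > index.txt
  echo 01 > serial
  # Self-signed test CA, the stand-in for a national ID card CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj '/CN=Test ID CA' -days 2 >/dev/null 2>&1
  # One end-entity certificate, the stand-in for a citizen's card.
  openssl req -newkey rsa:2048 -nodes -keyout card.key -out card.csr \
    -subj '/CN=Test Card' >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -days 1 \
    -in card.csr -out card.pem >/dev/null 2>&1
  # "Block" the card: revoke it and publish a CRL that lists it.
  openssl ca -config ca.cnf -revoke card.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out all.crl >/dev/null 2>&1
}

# Prints OK or REJECTED. -CRLfile plays the role of SSLCARevocationFile and
# -crl_check that of SSLCARevocationCheck; pass "crl" as $1 to enable it.
verify_card() {
  case $1 in crl) flag=-crl_check ;; *) flag= ;; esac
  if openssl verify -CAfile ca.pem -CRLfile all.crl $flag card.pem 2>/dev/null \
       | grep -q '^card.pem: OK'; then
    echo OK
  else
    echo REJECTED
  fi
}

# Stand-alone run: the CRL is on disk both times, but only the second
# verification consults it, which is exactly the gap the missing directive leaves.
setup_test_ca "$(mktemp -d)/ca"
echo "CRL present, check not enabled: $(verify_card nocrl)"   # OK (revoked card accepted)
echo "CRL present, check enabled:     $(verify_card crl)"     # REJECTED
```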