06May

Estonian ID-card (ID-kaart) and e-residency card identification

Written by in National ID cards

The easiest way to add free Estonian ID card and e-residency card support to your website is to use the Smart ID service over the OAuth 2 protocol. However, if you prefer to implement it yourself, here is the guide for you.

Note that the Estonian ID card is one of the easiest to get working on your website.

The SSLCACertificateFile directive is needed in the vhost to have the Apache web server request a certificate from the browser. More information: national electronic ID card identification with Apache2 webserver.

Root certificate

CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee
Download: https://sk.ee/upload/files/Juur-SK.pem.crt
CRL: https://sk.ee/crls/eeccrca/eeccrca.crl
Not Before: Oct 30 10:10:30 2010 GMT
Not After : Dec 17 23:59:59 2030 GMT
Serial Number: 54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a

Certificate authorities

  1. CN=ESTEID-SK 2011/emailAddress=pki@sk.ee
    Download: https://sk.ee/upload/files/ESTEID-SK_2011.pem.crt
    CRL: https://sk.ee/repository/crls/esteid2011.crl
    Not Before: Mar 18 10:14:59 2011 GMT
    Not After : Mar 18 10:14:59 2024 GMT
    Serial Number: 29:52:93:aa:fd:8c:c6:d4:4d:83:30:a3:c2:64:51:0d
  2. CN=ESTEID-SK 2015
    Download: https://sk.ee/upload/files/ESTEID-SK_2015.pem.crt
    CRL: https://sk.ee/crls/esteid/esteid2015.crl
    Not Before: Dec 17 12:38:43 2015 GMT
    Not After : Dec 17 23:59:59 2030 GMT
    Serial Number: 45:48:09:0b:87:9c:ef:21:56:72:ac:d3:de:6c:1b:5b
  3. CN=EID-SK 2011/emailAddress=pki@sk.ee
    Download: https://sk.ee/upload/files/EID-SK_2011.pem.crt
    CRL: https://sk.ee/repository/crls/eid2011.crl
    Not Before: Mar 18 10:11:11 2011 GMT
    Not After : Mar 18 10:11:11 2024 GMT
    Serial Number: 43:2b:d4:4e:62:43:6b:46:4d:83:2f:bf:7d:2d:2f:5a

The personal code can be found in the serialNumber field of SSL_CLIENT_S_DN. Some other interesting fields that can be read from the card are:
  "SSL_CLIENT_S_DN_OU" => "authentication"
  "SSL_CLIENT_S_DN_CN" => "LASTNAME,FIRSTNAME,IDCODE"
  "SSL_CLIENT_S_DN_S" => "LASTNAME"
  "SSL_CLIENT_S_DN_G" => "FIRSTNAME"
  "SSL_CLIENT_I_DN_C" => "EE"
  "SSL_CLIENT_I_DN_O" => "AS Sertifitseerimiskeskus"
  "SSL_CLIENT_I_DN_CN" => "ESTEID-SK 2015"
  "SSL_CLIENT_SAN_Email_0" => "government.issued.email@eesti.ee"
  "SSL_CLIENT_VERIFY" => "SUCCESS"
  "SSL_CLIENT_M_VERSION" => "3"
  "SSL_CLIENT_M_SERIAL" => "03158F4ADFC7E2CD577112A374596F9D"
  "SSL_CLIENT_V_START" => "Jun 27 18:59:46 2016 GMT"
  "SSL_CLIENT_V_END" => "Jul 27 20:59:59 2020 GMT"
  "SSL_CLIENT_S_DN" => "serialNumber=IDCODE,GN=FIRSTNAME,SN=LASTNAME,CN=LASTNAME\,FIRSTNAME\,IDCODE,OU=authentication,O=ESTEID,C=EE"
  "SSL_CLIENT_I_DN" => "CN=ESTEID-SK 2015,2.5.4.97=#0C0E4E545245452D3130373437303133,O=AS Sertifitseerimiskeskus,C=EE"
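
The sketch below is an example added here, not code from the original guide. It shows one way an application behind Apache could read the personal code from these variables. The function names, the 11-digit format check and the sample values are assumptions made for illustration; the issuer names come from the CA list above. Note that the CN value contains backslash-escaped commas, so splitting SSL_CLIENT_S_DN on every comma would produce wrong fields.

```python
import re

# Issuer CNs taken from the certificate authority list on this page.
TRUSTED_ISSUER_CNS = {"ESTEID-SK 2011", "ESTEID-SK 2015", "EID-SK 2011"}

def parse_dn(dn):
    """Split a DN string into a dict; a backslash-escaped comma stays in the value."""
    fields, buf, i = {}, [], 0
    while i <= len(dn):
        if i < len(dn) and dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character is literal data
            i += 2
            continue
        if i == len(dn) or dn[i] == ",":   # unescaped comma ends one attribute
            key, sep, value = "".join(buf).partition("=")
            if sep:
                fields[key.strip()] = value
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    return fields

def identify(env):
    """Return (personal_code, given_name, surname) or raise ValueError."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ValueError("client certificate was not verified")
    if env.get("SSL_CLIENT_I_DN_CN") not in TRUSTED_ISSUER_CNS:
        raise ValueError("unexpected issuing CA")
    subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    if subject.get("OU") != "authentication":
        raise ValueError("not an authentication certificate")
    code = subject.get("serialNumber", "")
    if not re.fullmatch(r"[0-9]{11}", code):   # assumption: 11-digit personal code
        raise ValueError("serialNumber is not a personal code")
    return code, env.get("SSL_CLIENT_S_DN_G"), env.get("SSL_CLIENT_S_DN_S")

# Constructed sample in the shape shown above (not a real person or code).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN_CN": "ESTEID-SK 2015",
    "SSL_CLIENT_S_DN_G": "MARI",
    "SSL_CLIENT_S_DN_S": "TAMM",
    "SSL_CLIENT_S_DN": "serialNumber=12345678901,GN=MARI,SN=TAMM,"
                       "CN=TAMM\\,MARI\\,12345678901,OU=authentication,O=ESTEID,C=EE",
}

if __name__ == "__main__":
    print(identify(SAMPLE_ENV))
```

These variables are only trustworthy when Apache itself sets them after verifying the certificate; values arriving from a proxy or request headers must not be passed to such a function.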

When configured correctly, openssl should show:

 Acceptable client certificate CA names
 /C=EE/O=AS Sertifitseerimiskeskus/CN=EID-SK 2011/emailAddress=pki@sk.ee
 /C=EE/O=AS Sertifitseerimiskeskus/CN=ESTEID-SK 2011/emailAddress=pki@sk.ee
 /C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee
 /C=EE/O=AS Sertifitseerimiskeskus/2.5.4.97=NTREE-10747013/CN=ESTEID-SK 2015

More technical information is available from http://id.ee/index.php?id=10584 and the government support e-mail abi@id.ee. There is also an excellent official guide, the best of all the official guides, at http://www.id.ee/public/Configuring_Apache_web_server_to_support_ID.pdf