02 May

Latvian ID card Personas apliecība with Apache2

Written by in National ID cards

The easiest way to add free Latvian ID card support to your website is to use the Smart ID service over the OAuth 2 protocol. However, if you prefer to implement it yourself, this guide is for you.

The Latvian ID card certificate authority chain has 1 root certificate, 2 policy certificates and 6 valid issuance certificates. New issuance certificates are added approximately twice a year. The certificates can be downloaded from the https://www.eparaksts.lv site in p7b certificate chain format. You need to extract the needed certificates from those files.

Note that the naming scheme for Latvian CA certificates is very confusing, but if you get all the needed certificates, identification will work fine.

The SSLCACertificateFile directive is needed in the vhost to have the Apache web server request a certificate from the browser. The CA certificates below need to be downloaded and added to the file named by the SSLCACertificateFile directive. More information about national electronic ID card identification with Apache2 webserver.

Root certificate

CN=E-ME SSI (RCA)
Download: https://www.eparaksts.lv/files/ca7.p7b (Extract RCA certificate from this chain)
CRL: http://www.eme.lv/cdp/E-ME%20SSI%20(RCA).crl
Not Before: May 19 08:45:56 2009 GMT
Not After : May 19 08:48:15 2027 GMT
Serial Number: 2e:ef:db:fb:d8:89:3d:8f:49:1c:93:72:fe:45:df:ed

Policy certificates

  1. CN=E-ME PSI (PCA)
    Download: https://www.eparaksts.lv/files/ca7.p7b (Extract PCA certificate from this chain)
    CRL: http://www.eme.lv/cdp/E-ME%20PSI%20(PCA).crl
    Not Before: May 19 11:22:49 2009 GMT
    Not After : May 19 11:22:49 2021 GMT
    Serial Number: 16:bb:ce:e8:fc:a9:37:f1:00:00:00:00:00:02
  2. CN=E-ME PSI (PCA)
    Download: https://www.eparaksts.lv/files/ca5.p7b (Extract PCA certificate from this chain)
    CRL: http://www.eme.lv/cdp/E-ME%20PSI%20(PCA)(1).crl
    Not Before: Apr 22 08:21:27 2015 GMT
    Not After : Apr 22 08:31:27 2027 GMT
    Serial Number: 58:70:35:a3:00:00:00:00:00:0a

Issuance certificates

  1. CN=E-ME SI (CA1)
    Download: https://www.eparaksts.lv/files/chain_2.p7b
    CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1)(2).crl
    Not Before: Oct 4 20:58:36 2013 GMT
    Not After : Oct 4 21:08:36 2019 GMT
    Serial Number: 11:a7:02:3e:00:00:00:00:00:1f
  2. CN=E-ME SI (CA1)
    Download: https://www.eparaksts.lv/files/ca4.p7b
    CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1)(3).crl
    Not Before: Mar 1 02:30:17 2014 GMT
    Not After : Mar 1 02:40:17 2020 GMT
    Serial Number: 17:dd:83:21:00:00:00:00:00:22
  3. CN=E-ME SI (CA1)
    Download: https://www.eparaksts.lv/files/ca4_chain.p7b
    CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1)(4).crl
    Not Before: Aug 9 00:18:53 2014 GMT
    Not After : Aug 9 00:28:53 2020 GMT
    Serial Number: 44:85:11:fc:00:00:00:00:00:23
  4. CN=E-ME SI (CA1)
    Download: https://www.eparaksts.lv/files/ca5.p7b
    CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1)(5).crl
    Not Before: Feb 21 01:15:24 2015 GMT
    Not After : Feb 21 01:25:24 2021 GMT
    Serial Number: 36:18:2d:91:00:00:00:00:00:24
  5. CN=E-ME SI (CA1)
    Download: https://www.eparaksts.lv/files/ca6.p7b
    CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1)(6).crl
    Not Before: Sep 25 21:49:27 2015 GMT
    Not After : Sep 25 21:59:27 2021 GMT
    Serial Number: 12:df:9a:75:00:01:00:00:00:2b
  6. CN=E-ME SI (CA1)
    Download: https://www.eparaksts.lv/files/ca7.p7b
    CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1)(7).crl
    Not Before: May 12 22:01:41 2016 GMT
    Not After : May 12 22:11:41 2022 GMT
    Serial Number: 33:62:5f:1d:00:01:00:00:00:2c

The personal code can be found in the serialNumber attribute of SSL_CLIENT_S_DN. Some other interesting fields that can be read from the card are:
[SSL_CLIENT_S_DN_C] => LV
[SSL_CLIENT_S_DN_CN] => FIRSTNAME LASTNAME
[SSL_CLIENT_S_DN_S] => LASTNAME
[SSL_CLIENT_S_DN_G] => FIRSTNAME
[SSL_CLIENT_I_DN_C] => LV
[SSL_CLIENT_I_DN_OU] => Sertifikacijas pakalpojumu dala
[SSL_CLIENT_I_DN_CN] => E-ME SI (CA1)
[SSL_CLIENT_M_SERIAL] => 55D1C11161FF867B0007002C01A2
[SSL_CLIENT_S_DN] => serialNumber=DDMMYY-12345,GN=FIRSTNAME,SN=LASTNAME,CN=FIRSTNAME LASTNAME,C=LV
[SSL_CLIENT_I_DN] => CN=E-ME SI (CA1),OU=Sertifikacijas pakalpojumu dala,C=LV
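
An added example, not code from the original post: one way for an application behind this vhost to read the personal code from the variables listed above, written in Python. It assumes mod_ssl also exports SSL_CLIENT_VERIFY, that the DN is in the comma-separated form shown above, and that the code has the DDMMYY-12345 shape of the page's placeholder; the helper names and sample values are constructed for illustration.

```python
import re

# Assumption: code shape follows the page's placeholder DDMMYY-12345.
PERSONAL_CODE = re.compile(r"\d{6}-\d{5}")
EXPECTED_ISSUER_CN = "E-ME SI (CA1)"  # issuer CN listed on the page

# Constructed sample environment (not real card data).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "serialNumber=010190-12345,GN=JANIS,SN=BERZINS,CN=JANIS BERZINS,C=LV",
    "SSL_CLIENT_I_DN": "CN=E-ME SI (CA1),OU=Sertifikacijas pakalpojumu dala,C=LV",
}

def parse_dn(dn):
    """Split a comma-separated DN into (type, value) pairs; escaped commas stay in their value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # single-character escapes are undone; hex escapes are left as-is
            pairs.append((key.strip(), re.sub(r"\\(.)", r"\1", value)))
    return pairs

def personal_code(env):
    """Return the personal code of a verified client certificate or raise ValueError."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ValueError("client certificate was not verified by Apache")
    issuer = dict(parse_dn(env.get("SSL_CLIENT_I_DN", "")))
    if issuer.get("CN") != EXPECTED_ISSUER_CN:  # sanity check only; trust comes from Apache
        raise ValueError("unexpected issuer")
    subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    codes = [v for k, v in subject if k.lower() == "serialnumber"]
    if len(codes) != 1 or not PERSONAL_CODE.fullmatch(codes[0]):
        raise ValueError("missing or malformed serialNumber")
    return codes[0]
```

Reading serialNumber as a parsed attribute, rather than searching the DN string for the text "serialNumber=", keeps a value that merely contains that text from being accepted as the personal code.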

More technical information is available from https://www.eparaksts.lv/en/Assistance/izstradatajiem/certificates_for_developers/ and from the government support e-mail pmlp@pmlp.gov.lv