27 Sep

Lithuanian ID card Asmens tapatybės kortelė authentication with Apache2

Written by in National ID cards

Lithuanian ID card authentication with Apache2 is really simple: there is one root certificate and two card-signing CA certificates. It differs from many other national ID cards in that a CRL exists only for the root certificate, so OCSP must be used to check the validity of each ID card during login. It is still possible to identify people without the CRL, and most of the time you get the correct identity, but if a card is stolen and the thief also finds the PIN codes, identity theft becomes possible. This is logical: without a CRL or OCSP there is no way to detect blocked cards.

There are three acceptable CA names, as shown by openssl s_client:

$ openssl s_client -connect lt.smartid.ee:443 -servername lt.smartid.ee
Acceptable client certificate CA names
/C=LT/2.5.4.97=188778315/O=Asmens dokumentu israsymo centras prie LR VRM/CN=ADIC CA-A
/C=LT/2.5.4.97=188778315/O=Asmens dokumentu israsymo centras prie LR VRM/CN=ADIC CA-B
/C=LT/2.5.4.97=188778315/O=Asmens dokumentu israsymo centras prie LR VRM/CN=ADIC Root CA

Certificates can be downloaded from http://www.nsc.vrm.lt/downloads_en.htm.

The information that can be read from the card (as exported by mod_ssl into the environment) is:

[SSL_CLIENT_S_DN_C] => LT
[SSL_CLIENT_S_DN_CN] => FIRSTNAME LASTNAME
[SSL_CLIENT_S_DN_S] => LASTNAME
[SSL_CLIENT_S_DN_G] => FIRSTNAME
[SSL_CLIENT_I_DN_C] => LT
[SSL_CLIENT_I_DN_O] => Asmens dokumentu israsymo centras prie LR VRM
[SSL_CLIENT_I_DN_CN] => ADIC CA-B
[SSL_CLIENT_VERIFY] => SUCCESS
[SSL_CLIENT_M_VERSION] => 3
[SSL_CLIENT_M_SERIAL] => 4DD4DF49BA4CD9F8000000043123
[SSL_CLIENT_V_START] => Nov 18 07:35:10 2016 GMT
[SSL_CLIENT_V_END] => Nov 18 07:35:10 2019 GMT
[SSL_CLIENT_V_REMAIN] => 890
[SSL_CLIENT_S_DN] => serialNumber=3YYMMDDXXXX,GN=FIRSTNAME,SN=LASTNAME,CN=FIRSTNAME LASTNAME,C=LT
[SSL_CLIENT_I_DN] => CN=ADIC CA-B,O=Asmens dokumentu israsymo centras prie LR VRM,2.5.4.97=#1309313838373738333135,C=LT
[SSL_CLIENT_A_KEY] => rsaEncryption
[SSL_CLIENT_A_SIG] => sha256WithRSAEncryption
[SSL_CLIENT_CERT_RFC4523_CEA] => { serialNumber 1578611014222755478699081436771890, issuer rdnSequence:"CN=ADIC CA-B,O=Asmens dokumentu israsymo centras prie LR VRM,2.5.4.97=#1309313838373738333135,C=LT" }
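An application behind this Apache setup should not use the exported variables blindly: before trusting the personal code it must check that SSL_CLIENT_VERIFY is SUCCESS and that the issuer is one of the two card-signing CAs (a certificate issued by anything else, including the root itself, is not a card). The following is an added example, not code from the original post, that does this check in Python. It parses the DN strings shown above, including the #hex form of the 2.5.4.97 attribute on the issuer DN, and sanity-checks the personal code in the serialNumber RDN; the check-digit rule is the published personal-code format (an assumption, the page only shows the 3YYMMDDXXXX pattern) and the sample personal code is constructed.

```python
"""Application-side check of the SSL_CLIENT_* variables that mod_ssl exports
for a Lithuanian ID card login. Added example, not code from the original
post; it assumes the variable names and DN layout shown above and that Apache
was configured to require and verify the client certificate."""
import binascii
from datetime import date

# Card-signing CAs listed on the page; the root only issues these two CAs.
ACCEPTED_ISSUER_CN = {"ADIC CA-A", "ADIC CA-B"}
ACCEPTED_ISSUER_O = "Asmens dokumentu israsymo centras prie LR VRM"


def _decode_value(raw):
    """Turn a '#hex' DN value (DER-encoded string) back into text, e.g.
    '#1309313838373738333135' is a PrintableString holding '188778315'."""
    if not raw.startswith("#"):
        return raw
    try:
        der = binascii.unhexlify(raw[1:])
    except binascii.Error:
        return raw
    # Short-form TLV: tag (PrintableString/UTF8String/IA5String), length, contents.
    if len(der) >= 2 and der[0] in (0x13, 0x0C, 0x16) and der[1] == len(der) - 2:
        return der[2:].decode("utf-8")
    return raw  # unknown encoding: keep the literal form


def parse_dn(dn):
    """Parse an RFC 2253 style DN ('CN=x,O=y,...') into [(type, value), ...],
    honouring backslash escapes so a comma inside a value is not a separator."""
    rdns, key, buf, in_key, i = [], None, [], True, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if in_key and ch == "=":
            key, buf, in_key = "".join(buf).strip(), [], False
        elif not in_key and ch == ",":
            rdns.append((key, _decode_value("".join(buf))))
            key, buf, in_key = None, [], True
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        rdns.append((key, _decode_value("".join(buf))))
    return rdns


def personal_code_ok(code):
    """Sanity-check the 11-digit personal code carried in the serialNumber RDN
    (G YYMMDD NNN C: G gives century and gender, 3/4 for 1900s and 5/6 for
    2000s, then the birth date, a sequence number and a mod-11 check digit).
    The check-digit scheme is the published personal-code format, an
    assumption not stated on the page."""
    if len(code) != 11 or not code.isdigit() or code[0] not in "3456":
        return False
    century = 1900 if code[0] in "34" else 2000
    try:
        date(century + int(code[1:3]), int(code[3:5]), int(code[5:7]))
    except ValueError:
        return False
    digits = [int(c) for c in code]
    chk = sum(d * w for d, w in zip(digits, (1, 2, 3, 4, 5, 6, 7, 8, 9, 1))) % 11
    if chk == 10:
        chk = sum(d * w for d, w in zip(digits, (3, 4, 5, 6, 7, 8, 9, 1, 2, 3))) % 11
        if chk == 10:
            chk = 0
    return chk == digits[10]


def identity_from_env(env):
    """Return the card holder's identity from the exported variables, or raise
    ValueError when the certificate was not verified or comes from a CA other
    than the two card-signing CAs."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ValueError("client certificate not verified by mod_ssl")
    issuer = dict(parse_dn(env.get("SSL_CLIENT_I_DN", "")))
    if (issuer.get("C") != "LT" or issuer.get("O") != ACCEPTED_ISSUER_O
            or issuer.get("CN") not in ACCEPTED_ISSUER_CN):
        raise ValueError("unexpected issuer: %r" % env.get("SSL_CLIENT_I_DN"))
    subject = dict(parse_dn(env.get("SSL_CLIENT_S_DN", "")))
    code = subject.get("serialNumber", "")
    if subject.get("C") != "LT" or not personal_code_ok(code):
        raise ValueError("subject DN does not look like a Lithuanian ID card")
    return {
        "personal_code": code,
        "given_name": subject.get("GN"),
        "surname": subject.get("SN"),
        "issuer_cn": issuer["CN"],
        "cert_serial": env.get("SSL_CLIENT_M_SERIAL"),
    }


# Constructed sample environment: DN layout from the page, personal code made up.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "serialNumber=39001011237,GN=FIRSTNAME,SN=LASTNAME,"
                       "CN=FIRSTNAME LASTNAME,C=LT",
    "SSL_CLIENT_I_DN": "CN=ADIC CA-B,O=Asmens dokumentu israsymo centras prie LR VRM,"
                       "2.5.4.97=#1309313838373738333135,C=LT",
    "SSL_CLIENT_M_SERIAL": "4DD4DF49BA4CD9F8000000043123",
}

if __name__ == "__main__":
    print(identity_from_env(SAMPLE_ENV))
```

These variables only carry meaning if mod_ssl did the verification in the first place, i.e. the vhost has SSLVerifyClient require, SSLOptions +StdEnvVars, SSLCACertificateFile pointing at the root and the two card-signing CA certificates, SSLCARevocationFile with the root CRL and SSLOCSPEnable on; with SSLVerifyClient optional an unauthenticated request reaches the application with SSL_CLIENT_VERIFY set to NONE, which is exactly what the first check rejects.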

Now configure Apache as described in Authenticating people with Apache2 and national electronic ID cards. And don't forget to configure the OCSP check!