Serbian id card Лична карта / Lična karta online authentication

Written by in National ID cards

The Serbian ID card system has 5 CA certificates that need to be imported into your Apache2 configuration. Funnily enough, 2 of these certificates share exactly the same name, so only 4 different CA names are sent. All 5 certificates must still be configured. The CA name is only a string and carries no other information about the certificate; the actual validity of the certificates is checked at later stages.

The CA names are as follows:

$ openssl s_client -connect rs.smartid.ee:443 -servername rs.smartid.ee
Acceptable client certificate CA names
/C=RS/O=MUP Republike Srbije/OU=MUPCA/CN=MUPCA Root 3
/CN=MUPCA Gradjani/O=MUP Republike Srbije/L=Beograd/C=Republika Srbija (RS)
/emailAddress=ca@mup.gov.rs/C=RS/O=MUP Republike Srbije/OU=MUPCA/CN=MUPCA Gradjani 3
/CN=MUPCA Root/O=MUP Republike Srbije/L=Beograd/C=RS

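All 5 of these CA certificates can be downloaded from http://ca.mup.gov.rs/sertifikati-lat.html. For some reason this site does not support https, so verify the fingerprints of the downloaded certificates through a separate trusted channel before adding them to your trust store.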

CRLs are available from http://ca.mup.gov.rs/CRL-lat.html. Only 4 CRLs can be found for the 5 certificates! Interestingly, the intermediate certificates reference the CRLs of the root CA that signed them.

Once you have downloaded all of the CA certificates and their CRLs, configure your Apache2 as described at https://smartid.ee/authenticating-people-apache2-national-electronic-id-cards/

The information that can be read from the Serbian national ID card is in the following format:

[SSL_CLIENT_S_DN_CN] => АЛЕКСАНДАР ВУЧИЋ 0101006500006-0101006500006
[SSL_CLIENT_I_DN_O] => MUP Republike Srbije
[SSL_CLIENT_I_DN_L] => Beograd
[SSL_CLIENT_I_DN_C] => Republika Srbija (RS)
[SSL_CLIENT_V_START] => Sep 18 06:54:28 2017 GMT
[SSL_CLIENT_V_END] => Sep 17 21:59:59 2022 GMT
[SSL_CLIENT_S_DN] => C=RS,CN=АЛЕКСАНДАР ВУЧИЋ 0101006500006-0101006500006
[SSL_CLIENT_I_DN] => C=Republika Srbija (RS),L=Beograd,O=MUP Republike Srbije,CN=MUPCA Gradjani
[SSL_CLIENT_A_KEY] => rsaEncryption
[SSL_CLIENT_A_SIG] => sha1WithRSAEncryption
[SSL_CLIENT_CERT_RFC4523_CEA] => { serialNumber 4313123, issuer rdnSequence:"C=Republika Srbija (RS),L=Beograd,O=MUP Republike Srbije,CN=MUPCA Gradjani" }
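
An added example, not part of the original post: a server-side check that turns the variables above into an identity and fails closed. The names identity_from_env and SAMPLE are hypothetical; SSL_CLIENT_VERIFY is a standard mod_ssl variable not shown in the dump. It assumes that the CN is always "<name> <13 digits>-<same 13 digits>" as in the sample and that the two "Gradjani" CAs are the ones issuing citizen certificates.

```python
import re
from datetime import datetime, timezone

# Assumption from the page's sample: CN is "<NAME> <13 digits>-<same digits>".
CN_RE = re.compile(r"^(?P<name>.+?) (?P<num>[0-9]{13})-(?P=num)$")
# Issuing CA names taken from the CA list on this page (assumed issuers).
ISSUER_CNS = {"MUPCA Gradjani", "MUPCA Gradjani 3"}
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # SSL_CLIENT_V_START / _END format

SAMPLE = {  # values copied from the page's sample; SSL_CLIENT_VERIFY constructed
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "АЛЕКСАНДАР ВУЧИЋ 0101006500006-0101006500006",
    "SSL_CLIENT_I_DN": "C=Republika Srbija (RS),L=Beograd,"
                       "O=MUP Republike Srbije,CN=MUPCA Gradjani",
    "SSL_CLIENT_V_START": "Sep 18 06:54:28 2017 GMT",
    "SSL_CLIENT_V_END": "Sep 17 21:59:59 2022 GMT",
    "SSL_CLIENT_A_SIG": "sha1WithRSAEncryption",
}


def _when(text):
    # Raises ValueError on a missing or malformed date, which fails closed.
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def identity_from_env(env, now=None):
    """Return {'name', 'number', 'warnings'} or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    # With "SSLVerifyClient optional" a request can arrive without a
    # verified certificate, so never trust the DN variables on their own.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ValueError("client certificate not verified by Apache")
    issuer = re.search(r"(?:^|,)CN=([^,]+)", env.get("SSL_CLIENT_I_DN", ""))
    if not issuer or issuer.group(1) not in ISSUER_CNS:
        raise ValueError("unexpected issuer")
    start = _when(env.get("SSL_CLIENT_V_START", ""))
    end = _when(env.get("SSL_CLIENT_V_END", ""))
    if not start <= now <= end:
        raise ValueError("certificate outside its validity period")
    cn = CN_RE.match(env.get("SSL_CLIENT_S_DN_CN", ""))
    if not cn:
        raise ValueError("subject CN not in the expected format")
    warnings = []
    if env.get("SSL_CLIENT_A_SIG", "").lower().startswith("sha1"):
        warnings.append("certificate signed with SHA-1")
    return {"name": cn["name"], "number": cn["num"], "warnings": warnings}
```

The issuer-name check is only a second layer on top of Apache's chain and CRL validation, since a CA name is just a string.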