Client certificate authentication allows users with national ID cards that have a smart chip to securely identify themselves on a website.
Certificates stored on the ID card can be used for online identification. In simple terms, the web server tells the browser what kind of certificates it accepts. If the browser finds a matching certificate (integrated through government-issued ID card software), the authentication process begins automatically.
The certificates from the smart card are added to the browser’s “Your Certificates” list.
Apache Configuration Requirements for Client Authentication
Beyond a basic HTTPS setup, you need to configure these additional Apache directives:
- SSLCACertificateFile
- SSLCARevocationPath
- SSLVerifyClient
- SSLVerifyDepth
- SSLOptions
This guide is written for Ubuntu but can be applied to other Linux distributions with minor adjustments.
Building the Certificate Chain
First, you must gather the full certificate chain in PEM format.
This includes:
- The root certificate
- All intermediate certificates
- Any issuing CA certificates, if the chain has them
Where to find certificates?
- Trust service providers often make their public CA certificates available online.
- In the EU, for eIDAS-certified providers, you can find them here: EU Trust List Browser
If unsure which certificates are needed, you can monitor traffic on trusted government websites using Wireshark and analyze which certificates are requested.
Example Apache Configuration
```apache
# PEM bundle with the root, intermediate and issuing CA certificates
SSLCACertificateFile /etc/ssl/cacerts/ca_and_root_certs.pem
# Optional: revocation checking against CRLs
SSLCARevocationFile /etc/ssl/mycrl/all.crl
SSLCARevocationPath /etc/ssl/mycrl/
# leaf: check only the client certificate against the CRLs; chain also checks the CA certificates
SSLCARevocationCheck leaf
# optional: the handshake also succeeds with no certificate, so the application must check SSL_CLIENT_VERIFY
SSLVerifyClient optional
# How many CA levels above the client certificate may be traversed
SSLVerifyDepth 3
# Export the SSL_* variables (and the PEM client certificate) to CGI scripts and backends
SSLOptions +StdEnvVars +ExportCertData
```
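Because `SSLVerifyClient optional` lets the handshake complete without a client certificate, the application behind Apache has to check the variables that `SSLOptions +StdEnvVars` exports before it trusts an identity. The WSGI handler below is an added example, not part of the original guide; the accepted issuer list and the sample environments are constructed for illustration.

```python
# Added example: gate a request on the mod_ssl variables exported by
# "SSLOptions +StdEnvVars" when "SSLVerifyClient optional" is in use.
from typing import Optional

# Issuer CNs we accept. Constructed for this example from the CA names the
# guide lists; adjust to the CAs actually in SSLCACertificateFile.
TRUSTED_ISSUER_CNS = {"ESTEID2018", "ESTEID-SK 2015", "ESTEID-SK 2011"}


def client_identity(environ: dict) -> Optional[dict]:
    """Return the verified client's identity, or None.

    mod_ssl sets SSL_CLIENT_VERIFY to NONE (no certificate offered),
    SUCCESS (chain verified against SSLCACertificateFile), GENEROUS or
    FAILED:<reason>. Only SUCCESS counts as an authentication.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer_cn = environ.get("SSL_CLIENT_I_DN_CN", "")
    if issuer_cn not in TRUSTED_ISSUER_CNS:
        # Verified under some other CA in the bundle: not an ID-card
        # certificate, so do not trust its subject DN.
        return None
    subject = environ.get("SSL_CLIENT_S_DN", "")
    if not subject:
        return None
    return {
        "subject": subject,
        "common_name": environ.get("SSL_CLIENT_S_DN_CN", ""),
        "issuer": issuer_cn,
        "serial": environ.get("SSL_CLIENT_M_SERIAL", ""),
    }


def application(environ, start_response):
    """Minimal WSGI app: 401 unless a verified ID-card certificate was sent."""
    identity = client_identity(environ)
    if identity is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"authenticated as {identity['common_name']}\n".encode()]


# Constructed sample environments in the shape mod_ssl populates them.
OK_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=EXAMPLE USER,O=ESTEID,C=EE",
    "SSL_CLIENT_S_DN_CN": "EXAMPLE USER",
    "SSL_CLIENT_I_DN_CN": "ESTEID2018",
    "SSL_CLIENT_M_SERIAL": "0A1B2C",
}
NO_CERT_ENV = {"SSL_CLIENT_VERIFY": "NONE"}
```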
Updating Certificate Revocation Lists (CRLs)
Since national ID card certificates can be revoked (for example when the card is lost or stolen), it is crucial to check CRLs (Certificate Revocation Lists) regularly.
Most certificates contain a URL pointing to the relevant CRL. These CRLs are updated periodically, so you must automate fetching and updating them.
How to Convert and Prepare CRLs
1. Convert downloaded CRLs to PEM format:
```bash
# Convert each downloaded DER CRL to PEM, writing to a new file so the DER original is not overwritten mid-read
for f in *.crl; do openssl crl -in "$f" -inform DER -out "${f%.crl}.pem.crl"; done
```
2. Create symlinks based on filename hashes:
```bash
# Apache looks CRLs up by the hash of the issuer name, so link each PEM CRL as <hash>.r0
for f in *.pem.crl; do ln -s "$f" "$(openssl crl -hash -noout -in "$f").r0"; done
```
Example CRL Update Script
Below is an example script to automate CRL updates and reload Apache after updating:
```bash
#!/bin/bash
# Fetch the CRLs, convert them to PEM, rebuild the hash symlinks Apache
# needs and reload Apache. Intended to run from cron.
set -euo pipefail
cd /etc/ssl/mycrl/

# --timestamping only downloads a CRL when the server copy is newer
for url in https://c.sk.ee/eeccrca.crl https://c.sk.ee/esteid2011.crl \
           https://c.sk.ee/esteid2015.crl https://c.sk.ee/EE-GovCA2018.crl \
           https://c.sk.ee/esteid2018.crl https://c.sk.ee/eid2011.crl; do
    wget --timestamping --no-if-modified-since "$url"
done

# Convert the downloaded DER CRLs to PEM (skip files that are already PEM)
for f in *.crl; do
    case "$f" in *.pem.crl|all.crl) continue ;; esac
    openssl crl -in "$f" -inform DER -out "${f%.crl}.pem.crl"
done

# Merge all CRLs into one file for SSLCARevocationFile
cat ./*.pem.crl > all.crl

# Recreate the per-issuer hash symlinks for SSLCARevocationPath. Apache
# finds a CRL by the hash of its issuer, so every CRL needs its own link;
# hashing the concatenated file would only cover the first CRL in it.
rm -f ./*.r?
for f in *.pem.crl; do
    ln -s "$f" "$(openssl crl -hash -noout -in "$f").r0"
done

# Reload Apache to apply the new CRLs
/etc/init.d/apache2 reload
```
Debugging with Wireshark: TLS Client Certificate Requests
Using Wireshark, you can capture which CA certificates a website expects.
For example, when logging in with an Estonian ID card on eesti.ee (the Estonian government portal), the following CAs are requested:
- EID-SK 2011
- ESTEID-SK 2011
- ESTEID-SK 2015
- ESTEID2018
- EE Certification Centre Root CA
- EE-GovCA2018
These distinguished names are listed in the Certificate Request message, which Wireshark shows under TLS Handshake Protocol: Certificate Request.
Where to Download the Correct CA Certificates
The certificates can be downloaded from the SK ID Solutions repository:
→ SK Certificates Repository
Alternative: Authentication Without Client Certificates
It is also possible to authenticate users directly via a browser plugin without using client certificates.
However, that approach is beyond the scope of this guide — we will cover it separately in another article.