Setting up Lithuanian ID card authentication with Apache2 is relatively simple compared to many other systems.
There are:
- One Root CA certificate.
- Two sets of Card Signing CA certificates with different validity periods.
Key Differences Compared to Other Countries
- CRL (Certificate Revocation List) exists only for the Root Certificate.
- OCSP (Online Certificate Status Protocol) must be used to check the validity of each ID card during login.
- Users can be identified without OCSP, but doing so carries a security risk:
if an ID card is stolen and the PIN codes are compromised, identity theft becomes possible, because the server never learns that the card has been revoked.
Downloading the Certificates
All necessary certificates can be downloaded from:
→ http://www.nsc.vrm.lt/downloads_en.htm
Checking Acceptable CA Names with OpenSSL
You can check which CA certificates are accepted by the server with the following OpenSSL command:
openssl s_client -connect lt.eideasy.com:443
The output will list Acceptable client certificate CA names, for example:
C = LT, organizationIdentifier = 188778315, O = Asmens dokumentu israsymo centras prie LR VRM, CN = ADIC CA-A
C = LT, organizationIdentifier = 188778315, O = Asmens dokumentu israsymo centras prie LR VRM, CN = ADIC CA-B
C = LT, organizationIdentifier = 188778315, O = Asmens dokumentu israsymo centras prie LR VRM, CN = ADIC Root CA
Client Certificate Details
Supported Client Certificate Types
- RSA sign
- DSA sign
- ECDSA sign
Requested Signature Algorithms
- ECDSA+SHA256
- ECDSA+SHA384
- ECDSA+SHA512
- Ed25519
- Ed448
- RSA-PSS+SHA256
- RSA-PSS+SHA384
- RSA-PSS+SHA512
- RSA+SHA256
- RSA+SHA384
- RSA+SHA512
- (and others)
Peer Certificate Info (example)
- Peer signing digest: SHA256
- Peer signature type: RSA-PSS
- Server Temp Key: X25519, 253 bits
Information Read from the Lithuanian ID Card
When the card is used for login, the server can read the following fields:
Field: Example Value
SSL_CLIENT_S_DN_C: LT
SSL_CLIENT_S_DN_CN: FIRSTNAME LASTNAME
SSL_CLIENT_S_DN_S: LASTNAME
SSL_CLIENT_S_DN_G: FIRSTNAME
SSL_CLIENT_I_DN_C: LT
SSL_CLIENT_I_DN_O: Asmens dokumentu israsymo centras prie LR VRM
SSL_CLIENT_I_DN_CN: ADIC CA-B
SSL_CLIENT_VERIFY: SUCCESS
SSL_CLIENT_M_VERSION: 3
SSL_CLIENT_M_SERIAL: 4DD4DF49BA4CD9F8000000043123
SSL_CLIENT_V_START: Nov 18 07:35:10 2016 GMT
SSL_CLIENT_V_END: Nov 18 07:35:10 2019 GMT
SSL_CLIENT_V_REMAIN: 890
SSL_CLIENT_S_DN: serialNumber=3YYMMDDXXXX, GN=FIRSTNAME, SN=LASTNAME, CN=FIRSTNAME LASTNAME, C=LT
SSL_CLIENT_I_DN: CN=ADIC CA-B, O=Asmens dokumentu israsymo centras prie LR VRM, 2.5.4.97=#1309313838373738333135, C=LT
SSL_CLIENT_A_KEY: rsaEncryption
SSL_CLIENT_A_SIG: sha256WithRSAEncryption
SSL_CLIENT_CERT_RFC4523_CEA: { serialNumber..., issuer rdnSequence:... }
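In the table above, serialNumber appears only inside SSL_CLIENT_S_DN, so an application behind Apache has to parse that string to get a stable identifier. The following Python is an added example, not code from the original page: it accepts a login only when Apache reports SUCCESS and the issuer is one of the card-signing CAs, then extracts the serialNumber. The names parse_dn, identify, CardAuthError and SAMPLE are hypothetical, the sample serial is constructed, and the 11-digit serialNumber format is an assumption based on the page's 3YYMMDDXXXX placeholder.

```python
import re

# Card-signing CA names taken from the s_client output on this page.
CARD_SIGNING_CAS = {"ADIC CA-A", "ADIC CA-B"}


class CardAuthError(Exception):
    """The request must not be treated as authenticated."""


def parse_dn(dn):
    """Split a DN string into {attribute: value}, honouring escaped commas."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):  # commas not preceded by a backslash
        key, sep, value = part.strip().partition("=")
        if not sep or not key:
            raise CardAuthError(f"malformed DN component: {part!r}")
        if key in attrs:  # strict choice: an ambiguous subject is rejected
            raise CardAuthError(f"duplicate DN attribute: {key}")
        attrs[key] = re.sub(r"\\(.)", r"\1", value)  # drop escape backslashes
    return attrs


def identify(environ):
    """Return the card holder's identity from mod_ssl variables, or raise."""
    # Apache does the chain validation (and OCSP, if configured); trust only its verdict.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise CardAuthError("client certificate was not verified")
    # Only the card-signing CAs are expected as direct issuers of card certificates.
    if environ.get("SSL_CLIENT_I_DN_CN") not in CARD_SIGNING_CAS:
        raise CardAuthError("issuer is not a card-signing CA")
    subject = parse_dn(environ.get("SSL_CLIENT_S_DN", ""))
    serial = subject.get("serialNumber", "")
    # Assumption: serialNumber is 11 digits, per the page's 3YYMMDDXXXX placeholder.
    if subject.get("C") != "LT" or not re.fullmatch(r"[0-9]{11}", serial):
        raise CardAuthError("subject lacks a valid serialNumber")
    # Key the account on serialNumber; names (CN/GN/SN) are not unique.
    return {"id": serial, "given_name": subject.get("GN"), "surname": subject.get("SN")}


# Constructed sample mirroring the field table above (the serial is made up).
SAMPLE = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN_CN": "ADIC CA-B",
    "SSL_CLIENT_S_DN": "serialNumber=39001011234, GN=FIRSTNAME, SN=LASTNAME, "
                       "CN=FIRSTNAME LASTNAME, C=LT",
}

if __name__ == "__main__":
    print(identify(SAMPLE))
```

This check does not replace revocation checking: it relies on Apache having already validated the chain and queried OCSP before setting SSL_CLIENT_VERIFY.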