Portugese Cartão de Cidadão Electronic Identification Online

Explore the complex certification chain of Portugal's national ID card, featuring root and intermediate certificates, and learn how to integrate them for authentication.

14 May
,
2020
28 Apr
,
2025
# min read
Portuguese Citizen Card on a wooden table, showcasing personal identification details and national emblem

The certification chain for Portugal's national ID card (Cartão de Cidadão) is notably complex and requires careful setup. Here’s a structured breakdown:

Root Certificates

There are two root certificates you need to be aware of:

  1. ECRaizEstado.crt
    • Signed by: Baltimore CyberTrust Root
    • Download: BaltimoreCyberTrustRoot.crt
    • Serial Number: 120050507 (0x727d34b)
    • Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
    • Validity: Sep 9, 2015 – Sep 30, 2022
    • Subject: C=PT, O=SCEE, CN=ECRaizEstado
  2. ECRaizEstado002.crt
    • A newer, self-signed root certificate introduced in April 2020.

You can find both certificates and more details at Portugal's eID certificates repository.

Verifying the Root Certificate

Before proceeding, verify that you have the correct root certificates:

$ openssl x509 -in ECRaizEstado.crt -out ECRaizEstado.crt.pem -inform DER -outform PEM
$ openssl x509 -in BaltimoreCyberTrustRoot.crt -out BaltimoreCyberTrustRoot.crt.pem -inform DER -outform PEM
$ openssl verify -CAfile BaltimoreCyberTrustRoot.crt.pem ECRaizEstado.crt.pem
# Output should be: ECRaizEstado.crt.pem: OK

Intermediate Certificates

There are currently six intermediate certificates, although one is expired.
Download them from this repository.

Valid certificates include:

  • Cartão de Cidadão 002: 30/05/2013 – 30/05/2025
  • Cartão de Cidadão 003: 22/04/2014 – 22/04/2026
  • Cartão de Cidadão 004: 15/09/2017 – 15/09/2029
  • Cartão de Cidadão 005: 19/07/2019 – 09/06/2030
  • Cartão de Cidadão 006: 20/03/2020 – 20/03/2034

(One intermediate certificate has expired and can be ignored.)

Card Authentication Certificates (Subordinate CAs)

The intermediate certificates above issue authentication certificates for the actual ID cards.
You can download the current ones from this repository.

Examples of valid authentication certificates:

  • EC de Autenticação do Cartão de Cidadão 0013: Valid until 17/08/2029
  • EC de Autenticação do Cartão de Cidadão 0014: Valid until 01/03/2030
  • EC de Autenticação do Cartão de Cidadão 0015: Valid until 27/06/2030
  • EC de Autenticação do Cartão de Cidadão 0016: Valid until 14/05/2031
  • EC de Autenticação do Cartão de Cidadão 0017: Valid until 06/02/2032
  • (Older/expired ones like 0009–0012 can be ignored.)

Final Setup

To complete your setup:

  1. Compile the following into one PEM file:
    • Baltimore CyberTrust Root
    • 2x Root certificates (ECRaizEstado and ECRaizEstado002)
    • 5x Intermediate certificates
    • 9x Card signing certificates
  2. Configure CRLs or OCSP checking for certificate validity.
  3. Integrate with your server (for example, using this Apache2 e-ID client certificate guide).

Need Help?

If you need any assistance integrating the Portuguese Cartão de Cidadão into your system, feel free to reach out at info@eideasy.com.
We're ready to support your project!

More latest articles

See all news
See all news