The certification chain for Portugal's national ID card (Cartão de Cidadão) is notably complex and requires careful setup. Here’s a structured breakdown:
Root Certificates
There are two root certificates you need to be aware of:
- ECRaizEstado.crt
- Signed by: Baltimore CyberTrust Root
- Download: BaltimoreCyberTrustRoot.crt
- Serial Number: 120050507 (0x727d34b)
- Issuer:
C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
- Validity: Sep 9, 2015 – Sep 30, 2022
- Subject:
C=PT, O=SCEE, CN=ECRaizEstado
- ECRaizEstado002.crt
- A newer, self-signed root certificate introduced in April 2020.
You can find both certificates and more details at Portugal's eID certificates repository.
Verifying the Root Certificate
Before proceeding, verify that you have the correct root certificates:
$ openssl x509 -in ECRaizEstado.crt -out ECRaizEstado.crt.pem -inform DER -outform PEM
$ openssl x509 -in BaltimoreCyberTrustRoot.crt -out BaltimoreCyberTrustRoot.crt.pem -inform DER -outform PEM
$ openssl verify -CAfile BaltimoreCyberTrustRoot.crt.pem ECRaizEstado.crt.pem
# Output should be: ECRaizEstado.crt.pem: OK
Intermediate Certificates
There are currently six intermediate certificates, although one is expired.
Download them from this repository.
Valid certificates include:
- Cartão de Cidadão 002: 30/05/2013 – 30/05/2025
- Cartão de Cidadão 003: 22/04/2014 – 22/04/2026
- Cartão de Cidadão 004: 15/09/2017 – 15/09/2029
- Cartão de Cidadão 005: 19/07/2019 – 09/06/2030
- Cartão de Cidadão 006: 20/03/2020 – 20/03/2034
(One intermediate certificate has expired and can be ignored.)
Card Authentication Certificates (Subordinate CAs)
The intermediate certificates above issue authentication certificates for the actual ID cards.
You can download the current ones from this repository.
Examples of valid authentication certificates:
- EC de Autenticação do Cartão de Cidadão 0013: Valid until 17/08/2029
- EC de Autenticação do Cartão de Cidadão 0014: Valid until 01/03/2030
- EC de Autenticação do Cartão de Cidadão 0015: Valid until 27/06/2030
- EC de Autenticação do Cartão de Cidadão 0016: Valid until 14/05/2031
- EC de Autenticação do Cartão de Cidadão 0017: Valid until 06/02/2032
- (Older/expired ones like 0009–0012 can be ignored.)
Final Setup
To complete your setup:
- Compile the following into one PEM file:
- Baltimore CyberTrust Root
- 2x Root certificates (ECRaizEstado and ECRaizEstado002)
- 5x Intermediate certificates
- 9x Card signing certificates
- Configure CRLs or OCSP checking for certificate validity.
- Integrate with your server (for example, using this Apache2 e-ID client certificate guide).
Need Help?
If you need any assistance integrating the Portuguese Cartão de Cidadão into your system, feel free to reach out at info@eideasy.com.
We're ready to support your project!