
Connection to the system for authorisation certificates

Whether dealing with the authorities digitally, taking out insurance or opening an account – many online services require citizens to identify themselves clearly. The eID services allow users to verify their identity in a particularly secure and simple way by means of the online ID function. In order to operate an eID server as an eID service provider or to integrate an eID service into their own systems, however, public authorities and businesses need to be connected to the authorisation certificate system, referred to as the BerCA.

ID card data only accessible with permission

Would you like to integrate the online ID function into your own digital applications as an electronic method of identification for your customers and users? Are you interested in operating an eID server and offering it as a service for public authorities and companies? This means you are a service provider or eID service provider and need a connection to the system for authorisation certificates.

Connecting to the BerCA as a Service Provider

Service providers require authorisation to access data from the online ID card. The first step in obtaining authorisation is to go to the Federal Office of Administration (BVA), or more specifically, to its Issuing Office for Authorisation Certificates (VfB). Organisations wishing to become service providers must apply to the VfB for authorisation allowing them to access the ID card data. The VfB will decide which data you are allowed to access as a service provider, according to your business model.

After receiving your authorisation notice from the VfB, you can request connection to the BerCA of D-Trust. A BerCA is a system – called a public key infrastructure – for issuing authorisation certificates. The BerCA thus technically implements what the VfB decided in the authorisation notice.

Whenever an online service requests data from the online ID card for identification purposes, the service’s authorisation certificate is checked. Authorisation certificates are reissued to service providers on a daily basis. In addition, the global blacklist is processed and made available on a service-provider-specific basis. As a service provider, this means you can be sure that a presented ID card is not blocked.

Connecting to the BerCA as an eID Service Provider

As an eID service provider, you operate the hardware and software of an eID server and offer this as a service for integrating the online ID function for service providers. The eID server handles communication with the eID client (e.g., AusweisApp), the eID card chip and the service provider’s application. To check the authorisation of the application and the eID card, the eID server regularly obtains authorisation certificates and updated blacklists from the system for authorisation certificates. The connection to the BerCA needed by the eID service provider can be ordered from D-Trust.

Your benefits at a glance

  • Reliable security – daily generation of authorisation certificates and service-specific blacklists
  • Centralised – essential, technical element of the eID infrastructure required for identification services with online ID cards
  • Legally secure – certified BerCA complies with all applicable legal and technical requirements 
  • Complete package – authorisation certificate and eID service from a single source – only available from D-Trust

Product details

The BerCA is a core element of the German eID infrastructure and has to fulfil a large number of legal and technical requirements. D-Trust runs and maintains the system for authorisation certificates in accordance with BSI specifications, among other things.

Full legal certainty with BerCA provided by D-Trust

D-Trust’s BerCA complies with the technical BSI guidelines TR-03145 and TR-03129. Compliance is also maintained with the Certificate Policy formulated by the BSI Root Certification Authority CVCA-eID regarding the issuance of authorisation certificates.

Different use cases for digital identification

Depending on the use case, the German Act on Identity Cards and Electronic Identification specifies three different types of authorisation certificates. D-Trust offers all of them.

For online service providers: Identifying the customer on the Internet

  • You are an online service provider and have a corresponding notice from the authorisation certificate issuing agency according to Sec. 21 PAuswG.

For on-site service providers: Reading the customer’s ID card data at the POS

  • You are an on-site service provider and have a corresponding notice from the authorisation certificate issuing agency according to Sec. 21a PAuswG.

For identification service providers: Identifying customers on the Internet for third parties

  • You are an identification service provider and have a corresponding notice from the authorisation certificate issuing agency according to Sec. 21b PAuswG.

Frequently asked questions

You must first apply to the Issuing Office for Authorisation Certificates (VfB) of the Federal Office of Administration (BVA) to obtain an authorisation that allows service providers to read ID card data digitally. You can apply for an authorisation certificate on the BVA website. After receiving an approval notice from the VfB, you can then apply to D-Trust for connection to BerCA.

An Authorisation Certificate Authority (BerCA) is a Public Key Infrastructure (PKI) provider. BerCA providers such as D-Trust use this PKI to create, distribute and check authorisation certificates. BerCA generates authorisation certificates on a daily basis in accordance with the notices issued by the Issuing Office for Authorisation Certificates (VfB) to the respective service providers. In essence, the authorisation certificates are the technical counterpart of the notice.

Service providers who wish to use an eID service or who offer the operation of their own eID server require authorisation certificates and a connection to BerCA. Learn more about the D-Trust eID service.

No, BerCA does not make decisions about access authorisation. The authorisation certificates generated by BerCA are merely a technical reflection of the authorisation from VfB. The decision as to which ID card data a service provider may access is made by the Issuing Office for Authorisation Certificates (VfB).

Got questions about BerCA?

Our sales team will be happy to assist you.

Please feel free to contact us:

D-Trust
Team
+49 (0)30 2598 - 0
