Document Verifiers (DV)

Creating domestic Document Verifiers (DVs) is as straightforward as creating a SubCA to your CVCA, using a SubCA certificate profile.

You can sign foreign DVs by treating them as regular End Entities: create an end entity and choose a SubCA certificate profile when adding it. You can then process the certificate requests received from the foreign DV as regular end entity certificate requests:

  • Using the Public Web GUI
  • Using the WS CLI clientToolBox CvcWsRaCli
  • Using the WS-API cvcRequest method from your own client

You can also create foreign DVs as external SubCAs. Note however that an advantage of handling foreign DVs as end entities is that you can process and renew them using the same WS-API as you can use for inspection systems.

You can create a DV to be signed by a foreign CVCA by creating a new CA and selecting Signed By=External CA. You need the CVCA certificate of the foreign CVCA to create the request to be sent. When creating this CA a self-signed CV certificate request is created.

You can at any time create a CV certificate request from a DV by going into Edit Certificate Authorities and clicking Make Certificate Request. This generates a CSR signed with the keys in the CA's keystore. When you receive the signed certificate back, you can feed it to your IS system. There is no need (or way) to import it into EJBCA.

You can renew a DV by going into Edit Certificate Authorities and clicking Renew CA. By uploading the certificate of the CA that is to sign the new certificate, you can get a new CSR created. You can import the received certificate by clicking Receive Certificate Response. You only have to (or can) import one issued certificate to make your DV operational. If you get a DV signed by multiple CVCAs, you can distribute the certificates other than the main DV certificate to the ISs (or ATs or STs) by other means.

By specifying the CA token's password and enabling Renew Keys, the DV will generate new keys. This works for both soft CA tokens and PKCS#11 CA tokens. The renewal CSR is not signed with the old keys, but that can be done manually.

DVs have short validity periods and it can be useful to have them automatically renewed. You can use the EJBCA service Renew CA Service to automatically renew CAs. For more information, see Renew CA Service.

DV Naming Conventions

An important feature of Extended Access Control (EAC) PKI is creating DVs for multiple foreign countries. This is the case where one country, in order to read fingerprints from other countries' travel documents, has (one or more) DVs signed by the other countries' CVCAs. The standards are deliberately open-ended as to how to implement this, and which naming conventions to use.

The recommended way to configure this in EJBCA is to create one DV for each foreign country whose fingerprints should be read. That is, having one DV (SubCA) for each country, signed by that country's CVCA (Root CA).

The following naming conventions can be used to create DVs in EJBCA, where each DV is signed by an External CA, being the other country's CVCA. The DV name has the form Country/Mnemonic/Sequence, where the Mnemonic can be arbitrary.

Some examples:

  • SE/NDVCA01/GR001 (DV set up in Sweden, to be signed by Greek CVCA)
  • SE/NDVCA02/NO001 (DV set up in Sweden, to be signed by Norwegian CVCA)
  • SE/ESDVCA01/00001 (DV set up in Sweden, to be signed by Spanish CVCA)
  • etc

There is flexibility in the Mnemonic, which can be 1-9 characters long. There is also flexibility in the Sequence, that can use pure numeric sequences of 5 characters (00001, 00002, etc), or country code + numeric (SE001, SE002, etc), or country code + alphanumeric (hex) (SEA01, SEB01, SEB0F, etc). Each DV (SubCA) needs to have a unique combination of country and mnemonic, i.e. C and CN when creating the DV (SubCA).
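The rules above (a three-part Country/Mnemonic/Sequence name, a 1-9 character Mnemonic, a 5-character Sequence in one of three forms, and a unique Country + Mnemonic pair per DV) are easy to get wrong when many foreign DVs are set up by hand. The following is an added example, not EJBCA code, of a small validator that checks a planned list of DV names against those rules before the CAs are created. It assumes a two-letter uppercase country code and an alphanumeric Mnemonic; neither is stated on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: two-letter uppercase country code (the page only shows "SE").
COUNTRY_RE = re.compile(r"[A-Z]{2}")
# Page: Mnemonic is 1-9 characters. Assumption: alphanumeric.
MNEMONIC_RE = re.compile(r"[A-Za-z0-9]{1,9}")
# Page: Sequence is 5 characters, in one of three forms.
SEQ_NUMERIC_RE = re.compile(r"[0-9]{5}")            # 00001, 00002, ...
SEQ_CC_NUMERIC_RE = re.compile(r"[A-Z]{2}[0-9]{3}")  # SE001, SE002, ...
SEQ_CC_HEX_RE = re.compile(r"[A-Z]{2}[0-9A-F]{3}")   # SEA01, SEB01, SEB0F, ...


@dataclass(frozen=True)
class DvName:
    country: str
    mnemonic: str
    sequence: str


def sequence_kind(sequence: str) -> Optional[str]:
    """Classify a Sequence, or return None if it matches no allowed form.

    Pure numeric is tested first: a value like SE001 would otherwise also
    match the country + hex form, since digits are valid hex characters.
    """
    if SEQ_NUMERIC_RE.fullmatch(sequence):
        return "numeric"
    if SEQ_CC_NUMERIC_RE.fullmatch(sequence):
        return "country+numeric"
    if SEQ_CC_HEX_RE.fullmatch(sequence):
        return "country+hex"
    return None


def parse_dv_name(name: str) -> DvName:
    """Split Country/Mnemonic/Sequence and validate each part."""
    parts = name.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected Country/Mnemonic/Sequence, got {name!r}")
    country, mnemonic, sequence = parts
    if not COUNTRY_RE.fullmatch(country):
        raise ValueError(f"bad country code {country!r} in {name!r}")
    if not MNEMONIC_RE.fullmatch(mnemonic):
        raise ValueError(f"mnemonic must be 1-9 alphanumeric chars: {name!r}")
    if sequence_kind(sequence) is None:
        raise ValueError(f"sequence {sequence!r} is not 5 chars in an allowed form")
    return DvName(country, mnemonic, sequence)


def find_duplicate_dvs(names: List[str]) -> List[Tuple[str, str]]:
    """Return (Country, Mnemonic) pairs used by more than one DV.

    Each DV (SubCA) needs a unique Country + Mnemonic (C and CN) combination;
    differing Sequence values do not make two such DVs distinct.
    """
    seen = set()
    duplicates: List[Tuple[str, str]] = []
    for name in names:
        dv = parse_dv_name(name)
        key = (dv.country, dv.mnemonic)
        if key in seen and key not in duplicates:
            duplicates.append(key)
        seen.add(key)
    return duplicates


if __name__ == "__main__":
    # The three example names from the text, plus one constructed clash.
    planned = [
        "SE/NDVCA01/GR001",
        "SE/NDVCA02/NO001",
        "SE/ESDVCA01/00001",
        "SE/NDVCA01/GR002",  # constructed: reuses Country + Mnemonic of the first
    ]
    for n in planned:
        dv = parse_dv_name(n)
        print(f"{n}: mnemonic={dv.mnemonic} sequence kind={sequence_kind(dv.sequence)}")
    print("duplicate C/CN pairs:", find_duplicate_dvs(planned))
```

Run the validator over the list of DV names you intend to create; any non-empty result from find_duplicate_dvs means two SubCAs would share the same C and CN and one of them needs a different Mnemonic, while a ValueError points at the name whose Mnemonic length or Sequence form does not fit the conventions.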