In brief: To verify data from an ePassport or another electronic identity document, businesses need trusted certificates. The main certificate sources are the ICAO PKD, national authorities, trusted master lists such as the German BSI CSCA Master List, and certificates published directly by issuing countries.
Processing electronic identity documents isn't just for border control and aviation any more. Banks, for instance, are increasingly finding themselves in need of such technology.
Let’s take the case of European banking. This sector operates under the guidelines developed by the European Telecommunications Standards Institute (ETSI), which oversees all aspects of identity verification. These standards recommend the use of electronic documents as the most secure method for verifying identities.
Electronic documents store personal and biometric data that is digitally signed. To verify the authenticity of the data, you need to verify both the data signature and the full certificate chain up to the root certificate. Without the right certificates for each issuing country whose citizens you do business with, you cannot reliably verify electronic documents.
This article clarifies what these certificates are, and how businesses can get them to make sure their electronic documents are verified correctly.
What certificates are used to verify data encoded in electronic documents?
A certificate is a public key from an asymmetric key pair and its metadata: who made it, who signed it, how long it will be valid, the origin, and so on. Any certificate consists of metadata, a key, and a signature so that it can be verified.
A certificate is required to verify electronic documents (eMRTDs), and enables secure authentication and integrity checks. The standard pipeline for authentication of data encoded in a chip includes two certificate types:
- Document Signer (DS) certificate — used for digitally signing the data files the personalized document contains. A DS certificate is required to verify the digital signature on an eMRTD. The document signature is an encrypted hash of data that can only be decrypted with a public key.
- Country Signing Certificate Authority (CSCA) certificate — used to sign all DS certificates in the country for specific needs. CSCA certificates are the root of trust certificates in the chain of trust for electronic document signature processes.
When issuing an electronic document, the CSCA private key digitally signs the DS Certificate. The DS private key digitally signs the document’s Document Security Object (SOD). Together, these signatures create a chain of trust.
To fully trust an electronic document, say an ePassport, and confirm the authenticity of the entire process, you need to retrieve the Document Security Object from the chip and verify the signature against the DS certificate, and the DS certificate signature against the CSCA certificate provided by the particular country's issuing authority.
Chain of trust for verifying electronic documents.
Certificate lists used in verification
For convenience, all available certificates are usually grouped into several lists. Here are the most important ones:
- Master list. This is a compilation of the CSCA certificates that are considered trustworthy by the entity that issued the list; the list is digitally signed by that issuing party. The entity that provides the Master list should also be considered trustworthy.
- Certificate Revocation List (CRL). This is a file that lists which certificates were revoked by the issuing authority and are no longer trusted. Simply put, if you take all available certificates and then subtract the relevant CRLs from them, you’ll get the current list that can be used for document verification.
How are certificates used for electronic document chip verification?
The process of verifying the chip data, including its authenticity and integrity, is called Passive Authentication. It’s done by verifying the digital signature on the document using the public keys of the issuing state. This is why access to the corresponding DS and CSCA certificates is needed.
According to the BSI Technical Guideline, the process of passive authentication includes four steps:
- Read the Document Security Object from the document chip. This is a file that stores hash values of all files stored in the chip (picture, fingerprint, etc.) and a digital signature of these hashes.
- Retrieve the corresponding DS, CSCA Certificates, and the corresponding Certificate Revocation List.
- Verify the DS Certificate and the signature of the Document Security Object.
- Compute hash values of read data groups and compare them to the hash values in the Document Security Object.
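The last step of that list, as an added example (not code from the BSI guideline or from Regula): it parses a DER-encoded LDSSecurityObject, the signed content carried inside the Document Security Object, and rehashes the data groups read from the chip. The function names, the minimal DER reader and the sample bytes are constructed for illustration, and the result means something only after the previous step has verified the SOD signature and the DS and CSCA certificates.

```python
import hashlib

# DER-encoded OID contents (2.16.840.1.101.3.4.2.x) -> hashlib name
HASH_OIDS = {bytes.fromhex("6086480165030402" + x): h
             for x, h in (("01", "sha256"), ("02", "sha384"), ("03", "sha512"))}

def tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def read_tlvs(buf):
    """Split a DER buffer into (tag, value) pairs; reject truncated input."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def parse_lds_security_object(der):
    """Return (hash name, {data group number: expected digest})."""
    (_, body), = read_tlvs(der)  # exactly one outer SEQUENCE, no trailing bytes
    _version, alg, dg_hashes = read_tlvs(body)[:3]
    name = HASH_OIDS[read_tlvs(alg[1])[0][1]]  # KeyError: unsupported digest
    pairs = [read_tlvs(entry) for _, entry in read_tlvs(dg_hashes[1])]
    return name, {int.from_bytes(num[1], "big"): dig[1] for num, dig in pairs}

def check_data_groups(lds_der, data_groups):
    """Rehash each data group read from the chip; False = mismatch or not listed."""
    name, expected = parse_lds_security_object(lds_der)
    return {n: n in expected and hashlib.new(name, raw).digest() == expected[n]
            for n, raw in data_groups.items()}

# Constructed sample: stand-in bytes for DG1 and DG2, not real chip data
DG1, DG2 = b"constructed DG1", b"constructed DG2"
SAMPLE_LDS = tlv(0x30, tlv(0x02, b"\x00")
    + tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")) + tlv(0x05, b""))
    + tlv(0x30, b"".join(tlv(0x30, tlv(0x02, bytes([n])) + tlv(0x04, hashlib.sha256(d).digest()))
                         for n, d in ((1, DG1), (2, DG2)))))
```

A data group that the chip returns but the Document Security Object does not list comes back as `False`, the same as a hash mismatch, so unsigned content is never accepted.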
For in-depth technical details, please refer to the two main resources on passive authentication:
Where do certificates for verification of electronic documents come from?
There are several ways to obtain the necessary certificates for electronic document verification. Below, we’ll cover all of them, but whether any particular one is sufficient for passing particular certifications is left to your discretion.
Source #1: Applying to the ICAO PKD
The ICAO PKD is a central repository for the global exchange of the information required to authenticate electronic documents, such as ePassports and electronic ID cards. Given the internationally recognized authority of the ICAO organization and the transparency of the sources, this is the most trustworthy centralized hub for obtaining certificates.
Initially, the service was intended for the aviation industry. The idea was to create a single trusted database where countries issuing electronic documents would share the certificates so other countries could easily verify them.
As of now, the ICAO PKD database has certificates from 109 states/entities, and the ICAO is working to get certificates from as many countries as possible. Despite the efforts, not every country is a PKD member. For instance, Portugal, Malta, and Guatemala aren’t yet on the list.
What does the ICAO PKD contain?
ICAO provides downloadable master lists and software to inspect them.
- The ICAO Master List with CSCA public key certificates from ICAO PKD members. At the time of publishing this article, ICAO’s latest Master List was issued in March 2026 and contains 547 certificates.
- The ICAO Health Master List, which is used for electronic health proofs, such as vaccination, testing, or recovery certificates used in international travel. This is separate from ePassport verification.
To work with these lists, ICAO offers ML Explorer. The software can read ICAO Master Lists and extract certificates from them.
The ICAO CA certificate and the Certificate Revocation List are also available separately on ICAO’s site. These help verify the signing certificate used for the ICAO Health Master List.
ML Explorer lets you filter all the available certificates by country.
How can businesses use the ICAO PKD for electronic document verification?
Here’s the tricky part. In general, access to the PKD is open, so you can access the current certificate lists at any moment and download them to your computer.
However, the Terms and Conditions explicitly state that you cannot use this access for commercial purposes. In fact, this open resource serves testing and trial purposes, but cannot be used in any product or service of a commercial nature. You cannot use any means of automation to scrape or parse these files either.
Pilot project for the private sector
The ICAO has been testing private-sector use of PKD data through a pilot launched in 2021. Under the pilot, authorized private-sector entities may use PKD data to validate electronic travel documents and/or health proofs within travel-related processes. ICAO says 50 companies currently participate in the pilot.
In 2025, the PKD Board approved a full-scale paid programme for private-sector users, expected to replace the pilot in 2026. At the moment, new pilot participants aren’t accepted, but enrolments should begin around May or June 2026.
Source #2: Applying through your government authorities
This is the option for large-scale businesses that operate in highly regulated industries such as Banking and Finance.
If you need to have access to the ICAO PKD to pass official certifications and use it for document verification processes at scale, there’s no other workaround but to enlist the support of your national authorities that issue identity documents, and who might be PKD members. Since the ICAO doesn’t restrict what a government authority might do with PKD data, such an authority might agree to provide you with data under that membership process.
Source #3: Applying to alternative organizations
As an alternative to the ICAO PKD, there’s a German organization called the Federal Office for Information Security (BSI), which provides a CSCA master list. The current BSI master list contains CSCA certificates from 114 countries.
Commercial use may be permitted as long as the list isn’t used for advertising and doesn’t create the appearance of cooperation with the BSI.
As always, however, there’s one “but”:
Although the BSI is a well-known trusted organization, one peculiarity of using its master list is that its management and maintenance are less transparent compared to the ICAO PKD. The organization doesn’t disclose its sources, nor can you find a change log of the master list to get an idea of how often it’s updated.
For some companies, that might prevent them from using the data in their procedures. For example, if you use the BSI master list, you won't be compliant with the ETSI requirements for qualified electronic signatures (QES).
As of May 5, 2026, the BSI Master List includes 580 CSCA certificates.
In this case, you need to individually apply to each country’s authorities for current certificates and wait till they send you a file with a certificate via diplomatic channels. Although this method isn’t impossible, it’s only feasible for a small number of organizations.
However, there’s an easier approach: many countries provide their CSCA certificates for public access. For example:
If your company operates worldwide, manually scraping information from various countries’ passport office sites might not be the most convenient option. But if you target just one country and it provides its CSCA to the public, that might not be a big issue.
CSCA certificates may be published on official government portals, such as immigration, interior ministry, or passport authority websites.
Already have access to trusted CSCA certificates?
Regula Document Reader SDK supports electronic document authentication using CSCA and DS certificates from the ICAO PKD or other trusted sources. With Regula's solutions, businesses can establish fully remote workflows that not only comply with the ETSI and eIDAS standards, but also provide an outstanding customer onboarding experience.
If you’re looking to achieve a significant upgrade in how you verify your customers, reach out to the Regula team, and we’ll be more than happy to assist you with this important task.
