Test infrastructure -- Background system

The eID infrastructure represents the foundation for use of the eID function. This infrastructure is in turn based on a public key infrastructure (PKI) for authorisation certificates, as well as on a card blocking system. The three components these elements require -- the PKI root, the authorisation certificate authorities, and the card blocking service -- make up the background system of the eID infrastructure.

PKI root

The German electronic ID cards currently in use require two public key infrastructures: a document PKI (CSCA) for verifying the authenticity of electronic ID cards and an authorisation PKI (CVCA-eID) to serve as a national trust anchor for attempts to access the eID function. The BSI operates the two PKI root authorities that issue the respective root certificates.

Development system

To support testing during development and the piloting of new specifications, the BSI runs a beta PKI. This infrastructure issues certificates that can be used during such tests. The BSI makes changes to the beta PKI when required.

Test system

For further testing and system integration purposes, the BSI also provides access to a test PKI. Before changes are made to the actual PKI, they are carried out in the test PKI. As a result, for a brief period of time the test PKI does not fully mirror the actual PKI.

Active system

For the production system, the BSI provides the actual PKI. Alongside real-world operations, final positive tests can be conducted on individual components in the actual PKI.

Authorisation certificate providers

Authorisation certificate providers make technical authorisation certificates available to corresponding service providers. An authorisation certificate specifies the data a given service provider can request from an ID card when its holder is using the eID function.

Test and development system

Eligible interested parties can contact the BSI in order to be registered as authorisation certificate providers in both the beta PKI and the test PKI. Once registered, they will receive a Document Verifier (DV) certificate for operating a document verifier in the corresponding PKI. They will then be able to issue their customers technical authorisation certificates for the test or development system.

Further information on becoming registered as an authorisation certificate provider is available on the BSI website under CVCA-eID Test Certification.

Active system

Authorisation certificates for production operations can be obtained from the known authorisation certificate providers. The document verifiers registered in the production system must also make regular contributions to the test system and enable their customers to do the same.

Card blocking service

The card blocking service maintains a central list of blocking keys pertaining to lost ID cards for which the eID function was activated. Authorisation certificate providers can obtain this continuously updated block list from the Federal Office of Administration.

Development system

The development system does not require a test element for the card blocking service.

Test system

For the test system, a test element is not operated for the card blocking service.

Active system

The card blocking service in the production system is operated by the Federal Office of Administration (BVA). Further information is available (in German) on the website of the BVA under Sperrdienst und Sperrmanagement.