Country Signing Certificate Authority

The German Country Signing Certificate Authority

Germany's Country Signing Certificate Authority (CSCA) is operated by the Federal Office for Information Security. This authority regularly generates the German root certificates (CSCA certificates) whose private keys are used to sign the Document Signer certificates that are in turn used by the producer of German passports and ID cards to sign the data files these documents contain. The respective Document Signer certificate is also stored on an identity document in electronic form.

With the help of the root certificate, it is then possible to verify whether an electronic identity document was actually officially produced on behalf of the nation that issued it (in this case, the Federal Republic of Germany) and whether the data it contains has been changed in any way since its production.

In technical terms, this is implemented by means of Passive Authentication as part of ID checks and border controls.

To ensure that the authenticity and integrity of identity documents from different countries can also be determined at the international level by means of Passive Authentication, countries must exchange their CSCA certificates in a trustworthy manner.

This occurs either through diplomatic exchanges or with the help of master lists that are shared (among other means) via the International Civil Aviation Organization Public Key Directory (ICAO-PKD). A master list of this kind contains valid root certificates that are considered trustworthy by the entity that issued the list. These root certificates are usually those that pertain to the identity documents of the nation that issued the list, or the corresponding root certificates of other nations.

Germany's master list contains the CSCA certificates that are currently valid and trusted root certificates from more than 80 other countries. The German master list is available here on our website.

Once two nations have exchanged their root certificates in a trustworthy manner, their subsequent root certificates can also be exchanged by means of link certificates. A link certificate contains the public key and the name of the owner of a new root certificate, but is signed with the private key of the preceding root certificate and references the same certificate authority. While the validity period of a link certificate can be as long as that of the new root certificate in question, it is usually shorter.

This makes it possible to verify the authenticity and integrity of the new (self-signed) root certificate using the preceding root certificate and the link certificate.

The current German root certificate and the corresponding link certificate can also be found here on our website.
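
The link certificate check described above, as an added Go example that is not code from the BSI or ICAO: a new root is accepted only if a link certificate signed by the already trusted preceding root carries the new root's name and public key. All keys and certificates are constructed in memory; the CA name "Utopia CSCA" and the function names are hypothetical, and validity-period and revocation checks are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var csca = pkix.Name{Country: []string{"UT"}, CommonName: "Utopia CSCA"} // constructed, hypothetical CA name

// issue returns a constructed CA certificate that binds csca to pub and is signed by signer.
func issue(serial int64, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csca, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, signer) // t as parent: issuer name is csca as well
	c, err := x509.ParseCertificate(der)                             // a failed creation yields nil DER, caught here
	if err != nil {
		panic(err)
	}
	return c
}

// verifyRollover accepts newRoot only if link, signed by the trusted oldRoot, carries its name and key.
func verifyRollover(oldRoot, link, newRoot *x509.Certificate) error {
	if err := link.CheckSignatureFrom(oldRoot); err != nil {
		return fmt.Errorf("link not signed by preceding root: %w", err)
	}
	if !bytes.Equal(link.RawSubjectPublicKeyInfo, newRoot.RawSubjectPublicKeyInfo) ||
		!bytes.Equal(link.RawSubject, newRoot.RawSubject) {
		return fmt.Errorf("link does not carry the new root's key and name")
	}
	return newRoot.CheckSignatureFrom(newRoot) // the new root must also be validly self-signed
}

// demo checks a genuine rollover, a "link" not signed by the old root, and a substituted new root.
func demo() (genuine, forgedLink, swappedRoot error) {
	oldK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badK, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key of an untrusted party
	oldRoot, newRoot, badRoot := issue(1, &oldK.PublicKey, oldK), issue(2, &newK.PublicKey, newK), issue(9, &badK.PublicKey, badK)
	link := issue(3, &newK.PublicKey, oldK) // new key and name, signed with the preceding root's private key
	return verifyRollover(oldRoot, link, newRoot), verifyRollover(oldRoot, badRoot, badRoot), verifyRollover(oldRoot, link, badRoot)
}
func main() { fmt.Println(demo()) }
```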

Contacting the German CSCA

You can contact Germany's CSCA any time by sending an e-mail to csca-germany@bsi.bund.de.
To ensure encrypted communication, please use this S/MIME certificate. The e-mail address of the German CSCA can be found in the "SubjectAlternativeName" extension of the certificate.

You can also write to us here:

Bundesamt für Sicherheit in der Informationstechnik
Referat DI 14 / CSCA
Postfach 200363
53133 Bonn