Federal Office for Information Security (BSI)

The German Country Signing Certificate Authority (CSCA)

This website contains information on the German CSCA operated by the Federal Office for Information Security (BSI).

The distinguished name of the CSCA is C=DE, O=bund, OU=bsi, CN=csca-germany.

CSCA Public Key Certificates

The CSCA uses two types of key pairs: a main key pair and a number of backup key pairs. The main key pair is used to issue Document Signer certificates. Backup key pairs are only used for disaster-recovery, i.e. in the unlikely case that the main key pair becomes unusable, the first backup key pair will become the new main key pair etc.

DER encoded certificates for the CSCA public keys can be found below. The information required to verify the authenticity of the following certificates is also available in authentic printed form upon request.

Certificate Rollover

The next rollover of the CSCA certificate is planned for 2019.

Main Public Key Certificate (Certificate 08/2016)

The current main public key is available as self-signed certificate, and as link certificate, verifiable by the previous public key (i.e. with relative distinguished name SN=101).

The public key has the relative distinguished name SN=103 and the SHA-1 fingerprint 1B:C7:50:B1:47:A7:55:FA:2F:25:79:20:6E:55:D2:2F:E2:E4:27:9E.

The self-signed certificate of the main public key has the
SHA-1 fingerprint 2C:EE:4F:E5:3C:85:99:E1:6D:96:BD:2C:15:0A:2A:25:CB:07:5C:F8.

The link certificate of the main public key has the
SHA-1 fingerprint 6D:AD:7A:DC:65:30:17:53:30:96:02:EE:12:3F:05:6D:F0:CC:6F:DC.

Previous Public Key Certificate(s)

CSCA Master List

The current German CSCA Master List can be downloaded here as a zip archive.

Certificate Revocation List (CRL)

The certificate revocation list is empty.
If you encounter any problems while downloading the CRL, please contact the CSCA (see below).

Arrival Attestation Signer Certificate

The certificate for verifying the signature of the barcode printed on the Arrival Attestation has the
SHA-1 fingerprint AA:1D:96:2E:45:29:BD:D8:66:25:2E:12:83:04:30:E1:24:33:CE:8B

The certificate for verifying the signature of the barcode printed on the Arrival Attestation (valid since 15th November 2016) has a
SHA-1 "fingerprint" 9D:93:7F:B1:95:ED:5A:AE:DC:D3:FC:79:92:F4:BB:74:0B:E2:09:1E

Communication with the CSCA

The primary communication channel with the CSCA is email csca-germany@bsi.bund.de.
You can also encrypt your messages to the specified email address S/MIME Zertifikat. The addresses for the primary communication channel is indicated in the SubjectAlternativeName extension of the certificates. The secondary communication channel is fax: +49228 9582 5722.

Incoming Information

The information the CSCA is prepared to receive includes, but is not limited to, CSCA link certificates, CRLs and Certification Requests. All received information will be acknowledged.

Outgoing Information

The information the CSCA sends out includes, but is not limited to, DS certificates, CRLs and notifications after backup key activation.

Unless a communication channel with a relying party is already established (e.g. the email address is known from the SubjectAlternativeName extension contained in a CSCA certificate) registration with the CSCA is required to receive such information. The registration should include at least an email address and a proof of origin.

Note on the use of cookies

Cookies facilitate the provision of our services. By using our services, you agree that we use cookies. For more information on privacy, please visit the following link Data protection statement