Card Verifiable Certificate
Security
A compact certificate format defined by BSI TR-03110 used in eID and ePassport applications, optimized for smart card storage and verification without a full X.509 PKI stack.
What Is a Card Verifiable Certificate?
A Card Verifiable Certificate (CVC) is a compact digital certificate format designed specifically for smart card environments where storage space and processing power are constrained. Defined by BSI TR-03110 for European eID and ePassport applications, CVCs provide public-key authentication without the overhead of a full X.509 PKI stack.
CVCs are used extensively in PACE terminal authentication and chip authentication protocols, enabling a smart card to verify that the terminal requesting access is authorized -- and vice versa.
CVC vs X.509 Certificates
The key advantage of CVCs over X.509 certificates is their compact size and parsing simplicity:
| Attribute | CVC (TR-03110) | X.509 v3 |
|---|---|---|
| Typical size | 200-500 bytes | 1-3 KB |
| Encoding | Compact TLV | ASN.1 DER |
| Extensions | Minimal (role, validity) | Extensive |
| Parsing complexity | Low | High |
| Certificate chain | 2-3 levels | Unbounded |
| Target environment | Smart card chip | General purpose |
Structure
A CVC contains a minimal set of fields encoded in a compact TLV structure:
- Certificate Authority Reference (CAR) -- identifies the issuing CA
- Certificate Holder Reference (CHR) -- identifies the certificate subject
- Public key -- the subject's ECC or RSA public key
- Certificate Holder Authorization Template (CHAT) -- encodes the access rights granted to the holder (e.g., read DG1, read DG2, read fingerprint)
- Effective date and expiration date -- validity period
- Signature -- CA's signature over the certificate body
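The field layout listed above can be walked with a small BER-TLV reader. The following is an added example, not code from the original page or from BSI: the tag numbers are those assigned in TR-03110, while the function names, field labels and the sample certificate (placeholder key, all-zero signature) are constructed for illustration. It extracts the fields and checks the validity period only; it does not verify the signature.

```python
from datetime import date

FIELDS = {0x42: "car", 0x5F20: "chr", 0x7F49: "public_key",       # tags: TR-03110
          0x7F4C: "chat", 0x5F25: "effective", 0x5F24: "expiration"}  # names: ours

def read_tlv(buf, pos=0):                   # one BER-TLV -> (tag, value, next_pos)
    try:
        tag, pos = buf[pos], pos + 1
        more = tag & 0x1F == 0x1F               # multi-byte tag, e.g. 7F21
        while more:
            tag, pos = (tag << 8) | buf[pos], pos + 1
            more = bool(tag & 0x80)
        length, pos = buf[pos], pos + 1
        if length & 0x80:                       # long form: 81 nn or 82 nnnn
            n = length & 0x7F
            if n not in (1, 2):
                raise ValueError("unsupported length encoding")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    except IndexError:
        raise ValueError("truncated TLV header") from None
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def items(value, pos=0):                    # children of a constructed value
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def bcd_date(v):                            # six unpacked BCD digits, YYMMDD
    if len(v) != 6 or max(v) > 9:
        raise ValueError("malformed date")
    return date(2000 + 10 * v[0] + v[1], 10 * v[2] + v[3], 10 * v[4] + v[5])

def parse_cvc(raw, today):
    tag, cert, end = read_tlv(raw)
    top = dict(items(cert)) if tag == 0x7F21 and end == len(raw) else {}
    body = {FIELDS[t]: v for t, v in items(top.get(0x7F4E, b"")) if t in FIELDS}
    if set(top) != {0x7F4E, 0x5F37} or set(body) != set(FIELDS.values()):
        raise ValueError("not a well-formed CV certificate")
    start, stop = bcd_date(body["effective"]), bcd_date(body["expiration"])
    return {"car": body["car"].decode("ascii"), "chr": body["chr"].decode("ascii"),
            "chat": body["chat"].hex(), "not_before": start, "not_after": stop,
            "in_validity": start <= today <= stop}

# Constructed sample: placeholder key, all-zero signature (it will not verify).
SAMPLE = bytes.fromhex("7f21819e7f4e58" "5f290100" "420b4445435643413030303031"
    "7f4913060a04007f0007020202020386050401020304" "5f200b44455445524d3030303031"
    "7f4c0e060904007f000703010201530103" "5f2506020400010001" "5f2406020400040001"
    "5f3740") + bytes(64)
```

The parser rejects trailing bytes, truncated objects and indefinite-length encodings instead of guessing, which is the behaviour a verifier needs before any signature check is attempted.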
Application in eID and ePassport
In ePassport systems compliant with ICAO 9303, CVCs play two critical roles:
- Terminal Authentication -- the inspection terminal presents its CVC chain to the passport chip, proving it is authorized to read sensitive biometric data groups (fingerprints, iris). The chip verifies the CVC signature against the country's CVCA root.
- Chip Authentication -- the passport chip uses its own key pair (referenced by a CVC) to prove its authenticity to the terminal, preventing chip cloning.
eID cards extend this model with additional CHAT roles for age verification, municipality identification, and restricted identity operations, all governed by the access rights encoded in the terminal's CVC.