Support for AusweisIDent, eID Service and Authorisation Certificates

AusweisIDent Online and the D-Trust eID service for online service providers can be used with the following ID documents:  

Customers with an ID card with an activated online ID function, an electronic German residence permit or a Union citizen card can identify themselves via an online ID for your service.

The online ID card function has been automatically activated on all new ID cards since 2017. The online ID function is always activated for electronic German residence permits and Union citizen cards. This means that the function is activated on most ID cards in circulation.

AusweisIDent On-Site and the D-Trust eID service for on-site service providers can be used with the following ID documents:  

Data from customers with an ID card, an electronic German residence permit or a Union citizen card can identify themselves via an online ID for your service. The online identification feature does not have to be activated.

The electronic storage medium in the ID card provides all data necessary for electronic proof of identity according to Sec. 18 (3) PAuswG [Personal ID Act].

1. Surname
2. Birth name
3. First name(s)
4. Doctorate
5. Date of birth
6. Location of birth
7. Address
8. Citizenship
9. Document type
10. Last date of validity period
11. Service and card-specific identifier
12. Abbreviation “D” for the Federal Republic of Germany
13. Indication as to whether a certain age is exceeded or not
14. Indication as to whether a place of residence corresponds to the queried place of residence
15. Religious name, artist’s name

Reading Out the ID Card Data Electronically 

The required electronic data can be read from the chip of the ID card, electronic residence permit or Union citizen card using an NFC-enabled smartphone or a card reader. By entering the 6-digit ID PIN, the customer agrees to the transmission of his/her data. 

Providing the Identification Data 

The electronic data read out is provided to your service by the ID card or eID service via a standardised web interface.

Pairing and “Smartphone as Card Reader” function:  

The “Smartphone as Card Reader” function of the AusweisApp2 allows a suitable smartphone to be paired with a PC/laptop (Windows or Mac), an iPad or a non-NFC-capable Android device. This function is relevant for service providers who offer a service that is typically used on laptops, iPads or other non-NFC-enabled end devices.

There are two ways to use the smartphone as a card reader and pair the devices:

1. Pairing by connecting both devices with the same Wi-Fi network
   (Note: You must allow all devices on your network to communicate with each other, including your smartphone. You can usually set this up in the router or in the network settings.)
2. Pairing via a mobile hotspot: One of the devices opens a hotspot and the other connects to it.

Requirements for suitable smartphones:

1. A smartphone or tablet with Android version 5.0 or higher or an iPhone 7 with version 13.1 or higher.
2. The smartphone must support the NFC function. For a stable connection during data transmission, the NFC chip installed in the smartphone must have a sufficient field strength.
3. The device’s firmware / operating system must support extended length communication. Extended length enables the transmission of data packets longer than 261 bytes to and from the online ID and allows the data to be encrypted.

This is how it works – step-by-step:

1. Connect both devices to the same Wi-Fi or mobile hotspot.
   (Note: You must allow all devices on your network to communicate with each other, including your smartphone. You can usually set this up in the router or in the network settings.)
2. If necessary, switch on NFC on the smartphone that is to be connected as a card reader.
3. Initiate remote access in the AusweisApp2 on the smartphone that is to be connected as a card reader.
4. Start pairing and connect the devices by entering the pairing code.

Detailed instructions on pairing the AusweisApp2 with a smartphone can be found here.

Connecting to the AusweisIDent test system:

The AusweisIDent test system is available to you free of charge. Connecting to it requires a signed confidentiality agreement with D-Trust. You can obtain this from us by sending a request to vertrieb@d-trust.net. Once this has been done, we will send you the interface documentation and the order form for access to the test system. After successfully implementating the interface, you can try out the AusweisIDent system with test ID cards. The reference system is functionally equivalent to the live system, but only works with test ID cards or the PersoSim simulator. More information on test cards and the PersoSim simulator can be found on the BSI website.

Connecting to the AusweisIDent live system:

After a successful test, we will provide you with a service contract describing services and obligations and specifying the data fields that are to be read out. The current price list is included at the end. Merely concluding the contract will not trigger any services or payments. It is not until you commission us and send us our order form for access to the functional system that will we set up access for you – after we have validated your organisation as stipulated by regulations. Once this has been done, we will charge you the annual fee and, in the following months, the fees for the monthly transactions. AusweisIDent is integrated via an OpenID Connect web interface – an open web standard based on OAuth2.0. To learn more, click here.

In addition, AusweisApp2 must be integrated as well. You have two options for this:

1. Fully integrating AusweisApp2 into your application
2. Redirecting the user to AusweisApp2 from your application

You can find more information on AusweisApp2 on the AusweisApp website. The open source code is also available to you for downloading.

The developer’s manual, which you will receive from us after you have sent us the confidentiality agreement, contains code fragments that describe how to integrate AusweisIDent.

You can find more information on AusweisApp2 on the AusweisApp2 website. The open source code is also available to you for downloading.

Connecting to the eID service reference environment:

The reference environment of the D-Trust eID service is available for you to test. Connecting to it requires a signed service contract with D-Trust. You can obtain the contract from us by sending a request to vertrieb@d-trust.net. Once this has been done, we will send you the interface documentation and the technical order form for access to the test system. In addition, you can also purchase the required authorisation certificate for the eID reference environment from D-Trust.

After successfully implementating the interface, you can test the eID service reference environment with test ID cards. The reference system is functionally equivalent to the live system, but only works with test ID cards or the PersoSim simulator. More details on both can be found on the BSI website here.

Connecting to the eID service productive environment:

To access the productive environment, you must conclude a service contract with D-Trust, which describes services and obligations and specifies the data fields that are to be read out. The current price list is included at the end. Along with the service contract, you can also purchase the technical authorisation certificate from us. To do this, you will need a notice from the Federal Office of Administration. You can apply for the authorisation at the Issuing Office for Authorisation Certificates (VfB) of the Federal Office of Administration (BVA). You can also do this online.

Merely concluding the contract will not trigger any services or payments. It is not until you commission us and send us our technical order form for access to the functional system that will we set up access for you. Once this has been done, we will charge you the annual fee and, in the following months, the fees for the monthly transactions. The D-Trust eID service is integrated via a SOAP or SAML interface. You can find out more about this in the Integration Manual.

In addition, AusweisApp2 must be integrated as well. You have two options for this:

1. Fully integrating AusweisApp2 into your application
2. Redirecting the user to AusweisApp2 from your application

You can find out more about AusweisApp2 and the source code here.

Your web service is connected to the D-Trust eID service via an interface according to the SOAP or SAML standard.  D-Trust uses Governikus software (Autent or Panstar) for the eID service. You will be given access to the SDK via our service portal after concluding the contract. 

The device used for online identification must have AusweisApp2 installed (Windows, Android, iOS) or an app of yours that has the AusweisApp2 SDK (Android, iOS) integrated.  The AusweisApp2 is available to you open-source: https://www.ausweisapp.bund.de/home/

The manual and the SDK, which you will receive from us after you have sent us the NDA, contains code fragments that describe how to integrate the D-Trust eID Service.

You will find the source code for integrating AusweisApp2 here.

You can apply for an authorisation certificate at the Issuing Office for Authorisation Certificates (VfB) of the Federal Office of Administration (BVA).

As soon as the initial notice has been submitted and approved, the notice data will be transmitted to D-Trust automatically. Based on this data (VfB identifier), you can then order the authorisation certificate from D-Trust.

You will receive the application form in our service portal under “Applications & Forms” after concluding the contract.

You can change an existing authorisation certificate at the Issuing Office for Authorisation Certificates (VfB) of the Federal Office of Administration (BVA).

As soon as the change request has been submitted and approved, the changed notice data will be transmitted to D-Trust automatically. Based on this changed notice (VfB identifier), you will then be able to order the changes for the authorisation certificate from D-Trust.

You will receive the change order form in our service portal under “Applications & Forms” after concluding the contract.

The notice for an authorisation certificate issued by the Issuing Office for Authorisation Certificates (VfB) of the Federal Office of Administration (BVA) is valid for 3 years.
The authorisation certificate itself has a validity of 48 hours and is renewed daily within the validity of the underlying notice.
A renewal application should be submitted to the VfB in good time before the certificate expires.

As soon as the renewal notice has been submitted and approved, the notice data will be transmitted to D-Trust automatically. The service provider concerned (applicant) will subsequently receive an invoice from D-Trust for a flat-rate change fee of 250 euros. A separate change request does not have to be submitted to D-Trust.

You can find the online application as well as information on the procedure and deadlines on the federal portal:  https://verwaltung.bund.de/leistungsverzeichnis/DE/leistung/99008003001000/herausgeber/LeiKa-584864/region/00

A step-by-step guide on how to become a service provider as a public authority can be found on the ID card portal: https://www.personalausweisportal.de/Webs/PA/DE/verwaltung/diensteanbieter-werden/diensteanbieter-werden-node.html

A step-by-step guide on how to become a service provider as a private company can be found on the ID card portal: https://www.personalausweisportal.de/Webs/PA/DE/wirtschaft/diensteanbieter-werden/diensteanbieter-werden-node.html