Certificate Authority (CA): The Trust Anchors of the EUDI Wallet Ecosystem

Last updated: 2/9/2026. Reading time: 4 min

Certificate Authority (CA)

security

Full Name: Certificate Authority

Definition

A Certificate Authority (CA) is a trusted organization that issues digital certificates. These certificates bind a cryptographic public key to the identity of an entity -- whether a person, organization, or device. The CA verifies the identity of the certificate requestor before issuance, acting as a guarantor of authenticity within a Public Key Infrastructure (PKI). In the EUDI Wallet ecosystem, government-approved CAs are central to the trust framework that enables secure, cross-border identity verification.

How Certificate Authorities Work

Certificate Authorities operate within a hierarchical trust model. At the top sits a Root CA, whose certificate is self-signed: it is trusted not because of any signature but because it has been placed in the trust store of the verifying software or operating system. Below the root, Intermediate CAs (also called Subordinate CAs) hold certificates signed by the Root CA and issue end-entity certificates to individuals, servers, or organizations. Keeping the root key offline and signing day-to-day certificates with intermediates limits the damage from a compromised intermediate key: the intermediate can be revoked without replacing the root in every trust store.

Obtaining a certificate involves several steps. First, the entity generates a cryptographic key pair (public and private key); the private key never leaves the entity. Then it sends a Certificate Signing Request (CSR) containing the public key and identity information to the CA. The CSR is itself signed with the requester's private key, which proves possession of that key. The CA validates the identity through various means, ranging from domain validation for web certificates to in-person identity checks for high-assurance certificates. Once validated, the CA assembles the certificate and signs it with its own private key, creating a cryptographically verifiable link to the CA and, through the CA's own certificate, a chain of trust.

Each certificate contains critical information: the subject name, the public key, the validity period, the issuer (CA) name, the permitted key usages, and the issuer's digital signature. A verifier checks the signature on each certificate against the public key in the issuer's certificate, repeating this up the chain until it reaches a root it already trusts. Signature checking alone is not enough: the verifier also confirms that each certificate is within its validity period, that the intermediates are actually marked as CA certificates, and that none of them has been revoked. This mechanism allows parties who have never met to establish trust through a common CA.

Role of CAs in the EUDI Wallet Trust Framework

The EUDI Wallet architecture under eIDAS 2.0 relies heavily on Certificate Authorities to establish trust between all participants. The regulation introduces several key roles for CAs in this ecosystem:

  1. Credential Issuer Certificates: Government agencies and authorized organizations that issue verifiable credentials (such as national IDs, driving licenses, or diplomas) must hold certificates from a trusted CA. These certificates prove that the issuer is legitimately authorized to create such credentials.
  2. Wallet Provider Certificates: The software providers building EUDI Wallet applications must be certified. Their certificates, issued by approved CAs, prove the wallet implementation meets the security and compliance requirements set by the EU.
  3. Relying Party Certificates: Organizations that verify credentials (banks, airlines, government portals) also hold certificates that identify them. This ensures the wallet holder knows who is requesting their data and can make informed consent decisions.

The EU Trusted Lists serve as the authoritative registry of approved CAs for the EUDI ecosystem. Each member state maintains its own Trusted List, and these are aggregated at the EU level in the List of Trusted Lists. Only CAs appearing on these lists can issue certificates that are recognized across the entire European Union, providing the foundation for cross-border interoperability. In practical terms, the Trusted Lists play the role that a root trust store plays in ordinary PKI: a verifier's decision about which roots to accept is made by consulting the lists rather than by a browser or OS vendor.

Certificate Lifecycle and Revocation

Certificates have a finite lifecycle. They are issued with a validity period (typically one to three years for end-entity certificates, longer for root and intermediate CAs). Before expiration, certificates must be renewed, which in practice means issuing a new certificate, ideally with a fresh key pair. If a security breach occurs, a private key is compromised, or an entity's authorization changes, the CA can revoke the certificate before its natural expiration.

Revocation is communicated through two primary mechanisms. Certificate Revocation Lists (CRLs) are periodically published, CA-signed lists of all revoked certificates; a verifier must check the CRL's signature and its nextUpdate time, because a tampered or stale list proves nothing. The Online Certificate Status Protocol (OCSP) provides real-time, per-certificate status checks, at the cost of a network round trip to the responder for every verification. EUDI Wallet implementations typically support both methods, with OCSP preferred for time-sensitive verifications and CRLs cached for offline scenarios. Either mechanism only helps if the verifier fails closed: an unreachable responder or a CRL past its nextUpdate must be treated as a verification failure, not silently read as "not revoked".
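The chain building and verification described under "How Certificate Authorities Work" and the CRL check described just above, as one added example that is not code from this page or from any EUDI Wallet project. It uses only Go's standard crypto/x509 package (Go 1.21 or newer): it generates a hypothetical root CA, intermediate CA and credential-issuer certificate (the names "Example Root CA", "Example Intermediate CA" and "Example Credential Issuer" and the serial numbers are made up), verifies the issuer certificate against a trust store containing only the root, shows that a certificate from a CA with the same names but different keys is rejected, then has the intermediate publish a CRL and checks the issuer certificate's serial against it only after the CRL's signature and freshness have been verified. OCSP is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // all inputs are constructed locally, so panicking on error is fine
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is a constructed root CA -> intermediate CA -> credential-issuer hierarchy. Names and
// serial numbers are made up for illustration; no real Trusted List entry is involved.
type PKI struct {
	Root, Inter, Leaf          *x509.Certificate
	RootKey, InterKey, LeafKey *ecdsa.PrivateKey
}

// tpl builds a certificate template; CA templates get basicConstraints plus keyCertSign/cRLSign.
func tpl(cn string, serial int64, isCA bool, years int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return t
}

// sign is the CA's signing step; passing a template as its own parent yields a self-signed root.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey))))
}

// BuildPKI generates three key pairs and issues root -> intermediate -> credential issuer.
func BuildPKI() *PKI {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	p := &PKI{RootKey: gen(), InterKey: gen(), LeafKey: gen()}
	root := tpl("Example Root CA", 1, true, 10)
	p.Root = sign(root, root, &p.RootKey.PublicKey, p.RootKey)
	p.Inter = sign(tpl("Example Intermediate CA", 2, true, 5), p.Root, &p.InterKey.PublicKey, p.RootKey)
	p.Leaf = sign(tpl("Example Credential Issuer", 3, false, 1), p.Inter, &p.LeafKey.PublicKey, p.InterKey)
	return p
}

// VerifyChain is the relying-party side: the trust store holds only the root (the Trusted List
// analogue); the intermediate travels with the presented chain. Signatures, validity dates and
// CA constraints are checked here; revocation is a separate step (see IsRevoked).
func VerifyChain(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // signing cert, not a TLS server: lift Go's default serverAuth EKU requirement
	return err
}

// IssueCRL signs a 24-hour CRL listing serials as revoked for key compromise (reason 1, RFC 5280 5.3.1).
func IssueCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, serials []int64) *x509.RevocationList {
	now := time.Now()
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		rl.RevokedCertificateEntries = append(rl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now, ReasonCode: 1})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, rl, issuer, issuerKey))))
}

// IsRevoked fails closed: a CRL not signed by the expected issuer, or one past its nextUpdate,
// is an error rather than a "not revoked" answer.
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by expected issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("stale CRL: nextUpdate %s has passed", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p, rogue := BuildPKI(), BuildPKI() // rogue has the same names but different keys: a CA not on the list
	fmt.Println("issuer cert chains to trusted root:", VerifyChain(p.Leaf, p.Inter, p.Root) == nil)
	fmt.Println("rogue issuer rejected:", VerifyChain(rogue.Leaf, rogue.Inter, p.Root) != nil)
	crl := IssueCRL(p.Inter, p.InterKey, []int64{p.Leaf.SerialNumber.Int64()})
	fmt.Println(IsRevoked(p.Leaf, crl, p.Inter)) // true <nil>
}
```

Run it with `go run`. Two design points are worth noticing. The relying party's trust store holds only the root, which is the role the Trusted Lists play in the EUDI ecosystem, while the intermediate arrives with the presented chain; a chain whose intermediate was signed by a key the store does not know is rejected even though every name in it matches. And IsRevoked returns an error, not false, when the CRL is not signed by the expected issuer or is past its nextUpdate, so a forged, missing or stale CRL fails closed instead of being read as "not revoked".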

For the EUDI ecosystem, effective revocation is especially critical. If a credential issuer's signing key is compromised, every credential bearing a signature from that key becomes suspect, including credentials legitimately issued before the compromise was detected, because a verifier cannot tell them apart from forgeries. Rapid revocation and propagation of revocation status therefore protects the hundreds of millions of EU citizens relying on the wallet system for identity verification.

Practical Examples

  • National Identity Credential: A German citizen receives a digital ID credential in their EUDI Wallet. The credential is signed by the Bundesdruckerei (Federal Printing Office), whose signing certificate was issued by a CA on the German Trusted List. When the citizen uses this credential at a French bank, the bank verifies the certificate chain up to a CA that appears on the EU Trusted Lists to confirm authenticity.
  • University Diploma: A university issues a verifiable diploma. Its signing certificate, issued by a national education CA, proves the university is authorized to issue academic credentials within the EUDI framework.
  • Wallet Attestation: When an EUDI Wallet app connects to a verifier, it presents a Wallet Trust Evidence certificate proving the wallet implementation is certified and unmodified, traceable to a CA on the Trusted List.


Sources

Information verified against official sources (2/16/2026)


⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
