ESTEID LDAP technical description

Queries to the directory service must be submitted over the LDAPS protocol. Access to the service is unrestricted (anonymous bind, simple authentication) around the clock. Only data exchange with TLS encryption and TLS client authentication is supported. At most 50 certificate entries are returned in response to a query.

The directory is available on port 636.

Below is a detailed description of the directory layout. Knowledge of the layout is required to search the directory.

ESTEID LDAP directory structure

Directory tree list (personal certificates)

Personal certificates can be searched for only by the certificate owner's identity number (serialNumber), in the form "PNOEE-38001085718", or by the certificate's CN (CommonName) field, in the form "JÕEORG,JAAK-KRISTJAN,38001085718".

LDAP query examples

Example queries from the Linux or Mac command line to search for a personal certificate:

  1. Query without the LDAP CA certificate chain (LDAPTLS_REQCERT=allow makes the client accept a missing or invalid server certificate, so the server is not verified; use this only for testing):

    LDAPTLS_REQCERT=allow ldapsearch -H ldaps:// -x -b "c=EE" "(serialNumber=PNOEE-38001085718)"

  2. Query with the LDAP CA certificate (the LDAP CA certificate is available from the link on the original page; it is saved here as ldapca.crt). Note that the filter must contain no space after "cn=", since the space would become part of the value being matched:

    LDAPTLS_CACERT=ldapca.crt ldapsearch -H ldaps:// -x -b "c=EE" "(cn=JÕEORG,JAAK-KRISTJAN,38001085718)"
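The following Python script is an added example and is not code from the original page or from the directory operator. It builds the two search filters described above with RFC 4515 escaping (so that a caller-supplied value cannot alter the filter), assembles the ldapsearch invocation from the page with the CA certificate pinned via LDAPTLS_CACERT, and parses the LDIF that ldapsearch prints, including folded continuation lines and base64 ("::") values, into DNs and raw DER certificates while flagging when the 50-entry cap may have truncated the result. The directory hostname (LDAP_HOST), the sample DN below the c=EE base, and the certificate bytes are constructed placeholders, not values from the page; only the base DN, the filter forms and the 50-entry limit come from the page.

```python
import base64
import re

# Constructed values: the page elides the directory hostname, so LDAP_HOST is a placeholder.
LDAP_HOST = "ldaps://ldap.example.invalid"   # placeholder, not the real directory host
BASE_DN = "c=EE"                             # from the page
MAX_ENTRIES = 50                             # the directory returns at most 50 entries

# RFC 4515 escaping: unescaped, these characters would change the filter's meaning
# when a caller-supplied value is spliced in (LDAP filter injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_PERSONAL_CODE = re.compile(r"\d{11}")       # Estonian personal identification code: 11 digits


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def serial_number_filter(personal_code: str) -> str:
    """Filter for the serialNumber search form: (serialNumber=PNOEE-<code>)."""
    if not _PERSONAL_CODE.fullmatch(personal_code):
        raise ValueError("personal code must be exactly 11 digits")
    return f"(serialNumber=PNOEE-{personal_code})"


def cn_filter(surname: str, given_names: str, personal_code: str) -> str:
    """Filter for the CN search form: (cn=SURNAME,GIVENNAMES,<code>)."""
    if not _PERSONAL_CODE.fullmatch(personal_code):
        raise ValueError("personal code must be exactly 11 digits")
    return f"(cn={escape_filter_value(','.join((surname, given_names, personal_code)))})"


def ldapsearch_command(search_filter: str, cacert_path: str) -> tuple[dict, list]:
    """Environment and argv for the ldapsearch call shown on the page, always pinning
    the LDAP CA certificate (LDAPTLS_CACERT) rather than using LDAPTLS_REQCERT=allow."""
    env = {"LDAPTLS_CACERT": cacert_path}
    argv = ["ldapsearch", "-H", LDAP_HOST, "-x", "-b", BASE_DN, search_filter]
    return env, argv


def parse_ldif(text: str) -> list[dict]:
    """Parse ldapsearch LDIF output into [{'dn': str, 'attrs': {name: [values]}}].
    ';binary' attributes are returned as bytes, everything else as str."""
    unfolded: list[str] = []
    for line in text.splitlines():            # a leading space continues the previous line
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:              # sentinel blank line flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
            if not name.endswith(";binary"):
                value = value.decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:             # skips "search:"/"result:" status lines
            current["attrs"].setdefault(name, []).append(value)
    return entries


def certificates_from_ldif(text: str) -> tuple[list, bool]:
    """[(dn, der_bytes)] for every userCertificate;binary value, and True when the
    entry cap was reached so the caller knows the result may be incomplete."""
    entries = parse_ldif(text)
    certs = [(e["dn"], der) for e in entries
             for der in e["attrs"].get("userCertificate;binary", [])]
    return certs, len(entries) >= MAX_ENTRIES


def _fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line the way ldapsearch does (continuation lines start with a space)."""
    return "\n".join([line[:width]] + [" " + line[i:i + width - 1]
                                       for i in range(width, len(line), width - 1)])


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample output; the DN below c=EE and the certificate bytes are not real.
_CN = "JÕEORG,JAAK-KRISTJAN,38001085718"
_DN = "cn=" + _CN + ",ou=Authentication,o=CONSTRUCTED-SAMPLE,c=EE"
_FAKE_CERT = b"\x30\x82" + b"constructed-placeholder-not-a-real-DER-certificate" * 2
SAMPLE_LDIF = "\n".join([
    "# extended LDIF", "#", "# filter: (serialNumber=PNOEE-38001085718)", "",
    _fold("dn:: " + _b64(_DN.encode("utf-8"))),      # non-ASCII values are base64-encoded
    _fold("cn:: " + _b64(_CN.encode("utf-8"))),
    "serialNumber: PNOEE-38001085718",
    _fold("userCertificate;binary:: " + _b64(_FAKE_CERT)),
    "", "# search result", "search: 2", "result: 0 Success", "", "# numEntries: 1",
])

if __name__ == "__main__":
    env, argv = ldapsearch_command(serial_number_filter("38001085718"), "ldapca.crt")
    print(" ".join(f"{k}={v}" for k, v in env.items()), " ".join(argv))
    certs, truncated = certificates_from_ldif(SAMPLE_LDIF)
    for dn, der in certs:
        print(dn, "->", len(der), "DER bytes")
    print("result may be truncated:", truncated)
```

To run it against the live directory, replace LDAP_HOST with the real hostname, run the printed command with `subprocess.run(argv, env={**os.environ, **env}, capture_output=True, text=True)`, and feed `.stdout` to `certificates_from_ldif`; the DER bytes can then be handed to a certificate library for validation.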