What is in my COVID-19 vaccination certificate?

Published: Sep 22 2021

Updated: Sep 22 2021

Manually inspecting the content of a French COVID-19 vaccination certificate QR code. The main intent is to show with a concrete example which data is actually included in the certificate.

All's right with the world!

— Robert Browning, Pippa Passes

Table of content

Table of content
Overview
Example
Second French QR code
Conclusion
Appendix, French revocation list
Appendix, trusted signing keys
References

Overview

European COVID-19 certificates are defined in the following documents:

Digital Covid Certificate Schema which describes the core data model;
Electronic Health Certificates which specifies how the core data is signed by a signing authority using the CBOR Web token (CWT) format as well as the QR code based storage;
Technical Specifications for Digital Green Certificates Volume 1
Technical Specifications for Digital Green Certificates Volume 3, Interoperable 2D Code;
Technical Specifications for EU Digital COVID Certificates JSON Schema Specification;
Value Sets for Digital Green Certificates.

Payload

The information present on the european COVID-19 vaccination certificate is roughly made of:

name (given name, surname);
date of birth;
number of doses and total number of doses;
type of vaccination (manufacturer, product);
date of vaccination;
a unique identifier for the vaccination certificate (UVCI).

Security

All the information in the certificate is easily available to anyone scanning the QR code. No encryption is used. Moreover, the specification is publicly available. Decoding the content of the QR code can be done in a few lines of code.

A digital signature (ECDSA with P-256 and SHA-256) is used to protect against forgery. Each european signing authority has its own key pair(s).

Structure

The structure of the QR code is summarized in a diagram accompanying the Electronic Health Certificates Digital Covid Certificate (EHC DCC) specification:

the content of the certificate is represented a JSON-compatible CBOR object;
this is included (as a claim) in a CWT which includes a digital signature from a european signing authority;
this CWT is compressed with zlib;
this is then encoded in base-45 (a encoding designed to encapsulate arbitrary binary data in QR codes);
a prefix is then prepended;
this is then encoded in QR code.

Overview of the COVID QR code structure
Layer	Content
EHC-DCC	name, date of birth, vaccinations (or tests, recoveries), etc.
CWT	issuers, validity period, digital signature, etc.
zlib compression
base-45 encoding
prefix (HC1:)
QR code encoding

Example

In this section, we will describe the different steps for decoding an example QR code. This example is a censored version of a real COVID-19 certificate. It is signed with a locally generated ECDSA key pair using ehn-sign-verify-python-trivial: this means that (of course) it won't be accepted by a validating applications.

QR code containing a COVID-19 certificate for Luke Skywalker — An (invalid, self-issued) example of european COVID-19 certificate

Warning: invalid certificate

This certificate it is not signed with a private keys of a signing authority. As a consequence it won't be accepted by a validating application such as TousAntiCovidVerif. Do not try to use it. It won't work.

Note: QR code vs 2D-DOC

The first French vaccination COVID-19 certificates were using 2D-DOC. This is a French format based on Data matrix (instead of QR code). The new French certificates use the european standard (based on QR code) and should be interoperable with other european countries.

QR code decoding

The PDF issued by the French authorities actually contains two QR codes: one QR code which you are supposed to show to other people; one QR code which is used to add the certificate in the TousAntiCovid application. We will focus on the first one for now.

We can extract the content of QR code with zbar for example. I'm actually using the following script for convenience:

#/bin/sh

set -e

file="$(tempfile)"
trap "rm $file" EXIT

xfce4-screenshooter -r -s "$file"
zbarimg "$file"

The content of the QR code is a string starting with "HC1:". This prefix identifies the type of data and version of data (Health Certificate Version 1).

HC1:NCFOXN%TSMAHN-H.SK.SLOCV*$V34UEB2I:IR0L8YV8VVJ59/A184Q-RINWA/6K-MPW$NLEEMJC7ZS2%KYZP5ORK34JWLG56H0API0VN5%54E11%AK8II0 JP$SBZI0PIBZIXJA  CG8C5DL$9C.PDS1JQBBJ%6L95OD6%28%%BPHQOGOJ236RD:XIBEIVG395EV3EVCK09D5WCFVA.QO5VA81K0ECM8CXVDC8C90JK.A96UJBC.P2R9CWZJ$7K+ CZEDB2M-9C.PDPOJI7JSTNB95N/55FRFJ6INQ2WRL353X7Q-O-+QZW6+Y5MN0POJZ0KYB0G%5TW5A 6+O67N6F7EIA7HOD%5DC/8NDNC8JT3O:X3G67.*G /IN7LA9T0V468TUCTG17+WLJ/RJBPMOQA+S+QOX97%9O2%6DBVRTMW4H*7696OW%O7$TUZ3VGC16E

expected_prefix = "HC1:"
if not data.startswith(expected_prefix):
    raise Exception("Invalid prefix")
data = data[len(expected_prefix):]

The remaining of the string is base-45 encoded. This encoding format is designed to be used for encoding arbitrary binary data in QR code. We can decode it with the base45 Python package but it is quite simple to implement base-45 decoding directly:

digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
digit2num = { digit: i for i, digit in enumerate(digits) }
assert len(digits) == 45

def decode_base45(data: str) -> bytes:

    ochunks = []
    for i in range(0, len(data), 3):
        chunk = data[i:i+3]
        if len(chunk) == 2:
            c = digit2num[chunk[0]]
            d = digit2num[chunk[1]]
            n = c + d * 45
            ochunk = bytes([n])
        elif len(chunk) == 3:
            c = digit2num[chunk[0]]
            d = digit2num[chunk[1]]
            e = digit2num[chunk[2]]
            n = c + d * 45 + e * 45 * 45
            ochunk = bytes([n // 256, n % 256])
        else:
            raise Exception("invalid length")
        ochunks.append(ochunk)

    res = b"".join(ochunks)
    return res

decoded = decode_base45(data)

We get:

b"x\xda\xbb\xd4\xe2\xbb\x88Q\x8d\xc5\xa3J\xab3\xf7k\xfb\xdf\xee\x05\x11\xcf\x960\xa68\xfb9\xfa\xb2H%\t\xd6\xcef\x93JT\xd1\x9fm\xc9\xc8\xbc\x90qIbY\xe3\xaa\xa4\xe4\xcc\n\xd9\xd0 ?\xab\xd00gO+\x03C+\xb7 \xab\x08$\xa0\x1c\x91\x94\x9c\x9f\xe4\x16\x94\x94\x92\xc7\x94\x94R\x92ed`d\xa8k`\xa6kd\x96\x94Y\x0c67)71\xd7?\xc8]\xd7\xd0\xc0\xc0\xc0\x18(k\x9a\x94[\x90\xe3\x1a\xaao\xa8od\xa0ohjd\x91T\x9c\xc2\x94T\x92\x9eiab`jli``\x96TV\x90\xeee`\xee\x14a`\x9c\x9c\x92\x9f\x94ehin\xaek`\xaakd\x9a\x9c\x97\x98\xbb$)-/3\xd8;2\xdc\xd1\xc7\xdb5()=/\xc5'\xd4\xdb59-\xaf\x04!\x9a\x9c\x9eW\x02\x11.K-J5\xd43\xd63\x88p\x0893k\x1eg\xdcF\xe3\xb8O\x97\xbf\xbe|\x1d\xb48}\x85\x95\x96\x15\xa7o\xe7\x04%\x17\xe6\xd3\xe7\x9f7\x9c\xab\xe5\xdd5\xc7\xc3\xd1\xf8\xe4\x8e\xc2\x929\x15\xbf\x936&\xf73\xb3:\x87M0\xd8\xbe\xef\xc4\xa6\xeb\xed\x1e\x00a\xdbo\xcd"

This content is compressed with zlib. We can decompress it with:

decompressed = zlib.decompress(decoded)

b'\xd2\x84M\xa2\x01&\x04Hz*\x89m\xf5\x87\xfd\x8b\xa0X\xe6\xa4\x01dCNAM\x04\x1ab\x11}\x9b\x06\x1aa$/\x9b9\x01\x03\xa1\x01\xa4av\x81\xaabcix\x1dURN:UVCI:01:FR:XXXXXXXXXXXX#XbcobFRbdn\x02bdtj2021-06-26bisdCNAMbmamORG-100030215bmplEU/1/20/1528bsd\x02btgi840539006bvpgJ07BX03cdobj1977-05-25cnam\xa4bfniSKYWALKERbgndLUKEcfntiSKYWALKERcgntdLUKEcvere1.3.0X@T\xcc\x9a\x9e\t^\xb13^\xf2\xd3\xf5\xe9\xebR\xa3g\xa8:*:\tM\x89\x90"D\x03\xcb\xcf\xe7\x80\xce}\r\xba\x9cHA3\xc9\xb8qt\x9cx\xfbb\xb1c\x8f\x03\x05CV\x900\xb7\xbe\xc8\xb2\xd7\x87H'

CWT

We now have CWT content which can be decoded with:

import cbor
cose = cbor.loads(decompressed)

Tag(18, [b'\xa2\x01&\x04Hz*\x89m\xf5\x87\xfd\x8b', {}, b'\xa4\x01dCNAM\x04\x1ab\x11}\x9b\x06\x1aa$/\x9b9\x01\x03\xa1\x01\xa4av\x81\xaabcix\x1dURN:UVCI:01:FR:XXXXXXXXXXXX#XbcobFRbdn\x02bdtj2021-06-26bisdCNAMbmamORG-100030215bmplEU/1/20/1528bsd\x02btgi840539006bvpgJ07BX03cdobj1977-05-25cnam\xa4bfniSKYWALKERbgndLUKEcfntiSKYWALKERcgntdLUKEcvere1.3.0', b'T\xcc\x9a\x9e\t^\xb13^\xf2\xd3\xf5\xe9\xebR\xa3g\xa8:*:\tM\x89\x90"D\x03\xcb\xcf\xe7\x80\xce}\r\xba\x9cHA3\xc9\xb8qt\x9cx\xfbb\xb1c\x8f\x03\x05CV\x900\xb7\xbe\xc8\xb2\xd7\x87H'])

The content is wrapped using the CBOR tag 18. According to the CBOR IANA registry, this is the tag for COSE_Sign1 which contains an array of four elements:

protected, informations about the COSE (such as the signature alogrithm);
unprotected, is not used in our case and it an empty CBOR map;
payload, contains the CWT claims;
signature, signature for both the claims and the protected field.

assert cose.tag  == 18
protected, unprotected, payload, signature = cose.value

The protected header is CBOR encoded:

cbor.loads(protected)

{1: -7, 4: b'z*\x89m\xf5\x87\xfd\x8b'}

We can find the meaning of the fields in the COSE registry:

The 1 entry describes the cryptographic algorithm used to secure the CWT. For european COVID-19 certificates, ECDSA with SHA-256 signature is used. This protects the certificate against forgery.
The 4 entry defines the identifier of the key used for the digital signature. This key identifier is supposed to reference a public key in a list of public signing keys of trusted signing authorities.

Warning: signature verification

This post does not include any the code for verifying the validity of the certificate (digital signature, expiration, etc.).

Claims

The payload is encoded in CBOR and is a set of CWT claims.

claims = cbor.loads(payload)

{1: 'CNAM', 4: 1645313435, 6: 1629761435, -260: {1: {'v': [{'ci': 'URN:UVCI:01:FR:XXXXXXXXXXXX#X', 'co': 'FR', 'dn': 2, 'dt': '2021-06-26', 'is': 'CNAM', 'ma': 'ORG-100030215', 'mp': 'EU/1/20/1528', 'sd': 2, 'tg': '840539006', 'vp': 'J07BX03'}], 'dob': '1977-05-25', 'nam': {'fn': 'SKYWALKER', 'gn': 'LUKE', 'fnt': 'SKYWALKER', 'gnt': 'LUKE'}, 'ver': '1.3.0'}}}

The meaning of the claims can be found in the CWT registry:

1, issuer;
4 expiration time (for my real certificate, this is 2023-06-04);
6, issued at;
-260, Health Certificate, described below.

Health Certificate content

The health certificate content is a JSON-compatible CBOR map. All the actual information is included in the field 1, for EU Digital Covid Certificate v1.

print(json.dumps(claims[-260]))

{
  "1": {
    "v": [
      {
        "ci": "URN:UVCI:01:FR:XXXXXXXXXXXX#X",
        "co": "FR",
        "dn": 2,
        "dt": "2021-06-26",
        "is": "CNAM",
        "ma": "ORG-100030215",
        "mp": "EU/1/20/1528",
        "sd": 2,
        "tg": "840539006",
        "vp": "J07BX03"
      }
    ],
    "dob": "1977-05-25",
    "nam": {
      "fn": "SKYWALKER",
      "gn": "LUKE",
      "fnt": "SKYWALKER",
      "gnt": "LUKE"
    },
    "ver": "1.3.0"
  }
}

The content is defined in the EU Digital COVID Certificates JSON spec:

v, a list of vaccination doses;
dob, date of birth;
nam, person names;
ver, schema version.

Each vaccination dose is made of:

ci, unique vaccination certificate identifier (UVCI);
co, country;
dn, current dose number;
dt, date of vaccination;
is, certificate issuer;
ma, manufacturer (in our example Biontech Manufacturing GmbH);
mp, vaccine product (in our example Comirnaty);
sd, total number of doses;
tg, disease (this is the SNOMED-CT code for COVID-19);
vp, type of vaccine (in our example this is "covid-19 vaccines").

Some values are described in Value Sets for Digital Green Certificates.

See the appendix of the guidelines on verifiable vaccination certificates for the structure of the UVCI.

Second French QR code

The second QR code in the french PDF is a deep link to the TousAntiCovid application with the same HC1 data included as a URI fragment:

https://bonjour.tousanticovid.gouv.fr/app/walletdcc#HC1:NCFOXN…

Conclusion

The French verification application only displays a limited set of information: given name, surname, birth date and validity. However, all the other information can be ontabined very easily from the QR code. In particular, you can know if the subject has been vaccinated ("v"), has been tested ("t") or has recovered from the virus ("r"). For vaccinations, it is moreover possible to know how many doses have been injected and which vaccine has been used: this information may be used to infer whether the subject has a comorbidity.

Appendix, French revocation list

The (French) TousAntiCodeVerif application includes a revocation list for revoking health certificates. This is implemented by downloading the revocation list from a remote server as part of a synchronization procedure. The applications does not query a remote server each time a certificate is scanned. The publication of revocation lists still creates privacy concerns.

val configurationService = WSConf.getConfigurationService(context)

configurationService.callSync(WSConf.getConfigurationBaseUrl() + URI_SYNC).enqueue(
    object : Callback<SyncResult> {
        // [...]
        override fun onResponse(
            call: Call<SyncResult>,
            response: Response<SyncResult>
        ) {
            // [...]
            when (response.code()) {
                200 -> {
                    Log.d(tag, "OK :")
                    val syncResult = response.body()
                    view.saveResult(syncResult)
                }
                else -> {
                    // [...]
                }
            }
        }
    }
)

The revocation list is apparently a list of SHA-256 hashes of the certificate identifier (ci) and country code (co):

val hash = getHashDcc(ci, co)
val isHashBlacklisted = Blacklist.isBlacklisted(context, Blacklist.BlacklistType.BLACKLIST_DCC, hash)

private fun getHashDcc(ci: String, co: String): String {
    val toHash = co.trim().uppercase()+ci.trim()
    return toSha256(toHash)
}

One intended usage of this revocation list is to reject certificates which have fraudulently used (i.e. by someone which is not the intended user of the certificate). This is problematic since you need to show your QR code and let other people scan it in order to use it: when you present your certificate to someone, you cannot prevent this person (or a bystander) from (maliciously) copying your certificate for his own usage.

Appendix, trusted signing keys

We can extract the list of authorities recognized by the TousAntiCovidVerif application. This is the list of all entities which can emit COVID-19 certificates which will be recognized by the TousAntiCovidVerif application.

import base64
import requests
import cryptography.x509

url = "https://gitlab.inria.fr/tousanticovid-verif/tousanticovid-verif-ios/-/raw/master/Anticovid%20Verify/resources/prod/certs.json?inline=false"
for value in requests.get(url).json()["certificatesDCC"].values():
    cert = cryptography.x509.load_der_x509_certificate(base64.b64decode(base64.b64decode(value)))
    sub = cert.subject.rfc4514_string()
    print(sub)

ST=Berlin,2.5.4.5=CSM026414197,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC AN EU 4,O=Norwegian Institute of Public Health,C=NO
C=ES,O=Consellería de Sanidad,2.5.4.97=VATES-S1511001H,OU=SELLO ELECTRONICO,2.5.4.5=S1511001H,CN=ConselleriadeSanidade.XuntadeGalicia
ST=Berlin,2.5.4.5=CSM026413994,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026413231,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026414212,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026382791,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=Croatia DGC DS 001,O=AKD d.o.o.,C=HR
CN=DSC_FR_001,OU=26750045200011,O=APHP,C=FR
C=ES,O=Servicio Cántabro de Salud,2.5.4.97=VATES-Q3900738J,OU=SELLO ELECTRONICO,2.5.4.5=Q3900738J,CN=Servicio Cántabro de Salud
ST=Berlin,2.5.4.5=CSM026413286,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026382931,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DGC DSC 1,OU=Health Information System,O=Ministry of Health,L=Sofia,C=BG
CN=Belgium Covid19 DSC 01,O=eHealth - Belgium,C=BE
ST=Berlin,2.5.4.5=CSM026383125,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_017,OU=120036017,O=DGS,C=FR
ST=Berlin,2.5.4.5=CSM026382843,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026382898,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=ES,O=COMUNIDAD AUTONOMA DE LA REGION DE MURCIA,2.5.4.97=VATES- S3011001l,OU=DIRECCION GENERAL INFORMATICA CORPORATIVA,OU=SELLO ELECTRONICO,2.5.4.5=S3011001l,CN=DIRECCIÓN GENERAL DE SALUD PÚBLICA Y ADICCIONES
C=ES,O=SERVICIO ANDALUZ DE SALUD,2.5.4.97=VATES-Q9150013B,OU=SERVICIO ANDALUZ DE SALUD,OU=SELLO ELECTRONICO,2.5.4.5=Q9150013B,CN=SELLO SAS PARA CERTIFICADO COVID DE LA UE
ST=Berlin,2.5.4.5=CSM026414115,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026460071,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_004,OU=26750045200011,O=APHP,C=FR
CN=Italy DGC DSC 1,O=Ministero della Salute,C=IT
CN=AT DGC DSC 1,2.5.4.5=001001,O=BMSGPK,C=AT
CN=DSC AN EU 5,O=Norwegian Institute of Public Health,C=NO
CN=DSC_FR_020,OU=180035024,O=CNAM,C=FR
CN=DSC_FR_025,OU=180035024,O=CNAM,C=FR
ST=Berlin,2.5.4.5=CSM026164168,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
1.2.840.113549.1.9.1=webmaster@llv.li,CN=DGC-NB-DSC-TEST-PROD-20210608,O=Liechtensteinische Landesverwaltung,L=Vaduz,C=LI
ST=Berlin,2.5.4.5=CSM026413213,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=ES,O=Departament de Salut de la Generalitat de Catalunya,2.5.4.97=VATES-S0811001G,OU=Departament de Salut,OU=SELLO ELECTRONICO,2.5.4.5=S0811001G,CN=CERT-GENCAT-1S-21
C=ES,O=SERVICIO MADRILEÑO DE SALUD,2.5.4.97=VATES-Q2801221I,OU=DG SISTEMAS DE INFORMACION Y EQUIPAMIENTOS SANITARIOS,OU=SELLO ELECTRONICO,2.5.4.5=Q2801221I,CN=FIRMA CERTIFICADO COVID DIGITAL UE 1
1.2.840.113549.1.9.1=webmaster@llv.li,CN=DGC-NB-DSC-VACCINATION-PROD-20210608,O=Liechtensteinische Landesverwaltung,L=Vaduz,C=LI
C=ES,O=CIUDAD AUTONOMA DE CEUTA,2.5.4.97=VATES-S6100007A,OU=CIUDAD AUTONOMA DE CEUTA,OU=SELLO ELECTRONICO,2.5.4.5=S6100007A,CN=CEUTA
ST=Berlin,2.5.4.5=CSM026383019,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=ES,O=DIRECCION GENERAL DE SALUD PUBLICA\, CONSUMO Y CUIDADOS,2.5.4.97=VATES-S2633001I,OU=DIRECCIÓN GENERAL DE SALUD PUBLICA\, CONSUMO Y CUIDADOS,OU=SELLO ELECTRONICO,2.5.4.5=S2633001I,CN=Gobierno de La Rioja
CN=DSC_FR_002,OU=26750045200011,O=APHP,C=FR
ST=Berlin,2.5.4.5=CSM026460044,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026414081,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=LT_DGC_DSC_1,O=Ministry of Health of The Republic of Lithuania,ST=Lithuania,C=LT
CN=CZ DSC 2,O=MZCR,C=CZ
CN=CZ DSC 1,O=MZCR,C=CZ
CN=Grand Duchy of Luxembourg DS DCC 4,O=Ministry of Health,C=LU
ST=Berlin,2.5.4.5=CSM026414133,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DIRECCIÓN DE SALUD PÚBLICA Y ADICCIONES,2.5.4.97=VATES-S4833001C,OU=SELLO ELECTRONICO,O=EUSKO JAURLARITZA - GOBIERNO VASCO,C=ES
CN=Slovenian Digital Covid Certificate Signer,OU=NIJZ eHealth,O=NIJZ\, National Institute of Public Health of Slovenia,C=SI
ST=Berlin,2.5.4.5=CSM026382995,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_018,OU=120036017,O=DGS,C=FR
CN=DSC_FR_013,OU=120036017,O=DGS,C=FR
C=ES,O=SERVICIO DE SALUD DE LAS ISLAS BALEARES,2.5.4.97=VATES-Q0719003F,OU=SELLO ELECTRONICO,2.5.4.5=Q0719003F,CN=IBSALUT-CVD-SELLO
CN=DSC_FR_012,OU=120036017,O=DGS,C=FR
ST=Berlin,2.5.4.5=CSM026460026,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026414160,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026317104,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026413347,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_019,OU=180035024,O=CNAM,C=FR
ST=Berlin,2.5.4.5=CSM026413569,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026413639,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=ES,O=Servicio Navarro de Salud-Osasunbidea,2.5.4.97=VATES-Q3150004D,OU=Servicio Navarro de Salud-Osasunbidea,OU=SELLO ELECTRONICO,2.5.4.5=Q3150004D,CN=Sello Electrónico del Servicio Navarro de Salud-Osasunbidea
CN=DSC_FR_016,OU=120036017,O=DGS,C=FR
C=ES,O=Servicio de Salud de Castilla-La Mancha,2.5.4.97=VATES- Q4500146H,OU=SELLO ELECTRONICO,2.5.4.5=Q4500146H,CN=SESCAM Certificado Digital COVID UE
ST=Berlin,2.5.4.5=CSM026460008,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_022,OU=180035024,O=CNAM,C=FR
ST=Berlin,2.5.4.5=CSM026413417,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026460123,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=LV,O=Nacionālais veselības dienests,CN=LV DSC 001
ST=Berlin,2.5.4.5=CSM026164195,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=PT,O=Republica Portuguesa - Portuguese Republic,2.5.4.5=001,CN=DGC DS
CN=DSC_FR_014,OU=120036017,O=DGS,C=FR
CN=DSC_FR_003,OU=26750045200011,O=APHP,C=FR
C=PL,O=Ministry of Health,OU=eHealth Centre,CN=Recovery DGC Service 1
1.2.840.113549.1.9.1=kontakt@sundhedsdata.dk,CN=PROD_DSC_DGC_DK_01,OU=The Danish Health Data Authority,O=The Danish Health Data Authority,C=DK
C=ES,O=GOBIERNO DE ARAGON,2.5.4.97=VATES-S5011001D,OU=DEPARTAMENTO DE SANIDAD,OU=SELLO ELECTRONICO,2.5.4.5=S5011001D,CN=DEPARTAMENTO DE SANIDAD DEL GOBIERNO DE ARAGON
ST=Berlin,2.5.4.5=CSM026382773,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026414054,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026383046,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026413462,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_023,OU=180035024,O=CNAM,C=FR
1.2.840.113549.1.9.1=webmaster@llv.li,CN=DGC-NB-DSC-RECOVERY-PROD-20210608,O=Liechtensteinische Landesverwaltung,L=Vaduz,C=LI
C=ES,O=MINISTERIO DE SANIDAD,2.5.4.97=VATES-S2827001E,OU=SELLO MINISTERIO DE SANIDAD CERTIFICACION COVID19,OU=SELLO ELECTRONICO,2.5.4.5=S2827001E,CN=SELLO MINISTERIO DE SANIDAD CERTIFICACION COVID19
CN=DSC_FR_015,OU=120036017,O=DGS,C=FR
CN=Grand Duchy of Luxembourg DS DCC 2,O=Ministry of Health,C=LU
C=ES,O=GENERALITAT VALENCIANA,2.5.4.97=VATES-S4611001A,OU=CONSELLERIA DE SANITAT UNIVERSAL I SALUT PÚBLICA,OU=SELLO ELECTRONICO,2.5.4.5=S4611001A,CN=GENERALITAT VALENCIANA
C=PL,O=Ministry of Health,OU=eHealth Centre,CN=Poland Vaccination DGC Service 1
CN=Todistuspalvelu,2.5.4.5=1.2.246.556.12.21.2,OU=Kanta,O=Kansanelakelaitos,L=Helsinki,ST=Finland,C=FI
C=ES,O=Servicio Extremeño de Salud,2.5.4.97=VATES-Q0600413I,OU=SSII,OU=SELLO ELECTRONICO,2.5.4.5=Q0600413I,CN=Servicio Extremeño de Salud
C=ES,O=Principado de Asturias,2.5.4.97=VATES- S3333001J,OU=SELLO ELECTRONICO,2.5.4.5=S3333001J,CN=Consejería de Salud del Principado de Asturias
ST=Berlin,2.5.4.5=CSM026413860,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=Grand Duchy of Luxembourg DS DCC 3,O=Ministry of Health,C=LU
CN=Grand Duchy of Luxembourg DS DCC 1,O=Ministry of Health,C=LU
ST=Berlin,2.5.4.5=CSM026413897,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=ES,O=GERENCIA REGIONAL DE SALUD DE CASTILLA Y LEON,2.5.4.97=VATES- Q4700608E,OU=GERENCIA REGIONAL DE SALUD DE CASTILLA Y LEON,OU=SELLO ELECTRONICO,2.5.4.5=Q4700608E,CN=GERENCIA REGIONAL DE SALUD CASTILLA Y LEÓN (SACYL)
ST=Berlin,2.5.4.5=CSM026382968,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DCC Signer,2.5.4.97=202100-6552,O=Swedish eHealth Agency,C=SE
C=ES,O=Ministerio de Defensa,2.5.4.97=VATES-S2830001J,OU=Inspección General de Sanidad de la Defensa,OU=SELLO ELECTRONICO,2.5.4.5=S2830001J,CN=Inspección General de Sanidad de la Defensa
C=ES,O=CIUDAD AUTÓNOMA DE MELILLA,2.5.4.97=VATES-S7900010E,OU=DIRECCIÓN GENERAL DE LA SOCIEDAD DE LA INFORMACIÓN,OU=SELLO ELECTRONICO,2.5.4.5=S7900010E,CN=SELLO ELECTRONICO DE LA CIUDAD AUTÓNOMA DE MELILLA
CN=BSC,O=Ministerul Sanatatii,C=RO
CN=DSC_FR_024,OU=180035024,O=CNAM,C=FR
C=ES,O=Servicio Canario de la Salud,2.5.4.97=VATES-Q8555011I,OU=Secretaría General del Servicio Canario de la Salud,OU=SELLO ELECTRONICO,2.5.4.5=Q8555011I,CN=Secretaría General del Servicio Canario de la Salud
CN=DSC HN EU 2,O=Norwegian Institute of Public Health,C=NO
ST=Berlin,2.5.4.5=CSM026460099,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
OU=Health and Welfare Information Systems Centre,O=Estonia,C=EE,2.5.4.5=02-2021,CN=02-2021_DCC
CN=grnet.gr,C=GR
ST=Berlin,2.5.4.5=CSM026382913,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
C=PL,O=Ministry of Health,OU=eHealth Centre,CN=Poland Test DGC Service 1
C=IS,O=Directorate of Health,OU=Directorate of Health,2.5.4.5=1,CN=IS-DSC-1
ST=Berlin,2.5.4.5=CSM026413541,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026413693,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
ST=Berlin,2.5.4.5=CSM026383107,2.5.4.97=DT:DE-3023531445,STREET=Nordufer 20,2.5.4.17=13353,L=Berlin,CN=Robert Koch-Institut,OU=Elektronischer Impfnachweis,O=Robert Koch-Institut,C=DE
CN=DSC_FR_021,OU=180035024,O=CNAM,C=FR

References

Electronic Health Certificates, define the CWT and its encoding
Digital Covid Certificate JSON Schema, the payload of the CWT
Python code for signing and verifying HC1
Technical Specifications for Digital Green Certificates Volume 1
Technical Specifications for Digital Green Certificates Volume 2, European Digital Green Certificate Gateway
Technical Specifications for Digital Green Certificates Volume 3, Interoperable 2D Code
Technical Specifications for EU Digital COVID Certificates JSON Schema Specification
Value Sets for Digital Green Certificates
eHealth and COVID-19
TousAntiCovid Verif Android, source code
TousAntiCovid Verif iOS, source code
Base 45 draft
RFC8392, CBOR Web Token (CWT)
RFC8152, CBOR Object Signing and Encryption (COSE)
RFC7049, Concise Binary Object Representation (CBOR)
Pass sanitaire : existe-t-il une «liste noire» des QR codes frauduleux ?