ICP-Brasil — architecture
Technical and institutional topology of ICP-Brasil. ITI operates the AC Raiz (Root CA); level 1 and 2 ACs issue certificates to holders; ARs identify holders in person (or via approved videoconference).
Institutional hierarchy
┌────────────────────────────────┐
│ ICP-Brasil Steering Committee │ ← Decree 3.996/2001
│ (CG-ICP, Casa Civil) │ defines standards
└──────────────┬─────────────────┘
│
┌──────────────▼─────────────────┐
│ ITI — AC Raiz │ ← Federal autarchy
│ AC Raiz V5 / V10 (current) │ operates offline HSM
└──────────────┬─────────────────┘
│
┌─────────────────────┼──────────────────────┐
▼ ▼ ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Level 1 AC │ │ Level 1 AC │ … │ Level 1 AC │ ← each is a legal
│ (e.g. Serpro)│ │ (Serasa) │ │ (Soluti) │ entity, accredited
└───────┬───────┘ └───────┬───────┘ └───────┬───────┘
│ │ │
┌────┴────┐ ┌────┴────┐ ┌────┴────┐
▼ ▼ ▼ ▼ ▼ ▼
┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐
│ AC2 │ │ AC2 │ │ AC2 │ │ AC2 │ │ AC2 │ │ AC2 │ ← specialized sub-CAs
└──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘ (e-CPF / e-CNPJ / NF-e)
│ │ │ │ │ │
▼ ▼ ▼ ▼ ▼ ▼
AR (Registration Authorities)
│
▼
Holders (individuals + legal entities)Active level 1 ACs (≈2026)
Full list at iti.gov.bricp-brasilestrutura.
Main ones by volume:
| Level 1 AC | Operator | Dominant specialty |
|---|---|---|
| AC Serpro | Serpro (government) | e-CPF/e-CNPJ for civil servants and agencies |
| AC Caixa | Caixa Econômica Federal | Banking, FGTS |
| AC Certisign | Certisign Certificadora | General market, corporate e-CNPJ |
| AC SERASA-Experian | Serasa Experian | Mass market, retail |
| AC Soluti | Soluti Net (Valid today) | Digital retail, remote A1 |
| AC Bry | Bry Tecnologia | Remote A1, SaaS integration |
| AC Imprensa Oficial SP | Imprensa Oficial-SP | SP state |
| AC Notarial | Anoreg-BR | Notary offices |
| AC Boa Vista | Boa Vista Serviços | Market |
| AC PRODEMGE | Prodemge (MG state) | MG civil servants and citizens |
| AC SOLUTI Múltipla | Valid/Soluti | Remote A1 operation at scale |
AC Raiz ICP-Brasil — keys
Periodically, the ITI holds a public ceremony to generate a new root. History:
- V1, V2, V3, V4 — discontinued
- V5 — RSA-4096; certificates issued through ~2023
- V10 — RSA-4096 — current; ceremony in 2023, valid through 2034 with a 2031–2034 transition
Distribution: Mozilla NSS, Microsoft Windows Update, Apple, and Java cacerts include the AC Raiz ICP-Brasil. Linux distros include it via ca-certificates.
Cross-signing with a commercial root program does not exist — ICP-Brasil is a chain parallel to the public TLS trust store. An ICP-Brasil cert is not automatically accepted as a TLS cert for a web site (and vice versa). They serve disjoint purposes: ICP is "digital signature with legal value"; public TLS is "web server authentication".
ICP-Brasil chain validation
An application validating an ICP signature needs to:
- Load the ICP-Brasil chain bundle — all level 1 and 2 ACs + root. The ITI publishes it at acraiz.icpbrasil.gov.brcredenciadasCertificadosAC.
- Build the path from the signer's cert up to the root.
- Check revocation via LCR (Lista de Certificados Revogados, equivalent to a CRL) — each AC publishes at
acraiz.icpbrasil.gov.br/LCR/…. OCSP is optional in ICP-Brasil (present, but less reliable than the LCR for LTV). - Check policy OIDs — each type (A1, A3, A4, e-CPF, e-CNPJ) has a specific OID in the
2.16.76.1.…namespace.
Common pitfalls in client applications
- Stale bundle: ACs come and go; the chain bundle must be updated monthly. Libraries such as BryToolbox automate this.
- Heavy LCR: some ICP LCRs exceed 100 MB. Local caching is mandatory; do incremental re-download via
nextUpdate. - Rare OCSP: it exists but not every AC operates it. It cannot be trusted as a single source.
- Non-LDAP-clean DN: holder names use UTF-8 parsing + Brazil-specific profiles.
OU=CPF=...:..., etc. Spec in DOC-ICP-04. - Timestamp via ACT: for LTVarchival, embed a timestamp from an accredited ACT (Authority of Certification of Time) — see `08-timestamping` (planned).
Implications for Koder
If a Koder product is to read/validate an ICP-Brasil signature (typical case: receiving a signed PDF to attach to a case file):
- Embed an up-to-date ICP bundle in the product (monthly auto-update).
- Use an off-the-shelf lib — DSS (Java) or Lacuna RestPKI (proprietary, REST). In Go/Dart the ecosystem is weaker; likely an FFI bridge or a Go service wrapping DSS.
- Never implement ICP-Brasil DN parsing from scratch — use a lib that already handles the
OID 2.16.76.1.3.xprofiles.
If the goal is to issue ICP-Brasil certs: see 03-legislation/01-brazil-mp-2200-2.kmd §"Implications for Koder products" — becoming an AC is expensive; the common path is partnership with an existing AC via API.