So, the Polish government has recently added certificate-based auth to the national invoicing system because it’s supposed to be secure, I guess.
There’s the right way of generating certificates for client auth: using CSRs.
Then there’s the one where the certificate issuer retains the ability to steal the issued identity.
Guess which one the developers went with?
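As an added example (not code from the original post or from the invoicing system), here is the CSR flow using only Go's standard library: the client generates and keeps its private key, and the issuer receives nothing but a self-signed request, so it can verify proof of possession and sign the public key without ever being able to act as the client. The issuer, the function names and the "client-1" subject are constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check and mustParse panic on error: fine for an example, not for real enrollment code.
func check(err error) { if err != nil { panic(err) } }
func mustParse(der []byte, err error) *x509.Certificate { check(err); c, err := x509.ParseCertificate(der); check(err); return c }

// NewCA builds a throwaway self-signed issuer (constructed for this example, not a real CA).
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuer"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return caKey, mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
}

// EnrollWithCSR is the CSR flow: the client generates and keeps its key pair; the CA receives only
// a self-signed request, verifies proof of possession, and signs the public key. The issuer never
// holds the private key, so it cannot later authenticate as the client.
func EnrollWithCSR(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // client side: key never leaves
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, clientKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER) // CA side: only subject and public key arrive
	check(err)
	check(csr.CheckSignature()) // the requester proved it holds the matching private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return clientKey, mustParse(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
}

func main() {
	caKey, caCert := NewCA()
	clientKey, cert := EnrollWithCSR(caKey, caCert, "client-1")
	fmt.Println("certificate carries the client's own key:", clientKey.PublicKey.Equal(cert.PublicKey))
}
```

The contrasting flow, where the issuer generates the key pair itself and hands the client a bundle, leaves the issuer with a copy of the private key; nothing in the certificate later reveals which of the two flows was used, so the check has to happen at enrollment.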