Lock service for a certificate generated by an ID token

2015 
The invention relates to a method for checking the validity of a certificate (167) generated by an ID token (106) of a user (102) for a security token (156) of the same user (102). The ID token (106) has a protected storage area (183) in which at least a first private key (182) is stored, and the ID token (106) is associated with a certificate (103) of a document PKI (300). A certificate (160) of an authorization PKI (302) is associated with the security token (156) and stored on it. The security token (156) also stores at least a first sector-specific identifier (304), which is derived from the first private key (182) of the ID token (106) and the public sector key (176) of the security token (156). The certificate (160) of the authorization PKI (302) contains a public sector key (176) that is associated with one of a plurality of predefined sectors and is identical for all security tokens of the same sector. The certificate (167) generated by the ID token (106) is derived from the certificate (103) of the document PKI (300), is stored on the security token (156), and contains the public sector key (176) or a value cryptographically derived from it. The method comprises:
- performing a first database query of a first lock database (318) by a first check computer system (310) to determine the lock status of the ID token (106), the first lock database (318) being configured to return the lock status of the ID token (106);
- generating, by the first check computer system (310), a first test signal indicating the result of the first database query;
- performing a second database query of a second lock database (328) by a second check computer system (320) to determine the revocation status of the generated certificate (167), the second lock database (328) being configured to return the revocation status of the generated certificate (167);
- generating, by the second check computer system (320), a second test signal indicating the result of the second database query;
- generating a validity signal indicating the validity of the generated certificate (167) on condition that the first test signal indicates that the ID token (106) is not locked and the second test signal indicates that the generated certificate (167) is not revoked.
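As an added illustration, not the patent's own code, the following Python model walks through the two-stage check above: revoking one generated certificate affects only that certificate, while locking the ID token invalidates every certificate it issued. It assumes a Diffie-Hellman style derivation for the sector-specific identifier, a first lock database keyed by the ID token's document-PKI certificate reference, and a second keyed by a fingerprint of the generated certificate; all keys and identifiers are constructed.

```python
import hashlib

# Toy Diffie-Hellman group for the sector-specific identifier (constructed; not production parameters).
P = 2**255 - 19
G = 2


def sector_specific_identifier(id_token_private_key: int, public_sector_key: int) -> str:
    """Identifier (304) stored on the security token, derived from the ID token's private key (182)
    and the public sector key (176). A DH-style derivation is an assumption of this example."""
    shared = pow(public_sector_key, id_token_private_key, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()


def generated_certificate(doc_cert_id: str, public_sector_key: int, sector: str) -> dict:
    """Certificate (167) the ID token issues for the security token: carries the public sector key
    and a reference to the document PKI certificate (103) it was derived from."""
    cert = {"issuer_doc_cert": doc_cert_id, "sector": sector, "public_sector_key": public_sector_key}
    cert["fingerprint"] = hashlib.sha256(repr(sorted(cert.items())).encode()).hexdigest()
    return cert


def first_test_signal(doc_cert_id: str, id_token_lock_db: set) -> bool:
    """First check computer system (310): True means the ID token is not locked."""
    return doc_cert_id not in id_token_lock_db


def second_test_signal(cert: dict, cert_lock_db: set) -> bool:
    """Second check computer system (320): True means the generated certificate is not revoked."""
    return cert["fingerprint"] not in cert_lock_db


def validity_signal(cert: dict, id_token_lock_db: set, cert_lock_db: set) -> bool:
    """Validity is asserted only when both test signals report 'not locked'."""
    return first_test_signal(cert["issuer_doc_cert"], id_token_lock_db) and second_test_signal(cert, cert_lock_db)


def demo() -> dict:
    """Constructed walk-through: one ID token issuing certificates for two sectors."""
    id_token_priv = 0x1234_5678_9ABC_DEF0                                   # toy private key (182)
    sector_pub = {"health": pow(G, 0x1F3, P), "finance": pow(G, 0x2A7, P)}  # toy sector keys (176)
    certs = {s: generated_certificate("doc-cert-103", k, s) for s, k in sector_pub.items()}
    sids = {s: sector_specific_identifier(id_token_priv, k) for s, k in sector_pub.items()}
    id_lock_db, cert_lock_db = set(), set()
    out = {"fresh": validity_signal(certs["health"], id_lock_db, cert_lock_db)}
    cert_lock_db.add(certs["health"]["fingerprint"])                        # revoke only the health certificate
    out["health_after_cert_revoked"] = validity_signal(certs["health"], id_lock_db, cert_lock_db)
    out["finance_after_cert_revoked"] = validity_signal(certs["finance"], id_lock_db, cert_lock_db)
    id_lock_db.add("doc-cert-103")                                          # lock the ID token itself
    out["finance_after_token_locked"] = validity_signal(certs["finance"], id_lock_db, cert_lock_db)
    out["identifiers_differ_per_sector"] = sids["health"] != sids["finance"]
    return out
```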