10/15/2025 · 3 min read
EuroCert.al — A Live Certificate Verification Platform That Made ISO Fraud Nearly Impossible
How I built a full-stack certificate verification system with cryptographic tokens, QR scanning, and bilingual UI for an Albanian certification body.
The problem
Every year, thousands of companies receive ISO certifications. And every year, thousands of fake ones circulate undetected. Suppliers lie, documents get forged, auditors get fooled, and businesses make critical decisions based on certificates that mean nothing.
The certification body I worked with was watching their authentic certificates get cloned and resold. They had no way to prove which were real. Every dispute became their problem.
A well-designed forged certificate takes about 20 minutes to make. They needed a system to expose it in 2 seconds.
What I built
EuroCert is a full-stack certificate verification platform that makes ISO fraud nearly impossible.
The verification flow:
- Every issued certificate gets a unique 256-bit cryptographic token
- A QR code is embedded directly into the printed certificate PDF
- Anyone (client, partner, auditor) can scan it and instantly verify authenticity
- The system returns the full certificate details: company, ISO standards covered, scope, dates, issuer
- No login required. No friction. Just truth.
Supports 7 ISO standards: ISO 9001, 14001, 45001, 27001, 22000, 13485, and 50001.
Bilingual UI: Full Albanian + English support, switchable on every page.
Production-grade security:
- CSRF protection on every form
- bcrypt password hashing (12 rounds)
- Rate limiting on the verification endpoint (prevents token enumeration)
- Prepared statements throughout (SQL injection prevention)
- Input sanitization at every layer
- Encrypted token storage
The hardest part
The hardest technical decision wasn't the cryptography — it was the token format. I needed something that:
- Was short enough to fit on a printed certificate's QR code
- Couldn't be guessed or enumerated
- Couldn't collide even with millions of issued certificates
- Could be quickly verified server-side without expensive lookups
I landed on a 256-bit token, base64-encoded, with the first 8 characters used as a database index for fast lookup. Verification is O(1) — under 50ms even with millions of records.
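To make the token scheme concrete, here is an added sketch of issue-and-verify in the post's own PHP + PDO stack; it is my example, not the EuroCert code, and it assumes an in-memory SQLite table (standing in for the MySQL schema), a SHA-256 digest of the token in the `token_hash` column (the post only says storage is encrypted), and a `certificates` table whose column names are invented here.

```php
<?php
// Added example (not EuroCert's code): 256-bit base64url tokens with an
// 8-character indexed prefix, prepared statements, and constant-time compare.
declare(strict_types=1);

// 32 random bytes = 256 bits; base64url keeps the QR payload short and URL-safe.
function generateToken(): string {
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

// The first 8 base64 characters (48 bits) form the indexed lookup key.
function tokenPrefix(string $token): string {
    return substr($token, 0, 8);
}

function setupSchema(PDO $db): void {   // assumed schema, SQLite for portability
    $db->exec('CREATE TABLE certificates (id INTEGER PRIMARY KEY,
        token_prefix CHAR(8) NOT NULL, token_hash CHAR(64) NOT NULL,
        company TEXT NOT NULL, standard TEXT NOT NULL, expires_on TEXT NOT NULL)');
    $db->exec('CREATE INDEX idx_prefix ON certificates (token_prefix)');
}

// Issue: persist the prefix plus a SHA-256 digest of the token (assumption:
// hashing at rest stands in for the encrypted storage the post describes).
function issueCertificate(PDO $db, string $company, string $standard, string $expires): string {
    $token = generateToken();
    $stmt = $db->prepare('INSERT INTO certificates (token_prefix, token_hash, company,
        standard, expires_on) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([tokenPrefix($token), hash('sha256', $token), $company, $standard, $expires]);
    return $token;
}

// Verify: validate shape first, look up by indexed prefix with a prepared
// statement, then compare the full digest in constant time (no timing leak).
function verifyCertificate(PDO $db, string $token): ?array {
    if (!preg_match('/^[A-Za-z0-9_-]{43}$/', $token)) {
        return null;                          // malformed: never touches the DB
    }
    $stmt = $db->prepare('SELECT token_hash, company, standard, expires_on
        FROM certificates WHERE token_prefix = ?');
    $stmt->execute([tokenPrefix($token)]);
    $digest = hash('sha256', $token);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (hash_equals($row['token_hash'], $digest)) {
            unset($row['token_hash']);
            return $row;                      // public details, no login required
        }
    }
    return null;                              // unknown token: same path, same cost
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$token = issueCertificate($db, 'Example Shpk', 'ISO 9001', '2027-10-15'); // constructed data
var_dump(verifyCertificate($db, $token));
var_dump(verifyCertificate($db, substr($token, 0, 42) . 'x')); // tampered last character
```

The prefix lookup is what keeps verification fast; the `hash_equals` step is what keeps a near-miss token from being distinguishable by response time.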
The stack and why
I chose PHP + MySQL intentionally over a "modern" Node.js setup. The client's existing infrastructure ran on cPanel, the team would maintain it long-term, and PHP's deployment story on shared hosting is unmatched. Sometimes the best choice is the boring one.
For the frontend I used vanilla JavaScript + Bootstrap. No SPA. No client-side routing. Every page renders server-side, ships less than 30KB of JavaScript total, and works perfectly on slow connections — which matters when verifying a certificate from a factory floor with poor wifi.
Outcome
The platform is live and being used today at eurocert.al. Anyone can scan a EuroCert-issued QR code and verify a certificate in 2 seconds.
What surprised me most during development: most certification bodies still use PDFs, paper stamps, and email threads to manage this. No central verification. No audit trail. The gap between current practice and what's actually possible is embarrassing — and fixable.
What I'd do differently
If I built v2 today, I'd:
- Move to a serverless architecture for the verification endpoint (it's read-heavy, cache-friendly)
- Add a public API so partners could verify certificates programmatically
- Build a mobile app for inspectors who need to verify certificates offline
But for v1, the constraint was "ship something that works in production with the client's existing infrastructure." That constraint produced the right architecture.