Logo of the Belgian Federal Authorities
Download and install the eID software for electronic identity

IMPORTANT NOTICE CONCERNING PUBLIC TRUST

Update 5/11/2020:

Link to tool for the removal of these certificates from the Windows Certificate Store:  Cert Clean Tool (Right click: Open in new tab).

Link to tool for the removal of these certificates from the Windows Certificate Store:  Cert Clean Tool MSI (Right click: Open in new tab).

Script to run on MacOS:

#!/bin/bash
## Remove all root signed Belgian root CA's from the keychains, using the default search list

security delete-certificate -Z CFFA9C01EC59C29E718D0DD0EF5479F09B51C95780AFB7BD69D3C8054AFE4D28
security delete-certificate -Z F75A4D49A52B043FC7324B8F263AC8A9B7BD22A328868588BDFC937D3C396EB6
security delete-certificate -Z 8460CCAEA91B0E805AB51C7CD46DDF2E8C1C494806D88B1FE2ED313D1D487E2E

echo "certclean script completed"

3/11/2020:

Due to a policy change enforced by the CA/B forum (browser community and CA’s), the Belgian Root CA 2,3 and 4 will no longer be automatically trusted by the browsers. We’ve been allowed until November 6th 16h to take mitigating actions.

We wish to emphasize that these certificates are not part of the certificate chain on the eID.

Although this change should not impact the use of eID, side effects are possible depending on the end user configuration and browser behaviour.

To mitigate these potential side effects, the following certificates need to be removed from the “certificate stores” of the operating system (Windows, Mac, ...) and the Firefox browser (which has its own certificate store):

https://crt.sh/?id=6665598 BelgiumRootCA4 -> CybertrustGlobalRoot, serial #: 04:00:00:00:00:01:41:a1:e1:3d:26 

https://crt.sh/?id=4275055 BelgiumRootCA3 -> CybertrustGlobalRoot, serial #: 04:00:00:00:00:01:41:a1:e1:39:3e 

https://crt.sh/?id=2999247 BelgiumRootCA2 -> CybertrustGlobalRoot, serial #: 04:00:00:00:00:01:41:a1:e1:34:ba 

It is sufficient, as of November 5th, to install the latest version of the eID Middleware and to retry your login.

Manually deleting these certificates also resolves the issue. Firefox-user need to delete these certificates from the certificate store, after installing the latest version of the eID Middleware.

Companies may need to ask their IT department to push the eID Middleware to the PC’s.

If your application relies on eID authentication without making use of the FAS (Federal Authentication Service), we ask that you verify your application and take corrective actions.

We are working on the tools to automatically delete these certificates from the stores and will notify you once they are published.