Link to tool for the removal of these certificates from the Windows Certificate Store: Cert Clean Tool (Right click: Open in new tab).
Link to tool for the removal of these certificates from the Windows Certificate Store: Cert Clean Tool MSI (Right click: Open in new tab).
Script to run on macOS:
#!/bin/bash
## Remove all root-signed Belgian root CAs from the keychains, using the default search list
security delete-certificate -Z CFFA9C01EC59C29E718D0DD0EF5479F09B51C95780AFB7BD69D3C8054AFE4D28
security delete-certificate -Z F75A4D49A52B043FC7324B8F263AC8A9B7BD22A328868588BDFC937D3C396EB6
security delete-certificate -Z 8460CCAEA91B0E805AB51C7CD46DDF2E8C1C494806D88B1FE2ED313D1D487E2E
echo "certclean script completed"
Due to a policy change enforced by the CA/B Forum (browser community and CAs), the Belgian Root CA 2, 3 and 4 will no longer be automatically trusted by the browsers. We’ve been allowed until November 6th 16h to take mitigating actions.
We wish to emphasize that these certificates are not part of the certificate chain on the eID.
Although this change should not impact the use of eID, side effects are possible depending on the end user configuration and browser behaviour.
To mitigate these potential side effects, the following certificates need to be removed from the “certificate stores” of the operating system (Windows, Mac, ...) and the Firefox browser (which has its own certificate store):
https://crt.sh/?id=6665598 Belgium Root CA4 -> Cybertrust Global Root, serial #: 04:00:00:00:00:01:41:a1:e1:3d:26
https://crt.sh/?id=4275055 Belgium Root CA3 -> Cybertrust Global Root, serial #: 04:00:00:00:00:01:41:a1:e1:39:3e
https://crt.sh/?id=2999247 Belgium Root CA2 -> Cybertrust Global Root, serial #: 04:00:00:00:00:01:41:a1:e1:34:ba
It is sufficient, as of November 5th, to install the latest version of the eID Middleware and to retry your login.
Manually deleting these certificates also resolves the issue. Firefox users need to delete these certificates from the Firefox certificate store after installing the latest version of the eID Middleware.
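As an added example (not a tool from this notice or from the eID project), the following Python script checks a directory of certificate files exported from a store (Windows, macOS keychain or Firefox; PEM or DER) for the three certificates listed above, matching on their serial numbers, and reports the SHA-256 fingerprint of each hit so it can be cross-checked against the hashes used by the macOS script. The minimal DER walker, the file layout and the constructed sample certificates are assumptions of the example; the sample "certificates" carry only a version and a serial number and are not valid certificates.

```python
"""Check exported certificate files (PEM or DER) for the three cross-signed
Belgian root certificates listed in the notice, matching on serial number.
Added example; the DER walker reads only as far as TBSCertificate.serialNumber."""
import base64
import hashlib
import os
import re
import sys

# Serial numbers exactly as given in the notice (issuer: Cybertrust Global Root).
TARGET_SERIALS = {
    "04:00:00:00:00:01:41:a1:e1:3d:26": "Belgium Root CA4",
    "04:00:00:00:00:01:41:a1:e1:39:3e": "Belgium Root CA3",
    "04:00:00:00:00:01:41:a1:e1:34:ba": "Belgium Root CA2",
}

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def certificate_serial(der):
    """Return serialNumber of a DER X.509 certificate as 'aa:bb:...' (lowercase)."""
    tag, pos, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)  # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate missing")
    tag, start, end = _read_tlv(der, pos)  # [0] EXPLICIT version, if present
    if tag == 0xA0:
        tag, start, end = _read_tlv(der, end)  # serialNumber ::= INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex(":")


def load_certificates(data):
    """Yield DER blobs: every PEM block in data, or data itself if it is DER."""
    pems = _PEM_RE.findall(data)
    if not pems:
        yield data
    for body in pems:
        yield base64.b64decode(b"".join(body.split()))


def find_flagged(data):
    """Return [(name, serial, sha256_hex)] for each flagged certificate in data.
    The SHA-256 of the DER is the value `security delete-certificate -Z` takes."""
    hits = []
    for der in load_certificates(data):
        serial = certificate_serial(der)
        name = TARGET_SERIALS.get(serial)
        if name:
            hits.append((name, serial, hashlib.sha256(der).hexdigest().upper()))
    return hits


def scan_directory(path):
    """Map file path -> hits for every parseable certificate file under path."""
    report = {}
    for root, _, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            try:
                hits = find_flagged(data)
            except (ValueError, IndexError):
                continue  # not a certificate file (binascii.Error is a ValueError)
            if hits:
                report[full] = hits
    return report


# --- constructed sample input (NOT real certificates) -------------------------
def _der(tag, body):
    """Encode one DER TLV; long-form lengths are handled for completeness."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_sample_certificate(serial_hex):
    """Build a Certificate-shaped DER carrying only version and serial so the
    parser can be exercised offline; this is a constructed, invalid certificate."""
    serial = bytes.fromhex(serial_hex.replace(":", ""))  # first byte must be < 0x80
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    """Wrap a DER blob in PEM armour (encodebytes inserts the 76-column breaks)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for path, hits in scan_directory(sys.argv[1]).items():
        for name, serial, fp in hits:
            print(f"{path}: {name} serial={serial} sha256={fp}")
```

Run it with the path of a folder holding certificates exported from the store under review; a hit names which of the three certificates is still present, and the printed SHA-256 should equal one of the `-Z` values in the macOS script when the file is the genuine certificate. Matching on the serial number rather than on the subject name is deliberate: the subject name is shared with the Belgian roots that remain trusted, whereas the serial numbers in the notice identify exactly the three cross-signed copies.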
Companies may need to ask their IT department to push the eID Middleware to the PCs.
If your application relies on eID authentication without making use of the FAS (Federal Authentication Service), we ask that you verify your application and take corrective actions.
We are working on the tools to automatically delete these certificates from the stores and will notify you once they are published.