Due to a policy change enforced by the CA/B forum (browser community and CA’s), the Belgian Root CA 2,3 and 4 will no longer be automatically trusted by the browsers. We’ve been allowed until November 6th 16:00 to take mitigating actions.
We wish to emphasize that these certificates are not part of the certificate chain on the eID.
Although this change should not impact the use of eID, side effects are possible depending on the end user configuration and browser behaviour.
To mitigate these potential side effects, the following certificates need to be removed from the “certificate stores” of the operating system (Windows, Mac, ...) and the Firefox browser (which has its own certificate store):
https://crt.sh/?id=6665598 Belgium Root CA4 -> Cybertrust Global Root, serial #: 04:00:00:00:00:01:41:a1:e1:3d:26
https://crt.sh/?id=4275055 Belgium Root CA3 -> Cybertrust Global Root, serial #: 04:00:00:00:00:01:41:a1:e1:39:3e
https://crt.sh/?id=2999247 Belgium Root CA2 -> Cybertrust Global Root, serial #: 04:00:00:00:00:01:41:a1:e1:34:ba
It is sufficient, as of November 5th, to install the latest version of the eID Middleware (on eid.belgium.be) and to retry your login.
Manually deleting these certificates also resolves the issue. Firefox-user need to delete these certificates from the certificate store, after installing the latest version of the eID Middleware.
Companies may need to ask their IT department to push the eID Middleware to the PC’s.
If your application relies on eID authentication without making use of the FAS (Federal Authentication Service), we ask that you verify your application and take corrective actions.
We are working on the tools to automatically delete these certificates from the stores and will notify you once they are published.