Belgium eID card login broken - CyberTrust root expired

Belgium eID card identification apps failed after 15.12.2021 due to an expired Cybertrust Global Root certificate. Update trust settings to include "Belgium Root CA4" and "Belgium Root CA3".

17 Dec, 2021
2 May, 2025

Since 15.12.2021, many Belgium eID card identification applications suddenly stopped working.

Debugging the Issue

If you have debugging enabled in your Apache vhost, the error.log might contain the following:

[Thu Dec 16 15:13:20.937279 2021] [ssl:debug] [pid 3262729] ssl_engine_kernel.c(1764): 
[client 1.2.3.4:61752] AH02275: Certificate Verification, depth 3, CRL checking mode: none (0) 
[subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 
/notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]

[Thu Dec 16 15:13:20.937341 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61752] 
AH02276: Certificate Verification: Error (10): certificate has expired 
[subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 
/ notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
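
An added example, not part of the original article: a Python scan of error.log for AH02276 failures that flags an expired self-signed root, which separates a truststore problem from a problem with the user's card. The function names and the third log entry are constructed for illustration.

```python
import re
from datetime import datetime

# The two AH0227x entries are the ones quoted in the article, re-joined onto
# single lines as Apache writes them. The last entry is constructed for contrast.
SAMPLE_LOG = r"""
[Thu Dec 16 15:13:20.937279 2021] [ssl:debug] [pid 3262729] ssl_engine_kernel.c(1764): [client 1.2.3.4:61752] AH02275: Certificate Verification, depth 3, CRL checking mode: none (0) [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 /notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
[Thu Dec 16 15:13:20.937341 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61752] AH02276: Certificate Verification: Error (10): certificate has expired [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
[Thu Dec 16 15:14:02.000000 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61753] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=Example Leaf / issuer: CN=Example CA / serial: 01 / notbefore: Jan  1 00:00:00 2021 GMT / notafter: Jan  1 00:00:00 2031 GMT]
"""

# AH02276 is logged at ssl:info: "Error (<code>): <reason> [subject: ... ]"
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?AH02276: Certificate Verification: "
    r"Error \((?P<code>\d+)\): (?P<reason>.*?) "
    r"\[subject: (?P<subject>.*?) / issuer: (?P<issuer>.*?) / serial: (?P<serial>\w+)"
    r"\s*/\s*notbefore: (?P<nb>.*?)\s*/\s*notafter: (?P<na>.*?)\]\s*$"
)
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify error code shown in the log


def find_verify_failures(log_text):
    """Return one dict per AH02276 client-certificate verification failure."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # AH02275 debug lines and unrelated entries are skipped
        seen = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        not_after = datetime.strptime(m["na"], "%b %d %H:%M:%S %Y GMT")
        findings.append({
            "code": int(m["code"]),
            "reason": m["reason"],
            "subject": m["subject"],
            "serial": m["serial"],
            # subject == issuer: a self-signed root, i.e. a trust anchor
            "self_signed_root": m["subject"] == m["issuer"],
            # log time is server-local, notAfter is GMT: coarse comparison only
            "expired_at_log_time": seen > not_after,
        })
    return findings


def expired_trust_anchors(findings):
    """Subjects of expired self-signed roots: fix the truststore, not the card."""
    return sorted({f["subject"] for f in findings
                   if f["code"] == X509_V_ERR_CERT_HAS_EXPIRED and f["self_signed_root"]})
```

Calling `expired_trust_anchors(find_verify_failures(SAMPLE_LOG))` returns only the Cybertrust Global Root subject; the constructed error 20 entry is parsed but not reported as an expired root.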

Why Did This Happen?

Affected integrations were based on Client Certificate Authentication, also called mTLS. In this setup:

  • The web server requests the browser to present a certificate to authenticate the user.
  • The certificate is read from the Belgium eID smart card.
  • The TLS handshake is signed using the private key stored on the smart card.

Cross-Signed Certificates and Hidden Root

Belgium eID card public certificates are cross-signed, meaning they have two issuers. For example, examine the certificate at:

http://certs.eid.belgium.be/citizen202002.crt

You will find two issuers:

  • CN=Cybertrust Global Root
  • CN=Belgium Root CA4

However, in the actual certificate, Cybertrust may not even be listed. Using openssl:

$ openssl x509 -in citizen202002.pem -text -noout

Output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4b:14:5d:e3:c0:ac:6b:75:fa:12:c1:bb:ae:5d:40:9f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, CN = Belgium Root CA4
        Validity
            Not Before: Oct 22 10:00:00 2019 GMT
            Not After : Jun 22 10:00:00 2031 GMT
        Subject: C = BE, L = Brussels, O = Certipost N.V./S.A., CN = Citizen CA, serialNumber = 202002

How to Fix Belgium eID Card Login

If you set up Client Certificate Authentication and used the OS-provided truststore, it likely trusted the Cybertrust Global Root, and everything worked fine — until the Cybertrust certificate expired.

To fix this, update your trust settings to include the following root certificates:

  • Belgium Root CA4
  • Belgium Root CA3

Download them from:
https://repository.eid.belgium.be/certificates.php?cert=Root&lang=en

For instructions on how to import a trusted root certificate to your system, see:
https://eideasy.com/import-new-trusted-root-ca-certificate/
