Since 15.12.2021, many Belgium eID card identification applications suddenly stopped working.
Debugging the Issue
If you have debugging enabled in your Apache vhost, the error.log might contain the following:
[Thu Dec 16 15:13:20.937279 2021] [ssl:debug] [pid 3262729] ssl_engine_kernel.c(1764): [client 1.2.3.4:61752] AH02275: Certificate Verification, depth 3, CRL checking mode: none (0) [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
[Thu Dec 16 15:13:20.937341 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61752] AH02276: Certificate Verification: Error (10): certificate has expired [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
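The two log entries above already contain everything needed to identify the broken chain member. As an added example (not code from the original post), the following Python script parses Apache ssl:debug / ssl:info Certificate Verification lines of that shape and reports which certificate the server rejected as expired, flagging whether it is a self-signed root, which is the case that a truststore change (rather than a re-issued client certificate) fixes. The embedded log lines are constructed samples modelled on the ones above; the third line, an "unable to get local issuer certificate" error, is constructed for contrast, and the pid, client address and Citizen CA serial in it are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample log in the shape of the Apache error.log entries above.
# pid, client address and the Citizen CA serial are placeholders.
SAMPLE_LOG = r"""
[Thu Dec 16 15:13:20.937279 2021] [ssl:debug] [pid 3262729] ssl_engine_kernel.c(1764): [client 1.2.3.4:61752] AH02275: Certificate Verification, depth 3, CRL checking mode: none (0) [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
[Thu Dec 16 15:13:20.937341 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61752] AH02276: Certificate Verification: Error (10): certificate has expired [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
[Thu Dec 16 15:14:02.000000 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61760] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: C=BE,CN=Citizen CA,serialNumber=202002 / issuer: C=BE,CN=Belgium Root CA4 / serial: 4B145DE3C0AC6B75FA12C1BBAE5D409F / notbefore: Oct 22 10:00:00 2019 GMT / notafter: Jun 22 10:00:00 2031 GMT]
"""

# One Certificate Verification line (AH02275 debug or AH02276 error).
VERIFY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:(?P<level>\w+)\] .*?\[client (?P<client>[^\]]+)\] "
    r"(?P<code>AH\d+): Certificate Verification(?P<detail>[^\[]*)"
    r"\[subject: (?P<subject>.+?) / issuer: (?P<issuer>.+?) / serial: (?P<serial>\w+) "
    r"/\s*notbefore: (?P<notbefore>.+?) / notafter: (?P<notafter>.+?)\]$"
)
# The OpenSSL verify error embedded in an AH02276 line, e.g. "Error (10): certificate has expired".
ERROR_RE = re.compile(r"Error \((?P<errno>\d+)\): (?P<reason>.+?)\s*$")


def _parse_apache_ts(text):
    # "Thu Dec 16 15:13:20.937279 2021"; collapse the double space Apache uses for day padding
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S.%f %Y").replace(tzinfo=timezone.utc)


def _parse_x509_time(text):
    # "Dec 15 08:00:00 2021 GMT" as printed by OpenSSL (single-digit days are space padded)
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_verification_events(log_text):
    """Return one dict per Certificate Verification line, with parsed timestamps and error."""
    events = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = _parse_apache_ts(ev["ts"])
        ev["notbefore"] = _parse_x509_time(ev["notbefore"])
        ev["notafter"] = _parse_x509_time(ev["notafter"])
        err = ERROR_RE.search(ev.pop("detail"))
        ev["errno"] = int(err["errno"]) if err else None
        ev["reason"] = err["reason"].strip() if err else None
        ev["self_signed"] = ev["subject"] == ev["issuer"]  # root / trust anchor
        events.append(ev)
    return events


def expired_chain_members(log_text):
    """Certificates the server rejected as expired, one entry per serial.

    A cert counts as expired when OpenSSL said so (error 10) or when its notAfter
    is already behind the log timestamp, which catches the depth-3 debug line too."""
    seen = {}
    for ev in parse_verification_events(log_text):
        expired = ev["reason"] == "certificate has expired" or ev["notafter"] < ev["ts"]
        if expired and ev["serial"] not in seen:
            seen[ev["serial"]] = ev
    return [
        {"subject": e["subject"], "serial": e["serial"],
         "notafter": e["notafter"].isoformat(), "is_root": e["self_signed"]}
        for e in seen.values()
    ]


if __name__ == "__main__":
    for hit in expired_chain_members(SAMPLE_LOG):
        kind = "trust anchor (fix the truststore)" if hit["is_root"] else "chain member"
        print(f"{hit['subject']} serial {hit['serial']} expired {hit['notafter']}: {kind}")
```

Run it against a real error.log with `expired_chain_members(open("/var/log/apache2/error.log").read())` (path assumed); an `is_root` hit means the verification path ends at an expired anchor and no client-side certificate change will help.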
Why Did This Happen?
Affected integrations were based on Client Certificate Authentication, also called mTLS. In this setup:
- The web server requests the browser to present a certificate to authenticate the user.
- The certificate is read from the Belgium eID smart card.
- The TLS handshake is signed using the private key stored on the smart card.
Cross-Signed Certificates and Hidden Root
Belgium eID card public certificates are cross-signed, meaning the same CA subject has been signed by two different issuers, so two chains exist. For example, examining the certificate at:
http://certs.eid.belgium.be/citizen202002.crt
You will find two issuers:
- CN=Cybertrust Global Root
- CN=Belgium Root CA4
However, a single certificate file lists only one issuer, so Cybertrust may not appear in it at all. Using openssl:
$ openssl x509 -in citizen202002.pem -text -noout
Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4b:14:5d:e3:c0:ac:6b:75:fa:12:c1:bb:ae:5d:40:9f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, CN = Belgium Root CA4
        Validity
            Not Before: Oct 22 10:00:00 2019 GMT
            Not After : Jun 22 10:00:00 2031 GMT
        Subject: C = BE, L = Brussels, O = Certipost N.V./S.A., CN = Citizen CA, serialNumber = 202002
How to Fix Belgium eID Card Login
If you set up Client Certificate Authentication and used the OS-provided truststore, it likely trusted the Cybertrust Global Root, and everything worked fine — until the Cybertrust certificate expired.
To fix this, add the following root certificates to the truststore your server uses for client certificate verification:
- Belgium Root CA4
- Belgium Root CA3
Download them from:
https://repository.eid.belgium.be/certificates.php?cert=Root&lang=en
For instructions on how to import a trusted root certificate to your system, see:
https://eideasy.com/import-new-trusted-root-ca-certificate/
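To make the cross-signing point and the fix concrete, here is an added Python model (not the post's code and not the eID project's) of how a path validator chooses between the two issuers of the Citizen CA. It builds every chain from a client certificate up to a trust anchor, rejecting any member, anchor included, that has expired at validation time, and shows the three situations from this post: the OS truststore with only the Cybertrust Global Root before 15.12.2021 (works), the same truststore after that date (no valid path), and the truststore with Belgium Root CA4 added (the second chain is used). Names and the Cybertrust expiry date come from the post; the Belgium Root CA4 expiry, the Cybertrust-issued copy of the Citizen CA and the sample citizen certificate are constructed placeholders, and the validator is deliberately simplified (no signatures, no revocation, no name constraints).

```python
from datetime import datetime, timezone
from typing import NamedTuple


class Cert(NamedTuple):
    """Just enough of an X.509 certificate to build a path: no keys, no signatures."""
    subject: str
    issuer: str
    not_after: datetime


def utc(y, m, d, hh=0):
    return datetime(y, m, d, hh, tzinfo=timezone.utc)


# Names and the Cybertrust expiry come from the post; values marked "constructed"
# are placeholders for this model, not real certificate data.
CYBERTRUST_ROOT = Cert("CN=Cybertrust Global Root", "CN=Cybertrust Global Root", utc(2021, 12, 15, 8))
BELGIUM_ROOT_CA4 = Cert("CN=Belgium Root CA4", "CN=Belgium Root CA4", utc(2032, 1, 1))  # constructed expiry
# Cross-signing: one Citizen CA subject, two certificates, one per issuer.
CITIZEN_CA_VIA_CYBERTRUST = Cert("CN=Citizen CA,serialNumber=202002", "CN=Cybertrust Global Root",
                                 utc(2031, 6, 22, 10))  # constructed copy
CITIZEN_CA_VIA_BE_ROOT = Cert("CN=Citizen CA,serialNumber=202002", "CN=Belgium Root CA4",
                              utc(2031, 6, 22, 10))
SAMPLE_CITIZEN = Cert("CN=Sample Citizen (constructed)", "CN=Citizen CA,serialNumber=202002", utc(2030, 1, 1))


def build_paths(cert, pool, anchors, at, seen=frozenset()):
    """Return every path cert -> ... -> trust anchor in which no member has expired at `at`.

    The expiry check applies to the anchor as well: that is why the path through the
    Cybertrust root disappears on 15.12.2021 while the path through Belgium Root CA4
    works as soon as that root is trusted."""
    if cert.not_after <= at:
        return []                                   # expired member: dead end
    if cert.subject == cert.issuer:
        return [[cert]] if cert in anchors else []  # self-signed: only a trusted anchor ends a path
    paths = []
    # candidate issuers: certificates presented by the client plus the configured anchors
    for cand in dict.fromkeys(list(pool) + list(anchors)):
        if cand.subject != cert.issuer or cand in seen:
            continue
        for tail in build_paths(cand, pool, anchors, at, seen | {cert}):
            paths.append([cert] + tail)
    return paths


def verify(cert, pool, anchors, at):
    """(ok, paths) where paths lists the subjects along every valid chain."""
    paths = build_paths(cert, pool, anchors, at)
    return bool(paths), [[c.subject for c in p] for p in paths]


if __name__ == "__main__":
    pool = [CITIZEN_CA_VIA_CYBERTRUST, CITIZEN_CA_VIA_BE_ROOT]
    scenarios = [
        ("OS truststore, before expiry", {CYBERTRUST_ROOT}, utc(2021, 12, 14)),
        ("OS truststore, after expiry", {CYBERTRUST_ROOT}, utc(2021, 12, 16)),
        ("Belgium Root CA4 added", {CYBERTRUST_ROOT, BELGIUM_ROOT_CA4}, utc(2021, 12, 16)),
    ]
    for label, anchors, when in scenarios:
        ok, paths = verify(SAMPLE_CITIZEN, pool, anchors, when)
        print(f"{label}: {'OK' if ok else 'FAIL'} {paths}")
```

With real files the same check is `openssl verify -CAfile <bundle.pem> citizen202002.pem` (bundle path assumed), run after the Belgium roots have been added to the bundle and before the web server is reloaded so that it re-reads its truststore.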