Where are the government issued certificates?


Last Piece

Feb 12, 2025, 9:07:18 AM
to eID Middleware Dev
Hey there,
I need to validate a signature against the government issued certificates, but I'm not sure which one to use?
Or these? 

Frederik Vernelen

Feb 12, 2025, 9:08:02 AM
to eID Middleware Dev
Hello,

Both of them,

The newer certificates (EC), issued under Belgian rootCA6 can be found here:
https://repository.eidpki.belgium.be/#/download

The older ones (RSA) can be found here:
https://repository.eid.belgium.be/certificates.php?cert=Citizen&lang=en
https://repository.eid.belgium.be/certificates.php?cert=Root&lang=en


Last Piece

Feb 20, 2025, 2:46:08 AM
to eID Middleware Dev
Sorry for the late reply, thanks a lot! So basically, eID past 2021 still verify against the old certificates (RSA) whereas the new ones verify against EC?

Wouter Verhelst

Feb 20, 2025, 3:38:06 AM
to eid-middl...@googlegroups.com
It's slightly more complicated than that.

The first new eID cards were issued in 2020 (as you can see on the repository.eidpki.belgium.be site). However, some certificates have continued to be issued under the old root CA until 2021.

More recently, Applet 1.7 cards (with RSA keys) that needed to have certificates reissued for some reason have also had their certificates issued under the BRCA6 EC root certificate.

In other words, what you need to do is make sure that all currently-valid root certificates are accepted as a trust root. The certificates all have the correct issuer certificate listed, and the issuer and root certificates are both stored on the eID to aid with trust path building. You should not try to figure out which root certificate is the one for the current card based on properties of the card (i.e., do not limit yourself to the RSA root certificates if the card is an older RSA-only card), but instead you should read all the certificates from the card and pass them to your certificate validation library; such a library will be able to build the path of the certificate and then figure out what the correct root certificate is.

Kind regards,

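The validation approach described in the reply above, as an added example that is not part of the original thread or of the eID project's code. It uses Ruby's standard `openssl` library with constructed stand-in certificates (not the real Belgian CAs); the names `issue`, `verify_from_card` and `sample` are hypothetical. It shows an RSA card certificate reissued under the EC root validating only when every current root is trusted, with the root copy read from the card used as a path-building hint and never as a trust anchor.

```ruby
require "openssl"

# issue builds a constructed test certificate (a stand-in, not a real Belgian
# CA or citizen certificate). Without a parent the certificate is self-signed.
def issue(cn, key, parent: nil, parent_key: nil, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = OpenSSL::BN.rand(63)
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = parent ? parent.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", constraint, true))
  cert.sign(parent_key || key, OpenSSL::Digest.new("SHA256"))
end

# verify_from_card trusts every configured root and lets the library build the
# path. Certificates read from the card, including its copy of the root, are
# passed only as untrusted hints. Returns the anchoring root's subject or nil.
def verify_from_card(leaf, card_certs, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  store.verify(leaf, card_certs) ? store.chain.last.subject.to_s : nil
end

# Constructed case from the thread: an RSA card key whose certificate was
# reissued under the EC root.
def sample
  rsa_root_key = OpenSSL::PKey::RSA.generate(2048)
  ec_root_key  = OpenSSL::PKey::EC.generate("secp384r1")
  ca_key       = OpenSSL::PKey::EC.generate("secp384r1")
  card_key     = OpenSSL::PKey::RSA.generate(2048)
  rsa_root = issue("Constructed RSA Root", rsa_root_key)
  ec_root  = issue("Constructed EC Root", ec_root_key)
  ca   = issue("Constructed Citizen CA", ca_key, parent: ec_root, parent_key: ec_root_key)
  leaf = issue("Constructed Signer", card_key, parent: ca, parent_key: ca_key, ca: false)
  { leaf: leaf, card: [ca, ec_root], rsa_roots: [rsa_root], all_roots: [rsa_root, ec_root] }
end

if __FILE__ == $PROGRAM_NAME
  s = sample
  puts "all current roots: #{verify_from_card(s[:leaf], s[:card], s[:all_roots]).inspect}"
  puts "RSA roots only:    #{verify_from_card(s[:leaf], s[:card], s[:rsa_roots]).inspect}"
end
```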

Last Piece

Mar 10, 2025, 4:45:01 AM
to eID Middleware Dev
Thanks a lot. That is clear, already doing that. I have built an app where I need people to sign with their eID. Currently only works with older eID versions. The cryptographic process of the signature is different, isn't it?