Since 15.12.2021, many Belgian eID card identification applications have suddenly broken. If you have debug logging turned on in your Apache vhost, you will see something like this in the error.log:
[Thu Dec 16 15:13:20.937279 2021] [ssl:debug] [pid 3262729] ssl_engine_kernel.c(1764): [client 1.2.3.4:61752] AH02275: Certificate Verification, depth 3, CRL checking mode: none (0) [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
[Thu Dec 16 15:13:20.937341 2021] [ssl:info] [pid 3262729] [client 1.2.3.4:61752] AH02276: Certificate Verification: Error (10): certificate has expired [subject: CN=Cybertrust Global Root,O=Cybertrust\, Inc / issuer: CN=Cybertrust Global Root,O=Cybertrust\, Inc / serial: 0400000000010F85AA2D48 / notbefore: Dec 15 08:00:00 2006 GMT / notafter: Dec 15 08:00:00 2021 GMT]
The affected integrations were based on Client Certificate Authentication, also called mTLS. This means that the web server asks the browser to present a certificate to authenticate the user. In this case the certificate is read from the Belgian eID card, and to make sure the user really is the card holder, the TLS handshake is signed using the private key on the smart card.
Belgian eID card certificates are cross-signed, meaning the chain can be validated through two different issuers. Let's examine http://certs.eid.belgium.be/citizen202002.crt . One path leads to “CN=Cybertrust Global Root”, the other to “C = BE, CN = Belgium Root CA4”. Yet in the Citizen CA certificate itself only the latter appears as issuer; Cybertrust is not visible there at all.
$ openssl x509 -in citizen202002.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4b:14:5d:e3:c0:ac:6b:75:fa:12:c1:bb:ae:5d:40:9f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, CN = Belgium Root CA4
        Validity
            Not Before: Oct 22 10:00:00 2019 GMT
            Not After : Jun 22 10:00:00 2031 GMT
        Subject: C = BE, L = Brussels, O = Certipost N.V./S.A., CN = Citizen CA, serialNumber = 202002
How to make Belgian eID card login work?
If you set up Client Certificate Authentication with the OS-provided truststore, which had Cybertrust Global Root enabled, everything worked well until now. Now that this root has expired, you need to explicitly trust the self-signed “Belgium Root CA4” and “Belgium Root CA3” certificates instead, so the chain terminates at them. You can download these from http://repository.eid.belgium.be/certificates.php?cert=Root&lang=en
More info on how to add another trusted certificate to your Ubuntu or other system can be found here: https://eideasy.com/import-new-trusted-root-ca-certificate/
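To see why trusting the self-signed root directly fixes this, here is an added shell example (not from the original post) that builds a toy cross-signed hierarchy with openssl and verifies the same card-holder certificate against the two truststores. All names and the temporary files are constructed for the example; it only needs a working openssl binary.

```shell
#!/bin/sh
# Constructed toy PKI shaped like the Belgian eID chain (names are made up, not the real certs):
#   leaf <- Toy Citizen CA <- Toy Root CA4, where CA4 exists as two certificates over ONE key:
#   a self-signed one and one cross-signed by "Toy Cross Root" (stand-in for Cybertrust Global Root).
set -eu
WORK=$(mktemp -d) && cd "$WORK"
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # fast keys; intentionally unquoted below
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Cross root valid for one day only, so it is already expired at the check time used below.
openssl req -x509 -new $EC -keyout cross_root.key -out cross_root.pem -subj "/CN=Toy Cross Root" -days 1 2>/dev/null
# One CA4 key, two CA4 certificates: self-signed, and cross-signed by the cross root.
openssl req -new $EC -keyout ca4.key -out ca4.csr -subj "/C=BE/CN=Toy Root CA4" 2>/dev/null
openssl req -x509 -new -key ca4.key -out ca4_self.pem -subj "/C=BE/CN=Toy Root CA4" -days 3650 2>/dev/null
openssl x509 -req -in ca4.csr -CA cross_root.pem -CAkey cross_root.key -CAcreateserial \
  -extfile ca.ext -days 3650 -out ca4_cross.pem 2>/dev/null
# Citizen CA issued by CA4, card-holder leaf issued by the Citizen CA.
openssl req -new $EC -keyout citizen.key -out citizen.csr -subj "/C=BE/CN=Toy Citizen CA" 2>/dev/null
openssl x509 -req -in citizen.csr -CA ca4_self.pem -CAkey ca4.key -CAcreateserial \
  -extfile ca.ext -days 3650 -out citizen.pem 2>/dev/null
openssl req -new $EC -keyout leaf.key -out leaf.csr -subj "/CN=Toy Card Holder" 2>/dev/null
openssl x509 -req -in leaf.csr -CA citizen.pem -CAkey citizen.key -CAcreateserial \
  -days 365 -out leaf.pem 2>/dev/null
# What the browser presents from the card: the intermediates, including the cross-signed CA4.
cat citizen.pem ca4_cross.pem > presented_chain.pem
# Evaluate two days from now, when the cross root has expired but everything else is still valid.
CHECK_AT=$(( $(date +%s) + 2 * 86400 ))

# verify_with <truststore.pem>: verify the leaf against the presented chain; 0 = accepted, 1 = rejected.
verify_with() {
  if openssl verify -CAfile "$1" -untrusted presented_chain.pem -attime "$CHECK_AT" leaf.pem; then
    echo "RESULT: accepted with truststore $1"
  else
    echo "RESULT: rejected with truststore $1"; return 1
  fi
}

echo "--- truststore: expired cross root only (the pre-15.12.2021 setup relying on the OS bundle)"
verify_with cross_root.pem || true   # openssl reports the expired root at depth 3, like the Apache log
echo "--- truststore: self-signed Toy Root CA4 (the fix described above)"
verify_with ca4_self.pem             # chain building stops at the trusted CA4; the cross root is never consulted
```

In Apache the second truststore corresponds to an SSLCACertificateFile holding the self-signed Belgium Root CA4 and CA3 certificates instead of the OS bundle.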