Annex 1
Certificate profile specifications
Certipost
eID certificate profiles
Version 8
Release date 25/04/2017
Document ID EID-DEL-004 Annex_1_eID certificate profile V8
© Certipost NV ALL RIGHTS RESERVED.
page 2 / 62
Public document
EID-DEL-004 Annex 1 eID certificate profiles
1. SUMMARY OF CHANGES ... 4
1.1. CHANGES IN V8 ... 4
1.2. CHANGES IN V7.0.3 ... 6
2. UNDER BRCA2 ... 7
2.1. EID ROLE CERTIFICATE PROFILE UNDER ADMINISTRATION CA (1024) – UNDER BELGIUM ROOT CA 2 ... 7
3. BELGIUM ROOT 4 ... 9
3.1. ROOT-SIGNED BELGIUM ROOT CA 4 ... 9
3.2. EID HIERARCHY ... 11
3.2.1. Self-Signed Belgium Root CA 4 ... 11
3.2.1.1. Citizen CA – Under Belgium Root CA 4 – with O= in subject field ... 13
3.2.1.2. Citizen - End user authentication certificate – under Belgium Root CA 4 with O= in issuer field ... 16
3.2.1.3. Citizen - End user signature certificate – under Belgium Root CA 4 with O= in issuer field ... 19
Foreigner CA – under Belgium Root CA 4 with O= in subject field ... 22
3.2.1.4. Foreigner – End user authentication certificate – under Belgium Root CA 4 – with O in the issuer Field ... 25
3.2.1.5. Foreigner - End user signature certificate – under Belgium Root CA 4 with O= in issuer field ... 28
3.2.2. RRN signing certificate – under Belgium Root CA 4 ... 31
3.3. OTHER CA & CERTIFICATES ... 33
3.3.1. Administration CA (2048) – under Belgium Root CA 4 ... 33
3.3.1.1. eID Role certificate profile under Administration CA (2048) – under Belgium Root CA 4 ... 35
3.3.2. BRCA OCSP responder certificate ... 37
3.3.3. Belgium OCSP responder certificate ... 39
3.3.4. TS Certificate – under Belgium Root CA 4 ... 41
3.4. TEST ENVIRONMENT ONLY !!!!!!! ... 43
3.4.1. Citizen CA – Under Belgium Root CA 4 – TEST ONLY !!!!!!! ... 43
3.4.2. Citizen - End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!! ... 46
3.4.3. Citizen - End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!!!! ... 49
3.4.4. Foreigner CA – under Belgium Root CA 4 TEST ONLY !!!!!!! ... 52
3.4.5. Foreigner – End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!! ... 55
3.4.6. Foreigner - End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!! ... 58
3.5. PRELIMINARY BUC IDS ... 62
1. Summary of changes
1.1. Changes in V8
This document contains changes required by the Fedict/eGov audit, the WebTrust Point-in-time and Point-of-Time audit and the eIDAS audit of 2017. A
summary of the changes made is listed below:
General:
Changed http://repository.eid.belgium.be references to HTTPS where applicable.
Citizen/Foreigner CA’s:
Removal of NetScape type
The subject’s Organization field (O-field) is assigned the value: “Certipost N.V. / S.A.”
Qc Statements 4, 5 are added
The AIA attribute was added and points to the self-signed BRCA root certificate and new url for the OCSP responder
The LocalityName has been added to the subject field
Validity “until” date changed to 28 july 2028 12:00:00 GMT
End-user certificates:
Authentication:
Qc Statements 4, 5 are added
The subject’s Organization field (O-field) is assigned the value: “Certipost N.V. / S.A.”
AIA pointing to issuing sub-CA (Citizen / Foreigner CA)
An EKU is added to the authentication certificate (clientAuth)
The LocalityName has been added to the issuer field
Signature:
Qc Statements 4, 5, 6 are added in addition to the Qc statement 1
The subject’s Organization field (O-field) is assigned the value: “Certipost N.V. / S.A.”
AIA pointing to issuing sub-CA (Citizen / Foreigner CA)
An EKU is added to the signing certificate (emailProtection)
The OID to indicate it is a QCP-n +QSCD 0.4.0.194112.1.2 shall be present, in addition to the CPS/CP OID.
The LocalityName has been added to the Issuer field
New OCSP Certificate under BRCA: A new certificate profile is added for OCSP-responder certificates issued by the BRCA’s for sub-CA’s (Citizen/Foreigner)
1.2. Changes in V7.0.3
The document has been purged. Old CAs are no longer in the document. If needed, please refer to older versions.
Sub CAs and certificates will be produced under BRCA4 only (as a consequence of the SHA-256 migration).
Citizen & Foreigner CA under BRCA 4
- Add Organization Name in the subject Field (O=http://repository.eid.belgium.be/)
Citizen & Foreigner EE Certificates under BRCA 4
As a consequence of the previous change, there are also profile changes for each EE certificate
- Add Organization Name in the issuer Field (O=http://repository.eid.belgium.be/)
In the TEST Environment ONLY, we will create 2 supplementary CAs to be able to test the following changes. Those Citizen/Foreigner CAs will be mapped to a separate BUC ID. The CAs also contain the (O = http://repository.eid.belgium.be/)
- End Entity Signing Certificate for Citizen & Foreigner
o Change qc statement syntax to v2
o Add 2 Qc Statements attributes:
{id-etsi-qcs-QcType} = {id-etsiqct-esign} (signature)
{id-etsi-qcs-QcPDS} = http://repository.eid.belgium.be, EN
- Remove Netscape Properties
- New section for BUC IDs has been added
- Change OCSP responder certificate profile from SHA1 to SHA256
2. Under BRCA2
2.1. eID Role certificate profile under Administration CA (1024) – under Belgium Root CA 2
eID Role Certificate – Belgium Root CA 2
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.5 (SHA-1 with RSA Encryption) Fixed
SignatureValue X
TBSCertificate
Version X 2
SerialNumber X Dynamic
Signature X Sha-1WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X Key Generation Process Date + 1 year and 8 months
SubjectPublicKeyInfo X RSA 1024
Issuer
CountryName { id-at-6 } X BE Fixed
CommonName { id-at-3 } X Administration CA Fixed
serialNumber X <yyyy>1
Subject Required
countryName { id-at-6 } YES Dynamic
commonName { id-at-3 } YES Dynamic
serialNumber { id-at-5 } YES Dynamic
1 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
All others2 Optional Provided by PKCS10 request (it’s up to RRN) Dynamic
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.9.1.1.1.1 Fixed
policyQualifiers NA
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
KeyUsage {id-ce 15} X TRUE
digitalSignature Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
SubjectKeyIdentifier {id-ce 14} X FALSE
KeyIdentifier X SHA-1 Hash
Private Extensions OID Include Critical Value
RoleID 2.16.56.1.2.1.1 X NO 4 bytes provided by RRN3
RoleKeyReference 2.16.56.1.2.1.2 X YES 1 byte provided by RRN4
BasicConstraints YES
CA X FALSE
PathLenConstraint X NULL
2 Limited to the following directory attributes: CommonName; OrganizationUnit; Organization; Locality; State; Country
3 4 bytes (32 bits) to identify the used roles (1 bit corresponds with 1 role). A combination of roles concurrently is possible and will be reflected in the
RoleID by setting more bits.
4 1 byte to identify the application where the certificate is used.
3. Belgium Root 4
3.1. Root-Signed Belgium Root CA 4
Root-Signed Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X Generated by the CA at Key Generation Process Time
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X 12 may 2025 23:59:00 Z Fixed
SubjectPublicKeyInfo X RSA 4096
Issuer
organisationName { id-at-10 } X Cybertrust, Inc Fixed
commonName { id-at-3 } X Cybertrust Global Root Fixed
Subject
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } Belgium Root CA4 Fixed
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1 Fixed
policyQualifiers NA5
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
KeyUsage {id-ce 15} X TRUE
CertificateSigning Set Fixed
crlSigning Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
subjectKeyIdentifier {id-ce 14} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.omniroot.com/ctglobal.crl Fixed
BasicConstraints {id-ce 19} X TRUE
CA X TRUE Fixed
NetscapeCertType X FALSE
2.16.840.1.113730.1.1 sslCA - smimeCA - objectSigningCA Fixed
5 NA: Not Applicable
3.2. eID Hierarchy
3.2.1. Self-Signed Belgium Root CA 4
SelfSigned Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X Generated by the CA at Key Generation Process Time
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X 22 oct 2032 23:59:00 Z Fixed
SubjectPublicKeyInfo X RSA 4096
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Belgium Root CA4 Fixed
Subject
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } Belgium Root CA4 Fixed
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1 Fixed
policyQualifiers NA6
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
KeyUsage {id-ce 15} X TRUE
CertificateSigning Set Fixed
crlSigning Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
subjectKeyIdentifier {id-ce 14} X FALSE
KeyIdentifier X SHA-1 Hash
BasicConstraints {id-ce 19} X TRUE
CA X TRUE Fixed
NetscapeCertType X FALSE
2.16.840.1.113730.1.1 sslCA - smimeCA - objectSigningCA Fixed
6 NA: Not Applicable
3.2.1.1. Citizen CA – Under Belgium Root CA 4 – with O= in subject field
Citizen CA - under Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X 16 Bytes Generated by the CA at Key Generation Process Time
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X 28 july 2028 12:00:00 GMT (UTC: 1848398400) Fixed
SubjectPublicKeyInfo X RSA 4096
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Belgium Root CA4 Fixed
Subject
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Citizen CA Fixed
Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed
LocalityName OID: 2.5.4.7 X Brussels Fixed
serialNumber OID: 2.5.4.5 X <yyyy><ss>7
7 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1.2 Fixed
policyQualifiers NA
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
Qualified Certificate
Statement
{id-pe 3} X FALSE
qcStatement (QcSSCD) {id-etsi-qcs 4} X 0.4.0.1862.1.4 Fixed
qcStatement (QcPDS) {id-etsi-qcs 5} X 0.4.0.1862.1.5 Fixed
url IA5String X https://repository.eid.belgium.be/
language ISO 639-1 (1.0.639.1) X ‘en’
KeyUsage {id-ce 15} X TRUE
CertificateSigning Set Fixed
crlSigning Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
subjectKeyIdentifier {id-ce 14} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.eid.belgium.be/belgium4.crl Fixed
BasicConstraints {id-ce 19} X TRUE
CA X TRUE Fixed
pathLenConstraint X 0 (Zero) Fixed
Private Extensions OID Include Critical Value
AuthorityInfoAccess {id-pe 1} X FALSE
accessMethod { id-ad-2 } X
accessLocation X http://certs.eid.belgium.be/belgiumrs4.crt – Points to Root-Signed Belgium Root CA. Fixed
accessMethod { id-ad-1 } X
accessLocation X http://ocsp.eid.belgium.be/2
3.2.1.2. Citizen - End user authentication certificate – under Belgium Root CA 4 with O= in issuer field
Citizen - End User Authentication Certificate – Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X Provided by the RRN Dynamic
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X Key Generation Process Date + 10 years and 3 months
SubjectPublicKeyInfo X RSA 2048
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Citizen CA Fixed
Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed
LocalityName OID: 2.5.4.7 X Brussels Fixed
serialNumber OID: 2.5.4.5 X <yyyy><ss>8
Subject Required
countryName { id-at-6 } Required provided by RRN Dynamic
commonName { id-at-3 } Required Concatenation of first given name, surname and certificate purpose between brackets Dynamic
Surname { id-at-4 } Required provided by RRN Dynamic
8 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
givenName { id-at-42 } optionally provided by RRN (0, 1 or 2 given names) Dynamic
serialNumber { id-at-5 } Required provided by RRN (11 Digits numeric value) Dynamic
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1.2.2 Fixed
policyQualifiers NA
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
Qualified Certificate
Statement
{id-pe 3} X FALSE
qcStatement (QcSSCD) {id-etsi-qcs 4} X 0.4.0.1862.1.4 Fixed
qcStatement (QcPDS) {id-etsi-qcs 5} X 0.4.0.1862.1.5 Fixed
url IA5String X https://repository.eid.belgium.be/
language ISO 639-1 (1.0.639.1) X ‘en’
KeyUsage {id-ce 15} X TRUE
digitalSignature Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.eid.belgium.be/eidc<yyyy><ss>9.crl Fixed
ExtendedKeyUsage {id-ce 37} X FALSE
clientAuth { id-kp 2 } X Set Fixed
9 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
Private Extensions OID Include Critical Value
AuthorityInfoAccess {id-pe 1} X FALSE
accessMethod { id-ad-2 } X
accessLocation X <url to the Issuing Citizen CA>
accessMethod { id-ad-1 } X
accessLocation X http://ocsp.eid.belgium.be/2
3.2.1.3. Citizen - End user signature certificate – under Belgium Root CA 4 with O= in issuer field
Citizen - End User Signature Certificate – Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X Provided by the RRN Dynamic
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X Key Generation Process Date + 10 years and 3 months
SubjectPublicKeyInfo X RSA 2048
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Citizen CA Fixed
Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed
LocalityName OID: 2.5.4.7 X Brussels Fixed
serialNumber OID: 2.5.4.5 X <yyyy><ss>10
Subject Required
countryName { id-at-6 } Required provided by RRN Dynamic
commonName { id-at-3 } Required Concatenation of first given name, surname and certificate purpose between brackets Dynamic
Surname { id-at-4 } Required provided by RRN Dynamic
10 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
givenName { id-at-42 } optionally provided by RRN (0, 1 or 2 given names) Dynamic
serialNumber { id-at-5 } Required provided by RRN (11 Digits numeric value) Dynamic
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE N/a
policyIdentifier X 2.16.56.12.1.1.2.1 Fixed
policyQualifiers N/a
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
policyQualifierId { id-qt-2 } X Fixed
Qualifier X Gebruik onderworpen aan aansprakelijkheidsbeperkingen, zie CPS - Usage soumis à des limitations de responsabilité, voir CPS - Verwendung unterliegt Haftungsbeschränkungen, gemäss CPS Fixed
policyIdentifier X FALSE 0.4.0.194112.1.2 Fixed
Qualified Certificate
Statement
X FALSE
qcStatement (QcCompliance) { id-etsi-qcs 1 } X 0.4.0.1862.1.1 Fixed
qcStatement (QcSSCD) {id-etsi-qcs 4 } X 0.4.0.1862.1.4 Fixed
qcStatement (QcPDS) {id-etsi-qcs 5 } X 0.4.0.1862.1.5 Fixed
url IA5String X https://repository.eid.belgium.be/
language ISO 639-1 (1.0.639.1) X ‘en’
qcStatement (QcType) {id-etsi-qcs 6 } X 0.4.0.1862.1.6 Fixed
QcType {id-etsi-qcs-QcType 1} X 0.4.0.1862.1.6.1 Fixed
KeyUsage {id-ce 15} X TRUE N/a
nonRepudiation Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.eid.belgium.be/eidc<yyyy><ss>.crl Fixed
ExtendedKeyUsage {id-ce 37} X FALSE
emailProtection { id-kp 4 } X Set Fixed
Private Extensions OID Include Critical Value
AuthorityInfoAccess {id-pe 1} X FALSE
accessMethod { id-ad-2 } X
accessLocation X <url to the Issuing Citizen CA>
accessMethod { id-ad-1 } X
accessLocation X http://ocsp.eid.belgium.be/2
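The qcStatements extension that the V7.0.3 note in section 1.2 introduces (QcPDS and QcType in v2 syntax) and that the authentication and signature profiles above carry, as an added example that is not part of the Certipost specification: a dependency-free DER encoder and decoder for the extension, with a check of the decoded statement set against the two profiles. The profile sets, the `check_profile` logic and the sample bytes are my own construction; the OIDs and the PDS location are the ones the tables list.

```python
# Added example, not part of the Certipost specification: a pure-Python DER encoder/decoder
# for the qcStatements extension (id-pe 3) checked against this page's statement sets.
ID_ETSI_QCS_QCCOMPLIANCE = "0.4.0.1862.1.1"  # { id-etsi-qcs 1 }
ID_ETSI_QCS_QCSSCD = "0.4.0.1862.1.4"        # { id-etsi-qcs 4 }
ID_ETSI_QCS_QCPDS = "0.4.0.1862.1.5"         # { id-etsi-qcs 5 }
ID_ETSI_QCS_QCTYPE = "0.4.0.1862.1.6"        # { id-etsi-qcs 6 }
ID_ETSI_QCT_ESIGN = "0.4.0.1862.1.6.1"       # { id-etsi-qcs-QcType 1 }
PDS_URL, PDS_LANG = "https://repository.eid.belgium.be/", "en"
TAG_SEQUENCE, TAG_OID, TAG_IA5, TAG_PRINTABLE = 0x30, 0x06, 0x16, 0x13
# Statement sets as the authentication (3.2.1.2) and signature (3.2.1.3) tables list them
AUTH_PROFILE = {ID_ETSI_QCS_QCSSCD, ID_ETSI_QCS_QCPDS}
SIGNATURE_PROFILE = AUTH_PROFILE | {ID_ETSI_QCS_QCCOMPLIANCE, ID_ETSI_QCS_QCTYPE}

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def qc_pds_info(url, lang):
    """QcPDS statementInfo: SEQUENCE OF PdsLocation { url IA5String, language PrintableString }."""
    loc = _tlv(TAG_IA5, url.encode("ascii")) + _tlv(TAG_PRINTABLE, lang.encode("ascii"))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, loc))

def encode_qc_statements(statements):
    """statements: iterable of (statementId, statementInfo DER or None) -> QCStatements DER."""
    return _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_SEQUENCE, encode_oid(o) + (i or b"")) for o, i in statements))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_seq_of(content):
    """Elements of a SEQUENCE (OF) as (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        items.append((tag, value))
    return items

def decode_oid(content):
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_qc_statements(der):
    """Map statementId -> None (bare statement), [(url, lang)] for QcPDS,
    [OID] for QcType, or the raw statementInfo bytes for anything else."""
    result = {}
    for _, stmt in _read_seq_of(_read_tlv(der, 0)[1]):
        _, oid_content, end = _read_tlv(stmt, 0)
        oid, info = decode_oid(oid_content), stmt[end:]
        items = _read_seq_of(_read_tlv(info, 0)[1]) if info else []
        if oid == ID_ETSI_QCS_QCPDS:
            result[oid] = [tuple(v.decode("ascii") for _, v in _read_seq_of(loc)) for _, loc in items]
        elif oid == ID_ETSI_QCS_QCTYPE:
            result[oid] = [decode_oid(c) for _, c in items]
        else:
            result[oid] = info or None
    return result

def check_profile(der, expected):
    """Findings for a qcStatements extension; [] means it carries exactly the
    statements the given profile lists, with the page's PDS location and QcType."""
    found = decode_qc_statements(der)
    findings = ["missing " + o for o in sorted(expected - set(found))]
    findings += ["unexpected " + o for o in sorted(set(found) - expected)]
    if ID_ETSI_QCS_QCPDS in found and (PDS_URL, PDS_LANG) not in found[ID_ETSI_QCS_QCPDS]:
        findings.append("QcPDS does not list the repository PDS in English")
    if ID_ETSI_QCS_QCTYPE in expected and ID_ETSI_QCT_ESIGN not in (found.get(ID_ETSI_QCS_QCTYPE) or []):
        findings.append("QcType lacks id-etsi-qct-esign")
    return findings

# Constructed sample: the statement set of the Citizen end-user signature profile (3.2.1.3);
# QcType statementInfo is a SEQUENCE OF OBJECT IDENTIFIER
SIGNATURE_QCS = encode_qc_statements([
    (ID_ETSI_QCS_QCCOMPLIANCE, None), (ID_ETSI_QCS_QCSSCD, None),
    (ID_ETSI_QCS_QCPDS, qc_pds_info(PDS_URL, PDS_LANG)),
    (ID_ETSI_QCS_QCTYPE, _tlv(TAG_SEQUENCE, encode_oid(ID_ETSI_QCT_ESIGN)))])
```

Running `check_profile(SIGNATURE_QCS, AUTH_PROFILE)` shows why the two profiles must not be confused: the QcCompliance and QcType statements that the signature certificate needs are flagged as unexpected on an authentication certificate.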
Foreigner CA – under Belgium Root CA 4 with O= in subject field
Foreigner CA – Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X 16 Bytes Generated by the CA at Key Generation Process Time
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X 28 july 2028 12:00:00 GMT (UTC: 1848398400) Fixed
SubjectPublicKeyInfo X RSA 4096
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Belgium Root CA4 Fixed
Subject
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Foreigner CA Fixed
Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed
LocalityName OID: 2.5.4.7 X Brussels Fixed
serialNumber OID: 2.5.4.5 X <yyyy><ss>11
11 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1.7 Fixed
policyQualifiers NA
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
Qualified Certificate
Statement
{id-pe 3} X FALSE
qcStatement (QcSSCD) {id-etsi-qcs 4} X 0.4.0.1862.1.4 Fixed
qcStatement (QcPDS) {id-etsi-qcs 5} X 0.4.0.1862.1.5 Fixed
url IA5String X https://repository.eid.belgium.be/
language ISO 639-1 (1.0.639.1) X ‘en’
KeyUsage {id-ce 15} X TRUE
CertificateSigning Set Fixed
crlSigning Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
subjectKeyIdentifier {id-ce 14} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.eid.belgium.be/belgium4.crl Fixed
BasicConstraints {id-ce 19} X TRUE
CA X TRUE Fixed
pathLenConstraint X 0 (Zero) Fixed
Private Extensions OID Include Critical Value
AuthorityInfoAccess {id-pe 1} X FALSE
accessMethod { id-ad-2 } X
accessLocation X http://certs.eid.belgium.be/belgiumrs4.crt – Points to Root-Signed Belgium Root CA. Fixed
accessMethod { id-ad-1 } X
accessLocation X http://ocsp.eid.belgium.be/2
3.2.1.4. Foreigner – End user authentication certificate – under Belgium Root CA 4 – with O in the issuer Field
Foreigner – End User Authentication Certificate – Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X Provided by the RRN Dynamic
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X Key Generation Process Date + 10 years and 3 months
SubjectPublicKeyInfo X RSA 2048
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Foreigner CA Fixed
Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed
LocalityName OID: 2.5.4.7 X Brussels Fixed
serialNumber OID: 2.5.4.5 X <yyyy><ss>12
Subject Required
countryName { id-at-6 } YES provided by RRN Dynamic
12 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
commonName { id-at-3 } YES Concatenation of first given name, surname and certificate purpose between brackets Dynamic
Surname { id-at-4 } YES provided by RRN Dynamic
givenName { id-at-42 } NO optionally provided by RRN (0, 1 or 2 given names) Dynamic
serialNumber { id-at-5 } YES provided by RRN (11 Digits numeric value) Dynamic
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1.7.2 Fixed
policyQualifiers NA
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
Qualified Certificate
Statement
{id-pe 3} X FALSE
qcStatement (QcSSCD) {id-etsi-qcs 4} X 0.4.0.1862.1.4 Fixed
qcStatement (QcPDS) {id-etsi-qcs 5} X 0.4.0.1862.1.5 Fixed
url IA5String X https://repository.eid.belgium.be/
language ISO 639-1 (1.0.639.1) X ‘en’
KeyUsage {id-ce 15} X TRUE
digitalSignature Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.eid.belgium.be/eidf<yyyy><ss>13.crl Fixed
13 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
ExtendedKeyUsage {id-ce 37} X FALSE
clientAuth { id-kp 2 } X Set Fixed
Private Extensions OID Include Critical Value
AuthorityInfoAccess {id-pe 1} X FALSE
accessMethod { id-ad-2 } X
accessLocation X <url to the Issuing Foreigner CA>
accessMethod { id-ad-1 } X
accessLocation X http://ocsp.eid.belgium.be/2
3.2.1.5. Foreigner - End user signature certificate – under Belgium Root CA 4 with O= in issuer field
Foreigner - End User Signature Certificate – Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X Provided by the RRN Dynamic
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X Key Generation Process Date + 10 years and 3 months
SubjectPublicKeyInfo X RSA 2048
Issuer
countryName { id-at-6 } X BE Fixed
commonName { id-at-3 } X Foreigner CA Fixed
Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed
LocalityName OID: 2.5.4.7 X Brussels Fixed
serialNumber OID: 2.5.4.5 X <yyyy><ss>14
Subject Required
countryName { id-at-6 } YES provided by RRN Dynamic
commonName { id-at-3 } YES Concatenation of first given name, surname and certificate purpose between brackets Dynamic
surname { id-at-4 } YES provided by RRN Dynamic
14 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
givenName { id-at-42 } NO optionally provided by RRN (0, 1 or 2 given names) Dynamic
serialNumber { id-at-5 } YES provided by RRN (11 Digits numeric value) Dynamic
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
policyIdentifier X 2.16.56.12.1.1.7.1 Fixed
policyQualifiers NA
policyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
policyQualifierId { id-qt-2 } X Fixed
Qualifier X Gebruik onderworpen aan aansprakelijkheidsbeperkingen, zie CPS - Usage soumis à des limitations de responsabilité, voir CPS - Verwendung unterliegt Haftungsbeschränkungen, gemäss CPS Fixed
policyIdentifier X FALSE 0.4.0.194112.1.2 Fixed
Qualified Certificate
Statement
X FALSE
qcStatement (QcCompliance) { id-etsi-qcs 1 } X 0.4.0.1862.1.1 Fixed
qcStatement (QcSSCD) {id-etsi-qcs 4 } X 0.4.0.1862.1.4 Fixed
qcStatement (QcPDS) {id-etsi-qcs 5 } X 0.4.0.1862.1.5 Fixed
url IA5String X https://repository.eid.belgium.be/
Language ISO 639-1 (1.0.639.1) X ‘en’
qcStatement (QcType) {id-etsi-qcs 6 } X 0.4.0.1862.1.6 Fixed
QcType {id-etsi-qcs-QcType 1} X 0.4.0.1862.1.6.1 Fixed
KeyUsage {id-ce 15} X TRUE
nonRepudiation Set Fixed
authorityKeyIdentifier {id-ce 35} X FALSE
KeyIdentifier X SHA-1 Hash
cRLDistributionPoints {id-ce 31} X FALSE
distributionPoint
FullName X http://crl.eid.belgium.be/eidf<yyyy><ss>15.crl Fixed
ExtendedKeyUsage {id-ce 37} X FALSE
emailProtection { id-kp 4 } X Set Fixed
Private Extensions OID Include Critical Value
AuthorityInfoAccess {id-pe 1} X FALSE
accessMethod { id-ad-2 } X
accessLocation X <url to the Issuing Foreigner CA>
accessMethod { id-ad-1 } X
accessLocation X http://ocsp.eid.belgium.be/2
15 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2.1
3.2.2. RRN signing certificate – under Belgium Root CA 4
RRN Signing Certificate – Belgium Root CA 4
Base Certificate OID Include Critical Value
Certificate
SignatureAlgorithm
Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed
SignatureValue X Issuing CA Signature
TBSCertificate
Version X 2
SerialNumber X 11 bytes Generated by the CA at Key Generation Process Time
Signature X Sha256WithRSAEncryption
Validity
NotBefore X Key Generation Process Date
NotAfter X Key Generation Process Date + 11 years and 5 months Fixed
SubjectPublicKeyInfo X RSA 2048
Issuer
CountryName { id-at-6 } X BE Fixed
CommonName { id-at-3 } X Belgium Root CA4 Fixed
Subject Required
CommonName { id-at-3 } YES RRN Fixed
CountryName { id-at-6 } YES BE Fixed
All others YES RRN Fixed
Standard Extensions OID Include Critical Value
CertificatePolicies {id-ce 32} X FALSE
PolicyIdentifier X 2.16.56.12.1.1.4 Fixed
PolicyQualifiers NA
!!continues on next page!!
page 32 / 62
Public document
EID-DEL-004 Annex 1 eID certificate profiles
PolicyQualifierId { id-qt-1 } X CPS Fixed
Qualifier X http://repository.eid.belgium.be Fixed
KeyUsage {id-ce 15} X TRUE
NonRepudiation X Set Fixed
DigitalSignature X Set Fixed
AuthorityKeyIdentifier {id-ce 35} X FALSE
SubjectkeyIdentifier X FALSE SHA-1 Hash Fixed
CRLDistributionPoints {id-ce 31} X FALSE
DistributionPoint X
FullName X http://crl.eid.belgium.be/belgium4.crl Fixed
Basic contraints
CA X FALSE Fixed
page 33 / 62
Public document
EID-DEL-004 Annex 1 eID certificate profiles
3.3. Other CA & certificates

3.3.1. Administration CA (2048) – under Belgium Root CA 4

Administration CA – Belgium Root CA 4

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.5 SHA-1 with RSA Encryption | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | 16 bytes, generated by the CA at Key Generation Process Time | |
| Signature | | X | | Sha-256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | Key Generation Process Date + 11 years and 8 months | Fixed |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| CountryName | { id-at-6 } | X | | BE | Fixed |
| CommonName | { id-at-3 } | X | | Belgium Root CA4 | Fixed |
| Subject | | | | | |
| CountryName | { id-at-6 } | X | | BE | Fixed |
| CommonName | { id-at-3 } | X | | Administration CA | Fixed |
| serialNumber | | X | | <yyyy> [16] | |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.1 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| CertificateSigning | | | | Set | Fixed |
| crlSigning | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| subjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/belgium4.crl | Fixed |
| BasicConstraints | {id-ce 19} | X | TRUE | | |
| CA | | X | | TRUE | Fixed |
| pathLenConstraint | | X | | 0 (Zero) | Fixed |

[16] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.3.1.1. eID Role certificate profile under Administration CA (2048) – under Belgium Root CA 4

eID Role Certificate – Belgium Root CA 4

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.5 SHA-1 with RSA Encryption | Fixed |
| SignatureValue | | X | | | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | | Dynamic |
| Signature | | X | | Sha-1WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | Key Generation Process Date + 11 years and 5 months | |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| CountryName | { id-at-6 } | X | | BE | Fixed |
| CommonName | { id-at-3 } | X | | Administration CA | Fixed |
| serialNumber | | X | | <yyyy> [17] | |
| Subject | | Required | | | |
| countryName | { id-at-6 } | YES | | | Dynamic |
| commonName | { id-at-3 } | YES | | | Dynamic |
| serialNumber | { id-at-5 } | YES | | | Dynamic |
| All others [18] | | Optional | | Provided by PKCS10 request (it is up to RRN) | Dynamic |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.1.1 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| digitalSignature | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| SubjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| RoleID | 2.16.56.1.2.1.1 | X | NO | 4 bytes provided by RRN [19] | |
| RoleKeyReference | 2.16.56.1.2.1.2 | X | YES | 1 byte provided by RRN [20] | |
| BasicConstraints | | | YES | | |
| CA | | X | | FALSE | |
| PathLenConstraint | | X | | NULL | |

[17] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
[18] Limited to the following directory attributes: CommonName; OrganizationUnit; Organization; Locality; State; Country
[19] 4 bytes (32 bits) identifying the roles held (1 bit corresponds to 1 role). Several roles may be held concurrently; this is reflected in the RoleID by setting more than one bit.
[20] 1 byte identifying the application in which the certificate is used.
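The two private extensions of the role profile carry a bitmask (RoleID, non-critical, one bit per role, several bits for concurrent roles) and an application reference (RoleKeyReference, critical). The following is an added example, editor's code and not anything the Certipost document provides, that decodes and encodes the RoleID bitmask and checks a parsed role certificate against the profile's criticality, size, BasicConstraints and KeyUsage requirements. The profile states only sizes and criticality, so the bit numbering (bit 0 is the least significant bit of the big-endian 32-bit value) and the dict shape of the parsed input are assumptions of the example; the sample values are constructed.

```python
# Added example (editor's code, not from the Certipost document): interpret the
# private extensions of the eID Role certificate profile and check a parsed
# certificate against that profile.  Bit numbering of the RoleID (bit 0 = least
# significant bit of the big-endian value) is an assumption of this example.
from typing import Dict, List, Set, Tuple

ROLE_ID = "2.16.56.1.2.1.1"             # RoleID: non-critical, 4 bytes provided by RRN
ROLE_KEY_REFERENCE = "2.16.56.1.2.1.2"  # RoleKeyReference: critical, 1 byte provided by RRN

# One parsed extension as (critical, raw value bytes).
Extension = Tuple[bool, bytes]


def decode_role_id(raw: bytes) -> Set[int]:
    """Set of role bit positions; a certificate may carry several roles at once."""
    if len(raw) != 4:
        raise ValueError("RoleID must be exactly 4 bytes")
    value = int.from_bytes(raw, "big")
    return {bit for bit in range(32) if value >> bit & 1}


def encode_role_id(roles: Set[int]) -> bytes:
    value = 0
    for bit in roles:
        if not 0 <= bit < 32:
            raise ValueError(f"role bit {bit} is outside the 32-bit RoleID")
        value |= 1 << bit
    return value.to_bytes(4, "big")


def check_role_certificate(private_extensions: Dict[str, Extension],
                           key_usage: Set[str],
                           basic_constraints: Tuple[bool, bool]) -> List[str]:
    """basic_constraints is (critical, cA).  Returns the violations found; [] means conforming."""
    problems = []
    role = private_extensions.get(ROLE_ID)
    if role is None:
        problems.append("RoleID extension missing")
    else:
        critical, raw = role
        if critical:
            problems.append("RoleID must not be critical")
        if len(raw) != 4:
            problems.append(f"RoleID is {len(raw)} bytes, expected 4")
    ref = private_extensions.get(ROLE_KEY_REFERENCE)
    if ref is None:
        problems.append("RoleKeyReference extension missing")
    else:
        critical, raw = ref
        if not critical:
            # The critical flag is what forces a relying party that does not
            # understand RoleKeyReference to reject the certificate.
            problems.append("RoleKeyReference must be critical")
        if len(raw) != 1:
            problems.append(f"RoleKeyReference is {len(raw)} bytes, expected 1")
    bc_critical, is_ca = basic_constraints
    if not bc_critical or is_ca:
        problems.append("BasicConstraints must be critical with CA=FALSE")
    if key_usage != {"digitalSignature"}:
        problems.append(f"KeyUsage must be exactly digitalSignature, got {sorted(key_usage)}")
    return problems


# Constructed sample inputs (not real eID data).
CONFORMING = {
    ROLE_ID: (False, encode_role_id({0, 2})),
    ROLE_KEY_REFERENCE: (True, b"\x01"),
}
NON_CONFORMING = {
    ROLE_ID: (True, b"\x00\x00\x05"),      # critical, and only 3 bytes
    ROLE_KEY_REFERENCE: (False, b"\x01"),  # should be critical
}
```

Running `check_role_certificate(CONFORMING, {"digitalSignature"}, (True, False))` returns an empty list, while the non-conforming sample with CA=TRUE and an extra nonRepudiation bit produces five separate findings, one per violated row of the profile.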
3.3.2. BRCA OCSP responder certificate

Belgium OCSP Responder

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | 1.2.840.113549.1.1.5 | X | | SHA-256 with RSA Encryption | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | Generated by the CA at Key Generation Process Time | |
| Signature | | X | | Sha-256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Certification Process Date | |
| NotAfter | | X | | Key Certification Process Date + 1 y 3m | Fixed |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | BRCA 4 | Fixed |
| serialNumber | | X | | <yyyy><ss> [21] | |
| Subject | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | | | BRCA OCSP Responder | Fixed |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| KeyUsage | {id-ce 15} | X | TRUE | N/a | |
| DigitalSignature | | | | Set | Fixed |
| ExtendedKeyUsage | {id-ce 37} | | FALSE | | |
| ocspSigning | 1.3.6.1.5.5.7.3.9 | X | | | |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| subjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| ocspNoCheck | { id-pkix-ocsp 5 } 1.3.6.1.5.5.7.48.1.5 | | FALSE | | |
| Null | | X | | | |

[21] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.3.3. Belgium OCSP responder certificate

Belgium OCSP Responder

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | 1.2.840.113549.1.1.5 | X | | SHA-256 with RSA Encryption | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | Generated by the CA at Key Generation Process Time | |
| Signature | | X | | Sha-256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Certification Process Date | |
| NotAfter | | X | | Key Certification Process Date + 1 y 3m | Fixed |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | <Issuing CA> | Fixed |
| serialNumber | | X | | <yyyy><ss> [22] | |
| Subject | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | | | Belgium OCSP Responder | Fixed |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| KeyUsage | {id-ce 15} | X | TRUE | N/a | |
| DigitalSignature | | | | Set | Fixed |
| ExtendedKeyUsage | {id-ce 37} | | FALSE | | |
| ocspSigning | 1.3.6.1.5.5.7.3.9 | X | | | |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| subjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| ocspNoCheck | { id-pkix-ocsp 5 } 1.3.6.1.5.5.7.48.1.5 | | FALSE | | |
| Null | | X | | | |

[22] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
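Both OCSP responder profiles above (3.3.2 and 3.3.3) combine a critical digitalSignature-only KeyUsage, the ocspSigning extended key usage, the ocspNoCheck extension and a validity of Key Certification Process Date + 1 y 3m. Because ocspNoCheck tells clients not to check the responder certificate itself for revocation, that short validity window is the only thing that bounds the exposure from a compromised responder key, so a validator should check all four together. The following is an added example, editor's code rather than anything from the Certipost document, that computes the profile's notAfter from a key certification date and checks a parsed responder certificate against these four rows; the dict layout of the parsed certificate is an assumption of the example and the sample values are constructed.

```python
# Added example (editor's code, not from the Certipost document): check a parsed
# OCSP responder certificate against the responder profiles.  The input dict is
# shaped as a DER parser might fill it (an assumption); sample values are constructed.
import calendar
from datetime import date
from typing import Dict, List

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"     # ocspSigning extended key usage
OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # ocspNoCheck { id-pkix-ocsp 5 }
MAX_VALIDITY_MONTHS = 15               # "Key Certification Process Date + 1 y 3m"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def responder_not_after(key_certification_date: date) -> date:
    """The profile's NotAfter for a responder certified on the given date."""
    return add_months(key_certification_date, MAX_VALIDITY_MONTHS)


def check_ocsp_responder(cert: Dict) -> List[str]:
    """Return the profile violations found; [] means the certificate conforms."""
    problems = []
    ku = cert["key_usage"]
    if not ku["critical"]:
        problems.append("KeyUsage must be critical")
    if set(ku["bits"]) != {"digitalSignature"}:
        problems.append(f"KeyUsage must be only digitalSignature, got {sorted(ku['bits'])}")
    eku = cert.get("extended_key_usage")
    if eku is None or OCSP_SIGNING not in eku["oids"]:
        problems.append("ExtendedKeyUsage must contain ocspSigning")
    elif eku["critical"]:
        problems.append("ExtendedKeyUsage is non-critical in the profile")
    nocheck = cert["other_extensions"].get(OCSP_NOCHECK)
    if nocheck is None:
        problems.append("ocspNoCheck extension missing")
    elif nocheck["critical"]:
        problems.append("ocspNoCheck must be non-critical")
    # With ocspNoCheck present, clients skip revocation checking of this
    # certificate, so its lifetime is the only bound on a key compromise.
    if cert["not_after"] > responder_not_after(cert["not_before"]):
        problems.append("validity exceeds Key Certification Process Date + 1 y 3m")
    return problems


def sample_responder(not_before: date, not_after: date, *, critical_ku: bool = True) -> Dict:
    """Constructed responder certificate summary that follows the profile apart from the given dates and flag."""
    return {
        "subject": "C=BE, CN=Belgium OCSP Responder",
        "not_before": not_before,
        "not_after": not_after,
        "key_usage": {"critical": critical_ku, "bits": ["digitalSignature"]},
        "extended_key_usage": {"critical": False, "oids": [OCSP_SIGNING]},
        # ocspNoCheck carries an ASN.1 NULL, which is DER 05 00
        "other_extensions": {OCSP_NOCHECK: {"critical": False, "value": b"\x05\x00"}},
    }
```

A responder certified on 25 April 2017 gets a notAfter of 25 July 2018; the same certificate with a two-year validity is reported even though every extension is in order, which is the check most generic validators skip.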
3.3.4. TS Certificate – under Belgium Root CA 4

TS Certificate – Belgium Root CA 4

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | Dynamic |
| TBSCertificate | | | | | |
| Version | | X | | 2 | Fixed |
| SerialNumber | | X | | 11 bytes, generated by the CA at Key Generation | Dynamic |
| Signature | | X | | Sha256WithRSAEncryption | Dynamic |
| Validity | | | | | |
| notBefore | | X | | Key Generation Process Date | Dynamic |
| notAfter | | X | | Key Generation Process Date + 5 years and 3 months | Dynamic |
| SubjectPublicKeyInfo | | X | | RSA 2048 | Dynamic |
| Issuer | | | | | |
| CountryName | { id-at-6 } | X | | BE | Fixed |
| CommonName | { id-at-3 } | X | | Belgium Root CA4 | Fixed |
| Subject | | Required | | | |
| CountryName | { id-at-6 } | YES | | BE | Dynamic |
| CommonName | { id-at-3 } | YES | | Time Stamping Authority | Dynamic |
| serialNumber | | | | <yyyy> | |
| Organisation | | | | Belgium Federal Government | |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| PolicyIdentifier | | X | | 2.16.56.12.1.1.5 | Fixed |
| PolicyQualifiers | | | | NA | |
| PolicyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.pki.belgium.be | Fixed |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| NonRepudiation | | X | | Set | Fixed |
| DigitalSignature | | X | | Set | Fixed |
| ExtendedKeyUsage | {id-ce 37} | X | TRUE | | |
| Timestamping | { id-kp 1 } | X | | Set | Fixed |
| BasicConstraints | {id-ce 19} | X | FALSE | | |
| CA | | X | | FALSE | Fixed |
| PathLenConstraint | | X | | None | Fixed |
| AuthorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| keyIdentifier | | X | | SHA-1 Hash | Fixed |
| subjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| CRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| DistributionPoint | | X | | | |
| FullName | | X | | http://crl.pki.belgium.be/belgiumrs4.crl | Fixed |
3.4. TEST ENVIRONMENT ONLY !!!!!!!

3.4.1. Citizen CA – Under Belgium Root CA 4 – TEST ONLY !!!!!!!

Citizen CA – under Belgium Root CA 4 – TEST ONLY

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | 16 bytes, generated by the CA at Key Generation Process Time | |
| Signature | | X | | Sha256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | 28 July 2028 12:00:00 GMT (UTC: 1848398400) | Fixed |
| SubjectPublicKeyInfo | | X | | RSA 4096 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | Belgium Root CA4 | Fixed |
| Subject | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | | | Citizen CA | Fixed |
| Organisation | OID: 2.5.4.10 | X | | Certipost N.V./S.A. | Fixed |
| LocalityName | OID: 2.5.4.7 | X | | Brussels | Fixed |
| serialNumber | OID: 2.5.4.5 | | | <yyyy><ss> [23] | Fixed |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.2 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| Qualified Certificate Statement | {id-pe 3} | X | FALSE | | |
| qcStatement (QcSSCD) | {id-etsi-qcs 4} | X | | 0.4.0.1862.1.4 | Fixed |
| qcStatement (QcPDS) | {id-etsi-qcs 5} | X | | 0.4.0.1862.1.5 | Fixed |
| url | IA5String | X | | https://repository.eid.belgium.be/ | |
| language | ISO 639-1 (1.0.639.1) | X | | 'en' | |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| CertificateSigning | | | | Set | Fixed |
| crlSigning | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| subjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/belgium4.crl | Fixed |
| BasicConstraints | {id-ce 19} | X | TRUE | | |
| CA | | X | | TRUE | Fixed |
| pathLenConstraint | | X | | 0 (Zero) | Fixed |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| AuthorityInfoAccess | {id-pe 1} | X | FALSE | | |
| accessMethod | { id-ad-2 } | X | | | |
| accessLocation | | X | | http://certs.eid.belgium.be/belgiumrs4.crt – points to the Root-Signed Belgium Root CA | Fixed |
| accessMethod | { id-ad-1 } | X | | | |
| accessLocation | | X | | http://ocsp.eid.belgium.be/2 | |

[23] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.4.2. Citizen – End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!!

Citizen – End User Authentication Certificate – Belgium Root CA 4 – TEST ONLY

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | Provided by the RRN | Dynamic |
| Signature | | X | | Sha256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | Key Generation Process Date + 10 years and 3 months | |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | Citizen CA | Fixed |
| Organisation | OID: 2.5.4.10 | X | | Certipost N.V./S.A. | Fixed |
| LocalityName | OID: 2.5.4.7 | X | | Brussels | Fixed |
| serialNumber | OID: 2.5.4.5 | X | | <yyyy><ss> [24] | Fixed |
| Subject | | Required | | | |
| countryName | { id-at-6 } | YES | | provided by RRN | Dynamic |
| commonName | { id-at-3 } | YES | | Concatenation of first given name, surname and certificate purpose between brackets | Dynamic |
| Surname | { id-at-4 } | YES | | provided by RRN | Dynamic |
| givenName | { id-at-42 } | NO | | optionally provided by RRN (0, 1 or 2 given names) | Dynamic |
| serialNumber | { id-at-5 } | YES | | provided by RRN (11-digit numeric value) | Dynamic |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.2.2 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| Qualified Certificate Statement | {id-pe 3} | X | FALSE | | |
| qcStatement (QcSSCD) | {id-etsi-qcs 4} | X | | 0.4.0.1862.1.4 | Fixed |
| qcStatement (QcPDS) | {id-etsi-qcs 5} | X | | 0.4.0.1862.1.5 | Fixed |
| url | IA5String | X | | https://repository.eid.belgium.be/ | |
| language | ISO 639-1 (1.0.639.1) | X | | 'en' | |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| digitalSignature | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/eidc<yyyy><ss>.crl [25] | Fixed |
| ExtendedKeyUsage | {id-ce 37} | X | FALSE | | |
| clientAuth | { id-kp 2 } | X | | Set | Fixed |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| AuthorityInfoAccess | {id-pe 1} | X | FALSE | | |
| accessMethod | { id-ad-2 } | X | | | |
| accessLocation | | X | | <url to the Issuing Citizen CA> | |
| accessMethod | { id-ad-1 } | X | | | |
| accessLocation | | X | | http://ocsp.eid.belgium.be/2 | |

[24] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
[25] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.4.3. Citizen – End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!!!!

Citizen – End User Signature Certificate – Belgium Root CA 4 – TEST ONLY

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | Provided by the RRN | Dynamic |
| Signature | | X | | Sha256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | Key Generation Process Date + 10 years and 3 months | |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | Citizen CA | Fixed |
| Organisation | OID: 2.5.4.10 | X | | Certipost N.V./S.A. | Fixed |
| LocalityName | OID: 2.5.4.7 | X | | Brussels | Fixed |
| serialNumber | OID: 2.5.4.5 | X | | <yyyy><ss> [26] | Fixed |
| Subject | | Required | | | |
| countryName | { id-at-6 } | YES | | provided by RRN | Dynamic |
| commonName | { id-at-3 } | YES | | Concatenation of first given name, surname and certificate purpose between brackets | Dynamic |
| Surname | { id-at-4 } | YES | | provided by RRN | Dynamic |
| givenName | { id-at-42 } | NO | | optionally provided by RRN (0, 1 or 2 given names) | Dynamic |
| serialNumber | { id-at-5 } | YES | | provided by RRN (11-digit numeric value) | Dynamic |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | N/a | |
| policyIdentifier | | X | | 2.16.56.12.1.1.2.1 | Fixed |
| policyQualifiers | | | | N/a | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| policyQualifierId | { id-qt-2 } | X | | | Fixed |
| Qualifier | | X | | Gebruik onderworpen aan aansprakelijkheidsbeperkingen, zie CPS - Usage soumis à des limitations de responsabilité, voir CPS - Verwendung unterliegt Haftungsbeschränkungen, gemäss CPS | Fixed |
| policyIdentifier | | X | FALSE | 0.4.0.194112.1.2 | Fixed |
| Qualified Certificate Statement | | X | FALSE | | |
| qcStatement (QcCompliance) | { id-etsi-qcs 1 } | X | | 0.4.0.1862.1.1 | Fixed |
| qcStatement (QcSSCD) | { id-etsi-qcs 4 } | X | | 0.4.0.1862.1.4 | Fixed |
| qcStatement (QcPDS) | { id-etsi-qcs 5 } | X | | 0.4.0.1862.1.5 | Fixed |
| url | IA5String | X | | https://repository.eid.belgium.be/ | |
| language | ISO 639-1 (1.0.639.1) | X | | 'en' | |
| qcStatement (QcType) | { id-etsi-qcs 6 } | X | | 0.4.0.1862.1.6 | Fixed |
| QcType | { id-etsi-qcs-QcType 1 } | X | | 0.4.0.1862.1.6.1 | Fixed |
| KeyUsage | {id-ce 15} | X | TRUE | N/a | |
| nonRepudiation | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/eidc<yyyy><ss>.crl | Fixed |
| ExtendedKeyUsage | {id-ce 37} | X | FALSE | | |
| emailProtection | { id-kp 4 } | X | | Set | Fixed |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| AuthorityInfoAccess | {id-pe 1} | X | FALSE | | |
| accessMethod | { id-ad-2 } | X | | | |
| accessLocation | | X | | <url to the Issuing Citizen CA> | |
| accessMethod | { id-ad-1 } | X | | | |
| accessLocation | | X | | http://ocsp.eid.belgium.be/2 | |

[26] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.4.4. Foreigner CA – under Belgium Root CA 4 TEST ONLY !!!!!!!

Foreigner CA – Belgium Root CA 4 – TEST ONLY

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | 16 bytes, generated by the CA at Key Generation Process Time | |
| Signature | | X | | Sha256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | 28 July 2028 12:00:00 GMT (UTC: 1848398400) | Fixed |
| SubjectPublicKeyInfo | | X | | RSA 4096 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | Belgium Root CA4 | Fixed |
| Subject | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | | | Foreigner CA | Fixed |
| Organisation | OID: 2.5.4.10 | X | | Certipost N.V./S.A. | Fixed |
| LocalityName | OID: 2.5.4.7 | X | | Brussels | Fixed |
| serialNumber | OID: 2.5.4.5 | X | | <yyyy><ss> [27] | Fixed |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.7 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| Qualified Certificate Statement | {id-pe 3} | X | FALSE | | |
| qcStatement (QcSSCD) | {id-etsi-qcs 4} | X | | 0.4.0.1862.1.4 | Fixed |
| qcStatement (QcPDS) | {id-etsi-qcs 5} | X | | 0.4.0.1862.1.5 | Fixed |
| url | IA5String | X | | https://repository.eid.belgium.be/ | |
| language | ISO 639-1 (1.0.639.1) | X | | 'en' | |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| CertificateSigning | | | | Set | Fixed |
| crlSigning | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| subjectKeyIdentifier | {id-ce 14} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/belgium4.crl | Fixed |
| BasicConstraints | {id-ce 19} | X | TRUE | | |
| CA | | X | | TRUE | Fixed |
| pathLenConstraint | | X | | 0 (Zero) | Fixed |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| AuthorityInfoAccess | {id-pe 1} | X | FALSE | | |
| accessMethod | { id-ad-2 } | X | | | |
| accessLocation | | X | | http://certs.eid.belgium.be/belgiumrs4.crt – points to the Root-Signed Belgium Root CA | Fixed |
| accessMethod | { id-ad-1 } | X | | | |
| accessLocation | | X | | http://ocsp.eid.belgium.be/2 | |

[27] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.4.5. Foreigner – End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!!

Foreigner – End User Authentication Certificate – Belgium Root CA 4 – TEST

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | Provided by the RRN | Dynamic |
| Signature | | X | | Sha256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | Key Generation Process Date + 10 years and 3 months | |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | Foreigner CA | Fixed |
| Organisation | OID: 2.5.4.10 | X | | Certipost N.V./S.A. | Fixed |
| LocalityName | OID: 2.5.4.7 | X | | Brussels | Fixed |
| serialNumber | OID: 2.5.4.5 | X | | <yyyy><ss> [28] | Fixed |
| Subject | | Required | | | |
| countryName | { id-at-6 } | YES | | provided by RRN | Dynamic |
| commonName | { id-at-3 } | YES | | Concatenation of first given name, surname and certificate purpose between brackets | Dynamic |
| Surname | { id-at-4 } | YES | | provided by RRN | Dynamic |
| givenName | { id-at-42 } | NO | | optionally provided by RRN (0, 1 or 2 given names) | Dynamic |
| serialNumber | { id-at-5 } | YES | | provided by RRN (11-digit numeric value) | Dynamic |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.7.2 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| Qualified Certificate Statement | {id-pe 3} | X | FALSE | | |
| qcStatement (QcSSCD) | {id-etsi-qcs 4} | X | | 0.4.0.1862.1.4 | Fixed |
| qcStatement (QcPDS) | {id-etsi-qcs 5} | X | | 0.4.0.1862.1.5 | Fixed |
| url | IA5String | X | | https://repository.eid.belgium.be/ | |
| language | ISO 639-1 (1.0.639.1) | X | | 'en' | |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| digitalSignature | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/eidf<yyyy><ss>.crl [29] | Fixed |
| ExtendedKeyUsage | {id-ce 37} | X | FALSE | | |
| clientAuth | { id-kp 2 } | X | | Set | Fixed |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| AuthorityInfoAccess | {id-pe 1} | X | FALSE | | |
| accessMethod | { id-ad-2 } | X | | | |
| accessLocation | | X | | <url to the Issuing CA> | |
| accessMethod | { id-ad-1 } | X | | | |
| accessLocation | | X | | http://ocsp.eid.belgium.be/2 | |

[28] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
[29] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
3.4.6. Foreigner – End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!!

Foreigner – End User Signature Certificate – Belgium Root CA 4 – TEST

| Base Certificate | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| Certificate | | | | | |
| SignatureAlgorithm | | | | | |
| Algorithm | | X | | 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) | Fixed |
| SignatureValue | | X | | Issuing CA Signature | |
| TBSCertificate | | | | | |
| Version | | X | | 2 | |
| SerialNumber | | X | | Provided by the RRN | Dynamic |
| Signature | | X | | Sha256WithRSAEncryption | |
| Validity | | | | | |
| NotBefore | | X | | Key Generation Process Date | |
| NotAfter | | X | | Key Generation Process Date + 10 years and 3 months | |
| SubjectPublicKeyInfo | | X | | RSA 2048 | |
| Issuer | | | | | |
| countryName | { id-at-6 } | X | | BE | Fixed |
| commonName | { id-at-3 } | X | | Foreigner CA | Fixed |
| Organisation | OID: 2.5.4.10 | X | | Certipost N.V./S.A. | Fixed |
| LocalityName | OID: 2.5.4.7 | X | | Brussels | Fixed |
| serialNumber | OID: 2.5.4.5 | X | | <yyyy><ss> [30] | Fixed |
| Subject | | Required | | | |
| countryName | { id-at-6 } | YES | | provided by RRN | Dynamic |
| commonName | { id-at-3 } | YES | | Concatenation of first given name, surname and certificate purpose between brackets | Dynamic |
| Surname | { id-at-4 } | YES | | provided by RRN | Dynamic |
| givenName | { id-at-42 } | NO | | optionally provided by RRN (0, 1 or 2 given names) | Dynamic |
| serialNumber | { id-at-5 } | YES | | provided by RRN (11-digit numeric value) | Dynamic |

| Standard Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| CertificatePolicies | {id-ce 32} | X | FALSE | | |
| policyIdentifier | | X | | 2.16.56.12.1.1.7.1 | Fixed |
| policyQualifiers | | | | NA | |
| policyQualifierId | { id-qt-1 } | X | | CPS | Fixed |
| Qualifier | | X | | http://repository.eid.belgium.be | Fixed |
| policyQualifierId | { id-qt-2 } | X | | | Fixed |
| Qualifier | | X | | Gebruik onderworpen aan aansprakelijkheidsbeperkingen, zie CPS - Usage soumis à des limitations de responsabilité, voir CPS - Verwendung unterliegt Haftungsbeschränkungen, gemäss CPS | Fixed |
| policyIdentifier | | X | FALSE | 0.4.0.194112.1.2 | Fixed |
| Qualified Certificate Statement | | X | FALSE | | |
| qcStatement (QcCompliance) | { id-etsi-qcs 1 } | X | | 0.4.0.1862.1.1 | Fixed |
| qcStatement (QcSSCD) | { id-etsi-qcs 4 } | X | | 0.4.0.1862.1.4 | Fixed |
| qcStatement (QcPDS) | { id-etsi-qcs 5 } | X | | 0.4.0.1862.1.5 | Fixed |
| url | IA5String | X | | https://repository.eid.belgium.be/ | |
| language | ISO 639-1 (1.0.639.1) | X | | 'en' | |
| qcStatement (QcType) | { id-etsi-qcs 6 } | X | | 0.4.0.1862.1.6 | Fixed |
| QcType | { id-etsi-qcs-QcType 1 } | X | | 0.4.0.1862.1.6.1 | Fixed |
| KeyUsage | {id-ce 15} | X | TRUE | | |
| nonRepudiation | | | | Set | Fixed |
| authorityKeyIdentifier | {id-ce 35} | X | FALSE | | |
| KeyIdentifier | | X | | SHA-1 Hash | |
| cRLDistributionPoints | {id-ce 31} | X | FALSE | | |
| distributionPoint | | | | | |
| FullName | | X | | http://crl.eid.belgium.be/eidf<yyyy><ss>.crl [31] | Fixed |
| ExtendedKeyUsage | {id-ce 37} | X | FALSE | | |
| emailProtection | { id-kp 4 } | X | | Set | Fixed |

| Private Extensions | OID | Include | Critical | Value | Fixed/Dynamic |
|---|---|---|---|---|---|
| AuthorityInfoAccess | {id-pe 1} | X | FALSE | | |
| accessMethod | { id-ad-2 } | X | | | |
| accessLocation | | X | | <url to the Issuing Foreigner CA> | |
| accessMethod | { id-ad-1 } | X | | | |
| accessLocation | | X | | http://ocsp.eid.belgium.be/2 | |

[30] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2
[31] See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2.1
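Across the end-user profiles (3.4.2, 3.4.3, 3.4.5, 3.4.6 and the production profiles they mirror) the policy OID is what distinguishes an authentication certificate (digitalSignature, clientAuth, QcSSCD and QcPDS only) from a signature certificate (nonRepudiation, emailProtection, the additional policy 0.4.0.194112.1.2, and QcCompliance plus QcType esign on top). A relying party that accepts an eID certificate for signing should confirm that these rows agree with the policy rather than trusting any one of them. The following is an added example, editor's code and not anything from the Certipost document, that classifies a parsed end-entity certificate from its policy OID and reports every row that does not match the profile for that policy, including the eidc/eidf CRL file name. The dict shape of the parsed certificate, the dotted forms of the { id-kp } arcs and the two-digit <ss> sequence number in the CRL name are assumptions of the example; the sample certificates are constructed.

```python
# Added example (editor's code, not from the Certipost document): classify an
# end-entity eID certificate by its policy OID and check that key usage, EKU,
# policies, QcStatements and CRL distribution point agree with that profile.
# Parsed-certificate dict shape and the two-digit <ss> in the CRL file name are
# assumptions of this example; sample inputs are constructed.
import re
from typing import Dict, List, Set, Tuple

QCP_N_QSCD = "0.4.0.194112.1.2"         # second policyIdentifier of the signature profiles
QC_COMPLIANCE = "0.4.0.1862.1.1"
QC_SSCD = "0.4.0.1862.1.4"
QC_PDS = "0.4.0.1862.1.5"
QC_TYPE = "0.4.0.1862.1.6"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # clientAuth { id-kp 2 }
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # emailProtection { id-kp 4 }

# policyIdentifier -> (population, purpose), from the profile tables
PROFILES = {
    "2.16.56.12.1.1.2.2": ("citizen", "authentication"),
    "2.16.56.12.1.1.2.1": ("citizen", "signature"),
    "2.16.56.12.1.1.7.2": ("foreigner", "authentication"),
    "2.16.56.12.1.1.7.1": ("foreigner", "signature"),
}
EXPECTED = {
    "authentication": {
        "key_usage": {"digitalSignature"},
        "eku": {CLIENT_AUTH},
        "qc": {QC_SSCD, QC_PDS},
        "extra_policies": set(),
    },
    "signature": {
        "key_usage": {"nonRepudiation"},
        "eku": {EMAIL_PROTECTION},
        "qc": {QC_COMPLIANCE, QC_SSCD, QC_PDS, QC_TYPE},
        "extra_policies": {QCP_N_QSCD},
    },
}
CRL_FILE = {"citizen": "eidc", "foreigner": "eidf"}   # eidc<yyyy><ss>.crl / eidf<yyyy><ss>.crl


def classify(policies: Set[str]) -> Tuple[str, str]:
    """Exactly one eID profile policy must be present; anything else is ambiguous."""
    found = [PROFILES[p] for p in policies if p in PROFILES]
    if len(found) != 1:
        raise ValueError(f"expected exactly one eID profile policy, found {len(found)}")
    return found[0]


def check_end_entity(cert: Dict) -> List[str]:
    """Return the profile violations found; [] means the certificate conforms."""
    population, purpose = classify(cert["policies"])
    exp = EXPECTED[purpose]
    problems = []
    if not cert["key_usage_critical"]:
        problems.append("KeyUsage must be critical")
    if cert["key_usage"] != exp["key_usage"]:
        problems.append(f"{purpose}: KeyUsage {sorted(cert['key_usage'])}, expected {sorted(exp['key_usage'])}")
    if cert["eku"] != exp["eku"]:
        problems.append(f"{purpose}: ExtendedKeyUsage {sorted(cert['eku'])}, expected {sorted(exp['eku'])}")
    missing = exp["extra_policies"] - cert["policies"]
    if missing:
        problems.append(f"{purpose}: missing policy {sorted(missing)}")
    if cert["qc_statements"] != exp["qc"]:
        problems.append(f"{purpose}: QcStatements {sorted(cert['qc_statements'])}, expected {sorted(exp['qc'])}")
    pattern = rf"^http://crl\.eid\.belgium\.be/{CRL_FILE[population]}\d{{4}}\d{{2}}\.crl$"
    if not re.match(pattern, cert["crl_url"]):
        problems.append(f"{population}: CRL distribution point {cert['crl_url']} does not match "
                        f"{CRL_FILE[population]}<yyyy><ss>.crl")
    return problems


# Constructed sample inputs (not real certificates).
CITIZEN_AUTH = {
    "policies": {"2.16.56.12.1.1.2.2"},
    "key_usage": {"digitalSignature"}, "key_usage_critical": True,
    "eku": {CLIENT_AUTH},
    "qc_statements": {QC_SSCD, QC_PDS},
    "crl_url": "http://crl.eid.belgium.be/eidc201701.crl",
}
# A certificate asserting the signature policy while carrying the authentication
# profile's key usage, EKU and statements (and a foreigner CRL name): every
# mismatched row is reported so it cannot pass as a signing certificate.
MISMATCHED = dict(CITIZEN_AUTH, policies={"2.16.56.12.1.1.2.1"},
                  crl_url="http://crl.eid.belgium.be/eidf201701.crl")
```

`check_end_entity(CITIZEN_AUTH)` returns an empty list; `check_end_entity(MISMATCHED)` returns five findings (key usage, EKU, the missing 0.4.0.194112.1.2 policy, the QcStatements set and the CRL file name), and `classify` refuses a certificate that asserts both an authentication and a signature policy.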
3.5. Preliminary BUC IDs

The following tables map the EE certificate profiles to their BUC IDs.

| Year | Profile | Subject | Purpose | BUC ID |
|---|---|---|---|---|
| 2017 | Citizen | With O= | Authentication | 2017000121 |
| 2017 | Citizen | With O= | Signature | 2017000122 |
| 2017 | Foreigner | With O= | Authentication | 2017000123 |
| 2017 | Foreigner | With O= | Signature | 2017000124 |

TEST ONLY

| Year | Profile | Subject | Purpose | BUC ID |
|---|---|---|---|---|
| 2017 | Citizen | With O= | Authentication | 2017000125 |
| 2017 | Citizen | With O= | Signature | 2017000126 |
| 2017 | Foreigner | With O= | Authentication | 2017000127 |
| 2017 | Foreigner | With O= | Signature | 2017000128 |