annex 1 certificate profile specifications - belgium annex_1_eid... · annex 1 certificate profile...

Annex 1

Certificate profile specifications

Certipost

eID certificate profiles

Version 8

Release date 25/04/2017

Document ID EID-DEL-004 Annex_1_eID certificate profile V8

© Certipost NV ALL RIGHTS RESERVED.

/ 62

Public document

EID-DEL-004 Annex 1 eID certificate profiles

1. SUMMARY OF CHANGES .......................................................................................................................................................................................................... 4

1.1. CHANGES IN V8 ..........................................................................................................................................................................................................................................4 1.2. CHANGES IN V7.0.3 ..................................................................................................................................................................................................................................6

2. UNDER BRCA2 .............................................................................................................................................................................................................................. 7

2.1. EID ROLE CERTIFICATE PROFILE UNDER ADMINISTRATION CA (1024) – UNDER BELGIUM ROOT CA 2 .........................................................................................7

3. BELGIUM ROOT 4 ....................................................................................................................................................................................................................... 9

3.1. ROOT-SIGNED BELGIUM ROOT CA 4 .......................................................................................................................................................................................................9 3.2. EID HIERARCHY ........................................................................................................................................................................................................................................11

3.2.1. Self-Signed Belgium Root CA 4...............................................................................................................................................................................................11 3.2.1.1. Citizen CA – Under Belgium Root CA 4 – with O= in subject field ............................................................................................................................................... 13 3.2.1.2. Citizen - End user authentication certificate – under Belgium Root CA 4 with O= in issuer field .................................................................................... 16 3.2.1.3. Citizen - End user signature certificate – under Belgium Root CA 4 with O= in issuer field .............................................................................................. 19 Foreigner CA – under Belgium Root CA 4 with O= in subject field ................................................................................................................................................................. 22 3.2.1.4. Foreigner – End user authentication certificate – under Belgium Root CA 4 – with O in the issuer Field .................................................................... 25 3.2.1.5. Foreigner - End user signature certificate – under Belgium Root CA 4 with O= in issuer field ........................................................................................ 28

3.2.2. RRN signing certificate – under Belgium Root CA 4........................................................................................................................................................31 3.3. OTHER CA & CERTIFICATES .....................................................................................................................................................................................................................33

3.3.1. Administration CA (2048) – under Belgium Root CA 4 ..................................................................................................................................................33 3.3.1.1. eID Role certificate profile under Administration CA (2048) – under Belgium Root CA 4 .................................................................................................. 35

3.3.2. BRCA OCSP responder certificate ..........................................................................................................................................................................................37 3.3.3. Belgium OCSP responder certificate .....................................................................................................................................................................................39 3.3.4. TS Certificate – under Belgium Root CA 4 ..........................................................................................................................................................................41

3.4. TEST ENVIRONNEMENT ONLY !!!!!!! .............................................................................................................................................................................................43 3.4.1. Citizen CA – Under Belgium Root CA 4 – TEST ONLY !!!!!!! ........................................................................................................................................43 3.4.2. Citizen - End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!! .............................................................................46 3.4.3. Citizen - End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!!!! ....................................................................................49 3.4.4. Foreigner CA – under Belgium Root CA 4 TEST ONLY !!!!!!! .......................................................................................................................................52

/ 62

Public document


3.4.5. Foreigner – End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!! .......................................................................55 3.4.6. Foreigner - End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!! ..................................................................................58

3.5. PRELIMINARY BUC IDS............................................................................................................................................................................................................................62

/ 62

Public document


1. Summary of changes

1.1. Changes in V8

This document contains changes required by the Fedict/eGov audit, the WebTrust Point-in-time and Point-of-Time audit and the eIDAS audit of 2017. A

summary of the changes made is listed below:

General:

Changed http://repository.eid.belgium.be references to HTTPS where applicable.

Citizen/Foreigner CA’s:

Removal of NetScape type

The subject’s Organization field (O-field) is assigned the value: “Certipost N.V. / S.A.”

Qc Statements 4, 5 are added

The AIA attribute was added and points to the self-signed BRCA root certificate and new url for the OCSP responder

The LocalityName has been added to the subject field

Validity “until” date changed to 28 july 2028 12:00:00 GMT

End-user certificates:

Authentication:

Qc Statements 4, 5 are added


AIA pointing to issuing sub-CA (Citizen / Foreigner CA)

An EKU is added to the authentication certificate (clientAuth)

The LocalityName has been added to the issuer field

http://repository.eid.belgium.be/

/ 62

Public document


Signature:

Qc Statements 4, 5, 6 are added in addition to the Qc statement 1


AIA pointing to issuing sub-CA (Citizen / Foreigner CA)

An EKU is added to the signing certificate (emailProtection)

The OID to indicate it is a QCP-n +QSCD 0.4.0.194112.1.2 shall be present, in addition to the CPS/CP OID.

The LocalityName has been added to the Issuer field

New OCSP Certificate under BRCA: A new certificate profile is added for OCSP-responder certificates issued by the BRCA’s for sub-CA’s (Citizen/Foreigner)

/ 62

Public document


1.2. Changes in V7.0.3

The document has been purge. Old CA, are no more in the document. If needed, please refer to older versions.

Sub CA and certificates will be produced under BRCA4 only (as consequence of the sha256 migration).

Citizen & Foreigner CA under BRCA 4

- Add Organization Name in the subject Field (O=http://repository.eid.belgium.be/)

Citizen & Foreigner EE Certificates under BRCA 4

As consequence of the previous, there are also profile change for each EE certificate

- Add Organization Name in the issuer Field (O=http://repository.eid.belgium.be/)

In the TEST Environment ONLY, we will create 2 supplementary CA to be able to test the following changes. Those Citizen/Foreigner CA will be mapped to

a separate BUC ID. The CAs also contain the (O = http://repository.eid.belgium.be/)

- End Entity Signing Certificate for Citizen & Foreigner

o Change qc statement syntax to v2

o "add 2 Qc Statements attributes :

{id-etsi-qcs-QcType} = {id-etsiqct-esign} (signature)

{id-etsi-qcs-QcPDS} = http://repository.eid.belgium.be, EN"

- Remove Netscape Properties New section for BUC IDs has been added Change OCSP responder certificate profile from SHA1 to SHA256




/ 62

Public document


2. Under BRCA2

2.1. eID Role certificate profile under Administration CA (1024) – under Belgium Root CA 2 eID Role Certificate – Belgium Root CA 2

Base Certificate OID Include Critical Value

Certificate

SignatureAlgorithm

Algorithm X 1.2.840.113549.1.1.5 (SHA-1 with RSA Encryption) Fixed

SignatureValue X

TBSCertificate

Version X 2

SerialNumber X Dynamic

Signature X Sha-1WithRSAEncryption

Validity

NotBefore X Key Generation Process Date

NotAfter X Key Generation Process Date + 1 year and 8 months

SubjectPublicKeyInfo X RSA 1024

Issuer

CountryName { id-at-6 } X BE Fixed

CommonName { id-at-3 } X Administration CA Fixed

serialNumber X <yyyy>1

Subject Required

countryName { id-at-6 } YES Dynamic

commonName { id-at-3 } YES Dynamic

serialNumber { id-at-5 } YES Dynamic

!!continues on next page!!

1 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2

/ 62

Public document


All others2 Optional Provided by PKCS10 request (it’s up to RRN) Dynamic

Standard Extensions OID Include Critical Value

CertificatePolicies {id-ce 32} X FALSE

policyIdentifier X 2.16.56.9.1.1.1.1 Fixed

policyQualifiers NA

policyQualifierId { id-qt-1 } X CPS Fixed

Qualifier X http://repository.eid.belgium.be Fixed

KeyUsage {id-ce 15} X TRUE

digitalSignature Set Fixed

authorityKeyIdentifier {id-ce 35} X FALSE

KeyIdentifier X SHA-1 Hash

SubjectKeyIdentifier {id-ce 14} X FALSE


Private Extensions OID Include Critical Value

RoleID 2.16.56.1.2.1.1 X NO 4 bytes provided by RRN3

RoleKeyReference 2.16.56.1.2.1.2 X YES 1 byte provided by RRN4

BasicConstraints YES

CA X FALSE

PathLenConstraint X NULL

2 Limited to the following directory attributes: CommonName; OrganizationUnit; Organization; Locality; State; Country

3 4 bytes (32 bits) to identify the used roles (1 bit corresponds with 1 role). A combination of roles concurrently is possible and will be reflected in the

RoleID by setting more bits.

4 1 byte to identify the application where the certificate is used.


/ 62

Public document


3. Belgium Root 4

3.1. Root-Signed Belgium Root CA 4 RootSigned Belgium Root CA 4


Certificate

SignatureAlgorithm

Algorithm X 1.2.840.113549.1.1.11 (SHA256 with RSA Encryption) Fixed

SignatureValue X Issuing CA Signature

TBSCertificate

Version X 2

SerialNumber X Generated by the CA at Key Generation Process Time

Signature X Sha256WithRSAEncryption

Validity


NotAfter X 12 may 2025 23:59:00 Z

Fixed


Issuer

organisationName { id-at-10 } X Cybertrust, Inc Fixed

commonName { id-at-3 } X Cybertrust Global Root

Fixed

Subject

countryName { id-at-6 } X BE Fixed

commonName { id-at-3 } Belgium Root CA4 Fixed


/ 62

Public document




policyIdentifier X 2.16.56.12.1.1 Fixed

policyQualifiers NA5




CertificateSigning Set Fixed

crlSigning Set Fixed



subjectKeyIdentifier {id-ce 14} X FALSE


cRLDistributionPoints {id-ce 31} X FALSE

distributionPoint

FullName X http://crl.omniroot.com/ctglobal.crl Fixed

BasicConstraints {id-ce 19} X TRUE

CA X TRUE Fixed

NetscapeCertType X FALSE

2.16.840.1.113730.1.1 sslCA - smimeCA - objectSigningCA Fixed

5 NA: Not Applicable

http://crl.omniroot.com/ctglobal.crl

/ 62

Public document


3.2. eID Hierarchy

3.2.1. Self-Signed Belgium Root CA 4

SelfSigned Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity


NotAfter X 22 oct 2032 23:59:00 Z Fixed


Issuer


commonName { id-at-3 } X Belgium Root CA4 Fixed

Subject


commonName { id-at-3 } Belgium Root CA4 Fixed


/ 62

Public document




policyIdentifier X 2.16.56.12.1.1 Fixed

policyQualifiers NA6











CA X TRUE Fixed

NetscapeCertType X FALSE

2.16.840.1.113730.1.1 sslCA - smimeCA - objectSigningCA Fixed

6 NA: Not Applicable

/ 62

Public document


3.2.1.1. Citizen CA – Under Belgium Root CA 4 – with O= in subject field

Citizen CA - under Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2

SerialNumber X 16 Bytes Generated by the CA at Key Generation Process Time


Validity


NotAfter X 28 july 2028 12:00:00 GMT (UTC: 1848398400) Fixed


Issuer



Subject


commonName { id-at-3 } X Citizen CA Fixed

Organisation OID: 2.5.4.10 X Certipost N.V./S.A. Fixed

LocalityName OID: 2.5.4.7 X Brussels Fixed

serialNumber OID: 2.5.4.5 X <yyyy><ss>7



/ 62

Public document




policyIdentifier X 2.16.56.12.1.1.2 Fixed

policyQualifiers NA



Qualified Certificate

Statement

{id-pe 3} X FALSE

qcStatement (QcSSCD) {id-etsi-qcs 4} X 0.4.0.1862.1.4 Fixed

qcStatement (QcPDS) {id-etsi-qcs 5} X 0.4.0.1862.1.5 Fixed

url IA5String X https://repository.eid.belgium.be/

language ISO 639-1 (1.0.639.1) X ‘en’









distributionPoint

FullName X http://crl.eid.belgium.be/belgium4.crl Fixed


CA X TRUE Fixed

pathLenConstraint X 0 (Zero) Fixed


http://crl.eid.belgium.be/belgium4.crl

/ 62

Public document



AuthorityInfoAccess {id-pe 1} X FALSE

accessMethod { id-ad-2 } X

accessLocation X http://certs.eid.belgium.be/belgiumrs4.crt – Points to Root-Signed Belgium

Root CA.

Fixed


accessLocation X http://ocsp.eid.belgium.be/2

http://certs.eid.belgium.be/belgiumrs4.crt

http://ocsp.eid.belgium.be/2

/ 62

Public document


3.2.1.2. Citizen - End user authentication certificate – under Belgium Root CA 4 with O= in issuer field Citizen - End User Authentication Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2

SerialNumber X Provided by the RRN Dynamic


Validity


NotAfter X Key Generation Process Date + 10 years and 3 months


Issuer






Subject Required

countryName { id-at-6 } Required provided by RRN Dynamic

commonName { id-at-3 } Required Concatenation of first given name, surname and certificate purpose between brackets Dynamic

Surname { id-at-4 } Required provided by RRN Dynamic



/ 62

Public document


givenName { id-at-42 } optionally provided by RRN (0, 1 or 2 given names) Dynamic

serialNumber { id-at-5 } Required provided by RRN (11 Digits numeric value) Dynamic




policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’






distributionPoint

FullName X http://crl.eid.belgium.be/eidc<yyyy><ss>9.crl Fixed

ExtendedKeyUsage {id-ce 37} X FALSE

clientAuth { id-kp 2 } X Set Fixed

!!continues on the next page!!



/ 62

Public document





accessLocation X <url to the Issuing Citizen CA>




/ 62

Public document


3.2.1.3. Citizen - End user signature certificate – under Belgium Root CA 4 with O= in issuer field

Citizen - End User Signature Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer






Subject Required

countryName { id-at-6 } Required provided by RRN Dynamic

commonName { id-at-3 } Required Concatenation of first given name, surname and certificate purpose between brackets Dynamic

Surname { id-at-4 } Required provided by RRN Dynamic



/ 62

Public document


givenName { id-at-42 } optionally provided by RRN (0, 1 or 2 given names) Dynamic

serialNumber { id-at-5 } Required provided by RRN (11 Digits numeric value) Dynamic


CertificatePolicies {id-ce 32} X FALSE N/a


policyQualifiers N/a



policyQualifierId { id-qt-2 } X Fixed

Qualifier X Gebruik onderworpen aan aansprakelijkheidsbeperkingen, zie CPS - Usage

soumis à des limitations de responsabilité, voir CPS - Verwendung unterliegt

Haftungsbeschränkungen, gemäss CPS

Fixed

policyIdentifier X FALSE 0.4.0.194112.1.2 Fixed


Statement

X FALSE

qcStatement (QcCompliance) { id-etsi-qcs 1 } X 0.4.0.1862.1.1 Fixed

qcStatement (QcSSCD) {id-etsi-qcs 4 } X 0.4.0.1862.1.4 Fixed

qcStatement (QcPDS) {id-etsi-qcs 5 } X 0.4.0.1862.1.5 Fixed


language ISO 639-1 (1.0.639.1) X ‘en’

qcStatement (QcType) {id-etsi-qcs 6 } X 0.4.0.1862.1.6 Fixed

QcType {id-etsi-qcs-QcType 1} X 0.4.0.1862.1.6.1 Fixed

KeyUsage {id-ce 15} X TRUE N/a

nonRepudiation Set Fixed




distributionPoint

FullName X http://crl.eid.belgium.be/eidc<yyyy><ss>.crl Fixed

/ 62

Public document




emailProtection { id-kp 4 } X Set Fixed








/ 62

Public document


Foreigner CA – under Belgium Root CA 4 with O= in subject field

Foreigner CA – Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer



Subject


commonName { id-at-3 } X Foreigner CA Fixed






/ 62

Public document





policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’









distributionPoint



CA X TRUE Fixed




/ 62

Public document






Root CA.

Fixed





/ 62

Public document


3.2.1.4. Foreigner – End user authentication certificate – under Belgium Root CA 4 – with O in the issuer Field

Foreigner – End User Authentication Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer






Subject Required

countryName { id-at-6 } YES provided by RRN Dynamic



/ 62

Public document


commonName { id-at-3 } YES Concatenation of first given name, surname and certificate purpose between

brackets

Dynamic

Surname { id-at-4 } YES provided by RRN Dynamic

givenName { id-at-42 } NO optionally provided by RRN (0, 1 or 2 given names) Dynamic

serialNumber { id-at-5 } YES provided by RRN (11 Digits numeric value) Dynamic




policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’






distributionPoint

FullName X http://crl.eid.belgium.be/eidf<yyyy><ss>13.crl Fixed




/ 62

Public document







accessLocation X <url to the Issuing Foreigner CA>




/ 62

Public document


3.2.1.5. Foreigner - End user signature certificate – under Belgium Root CA 4 with O= in issuer field

Foreigner - End User Signature Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer






Subject Required



brackets

Dynamic

surname { id-at-4 } YES provided by RRN Dynamic


/ 62

Public document








policyQualifiers NA







Fixed



Statement

X FALSE





Language ISO 639-1 (1.0.639.1) X ‘en’








/ 62

Public document



distributionPoint










15 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2.1


/ 62

Public document


3.2.2. RRN signing certificate – under Belgium Root CA 4

RRN Signing Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2

SerialNumber X 11 bytes Generated by the CA at Key Generation Process Time


Validity


NotAfter X Key Generation Process Date + 11 years and 5 months Fixed


Issuer


CommonName { id-at-3 } X Belgium Root CA4 Fixed

Subject Required

CommonName { id-at-3 } YES RRN Fixed

CountryName { id-at-6 } YES BE Fixed

All others YES RRN Fixed



PolicyIdentifier X 2.16.56.12.1.1.4 Fixed

PolicyQualifiers NA


/ 62

Public document


PolicyQualifierId { id-qt-1 } X CPS Fixed



NonRepudiation X Set Fixed

DigitalSignature X Set Fixed

AuthorityKeyIdentifier {id-ce 35} X FALSE

SubjectkeyIdentifier X FALSE SHA-1 Hash Fixed

CRLDistributionPoints {id-ce 31} X FALSE

DistributionPoint X


Basic contraints

CA X FALSE Fixed

/ 62

Public document


3.3. Other CA & certificates

3.3.1. Administration CA (2048) – under Belgium Root CA 4

Administration CA – Belgium Root CA 4


Certificate

SignatureAlgorithm

Algorithm X 1.2.840.113549.1.1.5 SHA-1 with RSA Encryption Fixed


TBSCertificate

Version X 2



Validity


NotAfter X Key Generation Process Date + 11 years and 8 month Fixed


Issuer



Subject






/ 62

Public document





policyQualifiers NA











distributionPoint



CA X TRUE Fixed



/ 62

Public document


3.3.1.1. eID Role certificate profile under Administration CA (2048) – under Belgium Root CA 4

eID Role Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm

Algorithm X 1.2.840.113549.1.1.5 SHA-1 with RSA Encryption Fixed

SignatureValue X

TBSCertificate

Version X 2

SerialNumber X Dynamic


Validity




Issuer




Subject Required

countryName { id-at-6 } YES Dynamic

commonName { id-at-3 } YES Dynamic



/ 62

Public document


serialNumber { id-at-5 } YES Dynamic

All others18 Optional Provided by PKCS10 request (it’s up to RRN) Dynamic




policyQualifiers NA







SubjectKeyIdentifier {id-ce 14} X FALSE



RoleID 2.16.56.1.2.1.1 X NO 4 bytes provided by RRN19

RoleKeyReference 2.16.56.1.2.1.2 X YES 1 byte provided by RRN20

BasicConstraints YES

CA X FALSE

PathLenConstraint X NULL

18 Limited to the following directory attributes: CommonName; OrganizationUnit; Organization; Locality; State; Country

19 4 bytes (32 bits) to identify the used roles (1 bit corresponds with 1 role). A combination of roles concurrently is possible and will be reflected in the

RoleID by setting more bits.

20 1 byte to identify the application where the certificate is used.


/ 62

Public document


3.3.2. BRCA OCSP responder certificate

Belgium OCSP Responder


Certificate

SignatureAlgorithm

Algorithm 1.2.840.113549.1.1.5 X SHA-256 with RSA Encryption Fixed


TBSCertificate

Version X 2



Validity

NotBefore X Key Certification Process Date

NotAfter X Key Certification Process Date + 1 y 3m Fixed


Issuer


commonName { id-at-3 } X BRCA 4 Fixed

serialNumber X <yyyy><ss>21

Subject


commonName { id-at-3 } BRCA OCSP Responder Fixed



/ 62

Public document




DigitalSignature Set Fixed

ExtendedKeyUsage {id-ce 37} FALSE

ocspSigning 1.3.6.1.5.5.7.3.9 X





ocspNoCheck { id-pkix-ocsp 5 }

1.3.6.1.5.5.7.48.1.5

FALSE

Null X

/ 62

Public document


3.3.3. Belgium OCSP responder certificate

Belgium OCSP Responder


Certificate

SignatureAlgorithm

Algorithm 1.2.840.113549.1.1.5 X SHA-256 with RSA Encryption Fixed


TBSCertificate

Version X 2



Validity

NotBefore X Key Certification Process Date

NotAfter X Key Certification Process Date + 1 y 3m Fixed


Issuer


commonName { id-at-3 } X <Issuing CA> Fixed

serialNumber X <yyyy><ss>22

Subject


commonName { id-at-3 } Belgium OCSP Responder Fixed




/ 62

Public document



DigitalSignature Set Fixed

ExtendedKeyUsage {id-ce 37} FALSE

ocspSigning 1.3.6.1.5.5.7.3.9 X





ocspNoCheck { id-pkix-ocsp 5 }

1.3.6.1.5.5.7.48.1.5

FALSE

Null X

/ 62

Public document


3.3.4. TS Certificate – under Belgium Root CA 4

TS Certificate – Belgium Root CA 4


Certificate

SignatureAlgorithm


SignatureValue X Issuing CA Signature Dynamic

TBSCertificate

Version X 2 Fixed

SerialNumber X 11 Bytes Generated by the CA at Key Generation Dynamic

Signature X Sha256WithRSAEncryption Dynamic

Validity

notBefore X Key Generation Process Date Dynamic

notAfter X Key Generation Process Date + 5 years and 3 months Dynamic

SubjectPublicKeyInfo X RSA 2048 Dynamic

Issuer



Subject Required

CountryName { id-at-6 } YES BE Dynamic

CommonName { id-at-3 } YES Time Stamping Authority Dynamic

serialNumber <yyyy>

Organisation Belgium Federal Government



PolicyIdentifier X 2.16.56.12.1.1.5 Fixed


/ 62

Public document


PolicyQualifiers NA

PolicyQualifierId { id-qt-1 } X CPS Fixed

Qualifier X http://repository.pki.belgium.be Fixed


NonRepudiation X Set Fixed

DigitalSignature X Set Fixed

ExtendedKeyUsage {id-ce 37} X TRUE

Timestamping { id-kp 1 } X Set Fixed

BasicConstraints {id-ce 19} X FALSE

CA

X FALSE Fixed

PathLenConstraint X None Fixed

AuthorityKeyIdentifier {id-ce 35} X FALSE

keyIdentifier X SHA-1 Hash Fixed



CRLDistributionPoints {id-ce 31} X FALSE

DistributionPoint X

FullName X http://crl.pki.belgium.be/belgiumrs4.crl Fixed

http://repository.pki.belgium.be/

/ 62

Public document


3.4. TEST ENVIRONNEMENT ONLY !!!!!!!

3.4.1. Citizen CA – Under Belgium Root CA 4 – TEST ONLY !!!!!!!

Citizen CA - under Belgium Root CA 4 -TEST ONLY


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer



Subject


commonName { id-at-3 } Citizen CA Fixed




/ 62

Public document


serialNumber OID: 2.5.4.5 <yyyy><ss>23 Fixed




policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’









distributionPoint



CA X TRUE Fixed





/ 62

Public document






Root CA.

Fixed





/ 62

Public document


3.4.2. Citizen - End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!!

Citizen - End User Authentication Certificate – Belgium Root CA 4 – TEST ONLY


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer





serialNumber OID: 2.5.4.5 X <yyyy><ss>24 Fixed

Subject Required



brackets

Dynamic



/ 62

Public document








policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’






distributionPoint

FullName X http://crl.eid.belgium.be/eidc<yyyy><ss>25.crl Fixed






/ 62

Public document









/ 62

Public document


3.4.3. Citizen - End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!!!!

Citizen - End User Signature Certificate – Belgium Root CA 4 – TEST ONLY


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer






Subject Required



brackets

Dynamic



/ 62

Public document






CertificatePolicies {id-ce 32} X FALSE N/a


policyQualifiers N/a







Fixed



Statement

X FALSE





language ISO 639-1 (1.0.639.1) X ‘en’








distributionPoint

/ 62

Public document



FullName X http://crl.eid.belgium.be/eidc<yyyy><ss>.crl Fixed










/ 62

Public document


3.4.4. Foreigner CA – under Belgium Root CA 4 TEST ONLY !!!!!!!

Foreigner CA – Belgium Root CA 4 –TEST ONLY


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer



Subject


commonName { id-at-3 } Foreigner CA Fixed







/ 62

Public document




policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’









distributionPoint



CA X TRUE Fixed




/ 62

Public document






Root CA.

Fixed





/ 62

Public document


3.4.5. Foreigner – End user authentication certificate – under Belgium Root CA 4 TEST ONLY !!!!!

Foreigner – End User Authentication Certificate – Belgium Root CA 4 – TEST


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer






Subject Required



brackets

Dynamic



/ 62

Public document








policyQualifiers NA




Statement

{id-pe 3} X FALSE




language ISO 639-1 (1.0.639.1) X ‘en’






distributionPoint







/ 62

Public document





accessLocation X <url to the Issuing CA>




/ 62

Public document


3.4.6. Foreigner - End user signature certificate – under Belgium Root CA 4 TEST ONLY !!!!!

Foreigner - End User Signature Certificate – Belgium Root CA 4 – TEST


Certificate

SignatureAlgorithm



TBSCertificate

Version X 2



Validity




Issuer






Subject Required



brackets

Dynamic



/ 62

Public document








policyQualifiers NA







Fixed



Statement

X FALSE





language ISO 639-1 (1.0.639.1) X ‘en’








/ 62

Public document


/ 62

Public document



distributionPoint










31 See paragraph 10.1 – eID EID-DEL-004 eID PKI hierarchy and certificate profile V5.2.1


/ 62

Public document


3.5. Preliminary BUC IDs

The following section map the EE certificate profiles to the related BUC ID

2017 Citizen With O= Authentication 2017000121

2017 Citizen With O= Signature 2017000122

2017 Foreigner With O= Authentication 2017000123

2017 Foreigner With O= Signature 2017000124

TEST ONLY

2017 Citizen With O= Authentication 2017000125

2017 Citizen With O= Signature 2017000126

2017 Foreigner With O= Authentication 2017000127

2017 Foreigner With O= Signature 2017000128

annex 1 certificate profile specifications - belgium annex_1_eid... · annex 1 certificate profile...

Documents