This page contains informations about how to use a certificate or your electronic identity card (eID card) for making digital signatures.
If you are using an eID card, make sure that your eID card is correctly installed and configured on your machine (compliant operating system, card reader and eID middleware installed, browser correctly configured). Informations about how to install, configure and use your electronic identity card are available on the following sites :
This page is split into the following sections :
Creating a digital signature has additionnal requirements over digital authentication. For instance, it requires up-to-date browsers and libraries for encrypting data. The components required for making digital signatures are the following :
A certificate is needed to sign data, or to authenticate yourself with the system. Such a certificate is included in your belgium electronic identity card. If you do not have an eID card, you can get one from a Certificate Authority such as Global Sign. For detailed instructions about how to acquire a certificate, please follow the instructions given by aforementioned providers.
In order to avoid problems, we heavily recommend that you put the Web site of the Ministry of Finances in the list of trusted sites :
If you do that, you can jump directly to section 3.2.
This library is used to digitally sign data, verify digital signatures, envelop data for privacy, hash data, encrypt/decrypt data and more. If this library is not present on your computer, it is automatically installed, when possible. Depending on your configured security level, you may have to perform the following steps :
With such configuration, the CAPICOM library is automatically installed. You can jump to section 3.2. To see how to add the site of the Ministry of Finances to the list of trusted sites, see here.
With this configuration, Internet explorer will first ask you if ActiveX controls can be actived. Click on the bar located on the top of the screen, and click on "Install ActiveX Control...".
Internet Explorer will next ask you the authorization to install the CAPICOM library. You can safely install this component. Click on "Install".
If you need to manually install the CAPICOM library, a version for Internet Explorer 6.0 SP1 and above can be manually downloaded and installed from the Microsoft web site.
A copy of the CAPICOM library is also locally available here. You can download this file, unpack and copy the capicom.dll file into your Windows system directory (usually C:\Windows\System32). Next, restart your browser.
The digital certificate need to be registered into your browser(s). If you use an eID card and have the eID middleware installed, your certificates are automatically installed the first time you insert your card in the reader. For a software digital certificate, many certificate providers give a tool to register it automatically. When the certificate is only provided as a file, the following steps are needed for loading it in your browser.
Some options must be activated to allow you to make a digital signature:
For Mozilla browsers (Firefox, Mozilla, Netscape and others), the JSS library (Mozilla Network Security Services for Java) is required. This library allows Mozilla Browsers to perform cryptographic operations. It must be manually installed. It can be freely downloaded from http://www.mozilla.org/projects/security/pki/jss/using_jss.html.
Instructions for setting up Java for Mozilla Firefox can be found here.
For your convenience, an archive suitable for Windows platforms can be downloaded here. This archive contains the following files :
All these files can be freely downloaded from http://www.mozilla.org/projects/security/pki/jss/using_jss.html. They are distributed under the Mozilla Firefox End-User Software License Agreement, which can be found here.
To install JSS :
A FAQ is available here.
For your convenience, an archive suitable for Linux platforms can be downloaded here. This archive contains the following files :
To install JSS :
When the certificate is provided as a file, the following steps are needed for loading it in your Mozilla Firefox. The certificate must be in the PKCS12 format. If it is not, the certificate can still be imported and exported into this format using Internet Explorer, or by using openssl.
Some options must be activated to allow you to make a digital signature :
The first time it is used, the "Belgium Identity Card PKCS#11" module must be registered in Mozilla, Netscape or Firefox. This module can be registered automatically by opening a special html page located on your hard drive, usually at the following location : file://C:/Program Files/Belgium Identity Card/beid-pkcs11-register.html (Note that the location of this file may vary, according to your platform or installation options.)
There is no data to sign. This problem usually appears if you used the "back" button or if some error occurred in the application. In such situations, it may happen that the application "loses" the document that you wanted to sign. You probably need to go a few steps backward, and restart the signature processus.
The Java applet that handles the digital signature is not properly loaded. Check that Java is correctly installed on your machine. You might also have to clear the cache of your browser (Tools > Clear Private Data...) and of Java (open the Java Control Panel, General Tab > Delete files... > Ok). Next, restart the browser. If that does not help, contact the service desk.
See Error 201
See Error 201
Upgrade your Java Runtime Environment to a version >= 1.4.2 (version recommanded : 1.5). See java.sun.com.
This may appear in Mozilla if your browser could not verify on-line the validity of a certificate. You may circumvent this problem by disabling the on-line verification of certificate :
No working JSS library could be found. This JSS library is required to create a signature in Mozilla/Firefox browsers. It needs to be manually installed. Installation instructions can be found here. After the installation, you need to restart the browser.
See Error 420
The CAPICOM library was not found. Make sure that a file named capicom.dll is present in your Windows system directory (usually C:\Window\System32\ or C:\Winnt\System32). This library should have been automatically installed, provided that you authorized the installation, see section 3.1.
You do not have any certificate installed in your browser, or no certificate is suitable for signing a document. Make sure you successfully imported your digital certificate in the browser, see http://readers.eid.belgium.be/ for informations about how to import a certificate into Internet Explorer.
This is a permission issue. The current user does not have sufficient permissions to access the key of your certificates. These keys are stored in "Key containers" for which you should have access. The steps to resolve this problem depend on the version of Windows you are using :
The permission of the key container are specified in the registry. To change these permissions, open regedt32 (not regedit!), open the hive HKEY_LOCAL_MACHINE and highlight the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys\<container name>. Select Security/Permissions from the menu and make sure Everyone has Full Control over this key.
In Windows Explorer, locate the C:\Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\ directory. Change the access rights on this directory and all the files it contains by performing the following steps :
You may have to reproduce these steps for the C:\Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\ directory
Note These are hidden files. In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:
See Error 503.
There exists two possible causes : either you are using an old eID middleware, or there is a conflict between some of your certificates.
First, check the version of your Belgium eID Run-time. You may lauch the belgium eID utility program, usually located at "C:\Program Files\Belgium Identity Card\beidgui.exe". The version is shown in the "info" tab, it should be 2.5.9 (or higher). Please consider upgrading to the latest version available. This can be donwloaded from the eid belgium website at http://eid.belgium.be.
If this does not solve the problem, then the problem most probably lies in some conflict between the certificates that are registered by the eID middleware. This problem can be solved by manually deleting certificates.
To delete a certificate on Windows 2000 or Windows XP:
Your eID certificates will be re-registered automatically when you insert your eID card. If you had a class 3 certificate, then you will have to re-register it.
This error appears when Internet Explorer cannot find the certificate selected. This error appears with Isabel certificates. This error is cause by a faulty update of the Isabel certificates by Isabel Office Sign. A solution is available on the Isabel on-line support (www.isabel.be), section "Isabel Web Support", under document ID 48700 (make a search using this ID). If this does not solve the problem, contact the Isabel Helpdesk.
The CAPICOM library failed to create the digital signature. Depending on the actual error, one or more of the following actions may help in solving this problem :