How to sign a PDF with CAdES into ASICE with a European (Belgian) ID Card.

How to sign a PDF with CAdES into ASICE with a European (Belgian) ID Card.

A week ago I had to sign a PDF into .asice, and it was hell. My Belgian id card didn't seem to be able to sign in CAdES/PAdES/XAdES or whatever *AdES format.

But after a lot of trial and error I got it working with my Belgian ID card.

Here I'm going to explain to you how I did it. Just to be clear, I got it working with a BELGIAN ID card, on a Macbook. If you have an ID card from another country and/or Windows, it will work so too, but you're going to have to figure some things out on your own (mainly in step 3)

First I'm going to explain how to sign a PDF with CAdES with a Belgian ID card on a Mac, and below I'll explain what you need to figure out if you have an ID card from another country. You can skip the next part if you don't have a Belgian ID card but still want to sign a PDF into ASICE.

If you have a Belgian ID card but you're on Windows, step 3 will be different for you.

What you'll need:

Step 1 - Reading your Belgian ID card

Install all the software and restart your Mac

Then when you connect your card reader with your Mac, insert your ID card and open the eID viewer, you should see this:

And then after everything is read, you should see your ID card information in the "identity" tab. If this doesn't work, please try another laptop and/or another card reader. On an old Intel Macbook it works 100% of the time, but on a newer M2 Macbook half of the time it works every time)

The most important part to sign CAdES is the certificates. Go to the certificates tab of the eID viewer. You should see this:

If you don't see any certificates or the Citizen CA certificate is missing, you'll have to make an appointment with your municipality (gemeenteloket) to put some new certificates on your ID card. You DON'T need a new ID card. They can reinstall the certificates on your ID card in five minutes.

Guess how I know)

If you can correctly read your ID card and your certificates, you're ready for step 2.

Step 2: Signing the PDF

With Disig Web Signer installed, go to https://qesportal.eu/Portal/en

If you open Disig Web Signer, it's normal that you don't see any window open. It will automatically later.

On the QES portal, first change the language to English in the top right, that's handier. Then select the document you want to sign. It can basically be any type of document. It will be encapsulated in the .cades document, which works as a container around your original document.

For example, I'm going to sign my memoji, but you'll probably want to sign some super important PDF)

Click "Sign" and it will then process the request. It might take a while (30 seconds) or longer, depending on how large the document is.

If everything goes well, it opens Disig Web Signer and you can see or read your document, like this:

Click "Sign" in the top right.

Step 3: Selecting the right certificate store

If you're on Windows or you use an ID card from a different country, this is where our paths divert. You will see a popup like this to select the store:

In my case, I also installed the Slovakian eID klient, to see if it worked with that. That is why the Slovak national identity card is pre-filled in, but it won't work with your Belgian ID card. So it's totally normal if you only see "Define custom store". Click on it. A finder window will open

For Mac, the store is located here:

/Library/Belgium Identity Card/Pkcs11/beid-pkcs11.bundle/Contents/MacOS/libbeidpkcs11.dylib

For Windows, the store is supposedly located here (according to this documentation here)

C:/Windows/System32/beidpkcs11.dll

For Windows I have not verified if it works like this. If you are on Windows, can you let me know by emailing me on [email protected]? I helped you by taking the time to write this blog, please help the people after you by letting me know if it works or doesn't.

If you use an ID card from a different country, this file will obviously not be in the folder 'Belgium Identity Card'. I'd suggest looking through the documentation of your government. Look for something like this on Google:

PKCS11 + your country + id card

Or just ask ChatGPT)

Let's continue!

If you're on Mac, you're going to browse to the root of your hard disk, it should look like this:

I checked on multiple Macs, and they're all called Macintosh HD. Hopefully for you it's the same.

You should see this:

Go to Library > Belgium Identity Card > Pkcs11

On my Mac it looks like this:

Select the libbeidpkcs11.dylib. That's the one I used, and hopefully it works for you too. If it doesn't, try it with another one and please let me know so I can update this guide! My email is down below)

Click the refresh button behind the store, it will then load all the certificates.

If everything went well, you can select the Citizen CA certificate from your ID card:

Then you can continue by entering your PIN code.

You'll get redirected back to QES in your browser

There you can validate the signed document:

And here's the ASICE container if you want to sign or validate it yourself. Don't worry, there's no hidden contract hidden in the image or something.

Congratulations you successfully signed a PDF into asice (CAdES) with your Belgian identity card!

I tried everything, signing it with Acrobat, trying dokobit, creating a Mobile-ID, nothing worked. This was the only way I got it working. If you found another way to sign it, you can always let me know, my email is below!

If it didn't work, you can email me too, but I don't know if I'll be of much assistance. I'd say, try a different browser (I used Chrome, try Firefox or Safari), a different laptop or a different card reader. I'm not joking, I have two card readers, it works with one of them (with the other one the eID viewer stays empty). On a newer M2 Macbook Pro it only sometimes recognizes the card reader, on an older MBP it only works all the time with the other card reader.

Questions, remarks, love letters, feel free to send them to [email protected]. Documents you sent me have to be in .asice format signed with CAdES of course)