TC CLIENT CERTIFICATES - TC TrustCenter

TC CLIENT CERTIFICATES 

Activate 

the Signature Card TC QSign 

© TC TrustCenter 2011 

Now part of Symantec

en. 06 | 2011 


Activate the Signature Card TC QSign 

1 

2 

3 

4 

5 

6 

Content 

Preparations to activate the Signature Card 

Installation of the Siemens Card-API 

Entering the Transport-PIN as well as the private Signature-PIN & PUK 

3.1 Card Reader without PIN pad 

3.2 Card Reader with PIN pad 

How to change the Signature PIN or the PUK 

How to change the PIN for the advanced certificates 

Additional details 

All rights reserved. No information or images, fully or partially, in any form or by any means, may be reproduced, 

copied, duplicated, published or used in electronic systems or translations without the prior written consent of 

TC TrustCenter. This represents a crime, excluding printing and duplicating for one’s own use. 

All information in this document is compiled with great care. Neither TC TrustCenter nor the author are liable for any 

damages or disservice, that are in connection with the use of this document. 

All brands, product names and trademarks used in this document, but not listed above, are trademarks or service 

marks of the respective owners. 

Copyright © 2011 TC TrustCenter GmbH, Sonninstrasse 24 - 28, 20097 Hamburg, Germany. 

Now part of Symantec 

2/13 

continued on page 3 » 

Symantec Limited 

Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de

en. 06 | 2011 



1. Preparations to activate the Signature Card 

During activation of your TC QSign signature card with qualified certificate different PINs have to be entered and changed 

for security reasons. This is only required once per signature card, however please follow the directions below carefully. 

Please install first a compatible card reader. Details about respective compatible card readers can be found on the 

TC TrustCenter FAQ web page “Which Cardreader are supported by TC QSign 2.1 als well as the Siemens Card-API 3.2?”. 

If you have already installed a compatible card reader please make sure that the latest card reader drivers are installed 

and used. 

To activate and also to use the signature card with some applications, a particular SIEMENS software (Card API) is required. 

Please download this software (.zip archive) from the TC TrustCenter web page at https://www.trustcenter.de/en/ 

products/2004.htm and extract and save the software into an appropriate directory. You may delete the original 

downloaded zip archive afterwards. 

To avoid any possible erroneous function of the Siemens Card API due to third party software (CSPs) from other card 

vendors please make sure that no other CSPs (Cryptographic Service Providers) are installed. 

List of the 4 different PINs mentioned in these directions: 

SigG-PIN 

Pin Length Purpose 

P11-PIN 

Signatur-PIN 

PUK 

5 

8 

8 

8 


The SigG- or Transport-PIN secures the signature card and prevents t any 

unauthorized person using the signature card until it has been delivered 

to the lawful certificate holder. The Transport-PIN has to be entered by the 

card owner before the initial card use. 

The P11-PIN secures the two additional advanced certificates on the 

signature card (refer to chapter 5). The predefined P11-PIN can be changed 

by the user after card activation. 

The Signature PIN secures the qualified certificate and must be entered 

before each single signing event. The Signature PIN has to be defined 

during activation of the signature card. 

The PUK is used to reset the counter and to allow the Signature PIN to be 

entered again after more than three faulty entries. The PUK is defined by the 

user during activation of the signature card. 

3/13 




en. 06 | 2011 



2. Installation of the Siemens Card-API 

Firstly the Siemens Card API has to be installed. Please open the directory where you have stored the extracted software 

by using Windows explorer and execute the file “Setup.exe” in the directory “CardAPI3.2Build41\Setup“. The installation 

procedure starts with the following screen: 

Click on “Next”. 


Please accept the terms of the license agreement. With the purchase of the TC QSign signature card one license 

is included for free. 

4/13 




en. 06 | 2011 



If required you may change the destination location for the files to be installed. Please ask you IT administrator for assistance. 

Click on “Next”. 

You may start now the installation by clicking on “Install”. 

Once the installation is completed you may exit the installation routine by clicking on Finish. 


5/13 




en. 06 | 2011 



3. Entering the Transport-PIN as well as the private Signature-PIN & PUK 

Important notice: 


Your new TC QSign signature card with qualified certificate will be secured by a Transport-PIN while being delivered to you. 

This ensures that no unauthorized person can use the signature card until it has been delivered to the lawful certificate holder. 

Only when TC TrustCenter has received the confirmation that the certificate owner has received the signature card, will the 

PIN-letter (including the Transport-PIN as well as the P11 PIN) be sent to the certificate owner. 

Before proceeding, please make sure – if not already done – that a compatible card reader with the latest drivers is installed 

(please refer to TC TrustCenters FAQs “Which Cardreader are supported by TC QSign 2.1 als well as the Siemens Card-API 3.2?”). 

The following activation procedure has to be finalized completely within 60 seconds and may not be cancelled in between. 

Otherwise the signature card will be blocked irrevocably. The irrevocable blocking can also be caused by entering the wrong 

Transport-PIN three times. 

To start the activation procedure, please open the directory where you have stored the extracted software by using Windows 

explorer and execute the file “SigG_Pin.exe” in the directory “CardAPI3.2Build41\Extra“. 

6/13 




en. 06 | 2011 



If not already inserted into the card reader, you will be asked to insert the TC QSign signature card. After having done so please 

confirm by clicking on “OK”. 

The next message window indicates that the activation process will be started. Please click on “OK”. 


Depending on whether a card reader with or without PIN pad (Key pad) is used, different steps have to be followed and respective 

message windows will display as described below. 

Please note: if your are using a cardreader with PIN pad and display you have to follow the directions displayed on your 

monitor and the card reader display! On your monitor it will be indicated which PIN of PUK is referred to in the actual dialog. 

The dialog resp. windows may vary from the ones shown next. 

7/13 






3. 1 Card Reader without PIN pad 

A message window appears with 5 data input boxes. 

You are asked to enter the 5-digit Transport PIN as provided in the PIN letter and marked as “SigG” via your 

computer keyboard. Please enter next your personal 8-digit Signature PIN as well as your personal 8-digit PUK. 

You will have to enter both PINs twice for confirmation. 

Please navigate by Tab key or mouse from box to box and do not use the Enter key in between. 

Click on “OK” after all PINs have been entered. 

3. 2 Card Reader with PIN pad 

A message window appears with only 1 data input box. 

You are asked first to enter the 5-digit Transport PIN as provided in the PIN letter and marked as “SigG” via the 

keypad of the reader. 

Please confirm by pressing the button “OK” on the card reader keypad. 



en. 06 | 2011 


Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de 

8/13

en. 06 | 2011 



Next you have to choose and enter your personal 8-digit Signature PIN. 


Please note that the Signature PIN must contain exactly 8 digits. If the activation procedure is cancelled the 

signature card will be blocked irrevocably. 

Next you will be asked to choose and enter a PUK. The PUK is used to reset the counter and to allow entering 

the Signature PIN again after more than three faulty entries. 

9/13 




en. 06 | 2011 



The PUK must contain exactly 8 digits as well. 

Please click on “OK”. 

Your TC QSign signature card is now ready to use and by using the appropriate applications qualified signatures 

can be generated. 

4. How to change the Signature PIN or the PUK 

Please use the application „SigG_Pin.exe“to change the Signature PIN on a regular basis or – if required – to change your PUK. In 

particular if you have a suspicion that someone could have acquired your Signature PIN, you should change the PIN as a precaution. 

Please remember that the qualified signatures can be – exactly the same as your handwritten signature – legally effective. 

You have been pointed to the obligation for executive care regarding the qualified certificate while requesting a TC QSign 

signature card (please refer to the document “Info for Certificate Holders”). 

Please insert your signature card into the card reader and execute the program “SigG_Pin.exe”. 


If not already inserted in the card reader, you will be asked to insert the TC QSign signature card into the card reader. After having 

done so please confirm by clicking on “OK”. 

10/13 




en. 06 | 2011 



Please select the desired action. 

The respective window opens (below change of Signature PIN). 

Please enter your current Signature PIN into the top entry field by using your computer keyboard or your card reader PIN pad. 

Move by using the Tab key or mouse to the next entry field and enter your new 8-digit Signature PIN. After having confirmed 

the new Signature PIN by re-entering into the third entry field, please click on “OK”. 

A message window appears and confirms the PIN change. 



11/13 




en. 06 | 2011 



5. How to change the PIN for the advanced certificates 


TC TrustCenter is a global operating Certificate Authority and the TC root certificates are pre-installed as trusted roots in 

all mayor browsers such as Microsoft’s IE and Mozilla’s FireFox. This allows secure and authenticated email communication 

with certificates issued by TC TrustCenter. 

The TC QSign signature card contains two additional advanced certificates (Class 3): 

> one certificate for encryption (e.g. mail encryption). 

> one certificate for authentication (e.g. client authentication for log-on to web servers, 

log-on to MS domain server) Note: for smartcard logon usage you have to provide 

a user name (UPN) when requesting the signature card. 

These two certificates are secured by another 8-digit PIN (P11-PIN). This PIN has been provided together with the Transport 

PIN in the PIN letter. After having activated the signature card you should also change the P11-PIN. 

Please execute the PIN-change dialog via the Desktop with “Start” -> “Siemens” -> “CardOS API” -> “Change PIN”. 

12/13 




en. 06 | 2011 



A window with three entry fields will be opened. 

Please enter your 8-digit P11-PIN (provided in the PIN letter) into the top entry field by using your computer keyboard 

(please do not use the card reader PIN pad). Move by using the Tab key or mouse to the next entry field and enter your new 

4 to 8-digit Signature PIN. After having confirmed the new Signature PIN by re-entering into the third entry field, please 

click on “OK”. 

A message window appears and confirms the PIN change. 


6. Additional details 

Log-on to Card-API Viewer 

To view the certificates and other information stored on your TC QSign signature card you can use the Siemens “Viewer” 

application provided with the Card API. Some of the stored details can be viewed only after having logged-on. If a PIN 

is requested, please use your personal P11-PIN. 

Access to Signature PIN via CSP 


In certain signing applications which use the Microsoft Cryptographic Service Provider (CSP) (e.g. Adobe Acrobat/Reader) 

it is required to enable access to the CSP by providing the P11-PIN. Please note any of the messages which appear during 

the PIN entering dialog. If it says “Enter the PIN for TC QSign” it refers to the P11 PIN. Then afterwards the Signature PIN 

will be asked for. 


Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de 

13/13

TC CLIENT CERTIFICATES - TC TrustCenter

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?