TC CLIENT CERTIFICATES - TC TrustCenter
TC CLIENT CERTIFICATES - TC TrustCenter
TC CLIENT CERTIFICATES - TC TrustCenter
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate<br />
the Signature Card <strong>TC</strong> QSign<br />
© <strong>TC</strong> <strong>TrustCenter</strong> 2011<br />
Now part of Symantec
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
1<br />
2<br />
3<br />
4<br />
5<br />
6<br />
Content<br />
Preparations to activate the Signature Card<br />
Installation of the Siemens Card-API<br />
Entering the Transport-PIN as well as the private Signature-PIN & PUK<br />
3.1 Card Reader without PIN pad<br />
3.2 Card Reader with PIN pad<br />
How to change the Signature PIN or the PUK<br />
How to change the PIN for the advanced certificates<br />
Additional details<br />
All rights reserved. No information or images, fully or partially, in any form or by any means, may be reproduced,<br />
copied, duplicated, published or used in electronic systems or translations without the prior written consent of<br />
<strong>TC</strong> <strong>TrustCenter</strong>. This represents a crime, excluding printing and duplicating for one’s own use.<br />
All information in this document is compiled with great care. Neither <strong>TC</strong> <strong>TrustCenter</strong> nor the author are liable for any<br />
damages or disservice, that are in connection with the use of this document.<br />
All brands, product names and trademarks used in this document, but not listed above, are trademarks or service<br />
marks of the respective owners.<br />
Copyright © 2011 <strong>TC</strong> <strong>TrustCenter</strong> GmbH, Sonninstrasse 24 - 28, 20097 Hamburg, Germany.<br />
Now part of Symantec<br />
2/13<br />
continued on page 3 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
1. Preparations to activate the Signature Card<br />
During activation of your <strong>TC</strong> QSign signature card with qualified certificate different PINs have to be entered and changed<br />
for security reasons. This is only required once per signature card, however please follow the directions below carefully.<br />
Please install first a compatible card reader. Details about respective compatible card readers can be found on the<br />
<strong>TC</strong> <strong>TrustCenter</strong> FAQ web page “Which Cardreader are supported by <strong>TC</strong> QSign 2.1 als well as the Siemens Card-API 3.2?”.<br />
If you have already installed a compatible card reader please make sure that the latest card reader drivers are installed<br />
and used.<br />
To activate and also to use the signature card with some applications, a particular SIEMENS software (Card API) is required.<br />
Please download this software (.zip archive) from the <strong>TC</strong> <strong>TrustCenter</strong> web page at https://www.trustcenter.de/en/<br />
products/2004.htm and extract and save the software into an appropriate directory. You may delete the original<br />
downloaded zip archive afterwards.<br />
To avoid any possible erroneous function of the Siemens Card API due to third party software (CSPs) from other card<br />
vendors please make sure that no other CSPs (Cryptographic Service Providers) are installed.<br />
List of the 4 different PINs mentioned in these directions:<br />
SigG-PIN<br />
Pin Length Purpose<br />
P11-PIN<br />
Signatur-PIN<br />
PUK<br />
5<br />
8<br />
8<br />
8<br />
Now part of Symantec<br />
The SigG- or Transport-PIN secures the signature card and prevents t any<br />
unauthorized person using the signature card until it has been delivered<br />
to the lawful certificate holder. The Transport-PIN has to be entered by the<br />
card owner before the initial card use.<br />
The P11-PIN secures the two additional advanced certificates on the<br />
signature card (refer to chapter 5). The predefined P11-PIN can be changed<br />
by the user after card activation.<br />
The Signature PIN secures the qualified certificate and must be entered<br />
before each single signing event. The Signature PIN has to be defined<br />
during activation of the signature card.<br />
The PUK is used to reset the counter and to allow the Signature PIN to be<br />
entered again after more than three faulty entries. The PUK is defined by the<br />
user during activation of the signature card.<br />
3/13<br />
continued on page 4 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
2. Installation of the Siemens Card-API<br />
Firstly the Siemens Card API has to be installed. Please open the directory where you have stored the extracted software<br />
by using Windows explorer and execute the file “Setup.exe” in the directory “CardAPI3.2Build41\Setup“. The installation<br />
procedure starts with the following screen:<br />
Click on “Next”.<br />
Now part of Symantec<br />
Please accept the terms of the license agreement. With the purchase of the <strong>TC</strong> QSign signature card one license<br />
is included for free.<br />
4/13<br />
continued on page 5 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
If required you may change the destination location for the files to be installed. Please ask you IT administrator for assistance.<br />
Click on “Next”.<br />
You may start now the installation by clicking on “Install”.<br />
Once the installation is completed you may exit the installation routine by clicking on Finish.<br />
Now part of Symantec<br />
5/13<br />
continued on page 6 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
3. Entering the Transport-PIN as well as the private Signature-PIN & PUK<br />
Important notice:<br />
Now part of Symantec<br />
Your new <strong>TC</strong> QSign signature card with qualified certificate will be secured by a Transport-PIN while being delivered to you.<br />
This ensures that no unauthorized person can use the signature card until it has been delivered to the lawful certificate holder.<br />
Only when <strong>TC</strong> <strong>TrustCenter</strong> has received the confirmation that the certificate owner has received the signature card, will the<br />
PIN-letter (including the Transport-PIN as well as the P11 PIN) be sent to the certificate owner.<br />
Before proceeding, please make sure – if not already done – that a compatible card reader with the latest drivers is installed<br />
(please refer to <strong>TC</strong> <strong>TrustCenter</strong>s FAQs “Which Cardreader are supported by <strong>TC</strong> QSign 2.1 als well as the Siemens Card-API 3.2?”).<br />
The following activation procedure has to be finalized completely within 60 seconds and may not be cancelled in between.<br />
Otherwise the signature card will be blocked irrevocably. The irrevocable blocking can also be caused by entering the wrong<br />
Transport-PIN three times.<br />
To start the activation procedure, please open the directory where you have stored the extracted software by using Windows<br />
explorer and execute the file “SigG_Pin.exe” in the directory “CardAPI3.2Build41\Extra“.<br />
6/13<br />
continued on page 7 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
If not already inserted into the card reader, you will be asked to insert the <strong>TC</strong> QSign signature card. After having done so please<br />
confirm by clicking on “OK”.<br />
The next message window indicates that the activation process will be started. Please click on “OK”.<br />
Now part of Symantec<br />
Depending on whether a card reader with or without PIN pad (Key pad) is used, different steps have to be followed and respective<br />
message windows will display as described below.<br />
Please note: if your are using a cardreader with PIN pad and display you have to follow the directions displayed on your<br />
monitor and the card reader display! On your monitor it will be indicated which PIN of PUK is referred to in the actual dialog.<br />
The dialog resp. windows may vary from the ones shown next.<br />
7/13<br />
continued on page 8 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
3. 1 Card Reader without PIN pad<br />
A message window appears with 5 data input boxes.<br />
You are asked to enter the 5-digit Transport PIN as provided in the PIN letter and marked as “SigG” via your<br />
computer keyboard. Please enter next your personal 8-digit Signature PIN as well as your personal 8-digit PUK.<br />
You will have to enter both PINs twice for confirmation.<br />
Please navigate by Tab key or mouse from box to box and do not use the Enter key in between.<br />
Click on “OK” after all PINs have been entered.<br />
3. 2 Card Reader with PIN pad<br />
A message window appears with only 1 data input box.<br />
You are asked first to enter the 5-digit Transport PIN as provided in the PIN letter and marked as “SigG” via the<br />
keypad of the reader.<br />
Please confirm by pressing the button “OK” on the card reader keypad.<br />
Now part of Symantec<br />
continued on page 9 »<br />
en. 06 | 2011<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de<br />
8/13
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
Next you have to choose and enter your personal 8-digit Signature PIN.<br />
Now part of Symantec<br />
Please note that the Signature PIN must contain exactly 8 digits. If the activation procedure is cancelled the<br />
signature card will be blocked irrevocably.<br />
Next you will be asked to choose and enter a PUK. The PUK is used to reset the counter and to allow entering<br />
the Signature PIN again after more than three faulty entries.<br />
9/13<br />
continued on page 10 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
The PUK must contain exactly 8 digits as well.<br />
Please click on “OK”.<br />
Your <strong>TC</strong> QSign signature card is now ready to use and by using the appropriate applications qualified signatures<br />
can be generated.<br />
4. How to change the Signature PIN or the PUK<br />
Please use the application „SigG_Pin.exe“to change the Signature PIN on a regular basis or – if required – to change your PUK. In<br />
particular if you have a suspicion that someone could have acquired your Signature PIN, you should change the PIN as a precaution.<br />
Please remember that the qualified signatures can be – exactly the same as your handwritten signature – legally effective.<br />
You have been pointed to the obligation for executive care regarding the qualified certificate while requesting a <strong>TC</strong> QSign<br />
signature card (please refer to the document “Info for Certificate Holders”).<br />
Please insert your signature card into the card reader and execute the program “SigG_Pin.exe”.<br />
Now part of Symantec<br />
If not already inserted in the card reader, you will be asked to insert the <strong>TC</strong> QSign signature card into the card reader. After having<br />
done so please confirm by clicking on “OK”.<br />
10/13<br />
continued on page 11 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
Please select the desired action.<br />
The respective window opens (below change of Signature PIN).<br />
Please enter your current Signature PIN into the top entry field by using your computer keyboard or your card reader PIN pad.<br />
Move by using the Tab key or mouse to the next entry field and enter your new 8-digit Signature PIN. After having confirmed<br />
the new Signature PIN by re-entering into the third entry field, please click on “OK”.<br />
A message window appears and confirms the PIN change.<br />
Please click on “OK”.<br />
Now part of Symantec<br />
11/13<br />
continued on page 12 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
5. How to change the PIN for the advanced certificates<br />
Now part of Symantec<br />
<strong>TC</strong> <strong>TrustCenter</strong> is a global operating Certificate Authority and the <strong>TC</strong> root certificates are pre-installed as trusted roots in<br />
all mayor browsers such as Microsoft’s IE and Mozilla’s FireFox. This allows secure and authenticated email communication<br />
with certificates issued by <strong>TC</strong> <strong>TrustCenter</strong>.<br />
The <strong>TC</strong> QSign signature card contains two additional advanced certificates (Class 3):<br />
> one certificate for encryption (e.g. mail encryption).<br />
> one certificate for authentication (e.g. client authentication for log-on to web servers,<br />
log-on to MS domain server) Note: for smartcard logon usage you have to provide<br />
a user name (UPN) when requesting the signature card.<br />
These two certificates are secured by another 8-digit PIN (P11-PIN). This PIN has been provided together with the Transport<br />
PIN in the PIN letter. After having activated the signature card you should also change the P11-PIN.<br />
Please execute the PIN-change dialog via the Desktop with “Start” -> “Siemens” -> “CardOS API” -> “Change PIN”.<br />
12/13<br />
continued on page 13 »<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de
en. 06 | 2011<br />
<strong>TC</strong> <strong>CLIENT</strong> <strong>CERTIFICATES</strong><br />
Activate the Signature Card <strong>TC</strong> QSign<br />
A window with three entry fields will be opened.<br />
Please enter your 8-digit P11-PIN (provided in the PIN letter) into the top entry field by using your computer keyboard<br />
(please do not use the card reader PIN pad). Move by using the Tab key or mouse to the next entry field and enter your new<br />
4 to 8-digit Signature PIN. After having confirmed the new Signature PIN by re-entering into the third entry field, please<br />
click on “OK”.<br />
A message window appears and confirms the PIN change.<br />
Please click on “OK”.<br />
6. Additional details<br />
Log-on to Card-API Viewer<br />
To view the certificates and other information stored on your <strong>TC</strong> QSign signature card you can use the Siemens “Viewer”<br />
application provided with the Card API. Some of the stored details can be viewed only after having logged-on. If a PIN<br />
is requested, please use your personal P11-PIN.<br />
Access to Signature PIN via CSP<br />
Now part of Symantec<br />
In certain signing applications which use the Microsoft Cryptographic Service Provider (CSP) (e.g. Adobe Acrobat/Reader)<br />
it is required to enable access to the CSP by providing the P11-PIN. Please note any of the messages which appear during<br />
the PIN entering dialog. If it says “Enter the PIN for <strong>TC</strong> QSign” it refers to the P11 PIN. Then afterwards the Signature PIN<br />
will be asked for.<br />
Symantec Limited<br />
Ballycoolin Business Park, Blanchardstown | Dublin 15 | Ireland | Phone: +353 1 803 5400 | Fax +353 820 4055 | www.trustcenter.de<br />
13/13