
Use Signature slot in Identity Manager

This article includes updates for Smart ID 23.04.4. 


A separate signature slot that holds the signature certificate and is protected by its own PIN is an additional security measure, typically used for Qualified Electronic Signatures (QES). Currently, Identity Manager supports the signature slot for the following middleware:

  • Gemalto (since PRIME 3.12)
  • Personal (since Identity Manager 22.10.2)
  • Idopte (since Identity Manager 23.04.4)

In this article you can find general information regarding signature slot. For use cases for a specific middleware, follow the links above.

Prerequisites

A token that supports the signature slot. For details, see the section referring to the signature slot in the middleware pages linked above.

Use cases

Write to the signature slot

To explicitly select the signature slot as the target for your application, use the Location keyword in the respective Application_* section. Location supports only one value: Signature. Any other value points to the default slot, as does omitting the Location keyword altogether. The value can either be hard-coded in the encoding description (for example, Location=#Signature) or reference a field (for example, Location=LOCATION_FIELD).

In the following example one certificate is written to the default slot (authenticated by PIN), one to the signature slot (authenticated by SignPIN), and one to a slot determined at runtime by the value of the field LOCATION_FIELD.

Explicitly selecting slots

[Fields]
PIN=
SIGN_PIN=
LOCATION_FIELD=

[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=ABC
# Default slot credentials
PIN=PIN
# Signature slot credentials
SignPIN=SIGN_PIN

[Application_A]
# Write a certificate to the default slot (no Location keyword)
KeySize=2048
CertTempl=myAuthCertTemplate

[Application_B]
# Write a certificate to the signature slot (hard-coded value)
KeySize=2048
CertTempl=myAuthCertTemplate
Location=#Signature

[Application_C]
# Determine the target slot at runtime from the process variable LOCATION_FIELD
KeySize=2048
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD

Change signature slot credentials

The PINs for the signature slot can be changed similarly to the standard P11 PIN/PUK handling, but with different keywords:

Standard P11 PIN/PUK keywords    Signature PIN/PUK keywords
PIN                              SignPIN
PUK                              SignPUK
InitialPUK                       InitialSignPUK
Pin_Validation                   SignPin_Validation

Examples

Example: Change signature PUK and signature PIN using field values

[Fields]
OLD_SIGN_PUK=
NEW_SIGN_PUK=
NEW_SIGN_PIN=
 
[Description]
PKCS11Library=yourMiddleware.dll
SetPin=true
InitialSignPUK=OLD_SIGN_PUK
SignPUK=NEW_SIGN_PUK
SignPIN=NEW_SIGN_PIN

Example: Change the signature PIN by entering the old and new values. The new PIN must be at least 4 digits long.

[Description]
PKCS11Library=yourMiddleware.dll
SetPin=true
SignPIN=!FROM_USER_DIALOG_3_FIELD
SignPin_Validation=reg_exp([0-9]{4,})
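The slot-selection rule from "Write to the signature slot" and the *Pin_Validation rule from the example above, worked through in Python. This is an added illustration, not Identity Manager code: the encoding description is a constructed sample, and the block assumes that ApplicationList names one application per character, that a Location value starting with # is a literal, and that only the reg_exp(...) validation form needs handling.

```python
import configparser
import re

# Constructed sample encoding description (not from the product docs), reduced to
# the keywords that decide slot selection in the three Application_* sections above.
SAMPLE_DESCRIPTION = """
[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=ABC
PIN=PIN
SignPIN=SIGN_PIN
[Application_A]
CertTempl=myAuthCertTemplate
[Application_B]
CertTempl=myAuthCertTemplate
Location=#Signature
[Application_C]
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD
"""

def resolve_slots(description_text, field_values):
    """Map each Application_* section to (slot, keyword of the PIN that unlocks it).
    Assumptions: ApplicationList names one application per character; a Location
    value starting with '#' is a literal, anything else names a field whose runtime
    value decides.  Only 'Signature' selects the signature slot; any other value,
    an empty field or no Location at all falls back to the default slot.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep keyword case (PIN vs SignPIN)
    cfg.read_string(description_text)
    slots = {}
    for app in cfg["Description"]["ApplicationList"]:
        section = f"Application_{app}"
        raw = cfg[section].get("Location", "")
        value = raw[1:] if raw.startswith("#") else field_values.get(raw, "")
        slots[section] = ("signature", "SignPIN") if value == "Signature" else ("default", "PIN")
    return slots

def pin_passes_validation(pin, rule):
    """Check a new PIN against a *Pin_Validation rule such as 'reg_exp([0-9]{4,})'.
    Assumption: only the reg_exp(...) form is handled, matched against the whole PIN.
    """
    m = re.fullmatch(r"reg_exp\((.*)\)", rule)
    if not m:
        raise ValueError(f"unsupported validation rule: {rule}")
    return re.fullmatch(m.group(1), pin) is not None
```

Running resolve_slots with LOCATION_FIELD set to "Signature" sends Application_C to the signature slot; with it empty or unset, Application_C falls back to the default slot exactly as the text describes.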
