Personal Certificate Client Prerequisites
- Updated on 09 Oct 2024
Before installing the Personal Certificate Client, ensure the certificate is for document signing, the creator's account is enabled for Certificate Signing, and the Certificate Chain is trusted. Considerations include using X.509 v3 certificates for Adobe Signature, validating signatures with Adobe CDS/AATL certificates, and ensuring RSA algorithm and nonRepudiation flag are set. The PCC is compatible with specific Smart Card Readers and smart cards/authenticators. Customize download URLs and instructions, avoid virtualized desktop environments, and secure communication with OneSpan Sign for on-premises customers. Share communication certificates and renew them as needed. Include supported browsers in email notifications for maximum completion rates.
Before Installing the Personal Certificate Client
Before the Personal Certificate Client (PCC) can be used, an administrator must ensure that:
- The relevant certificate is a document-signing certificate.
- The account of the transaction's creator has been enabled for Certificate Signing. If your Certificate Signing has not been enabled, contact our Support Team.
- The certificate’s Certificate Chain exists and is trusted on the signer's system.
Certificate Considerations
An administrator should consider the following:
- Any X.509 v3 certificate and associated private key can be used to sign with an Adobe Signature. If you use an Adobe Certified Document Services (CDS) certificate or an Adobe Approved Trusted List (AATL) certificate, the resulting signatures are validated based on the trust information provided in Adobe Acrobat and Adobe Reader. If you use a non-CDS/AATL certificate, you can configure the source of the certificate to be trusted by Adobe Acrobat and Adobe Reader (for instructions, see relevant Adobe documentation).
- The certificate’s signature algorithm should contain an RSA algorithm identifier.
- The nonRepudiation (also known as contentCommitment) flag of the keyUsage certificate extension must be ON.
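An administrator can check the version, signature algorithm, and keyUsage requirements listed above with the openssl command line before a certificate is issued to signers. The script below is an added example, not OneSpan code: the function names `check_pcc_cert` and `make_sample_cert` are hypothetical, the sample certificates are constructed, and chain trust and Adobe CDS/AATL membership are not checked.

```shell
# Added example, not OneSpan code; function names are hypothetical.
# check_pcc_cert FILE: return 0 only if the PEM certificate is X.509 v3,
# is RSA-signed, and has nonRepudiation set in keyUsage (2 = unreadable).
check_pcc_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $1 as a PEM certificate"; return 2; }
    rc=0
    # openssl prints "Version: 3 (0x2)" for an X.509 v3 certificate.
    if printf '%s\n' "$text" | grep -q 'Version: 3 '; then
        echo "ok:   X.509 v3"
    else
        echo "FAIL: not an X.509 v3 certificate"; rc=1
    fi
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption.
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sigalg in
        *[Rr][Ss][Aa]*) echo "ok:   signature algorithm $sigalg" ;;
        *) echo "FAIL: signature algorithm '$sigalg' is not RSA"; rc=1 ;;
    esac
    # keyUsage values follow the extension header line; openssl prints
    # nonRepudiation as "Non Repudiation".
    usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case $usage in
        *"Non Repudiation"*) echo "ok:   keyUsage includes nonRepudiation" ;;
        *) echo "FAIL: keyUsage lacks nonRepudiation"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input: throwaway self-signed certificate
# (-addext needs OpenSSL 1.1.1 or later).
# make_sample_cert OUT.pem KEYUSAGE KEY-OPTIONS...
make_sample_cert() {
    out=$1; ku=$2; shift 2
    openssl req -x509 -nodes -days 1 -subj "/CN=pcc-sample" "$@" \
        -addext "keyUsage=critical,$ku" -keyout "$out.key" -out "$out" \
        2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/good.pem" digitalSignature,nonRepudiation -newkey rsa:2048
make_sample_cert "$tmp/weak.pem" digitalSignature -newkey rsa:2048
check_pcc_cert "$tmp/good.pem"
check_pcc_cert "$tmp/weak.pem" || echo "weak.pem rejected"
rm -rf "$tmp"
```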
Device Considerations
Smart Card Readers
The PCC has been tested on the following Smart Card Readers, and is supported with them:
- Digipass (VASCO) DP 870
- Digipass (VASCO) DP 875
- Digipass (VASCO) DP 905
- Litronic 215
- Identiv SCR331
- HID Omnikey 3121
Smart Cards and Authenticators (Tokens)
The PCC has been tested using the following smart cards or authenticators, and is supported with them:
- PIV cards
- Belgium eID cards
- Entrust USB tokens
- KPN smart cards
If you would like to sign with a device that has not been tested with the PCC, note that the PCC relies on: (1) the device's drivers and/or middleware; (2) the underlying cryptographic libraries and services that ship with the Operating System. In particular, the PCC leverages the Microsoft Crypto API and the macOS Cryptographic Service.
We therefore expect that most available devices on the market (Smart Cards, hardware tokens, and card readers) will be compatible with the PCC, even if they have not been tested and certified by OneSpan. Nonetheless, if you would like to use a device that is not documented here, we recommend that you first reach out to your Account Representative.
Additional Considerations
An administrator should also consider the following:
- Administrators can optionally: (1) specify the download URL that will appear if users are prompted to install the PCC; (2) customize the URL's download instructions. To arrange these configurations, please contact our Support Team.
- For security purposes, the PCC is not supported in virtualized desktop or remote desktop environments. Those environments include: (1) Remote Desktop on Windows; (2) screen sharing on macOS.
- On-premises customers must customize their PCC to secure its communication with OneSpan Sign. This includes sharing the PDF Document Engine's communication certificate or signer certificate with our Support Team, so it can be whitelisted. Once the PDF Document Engine's communication certificate expires, if the new certificate is re-issued with a new key-pair, on-premises customers must do this again. If the new certificate is renewed using the same key-pair, no additional action is required. For more information, see Authenticating Servers.
- Although most users browse the Internet using one of the PCC's supported browsers (Edge, Firefox, Chrome), we recommend that you include the list of supported browsers in the email notification that signers receive. This will ensure that you achieve maximum completion rates for your signing processes.