Personal Certificate Client Prerequisites

Before Installing the Personal Certificate Client

Before the Personal Certificate Client (PCC) can be used, an administrator must ensure that:

• The relevant certificate is a document-signing certificate.

• The account of the transaction's creator has been enabled for Certificate Signing. If your Certificate Signing has not been enabled, contact our Support Team.

• The certificate’s Certificate Chain exists and is trusted on the signer's system.

Certificate Considerations

An administrator should consider the following:

• Any X.509 v3 certificate and associated private key can be used to sign with an Adobe Signature. If you use an Adobe Certified Document Services (CDS) certificate or an Adobe Approved Trusted List (AATL) certificate, the resulting signatures are validated based on the trust information provided in Adobe Acrobat and Adobe Reader. If you use a non-CDS/AATL certificate, you can configure the source of the certificate to be trusted by Adobe Acrobat and Adobe Reader (for instructions, see relevant Adobe documentation).

• The certificate’s signature algorithm should contain an RSA algorithm identifier.

• The nonRepudiation (also known as contentCommitment) flag of the keyUsage certificate extension must be ON.

Device Considerations

Smart Card Readers

The PCC has been tested on the following Smart Card Readers, and is supported with them:

• Digipass (VASCO) DP 870

• Digipass (VASCO) DP 875

• Digipass (VASCO) DP 905

• Litronic 215

• Identiv SCR331

• HID Omnikey 3121

Smart Cards and Authenticators (Tokens)

The PCC has been tested using the following smart cards or authenticators, and is supported with them:

• PIV cards

• Belgium eID cards

• Entrust USB tokens

• KPN smart cards

If you would like to sign with a device that has not been tested with the PCC, note that the PCC relies on: (1) the device's drivers and/or middleware; (2) the underlying cryptographic libraries and services that ship with the Operating System. In particular, the PCC leverages the Microsoft Crypto API and the macOS Cryptographic Service.

We therefore expect that most available devices on the market (Smart Cards, hardware tokens, and card readers) will be compatible with the PCC, even if they have not been tested and certified by OneSpan. Nonetheless, if you would like to use a device that is not documented here, we recommend that you first reach out to your Account Representative.

Additional Considerations

An administrator should also consider the following:

• Administrators can optionally: (1) specify the download URL that will appear if users are prompted to install the PCC; (2) customize the URL's download instructions. To arrange these configurations, please contact our Support Team.

• For security purposes, the PCC is not supported in virtualized desktop or remote desktop environments. Those environments include: (1) Remote Desktop on Windows; (2) screen sharing on macOS.

• On-premises customers must customize their PCC to secure its communication with OneSpan Sign. This includes sharing the PDF Document Engine's communication certificate or signer certificate with our Support Team, so it can be whitelisted. Once the PDF Document Engine's communication certificate expires, if the new certificate is re-issued with a new key-pair, on-premises customers must do this again. If the new certificate is renewed using the same key-pair, no additional action is required. For more information, see Authenticating Servers.

Although most users browse the Internet using one of the PCC's supported browsers (Edge, Firefox, Chrome), we recommend that you include the list of supported browsers in the email notification that signers receive. This will ensure that you achieve maximize completion rates for your signing processes.