Personal Certificate Client Prerequisites

Before Installing the Personal Certificate Client

Before the Personal Certificate Client (PCC) can be used, an administrator must ensure that:

• The relevant certificate is a document-signing certificate.

• The account of the transaction's creator has been enabled for Certificate Signing. If your Certificate Signing has not been enabled, contact our Support Team.

• The certificate’s Certificate Chain exists and is trusted on the signer's system.

Certificate Considerations

An administrator should consider the following:

• Any X.509 v3 certificate and associated private key can be used to sign with an Adobe Signature. If you use an Adobe Certified Document Services (CDS) certificate or an Adobe Approved Trusted List (AATL) certificate, the resulting signatures are validated based on the trust information provided in Adobe Acrobat and Adobe Reader. If you use a non-CDS/AATL certificate, you can configure the source of the certificate to be trusted by Adobe Acrobat and Adobe Reader (for instructions, see relevant Adobe documentation).

• The certificate’s signature algorithm should contain an RSA algorithm identifier.

• The nonRepudiation (also known as contentCommitment) flag of the keyUsage certificate extension must be ON.

Device Considerations

Smart Card Readers

The PCC has been tested on the following Smart Card Readers, and is supported with them:

• Digipass (VASCO) DP 870

• Digipass (VASCO) DP 875

• Digipass (VASCO) DP 905

• Litronic 215

• Identiv SCR331

• HID Omnikey 3121

Smart Cards and Authenticators (Tokens)

The PCC has been tested using the following smart cards or authenticators, and is supported with them:

• PIV cards

• Belgium eID cards

• Entrust USB tokens

• KPN smart cards

If you would like to sign with a device that has not been tested with the PCC, note that the PCC relies on: (1) the device's drivers and/or middleware; (2) the underlying cryptographic libraries and services that ship with the Operating System. In particular, the PCC leverages the Microsoft Crypto API and the macOS Cryptographic Service.

We therefore expect that most available devices on the market (Smart Cards, hardware tokens, and card readers) will be compatible with the PCC, even if they have not been tested and certified by OneSpan. Nonetheless, if you would like to use a device that is not documented here, we recommend that you first reach out to your Account Representative.

External URLs

During normal operations the PCC sends requests to external URLs. Most commonly, these are URLs that contain the artifacts required to build a valid certificate chain and retrieve revocation data for various certificates. For example, the certificate used to sign documents, or TLS certificates.

If your environment restricts access to the internet then access to some of these external URLs may be blocked, which may prevent the PCC from functioning normally. Currently, the following domains are known to be accessed by the PCC and may be blocked by your internet policy:

• digitalcertvalidation.com

• digicert.com

• globalsign.com

Note that this list is incomplete. It does not include, for example, the domains in which the URLs containing the revocation data for end-users’ signing certificates are hosted.

If you restrict access to the internet you must compile a list of the external URLs the PCC is trying to access in your particular environment, using various publicly available third-party tools and/or the features of your firewall. For example, the following tools could be used to retrieve a list of external URLs for a specific environment:

• Sysinternals Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon),

• Wireshark (https://www.wireshark.org/),

• Telerik Fiddler (https://www.telerik.com/fiddler).

Once this is done, you must whitelist these URLs to allow the PCC to work.

Additional Considerations

An administrator should also consider the following:

• Administrators can optionally: (1) specify the download URL that will appear if users are prompted to install the PCC; (2) customize the URL's download instructions. To arrange these configurations, please contact our Support Team.

• For security purposes, the PCC is not supported in virtualized desktop or remote desktop environments. Those environments include: (1) Remote Desktop on Windows; (2) screen sharing on macOS.

• On-premises customers must customize their PCC to secure its communication with OneSpan Sign. This includes sharing the PDF Document Engine's communication certificate or signer certificate with our Support Team, so it can be whitelisted. Once the PDF Document Engine's communication certificate expires, if the new certificate is re-issued with a new key-pair, on-premises customers must do this again. If the new certificate is renewed using the same key-pair, no additional action is required. For more information, see Authenticating Servers.

Although most users browse the Internet using one of the PCC's supported browsers (Edge, Firefox, Chrome), we recommend that you include the list of supported browsers in the email notification that signers receive. This will ensure that you achieve maximize completion rates for your signing processes.