Release 2.3.2


Bug Fixes

  • Beginning with PCC version 2.3.0, the Windows version of the PCC supports Key Storage Provider (KSP) keys. Starting with PCC version 2.3.1, KSP keys are used by default. When KSP keys are in use, the PIN prompt sometimes appeared behind the browser window, which made it seem as though the application had become unresponsive. This issue has been resolved. (refs PB-120621)

Addressing Compatibility Issues Related to Windows Security Update KB5066835

Microsoft has indicated that Windows Security Update KB5066835 (released October 14, 2025) may cause smart card authentication issues due to strengthened security and certificate handling changes. If you experience such issues, you have the following options:

Option A (Recommended): Upgrade to PCC version 2.3.2

Upgrading to this version (2.3.2) is the preferred solution. The issues caused by Update KB5066835 are related to its requirement that Key Storage Providers (KSP) be used instead of Cryptographic Service Providers (CSP) for RSA-based smart card certificates. PCC version 2.3.2 uses KSP by default for RSASSA-PSS signatures, which fully aligns with the new Windows requirements. By upgrading, you resolve the issues introduced by KB5066835 while continuing to benefit from the enhanced security hardening included in this Windows update.

Option B: Configure PCC 2.3.0 to Use RSASSA-PSS

If you prefer to stay on PCC version 2.3.0, you can manually configure the application to use the RSASSA-PSS algorithm by setting a registry value.

Create the following registry setting:

HKEY_CURRENT_USER\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography\RsaPadding = PSS

The registry value must be of type REG_SZ. You can create it by running the following command:

reg add "HKCU\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v RsaPadding /t REG_SZ /d PSS

You do not need Administrator privileges to run this command, because it modifies only the current user's profile. Normally, you do not need to restart your computer or the application. Note that this change applies only to the current user's account.

Alternatively, you can apply the setting to every user account on the machine. To do this, create the registry setting under the HKLM hive. Note that this requires Administrator privileges.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OneSpan\OneSpan Personal Certificate Client\Cryptography\RsaPadding = PSS

Or from the command line:

reg add "HKLM\SOFTWARE\WOW6432Node\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v RsaPadding /t REG_SZ /d PSS
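
To confirm the setting after applying Option B, the following PowerShell check reads both registry locations named above and verifies the value type and data. It is an added example, not part of the OneSpan release notes or product; the function name Get-RsaPaddingStatus is hypothetical, and exact-case matching of the value is an assumption.

```powershell
# Added example (not OneSpan code). Registry paths, value name and the two
# accepted values (PSS, PKCS1v15) are taken from the release notes above.
$product = 'OneSpan\OneSpan Personal Certificate Client\Cryptography'
$targets = [ordered]@{
    'Current user' = "HKCU:\SOFTWARE\$product"
    'All users'    = "HKLM:\SOFTWARE\WOW6432Node\$product"
}

function Get-RsaPaddingStatus {            # hypothetical helper name
    param([string]$Scope, [string]$Path)

    $result = [pscustomobject]@{
        Scope = $Scope; Kind = $null; Value = $null; Finding = 'RsaPadding not set'
    }
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains 'RsaPadding') {
        return $result
    }

    $result.Kind  = $key.GetValueKind('RsaPadding')
    $result.Value = $key.GetValue('RsaPadding')

    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        $result.Finding = 'Wrong type: the notes require REG_SZ'
    }
    elseif ($result.Value -cnotin 'PSS', 'PKCS1v15') {
        # Assumption: values are matched exactly as written in the notes.
        $result.Finding = 'Unexpected value: the notes list PSS or PKCS1v15'
    }
    elseif ($result.Value -ceq 'PKCS1v15') {
        $result.Finding = 'PKCS#1 v1.5 selected: KB5066835 issues may occur'
    }
    else {
        $result.Finding = 'RSASSA-PSS selected'
    }
    return $result
}

# Report each location separately.
$targets.GetEnumerator() |
    ForEach-Object { Get-RsaPaddingStatus -Scope $_.Key -Path $_.Value } |
    Format-Table -AutoSize
```

The release notes do not state which location takes precedence when both are set, so the script reports each one separately rather than computing an effective value.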

Option C: Follow Microsoft’s Workaround (Not Recommended)

If you are using a version earlier than 2.3.0 and cannot upgrade, you can use Microsoft’s workaround described here: https://learn.microsoft.com/en-us/windows/release-health/resolved-issues-windows-11-25h2#3697msgdesc

However, this approach is not recommended, as it prevents you from benefiting from the full security improvements introduced with KB5066835.

Notes:

  • You can use Option C with PCC version 2.3.0, in which case you do not need to change the default signing method via the registry setting. In this case, you will not benefit fully from the security hardening introduced with KB5066835.

  • If you want to use PCC 2.3.2 with RSA PKCS#1v1.5, you must follow the instructions for Option B, but instead of “PSS”, you must specify “PKCS1v15” as the registry setting value. In this case, you may encounter the issues reported for KB5066835. You may also encounter issues with RSASSA-PSS signatures if you are using legacy hardware whose drivers do not support KSP. In this case, you must switch to RSA PKCS#1v1.5 signatures and apply Microsoft’s workaround (Option C).