
Release 2.3.5


What’s New

Added support for ECC (Elliptic Curve Cryptography) certificates: ECC provides strong encryption with smaller key sizes, delivering improved performance and security efficiency. (refs PB-118805)

The default padding for RSA digital signatures has reverted to PKCS#1 v1.5: Starting with version 2.3.2, RSASSA-PSS was introduced as the default RSA signature padding. However, some older smart cards and USB tokens do not support RSASSA-PSS. To maintain compatibility with these devices and to avoid the need for additional configurations, PKCS#1 v1.5 has been restored as the default RSA signature padding. (refs PB-121339)

Users who wish to use RSASSA-PSS can enable it by creating or modifying the following registry value (REG_SZ):

HKEY_CURRENT_USER\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography
RsaPadding = PSS

Alternatively, this can be configured by executing the following:

reg add "HKCU\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v RsaPadding /t REG_SZ /d PSS

Bug Fixes

The following issues were resolved in this release:

  • Fixed a concurrency issue. (refs PB-121626)

  • Improved certificate filtering for digital signing. PCC requires that certificates used for signing contain a KeyUsage extension explicitly permitting digital signing, including the nonRepudiation (contentCommitment) flag. For more information, see Personal Certificate Client Prerequisites. (refs PB-118805)

    This policy aligns certificate selection with common document signing compliance profiles (for example, PAdES / AdES) and helps prevent users from inadvertently signing documents with certificates not intended for this purpose.

    In previous versions, it was also possible to sign using certificates that did not contain a KeyUsage extension at all. As of version 2.3.5, such certificates are excluded by default.

    If you need to allow certificates without a KeyUsage extension, this behavior can be overridden by setting the following registry value (REG_SZ):

    HKEY_CURRENT_USER\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography\AllowNoKeyUsageCertificates = 1

    Alternatively, the registry value can be added by executing:

    reg add "HKCU\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v AllowNoKeyUsageCertificates /t REG_SZ /d 1
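
The following PowerShell is an added example, not part of OneSpan's documentation or product code: it reads the two registry values named on this page and lists the KeyUsage flags of every certificate with a private key in the current user's Personal store, so you can see which certificates the 2.3.5 filter affects. It assumes PCC selects certificates from Cert:\CurrentUser\My and does not reproduce PCC's own selection logic.

```powershell
# Added example (not OneSpan code). Assumption: PCC reads Cert:\CurrentUser\My.
$regPath  = 'HKCU:\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography'
$settings = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

# Both values are REG_SZ on this page, so they are compared as strings.
$allowNoKeyUsage = ($null -ne $settings) -and ($settings.AllowNoKeyUsageCertificates -eq '1')
if ($settings -and $settings.RsaPadding) {
    $rsaPadding = $settings.RsaPadding
} else {
    $rsaPadding = 'not set (PKCS#1 v1.5 default)'
}
Write-Host "RsaPadding: $rsaPadding; AllowNoKeyUsageCertificates override: $allowNoKeyUsage"

$kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$flag   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        # The KeyUsage extension (OID 2.5.29.15) is optional in X.509; $ku is $null when absent.
        $ku = $_.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1

        if ($null -ne $ku) {
            $note = 'KeyUsage present: compare flags with the prerequisites'
        } elseif ($allowNoKeyUsage) {
            $note = 'no KeyUsage: allowed by registry override'
        } else {
            $note = 'no KeyUsage: excluded by default as of 2.3.5'
        }

        [pscustomobject]@{
            Subject          = $_.Subject
            Thumbprint       = $_.Thumbprint
            KeyAlgorithm     = $_.PublicKey.Oid.FriendlyName   # e.g. RSA or ECC
            NotAfter         = $_.NotAfter
            DigitalSignature = [bool]($ku -and $ku.KeyUsages.HasFlag($flag::DigitalSignature))
            NonRepudiation   = [bool]($ku -and $ku.KeyUsages.HasFlag($flag::NonRepudiation))
            Note             = $note
        }
    } | Format-Table -AutoSize -Wrap
```

Running it before enabling AllowNoKeyUsageCertificates shows whether the override is needed at all; certificates that already carry the required flags are unaffected by it.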