What's New
Here are some of the new features and enhancements we have made for this release.
RSASSA-PSS signing set as default: The default signing method is now RSASSA-PSS. This method was first introduced in version 2.3.0 as an optional signing option. The previous RSA PKCS#1 v1.5 signature format remains available and can be re-enabled by changing a registry setting. For more information, see the notes for Windows Security Update KB5066835 and Addressing Compatibility Issues Related to Windows Security Update KB5066835.
Improved error reporting – All Editions: We have improved the error message that appears when PCC fails to sign a document due to an error on the client side. A clearer and more specific error message now appears, indicating that the issue occurred on the client side, and not the server side. (refs PB-120202)
Enhanced error reporting – SAT Edition: A more detailed error message now appears if a signing attempt fails due to an expired, not-yet-valid, or corrupted certificate. (refs PB-118987)
The message displayed for revoked certificates remains unchanged, as revocation validation for SAT certificates is performed on the server side.
Addressing Compatibility Issues Related to Windows Security Update KB5066835
Microsoft has indicated that Windows Security Update KB5066835 (released October 14, 2025) may cause smart card authentication issues due to strengthened security and certificate handling changes. If you experience such issues, you have the following options:
Option A (Recommended): Upgrade to PCC version 2.3.1
Upgrading to this version (2.3.1) is the preferred solution. The issues caused by Update KB5066835 are related to its requirement that Key Storage Providers (KSP) be used instead of Cryptographic Service Providers (CSP) for RSA-based smart card certificates. PCC version 2.3.1 uses KSP by default for RSASSA-PSS signatures, which fully aligns with the new Windows requirements. By upgrading, you resolve the issues introduced by KB5066835 and continue to benefit from the enhanced security hardening included in this Windows update.
Option B: Configure PCC 2.3.0 to Use RSASSA-PSS
If you prefer to stay on PCC version 2.3.0, you can manually configure the application to use the RSASSA-PSS algorithm by setting a registry value.
You can do this by creating the following registry setting:
HKEY_CURRENT_USER\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography\RsaPadding = PSS
The registry setting must be of type REG_SZ. You can create it by running the following command:
reg add "HKCU\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v RsaPadding /t REG_SZ /d PSS
You do not need Administrator privileges to run this command, because it modifies the current user's profile. Normally, you will not need to restart your computer or the application. Note that this modification applies only to the current user's account.
Alternatively, you may prefer to modify the setting for EVERY user account on the machine. To do this, you must create the registry setting under the HKLM hive. Note that in this case, you must have Administrator's privileges.
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OneSpan\OneSpan Personal Certificate Client\Cryptography\RsaPadding = PSS
Or from the command line:
reg add "HKLM\SOFTWARE\WOW6432Node\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v RsaPadding /t REG_SZ /d PSS
Option C: Follow Microsoft’s Workaround (Not Recommended)
If you are using a version earlier than 2.3.0 and cannot upgrade, you can use Microsoft’s workaround described here: https://learn.microsoft.com/en-us/windows/release-health/resolved-issues-windows-11-25h2#3697msgdesc
However, this approach is not recommended, as it prevents you from benefiting from the full security improvements introduced with KB5066835.
Notes:
You can use Option C with PCC version 2.3.0, in which case you do not need to modify the default signing method via registry setting. In this case, you will not benefit entirely from all security hardenings introduced with KB5066835.
If you want to use PCC 2.3.1 with RSA PKCS#1v1.5, you must follow the instructions for Option B, but instead of “PSS”, you must specify “PKCS1v15” as the registry setting value. In this case, you may encounter the issues reported for KB5066835.
It is possible to encounter issues with RSASSA-PSS signatures if you are using legacy hardware equipped with drivers that do not support KSP. In this case, you must switch to RSA PKCS#1v1.5 signatures and apply Microsoft’s workaround (Option C).
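The following PowerShell check is an added example, not part of the OneSpan documentation or product: it reads the RsaPadding value from the two registry locations given under Option B and reports whether each is of type REG_SZ and holds one of the two values named above (PSS or PKCS1v15). The function name Get-RsaPaddingSetting and the status strings are hypothetical, and because these notes do not say which hive takes precedence when both are set, the script reports both without choosing.

```powershell
# Added example (not OneSpan code): audit the RsaPadding registry setting.
# Key paths and the values PSS / PKCS1v15 come from the release notes above;
# the function name and status strings are hypothetical.
$sub = 'SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography'
$locations = @(
    @{ Scope = 'Current user (HKCU)'; Path = "HKCU:\$sub" },
    @{ Scope = 'All users (HKLM)';    Path = "HKLM:\SOFTWARE\WOW6432Node\OneSpan\OneSpan Personal Certificate Client\Cryptography" }
)

function Get-RsaPaddingSetting {
    param([string]$Scope, [string]$Path)

    # Start from "not set": the application then uses its own default.
    $r = [ordered]@{ Scope = $Scope; Value = $null; Kind = $null
                     Status = 'Not set (application default applies)' }
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -contains 'RsaPadding') {
            $r.Value = $key.GetValue('RsaPadding')
            $r.Kind  = $key.GetValueKind('RsaPadding')
            # The notes require REG_SZ; check the type before the value.
            $r.Status = if ($r.Kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
                'Wrong type: must be REG_SZ'
            } elseif ($r.Value -ceq 'PSS') {
                'RSASSA-PSS'
            } elseif ($r.Value -ceq 'PKCS1v15') {
                'RSA PKCS#1 v1.5 (KB5066835 issues may apply)'
            } else {
                'Unrecognized value (documented values: PSS, PKCS1v15)'
            }
        }
    }
    [pscustomobject]$r
}

$locations |
    ForEach-Object { Get-RsaPaddingSetting -Scope $_.Scope -Path $_.Path } |
    Format-Table -AutoSize
```

Reading both locations does not require Administrator privileges; only writing under HKLM does.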