Guide For Digital Certificate Use

Digital certificates guide policy for users

Uploaded by

sandeepshende

SafeSign Identity Client Standard

User Guide Token Administration Utility (TAU)

This document contains information of a proprietary nature.


No part of this manual may be reproduced or transmitted in
any form or by any means electronic, mechanical or
otherwise, including photocopying and recording for any
purpose other than the purchaser's personal use without
written permission of A.E.T. Europe B.V.
Individuals or organisations, which are authorised by A.E.T.
Europe B.V. in writing to receive this information, may utilise
it for the sole purpose of evaluation and guidance.

A.E.T. Europe B.V.


IJsselburcht 3
NL - 6825 BS Arnhem
The Netherlands

2009, A.E.T. Europe B.V., Arnhem, The Netherlands

Warning Notice
All information herein is either public information or is the property of and owned solely by A.E.T. Europe B.V. who shall have and keep
the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
This information is subject to change as A.E.T. Europe B.V. reserves the right, without notice, to make changes to its products, as
progress in engineering or manufacturing methods or circumstances warrant.
Installation and use of A.E.T. Europe B.V. products are subject to your acceptance of the terms and conditions set out in the license
Agreement which accompanies each product. Nothing herein shall be construed as implying or granting to you any rights, by license,
grant or otherwise, under any intellectual and/ or industrial property rights of or concerning any of A.E.T. Europe B.V. information.
Cryptographic products are subject to export and import restrictions. You are required to obtain the appropriate government licenses
prior to shipping this Product.
The information contained in this document is provided "AS IS" without any warranty of any kind. Unless otherwise expressly agreed in
writing, A.E.T. Europe B.V. makes no warranty as to the value or accuracy of information contained herein. The document could include
technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, A.E.T. Europe
B.V. reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any
time.

A.E.T. EUROPE B.V. HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION CONTAINED
HEREIN, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. IN NO EVENT SHALL A.E.T. EUROPE B.V. BE LIABLE, WHETHER IN CONTRACT, TORT OR OTHERWISE, FOR ANY
INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO DAMAGES
RESULTING FROM LOSS OF USE, DATA, PROFITS, REVENUES, OR CUSTOMERS, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF INFORMATION CONTAINED IN THIS DOCUMENT.

Copyright A.E.T. Europe B.V., 1997 - 2009.


All rights reserved.

SafeSign is a trademark of A.E.T. Europe B.V. All A.E.T. Europe B.V. product names are trademarks of A.E.T. Europe B.V. All other
product and company names are trademarks or registered trademarks of their respective owners.

Credit information:
This product includes cryptographic software written by Eric A. Young ([email protected])
This product includes software written by Tim J. Hudson ([email protected]).

2009 A.E.T. Europe B.V.


Doc ID: TAU_Guide_SafeSign-IC-Standard_v3.0

Edition: 3.0


Document Information

Filename: SafeSign Identity Client Standard User Guide Token Administration Utility (TAU)
Document ID: TAU_Guide_SafeSign-IC-Standard_v3.0
Project Information: SafeSign Identity Client User Documentation

Document revision history

Version | Date | Author | Changes
1.0 | 15-12-2005 | Drs C.M. van Houten | First edition for SafeSign Identity Client Standard Version 2.2 for Windows (release 2.2.0)
1.1 | 21-04-2006 | Drs C.M. van Houten | Edited for SafeSign Identity Client Standard Version 2.2 for Windows (release 2.2.2)
2.0 | 24-07-2006 | Drs C.M. van Houten | First edition for SafeSign Identity Client Standard Version 2.3 for Windows (release 2.3.0)
2.1 | 02-01-2007 | Drs C.M. van Houten | Edited for SafeSign Identity Client Standard Version 2.3 for Windows (release 2.3.2)
3.0 | 23-12-2009 | Drs C.M. van Houten | First edition for SafeSign Identity Client Standard Version 3.0 for Windows (release 3.0.33)

WE RESERVE THE RIGHT TO CHANGE SPECIFICATIONS WITHOUT NOTICE


Table of contents

Warning Notice
Document Information
Table of contents
List of Figures
About the Product
About the Manual

1 SafeSign Identity Client Token Administration Utility
1.1 Introduction
1.2 Help menu
1.2.1 Versions Info
1.2.2 About
1.3 Multi-language
1.4 Use of protected authentication path devices
1.4.1 Secure pinpad reader

2 Digital IDs menu
2.1 Show Registered Digital IDs
2.1.1 Transfer ID to token
2.1.2 Import trust chain
2.1.3 Delete Digital ID
2.1.4 View Certificate
2.1.5 Copy Cert To Store
2.1.6 Refresh
2.1.7 Check Expiration
2.1.8 Close
2.2 Import Digital ID
2.3 Import Certificate
2.4 Clean Certificate Cache
2.5 Exit

3 Token Menu
3.1 Initialise Token
3.1.1 Initialising a Token
3.1.2 Wipe Token
3.1.3 Import CA Certificates
3.2 Change PIN
3.2.1 PIN information
3.3 Change Transport PIN
3.4 Unlock PIN
3.4.1 Unlock using the PUK
3.4.2 Unlock via off-line PIN unlock
3.5 Change PUK
3.5.1 PUK information
3.6 Show Token Info
3.7 Show Token Objects
3.7.1 View Certificate
3.7.2 Save Object
3.7.3 Edit Label
3.7.4 Delete Object
3.8 Dump Token Contents

3.9 Query Unknown token
3.9.1 Apply settings
3.9.2 Save registry file
3.10 Analyse Certificate Quality
3.10.1 Certificate Status OK
3.10.2 Certificate Status Not Optimal
3.10.3 Certificate Status Unusable
3.11 Change PIN Timeout

4 Integration menu
4.1 Install SafeSign in Firefox
4.2 Install SafeSign in Entrust

5 Tasks menu
5.1 Launch an application
5.2 Launch a plug-in
5.3 Remove a task

Index of Notes


List of Figures

Figure 1: SafeSign Identity Client menu
Figure 2: Control Panel: Cryptographic Tokens
Figure 3: Token Administration Utility: Reader Name
Figure 4: Token Administration Utility: Blank Token
Figure 5: Token Administration Utility: Operational Token
Figure 6: Token Administration Utility: Multiple operational tokens
Figure 7: Token Administration Utility: Version Information
Figure 8: Token Administration Utility: About
Figure 9: Token Administration Utility: Dutch
Figure 10: Token Administration Utility: Chinese
Figure 11: Region and Languages: Formats
Figure 12: Enter PIN
Figure 13: PinPad: Enter your PIN
Figure 14: Digital IDs: No personal Digital IDs
Figure 15: Digital IDs: Digital ID stored on token
Figure 16: View Certificate: This certificate will expire in the next 30 days
Figure 17: View Certificate: The certificate has expired
Figure 18: Digital IDs: Transfer ID to token
Figure 19: Transfer ID to token: Question
Figure 20: Transfer ID to token: Question CA certificates
Figure 21: Transfer ID to token: Enter PIN
Figure 22: Transfer ID to token: Transferring
Figure 23: Transfer ID to token: Success
Figure 24: Digital IDs: Personal Digital IDs on token
Figure 25: Transfer ID to token: Error
Figure 26: Digital IDs: no certification path
Figure 27: View Certificate: Could not locate the complete trust chain
Figure 28: Digital IDs: Certification path not on token
Figure 29: Digital IDs: Certification path not on token
Figure 30: Import trust chain: Enter PIN
Figure 31: Import trust chain: Importing
Figure 32: Import trust chain: Success
Figure 33: Digital IDs: Certification path on token
Figure 34: Digital IDs: Are you sure you want to delete Digital ID
Figure 35: Delete Digital ID: Enter PIN
Figure 36: Delete Digital ID: Deleting
Figure 37: Delete Digital ID: Success
Figure 38: View Certificate: Certificate Information
Figure 39: View Certificate: Save certificate
Figure 40: Digital IDs: Copy Cert. to System Store
Figure 41: Copy Cert. to System Store: This will copy the following Digital ID to the System Store
Figure 42: Copy Cert. to System Store: Certificate successfully transferred to the Registry Store
Figure 43: Encrypting File System: Use this certificate
Figure 44: Digital IDs: Two Personal Digital IDs
Figure 45: Digital IDs: Digital ID for EFS
Figure 46: Windows Security: Encrypting File System
Figure 47: Check Expiration: Information
Figure 48: Check Expiration: Certificate Expiration Warning
Figure 49: Certificate Expiration Warning
Figure 50: Token Administration Utility: Import Digital ID
Figure 51: Import Digital ID
Figure 52: Import Digital ID: Select a Digital ID file
Figure 53: Import Digital ID: Digital ID file selected
Figure 54: Import Digital ID: Label on token
Figure 55: Import Digital ID: Digital ID password entered
Figure 56: Error: Digital ID needs a different password
Figure 57: Import Digital ID: Enter PIN
Figure 58: Import Digital ID: Working
Figure 59: Import Digital ID: The Digital ID has been imported successfully
Figure 60: Error: Key Size either smaller than 768 bits or larger than 2048 bits
Figure 61: Error: Token out of memory
Figure 62: Token Administration Utility: Imported Digital ID
Figure 63: Token Administration Utility: Import Certificate
Figure 64: Import Certificate: File name


Figure 65: Import Certificate: Enter PIN
Figure 66: Token Administration Utility: Certificate successfully imported
Figure 67: Token Administration Utility: Clean Certificate Cache
Figure 68: Clean Certificate Cache: Warning
Figure 69: Clean Certificate Cache: The cache has been successfully cleaned
Figure 70: Token Administration Utility: Initialise Token
Figure 71: Token Administration Utility: Initialise Token dialog
Figure 72: Token Administration Utility: Initialise Token dialog for series card
Figure 73: Token Administration Utility: Initialise Token dialog completed
Figure 74: Initialise Token: Your token is being initialised
Figure 75: Initialise Token: The operation completed successfully
Figure 76: Token Administration Utility: Token operational
Figure 77: Error: Device Error 0x30
Figure 78: Error: Your Java card may not be configured correctly
Figure 79: Token Administration Utility: Initialise Token Warning
Figure 80: Token Administration Utility: Wipe Token dialog
Figure 81: Token Administration Utility: Wipe Token dialog completed
Figure 82: Token Administration Utility: Your token is being wiped
Figure 83: Token Administration Utility: The operation completed successfully
Figure 84: Token Administration Utility: Token operational
Figure 85: Error: Device Error 0x30
Figure 86: Error: Your Java card may not be configured correctly
Figure 87: Token Administration Utility: Initialise Token dialog
Figure 88: Browse for Folder
Figure 89: Initialise Token: Import CA Certificates
Figure 90: Token Administration Utility: Token is being initialised
Figure 91: Token Administration Utility: Now importing CA certificates
Figure 92: Token Administration Utility: The operation completed successfully
Figure 93: Token Administration Utility: Change PIN
Figure 94: Token Administration Utility: Your PIN was successfully changed
Figure 95: Token Information: PIN Status
Figure 96: Token Administration Utility: Change PIN
Figure 97: Change PIN: PIN incorrect
Figure 98: Change PIN: You have only 1 attempt left
Figure 99: Change PIN: PIN locked
Figure 100: Change PIN: The PIN has previously been entered incorrectly
Figure 101: Token Information: PIN set to transport value
Figure 102: Token Administration Utility: Change transport PIN
Figure 103: Change transport PIN dialog
Figure 104: Change transport PIN: Your PIN was successfully changed
Figure 105: Token Administration Utility: Unlock PIN
Figure 106: Unlock PIN: Your PIN was successfully unlocked
107: Unlock PIN.................................................................................................................................................................. 55
108: Off-line PIN unlock wizard: Welcome to the off-line PIN unlock wizard............................................................................ 55
109: Off-line PIN unlock wizard: select unlock algorithm........................................................................................................ 56
110: Off-line PIN unlock wizard: report challenge.................................................................................................................. 56
111 - off-line PIN unlock wizard: enter response and set a new PIN....................................................................................... 57
112: Off-line PIN unlock wizard: enter response and set a new PIN completed ....................................................................... 57
113: Off-line PIN unlock wizard: PIN unlock successful.......................................................................................................... 58
114: Off-line PIN unlock wizard: off-line PIN unlock failed ..................................................................................................... 58
115: Token Administration Utility: Change PUK ..................................................................................................................... 59
116: Change PUK: Your PUK was successfully changed ......................................................................................................... 59
117: Token Information: PUK Status .................................................................................................................................... 60
118: Token Administration Utility: Change PUK ..................................................................................................................... 61
119: Change PUK: PUK incorrect.......................................................................................................................................... 61
120: Change PUK: You have only 1 attempt left.................................................................................................................... 61
121: Change PUK: PUK locked ............................................................................................................................................. 61
122: Change PUK: The PUK has previously been entered incorrectly ...................................................................................... 62
123: Token locked .............................................................................................................................................................. 62
124: Token Administration Utility: Token Information ............................................................................................................ 63
125: PKCS #11 objects: Token Objects ................................................................................................................................ 65
126: PKCS #11 Objects: Enter PIN ...................................................................................................................................... 65
127: PKCS #11 Objects: All objects...................................................................................................................................... 66
128: View Certificate: Certificate Information........................................................................................................................ 66
129: Save Object: Save certificate........................................................................................................................................ 67
130: Edit Label ................................................................................................................................................................... 67
131: Delete Object: Are you sure ......................................................................................................................................... 68
132: Delete Object: Enter PIN ............................................................................................................................................. 68
133: Dump Token Contents: Question.................................................................................................................................. 69

2009 A.E.T. Europe B.V.


Doc ID: TAU_Guide_SafeSign-IC-Standard_v3.0

II

Edition: 3.0


134: Dump Token Contents: Save.................... 69
135: Dump Token Contents: Enter PIN.................... 69
136: Dump Token Contents: Dumping.................... 70
137: Dump Token Contents: Dump successful .................... 70
138: Token Administration Utility: Unknown Token .................... 70
139: Unknown ATR: The ATR is not registered correctly.................... 71
140: Query unknown token: Unknown Java Card .................... 71
141: Unknown Java card: Copy settings .................... 72
142: Apply settings: Enter name .................... 72
143: The registry settings have successfully been copied.................... 72
144: Token Administration Utility: Blank Token .................... 73
145: Save registry file: Enter name .................... 73
146: Save registry file .................... 73
147: Save registry file: The registry file has been written successfully .................... 74
148: Token Administration Utility: Blank Token .................... 74
149: Certificate analysis: OK .................... 75
150: Certificate analysis: Not optimal .................... 76
151: Certificate analysis: Unusable.................... 76
152: Token Administration Utility: Change PIN Timeout.................... 77
153: Change Timeout: Timeout disabled .................... 77
154: Change Timeout: Timeout enabled .................... 78
155: Change Timeout: New Timeout Value.................... 78
156: Enter .................... 78
157: Your PIN Timeout was successfully changed .................... 78
158: Token Information: PIN Timeout enabled .................... 79
159: Token Administration Utility: Install SafeSign in Firefox.................... 80
160: Firefox Installer: Install SafeSign in Firefox .................... 81
161: Firefox Installer: Are you sure you want to install this security module? .................... 81
162: Firefox Installer: A new security module has been installed.................... 81
163: Token Administration Utility: Install SafeSign in Entrust .................... 82
164: Entrust Installer: Install SafeSign in Entrust .................... 82
165: Entrust Installer: successfully installed.................... 82
166: Token Administration Utility: Manage tasks .................... 83
167: Manage tasks: Tasks .................... 83
168: Add new task wizard: Welcome to the add new task wizard.................... 84
169: Add new task wizard: Step 1.................... 84
170: Add new task wizard: Step 2.................... 85
171: Add a new task wizard: Step 2 - application to launch .................... 85
172: Add new task wizard: Step 2 - Command-line parameters.................... 86
173: Add new task wizard: Step 3.................... 86
174: Add new task wizard: Step 3 - This task applies to the following token .................... 87
175: Add new task wizard: Step 4.................... 87
176: Add new task wizard: Task added successfully.................... 88
177: Manage tasks: Remote Desktop Connection .................... 88
178: Add new task wizard: Step 2.................... 89
179: Add a new task wizard: Step 2 - plug-in to call .................... 89
180: Add new task wizard: Step 3.................... 90
181: Add a new task wizard: Step 3 - This task applies to the following token.................... 90
182: Add a new task wizard: Step 4 .................... 91
183: Add a new task wizard: Task added successfully .................... 91
184: Manage tasks: Remote Desktop Connection .................... 92
185: Manage tasks: Remove task.................... 92


About the Product


SafeSign Identity Client is a software package that can be used to enhance the security of applications that support
hardware tokens through PKCS #11 and Microsoft CryptoAPI.
The SafeSign Identity Client package provides a standards-based PKCS #11 Library and Cryptographic Service Provider
(CSP), allowing users to store public and private data on a personal token, either a smart card, USB token or SIM card. It
also includes the SafeSign Identity Client PKI applet, enabling end-users to utilise any Java Card 2.1.1 / Java Card 2.2
and higher compliant card with the SafeSign Identity Client middleware.
Combining full compliance with leading industry standards and protocols, with flexibility and usability, SafeSign Identity
Client can be used with multiple smart cards / USB tokens, multiple Operating Systems and multiple smart card readers.
SafeSign Identity Client allows users to initialise and use the token for encryption, authentication or digital signatures and
includes all functionality necessary to use hardware tokens in a variety of PKI environments.

SafeSign Identity Client comes in a standard version with an installer for the following Windows environments [1]:
Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008.

In principle, SafeSign Identity Client supports any PC/SC compliant smart card reader. However, to avoid power
problems, smart card readers must be capable of providing a current of at least 60mA. PC/SC driver software is available
from the web site of the smart card reader manufacturer.

For more information, refer to the latest SafeSign Identity Client Product Description.

[1] Windows NT 4.0 is supported up to SafeSign Identity Client 1.0.9.04, in line with Microsoft's end-of-life policy.
Windows 98 and Windows ME are supported up to SafeSign Identity Client 2.3.0 (< 2.3.0), in line with Microsoft's end-of-life policy.


About the Manual


This manual is specifically designed for administrators / advanced users of SafeSign Identity Client Standard Version 2.3
for Windows, who wish to use their SafeSign Identity Client token to enhance the security of their communications via
the Internet and be able to perform advanced token operations.

It describes the functionality provided by the SafeSign Identity Client Token Administration Utility, which enables you to
perform operations such as token initialisation, in order to prepare your token for key pair generation and certificate
download. Please refer to the SafeSign Identity Client Application User Guides to find out how to generate a key pair and
download a certificate onto your SafeSign Identity Client token and how to use it to enhance the security of your client
application.

In order to set up your SafeSign Identity Client token for use, follow the instructions in the manual, which describe how
to initialise your token and perform various operations such as viewing the contents of your token and changing its PIN.
Every activity has a number of steps, indicated by the numbers at the left-hand side of the text:
Each step will require you to take a certain action, which is indicated by a: 
Go through these steps and the actions you are required to take, in order to perform the desired activity,
taking into account the notes in black with:

and the larger ones in blue with:

This document is part of the user documentation for SafeSign Identity Client.


SafeSign Identity Client Token Administration Utility


The SafeSign Identity Client installation package installs the SafeSign Identity Client PKCS #11 Library and
Cryptographic Service Provider (CSP), allowing users to store public and private data on a personal token,
either a smart card, USB token or SIM card.
In order to make your SafeSign Identity Client token work with SafeSign Identity Client in PKCS #11-supporting
applications such as Mozilla Firefox, and in Microsoft CryptoAPI-supporting applications such as
Outlook, you need to initialise and manage your SafeSign Identity Client token. This can be done with the
SafeSign Identity Client Token Administration Utility included in the SafeSign Identity Client package.
Note that though the Token Administration Utility (TAU) has been specifically designed for administrators, allowing
them to perform advanced token operations, it includes the same functionality as the Token Management
Utility for end-users, enabling you to personalise your token to be part of your secure applications.
To personalise your token, you will need to initialise it, which involves deleting all information that may be
stored on the token, writing the SafeSign Identity Client PKCS #15 structure on the token and (after changing
the token transport PIN, if set) setting a label and personal PIN.
The SafeSign Identity Client Token Administration Utility offers five menu options:
1. Digital IDs menu, including such features as viewing and importing your Digital IDs and CA certificates;
2. Token menu, including such features as initialising your token and changing its PIN;
3. Integration menu, allowing you to install SafeSign (PKCS#11) in Firefox and Entrust;
4. Tasks menu, allowing you to manage tasks;
5. Help menu.

Note

The actual menu items visible / available can be configured in the registry. For more details, see the SafeSign
Identity Client Administrator's Guide.
The following chapters will give a description of the various features of the SafeSign Identity Client Token
Administration Utility, besides that of token initialisation.
This chapter will briefly describe where to find and how to start the SafeSign Identity Client Token
Administration Utility (paragraph 1.1) and some information with regard to:

Version information (the Help menu of the SafeSign Identity Client Token Administration Utility) in
paragraph 1.2

The unique multi-language feature of SafeSign Identity Client in paragraph 1.3

The use of secure Class 2/3 PIN pad readers in paragraph 1.4

Chapter 2 will deal with the Digital IDs menu of the Token Administration Utility
Chapter 3 will deal with the Token menu of the Token Administration Utility
Chapter 4 will deal with the Integration menu of the Token Administration Utility
Chapter 5 will deal with the Tasks menu of the Token Administration Utility

Note that the screenshots in this guide were taken from a computer running (32-bit) Windows 7 Ultimate.


Removal of the token


While performing any of the token operations described in this user guide (such as token initialisation or
changing the PIN), do not remove the token from the smart card reader or USB port. Removing the
token may damage the data stored on it.
When your smart card reader has an LED, do not remove your smart card from the reader as long as the LED
flashes or is red.

1.1 Introduction
You will find the SafeSign Identity Client Token Administration Utility in the Programs menu.
Click Start > All Programs > SafeSign Standard > Token Administration:

Figure 1: SafeSign Identity Client menu


Note

Under Windows 2000 and higher there will also be a shortcut to the SafeSign Identity Client Token
Administration Utility in the Control Panel, called Cryptographic Tokens. In Windows 7, this shortcut is
available when viewing all control panel items (not in Category view):

Figure 2: Control Panel: Cryptographic Tokens

Upon clicking Token Administration, the SafeSign Identity Client Token Administration Utility will open:

Figure 3: Token Administration Utility: Reader Name

This window shows you which smart card reader(s) have been installed on your PC and the status of the
token. When no token is inserted in the smart card reader, the name of the smart card reader will be listed (as
above).
Note that it is possible that more than one smart card reader has been installed on your PC, or a combination
of a PC/SC reader and a USB token.
All smart card readers that are installed will be listed and allow you to initialise a token.


Note

In this manual, the phrase "a token in a smart card reader" may refer to a smart card in a smart card reader
or a USB token in a USB port.
When a token is inserted in the smart card reader, the name of the token is displayed. In this case, there are
two possibilities [1]:
Either the token is blank, not yet initialised:

Figure 4: Token Administration Utility: Blank Token

Or the token has already been initialised and has a token label:

Figure 5: Token Administration Utility: Operational Token

[1] If the token is supported and recognised.


Multiple tokens and readers


You may have multiple smart card readers or USB tokens installed (or a combination of both).
You may have multiple cards / tokens, e.g. one used for your personal e-mail, and the other used for your
business e-mail. Both can be present on one computer, in separate readers, and you can use the features of
the SafeSign Identity Client Token Administration Utility for each of these cards / tokens.
The following image is an example of how the SafeSign Identity Client Token Administration Utility looks when
both a smart card reader and a USB token are installed and when both the smart card and the USB token have
been initialised:

Figure 6: Token Administration Utility: Multiple operational tokens

Token availability
When there is one token in the reader, the Token Administration Utility will automatically select this
(highlighting it in blue). When there are two (or more) tokens in the readers, the last one inserted will be
selected.
You will need to select one of the tokens to perform such operations as Change PIN from the Token menu or
Import Digital ID from the Digital IDs menu. This makes sense, as you need to specify first which token you
want to change the PIN of or import a Digital ID to.


1.2 Help menu
The Help menu of the SafeSign Identity Client Token Administration Utility features two items: Versions Info
and About.

1.2.1 Versions Info
The Versions Info item opens the Version Information dialog:

Figure 7: Token Administration Utility: Version Information

This will inform you of the version of SafeSign Identity Client you are running and the file versions of the
components installed by your SafeSign Identity Client version. You should always check the SafeSign Identity
Client version on your computer for the specific versions installed.
This dialog is particularly useful for support issues, where AET Support will be able to quickly identify the
version you are running. You can also save this information in a file.
Click Save information to save the versions in a text file (and name it accordingly) and include it when
submitting a support request to [email protected].

1.2.2 About
The About item opens the following dialog:

Figure 8: Token Administration Utility: About


1.3 Multi-language
SafeSign Identity Client Standard Version 3.0 for Windows contains support for the following languages (apart
from the default language, English):

Basque
Catalan
Chinese: Simplified
Chinese: Traditional
Croatian
Czech
Dutch
Finnish
German
Hungarian

Italian
Japanese
Korean
Portuguese: Portugal
Portuguese: Brazil
Russian
Serbian (Latin and Cyrillic)
Spanish
Thai
Turkish

Note

Editing of the language files is not allowed under any circumstances. Doing so will forfeit any rights to support
and will make all warranties void. Only upon formal request and after written approval from A.E.T. Europe B.V.
may such editing be allowed, where modifications suggested are deemed to improve or facilitate the use and
understanding of SafeSign Identity Client and its operations. A.E.T. Europe B.V. will maintain sole discretion in
deciding to allow editing and the right to include it in (a) future release(s).
Multi-language support has been implemented so as to give the utmost flexibility to both administrator and
user. An administrator, rather than the user himself / herself, may be installing SafeSign
Identity Client on a user PC or on a central PC and choose a particular language for it. The user will then
always be free to change the preferred language of SafeSign Identity Client. In practice, the language of
SafeSign Identity Client will default to the language set in the Region and Language settings of the user's
computer, without the need for the user to change any settings.

Note

The language of the InstallShield Wizard and of the SafeSign Identity Client items in the Start menu
can be selected upon installation of SafeSign Identity Client, but due to limitations of Windows it is static
and cannot be changed once selected (without de-installing SafeSign Identity Client). The
language of SafeSign Identity Client and its utilities, by contrast, is dynamic and can be changed to any of
the languages supported.
Here is an example of how the Token Administration Utility looks in Dutch:

Figure 9: Token Administration Utility: Dutch


Here is an example of how the Token Administration Utility looks in Chinese (PRC):

Figure 10: Token Administration Utility: Chinese

The user can set the language of SafeSign Identity Client and its Token Administration Utility to the language
he prefers to work with, in Region and Language under Start > Control Panel by setting the Format to
the preferred language:

Figure 11: Region and Languages: Formats

In order to set the system locale (for non-Unicode programs) that will apply to all users logging on, you need
to set / change the system locale (in the tab Administrative).
Note that when no specific language is set or when the selected language is not supported by SafeSign
Identity Client, the default language of SafeSign Identity Client will be English.
You may also need to select the input language / keyboard layout combination.


Note

Changing the language format will have no effect on the language of the Operating System. It does provide
optimum flexibility, as the user can choose (and change) the language of SafeSign Identity Client independently
of the language of his Operating System. In practice, the language of SafeSign Identity Client will default to
the language set on the user's computer, without the need for the user to make any modifications.
Note that though SafeSign Identity Client has been tested for its InstallShield Wizard and utilities to correctly
display language-specific characters, language format and language display may differ on the various
platforms used and may be dependent on the language pack and version of the Microsoft Operating System
used.
Note that for some applications, such as Microsoft VPN, SafeSign Identity Client cannot influence the language
of the Windows VPN dialogs. Microsoft VPN dialogs will appear in the language of the Operating System
installed.

1.4 Use of protected authentication path devices

1.4.1 Secure pinpad reader


SafeSign Identity Client supports a number of Class 2 and Class 3 PC/SC 2.0 pinpad readers. Please refer to
the latest SafeSign Identity Client Product Description for a full overview.
When using a secure pinpad, please note the following important guidelines:

In the Token Utility, all functions apart from Initialise Token have been pinpad-enabled [1].

When using a secure pinpad reader with a display (Class 3), no PIN dialog will appear on-screen, but
on the reader's display. When using a secure pinpad reader without a display (Class 2), a PIN dialog
will appear on-screen. For both readers, you should enter the PIN on your reader's pinpad.

In Mozilla Firefox the Password Required dialog will appear, asking you for the master password of
your token. Do not enter the PIN on your computer's keyboard, but click OK and then enter the PIN on
the reader's pinpad.

For Windows smart card logon with Class 2 secure pinpad readers, whether you have installed the
SafeSign Identity Client GINA or not, the PinPad dialog (Figure 13) will appear.

Note that on Windows Vista and higher, the Microsoft GINA (msgina.dll) has been removed, and
custom GINAs will not be loaded.

For Microsoft VPN, the Connect [Name of Virtual Private Connection] dialog (Smart card PIN) will
appear upon inserting a token in the reader. Do not enter the PIN on your computer's keyboard, but
click OK and then enter the PIN on the reader's pinpad.

If you enter a wrong PIN, either the display of the reader will indicate this, or the SafeSign Identity
Client Token Utility will display a wrong PIN error on screen. Note that upon entering an incorrect PIN
in an application (for example Internet Explorer), the PIN dialog will not indicate this or allow you to
enter a correct PIN. This is due to the fact that for so-called protected authentication path
authentication (as with the use of a pinpad reader) the verification of the PIN is outside of the control
of the CSP.

For other possible issues, refer to the latest SafeSign Identity Client Release Notes.

[1] The reason for this is that during initialisation it cannot be communicated to the end user which code
must be entered, as CT-API does not have the concept of a PUK (SO-PIN) code (it has only the concept of a
PIN code). If implemented, a secure pinpad reader would just prompt the user to enter a code about 6 times
in total, without the ability to distinguish or indicate whether the PIN or the PUK is requested.


Secure PIN entry


In accordance with the above, in this manual and any other SafeSign Identity Client manuals, where the entry
of a PIN is required, for example in the Enter PIN dialog in the Token Administration or applications:

Figure 12: Enter PIN

This may also refer to the entry of a PIN on the pinpad reader's keypad, either instructed by the reader's
display (Class 3) or by an on-screen dialog (Class 2), for users with a secure pinpad reader.

The PIN dialog for users of a Class 2 secure pinpad reader looks like this:

Figure 13: PinPad: Enter your PIN

Note that this dialog does not give you any information on the minimum PIN and PUK length, nor on the
number of retries remaining (when you have entered an incorrect PIN), as this dialog only shows the
information that the reader (driver) provides.


Digital IDs menu


The Digital IDs menu contains the following items:
Show Registered Digital IDs: section 2.1
Import Digital ID: section 2.2
Import Certificate: section 2.3
Clean Certificate Cache: section 2.4
Exit: section 2.5

2.1 Show Registered Digital IDs


The SafeSign Identity Client Token Administration Utility allows users to identify the Digital IDs on the token.
The term Digital ID signifies a key pair (private and public key) and a certificate, which can be used for such
operations as signing and decrypting.
The menu item Show Registered Digital IDs opens a dialog to show the Digital IDs that are stored on the
token and that have been registered in the local certificate store.
Note that it may take some time for Digital IDs to be registered and displayed in the Digital IDs dialog,
depending on the number of objects on the token and the (speed of the) token reader used.

When there are no Digital IDs, the Digital IDs dialog (Digital IDs > Show Registered Digital IDs) will be
empty and look like this:

Figure 14: Digital IDs: No personal Digital IDs


When a Digital ID has been generated or imported on the token, the Digital IDs dialog will look like this (if the
Digital ID is selected as below):

Figure 15: Digital IDs: Digital ID stored on token

This dialog will identify the Personal Digital IDs and the Digital ID details, i.e. the Certificate Contents and the
Certification Path (when available).
When a Digital ID (displayed under Personal Digital IDs) or CA certificate (displayed under Certification
Path) is on token, this will be identified by the following symbol:

When a Digital ID or CA certificate is not on token (but in the Microsoft Certificate Store), this will be identified
by the following symbol:
To transfer a Digital ID that is not on token, to a token: refer to paragraph 2.1.1
To import a CA certificate(s) that is not on token, to a token: refer to paragraph 2.1.2


The Digital IDs dialog will also indicate if a certificate is about to expire or already expired. In this case, the
symbol indicating that a Digital ID is on the token is replaced by the symbol indicating that the certificate is
about to expire, or by the symbol indicating that the certificate is expired.

When viewing a certificate about to expire, the Certificate dialog will look like this:

Figure 16: View Certificate: This certificate will expire in the next 30 days


When viewing an expired certificate, the Certificate dialog will look like this:

Figure 17: View Certificate: The certificate has expired

For more information regarding certificate expiration, refer to paragraph 2.1.7.

The Digital IDs dialog also allows the user to perform a number of operations with regard to the Digital IDs
stored on the token (by means of the buttons on the lower right-hand side of the dialog):
Transfer ID to Token
Import trust chain
Delete Digital IDs
View certificate
Copy Cert To Store
Check Expiration
Close

These functions will be described in the next paragraphs.


2.1.1 Transfer ID to token
It is possible to transfer (move) a Digital ID to a token, for example when you have a personal certificate (with
a private key corresponding to this certificate) in the Microsoft Certificate Store that you wish to transfer to
your token. This greatly enhances the security of your Digital ID, now protected by two-factor authentication:
to access it, you would need to have possession of the token and knowledge of the token's PIN.
Note that when transferring a Digital ID to the token, the private key will be moved to the token and will no
longer be present on your hard disk.
Note that you can only transfer your Digital ID when the private key is (marked as) exportable, which may
depend on the certificate template [1].

When a Digital ID (in Personal Digital IDs) is not on token (but in the Microsoft Certificate Store), this will
be identified by the symbol:
Select the Digital ID you wish to transfer to the token:

Figure 18: Digital IDs: Transfer ID to token

→ Click Transfer ID to token to move the Digital ID from its original location to the token

[1] On Windows Server 2003, it is not possible to mark the private key as exportable for the Smart Card User
template, when the certificate purpose is signature and smartcard logon.


You will be asked to confirm if you want to transfer the Digital ID with the specified data:

Figure 19: Transfer ID to token: Question

→ Click Yes to transfer the Digital ID specified to the token


If you click No, the process of transferring the Digital ID will abort and the Digital ID will not be transferred.

You will be asked if the CA certificates belonging to the Digital ID (trust chain) should be imported as well:

Figure 20: Transfer ID to token: Question CA certificates

→ Click Yes if you want to import the CA certificates belonging to the Digital ID
If you click No, the CA certificates belonging to the Digital ID will not be imported on the token (but the
process of transferring the Digital ID will continue).

You will be required to enter the PIN for the token:

Figure 21: Transfer ID to token: Enter PIN

→ Enter the correct PIN for the token and click OK


The Digital ID will now be transferred:

Figure 22: Transfer ID to token: Transferring

When the Digital ID has been successfully transferred to the token, you will be notified:

Figure 23: Transfer ID to token: Success

→ Click OK

The Digital ID will now be on the token:

Figure 24: Digital IDs: Personal Digital IDs on token

When you have clicked Yes at the prompt to import CA certificates belonging to the Digital ID to the token
(Figure 20), the CA certificates for the Digital IDs will also be on the token (as indicated in the picture above,
under Certification Path).


Private key non-exportable


When the private key belonging to the Digital ID is non-exportable, the transfer fails and the following error
message will be displayed:

Figure 25: Transfer ID to token: Error

→ Click OK to close this dialog

Certification Path
When the CA certificate is not available (either on the token or in the appropriate Microsoft Certificate Store),
the Digital IDs dialog will look like this:

Figure 26: Digital IDs: no certification path

There is no CA certificate listed under Certification Path.


When you double-click to view the certificate, the Certificate dialog will inform you:

Figure 27: View Certificate: Could not locate the complete trust chain

The complete trust chain for this certificate could not be found.


When the CA certificate is not on the token (for example when you chose not to import the certificate chain
during transferral, see Figure 20), but it is in the appropriate Microsoft (Trusted Root Certification Authorities)
Store, the Digital IDs dialog will look like this:

Figure 28: Digital IDs: Certification path not on token

In this case, you may want to import the trust chain onto the token. This is described in paragraph 2.1.2.


2.1.2 Import trust chain


The operation Import trust chain allows you to import the trust chain for your Digital ID(s) onto the token,
to ensure maximum flexibility and interoperability. When taking your token to another computer (where the
appropriate trust chain may not be installed), you always have all certificates with you and can register them.
You can use this functionality when you have transferred a Digital ID from the Personal Certificate Store to the
token and chose not to import the CA certificate(s) at the time (as described in paragraph 2.1.1) or if you have
retrieved the CA certificates at a later time (with your Digital ID already on the token).
Select the Digital ID whose trust chain you wish to import to the token:

Figure 29: Digital IDs: Certification path not on token

→ Click Import trust chain to import the trust chain to the token

You will be asked to enter the PIN for your token:

Figure 30: Import trust chain: Enter PIN

→ Enter the correct PIN and click OK


The certificate chain will now be imported:

Figure 31: Import trust chain: Importing

When the certificate chain has been successfully imported, you will be informed:

Figure 32: Import trust chain: Success

→ Click OK to close this dialog

The certificate chain will now be on the token:

Figure 33: Digital IDs: Certification path on token


2.1.3 Delete Digital ID
It is possible to delete a Digital ID stored on the token by means of the Delete Digital ID button (Figure 15).
Note that with the Token Administration Utility, you can only delete Personal Digital IDs on the token; you
cannot delete Digital IDs displayed in the Digital IDs dialog that are in the Certificate Store, as indicated by the
symbol (in which case the Delete Digital ID button will be greyed out):

Note

Upon deleting a Digital ID, all Digital ID objects (public key, private key and certificate) will be deleted from
the token.
Should a key pair have more than one certificate (as in the case of certificate renewal, where the same key
pair is used to generate a certificate), the Digital IDs dialog will display two Digital IDs. Deleting one of them
will not lead to a deletion of the (shared) key pair, but will only delete the certificate, so that the other
certificate (and its certificate chain) can still be used.
When clicking the Delete Digital ID button, you will be asked whether you are sure you want to delete the
Digital ID with the specified data:

Figure 34: Digital IDs: Are you sure you want to delete Digital ID

→ Click Yes to delete the Digital ID, upon which you will be asked to enter the PIN for your token
If you click No, the process of deleting the Digital ID will abort and the Digital ID will not be deleted.

Upon clicking Yes (Figure 34), you will be asked to enter the PIN for your token:

Figure 35: Delete Digital ID: Enter PIN

→ Enter the correct PIN and click OK


PIN / PUK length


SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK of less
than the minimum allowed or more than the maximum allowed, you will not be able to click the OK button in
such instances where the PIN / PUK is required [1]. Only when you enter a PIN / PUK of the required length will
the PIN / PUK be accepted. Note that both the minimum and the maximum PIN / PUK length may have been
set to different values (than the default values supported by the card) by the administrator.
From SafeSign Identity Client release 3.0.33 onwards it is possible for the Java Card 2.2 (and
higher) supported cards, to have a maximum PIN / PUK length of less than 15 characters.

Upon entering the correct PIN, the Digital ID will be deleted:

Figure 36: Delete Digital ID: Deleting

When the Digital ID has been successfully deleted, you will be informed:

Figure 37: Delete Digital ID: Success

→ Click OK to close this dialog

The Digital ID and its corresponding certificate chain have now been deleted from the token.

[1] When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.


2.1.4 View Certificate
The button View Certificate allows you to view the contents of the personal Digital IDs, as well as of the CA
certificate(s), when selected.
Note that you can also view the certificate content when double-clicking any of the Digital IDs listed under
Personal Digital IDs or any of the certificates listed under Certificate chain.
Upon clicking on View Certificate when a Personal Digital ID is highlighted (blue), the following dialog will
appear:

Figure 38: View Certificate: Certificate Information

This dialog will display the available certificate information.


It will also give additional information when appropriate, such as when the certificate is about to expire (Figure
16), when the certificate is expired (Figure 17), when the complete trust chain of the certificate cannot be
located (Figure 27) or a combination of these.
→ Click Close to close this dialog.


Save to file
You can save the certificate information to a file, by clicking Save to file.
Upon clicking Save to file, you are allowed to save the file as a Certificate File type (*.cer):

Figure 39: View Certificate: Save certificate

→ Select a location for the file to be saved in and a name to save it under, then click Save

2.1.5 Copy Cert To Store


SafeSign Identity Client version 3.0.33 (and higher) supports EFS on Windows Vista, Windows 7 and Windows
Server 2008 [1].
This gives you the flexibility to use your (existing) Smart Card User certificates for EFS. Note that on Vista and
higher, EFS requires that the key that is specified for the certificate's private key has the AT_KEYEXCHANGE
flag. Refer to the Microsoft web site for more information on the requirements and operation of EFS.
In order to be able to use a certificate on a token with EFS, you need to copy the certificate to the Windows
system / registry store. This is necessary, because Microsoft will (only) look for the certificate in this location,
when you want to select a certificate for use with EFS, in the Manage your file encryption certificates wizard.
To do this, you can add (through the registry) a button in the Show Registered Digital IDs dialog that will add
the certificate selected to the registry store. This button is called Copy Cert. to System Store.
The button will appear when adding the action CopyIDToSystemAction as a DWORD Value in the registry
key HKEY_LOCAL_MACHINE\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0\Actions and setting its value to 1.

[1] Note that SafeSign does not support EFS in Windows 2000 or Windows XP, as it is only in Windows Server 2008
and Windows Vista / Windows 7 that EFS supports the storage of users' private keys on smart cards.
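
The registry change described above can be scripted. The following PowerShell is an added example, not part of the original guide or of A.E.T. software: the key path and value name are the ones given in the text, the function names are hypothetical, and an elevated PowerShell session is assumed.

```powershell
# Added example: show the "Copy Cert. to System Store" button, or undo the change.
# Assumes an elevated PowerShell session (HKEY_LOCAL_MACHINE is written).
$SafeSignKey = 'HKLM:\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0'
$ActionsKey  = "$SafeSignKey\Actions"
$ValueName   = 'CopyIDToSystemAction'

function Enable-CopyCertButton {      # hypothetical helper name
    # Refuse to create vendor keys on a machine where SafeSign is not installed.
    if (-not (Test-Path -LiteralPath $SafeSignKey)) {
        throw "SafeSign registry key not found: $SafeSignKey"
    }
    if (-not (Test-Path -LiteralPath $ActionsKey)) {
        New-Item -Path $ActionsKey | Out-Null
    }
    # DWORD value 1 makes the button appear, as described in the guide.
    New-ItemProperty -LiteralPath $ActionsKey -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller sees what is actually stored.
    (Get-ItemProperty -LiteralPath $ActionsKey -Name $ValueName).$ValueName
}

function Remove-CopyCertButton {      # hypothetical helper name
    # Deleting the value returns the registry to its state before the change.
    if (Get-ItemProperty -LiteralPath $ActionsKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -LiteralPath $ActionsKey -Name $ValueName
    }
}

Enable-CopyCertButton
```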


When you have added the action and enabled it, the button should be available in the Digital IDs dialog:

Figure 40: Digital IDs: Copy Cert. to System Store

→ Click on Copy Cert. to System Store to copy the certificate to the Microsoft system / registry store.

You will be asked to confirm whether you want to copy the Digital ID selected to the System Store:

Figure 41: Copy Cert. to System Store: This will copy the following Digital ID to the System Store

→ Click Yes to copy the Digital ID to the System Store

Upon clicking Yes, the Digital ID will be copied to the System / Registry Store:

Figure 42: Copy Cert. to System Store: Certificate successfully transferred to the Registry Store

→ Click OK


After doing this, when you go to the Manage your file encryption certificates wizard (Control Panel > User
Accounts > Manage your file encryption certificates), you will now be able to select the certificate on
the token (after entering your PIN):

Figure 43: Encrypting File System: Use this certificate

Registration
When you have copied the certificate to the System / Registry Store, the certificate will be registered twice:

Figure 44: Digital IDs: Two Personal Digital IDs


This is because (only) the certificate has been copied to the registry store, with the corresponding key pair
(still) on the token, whereby the Digital ID is associated with the token.
So now it looks like the token contains two Digital IDs: one suitable for EFS and the other suitable for other
purposes (client authentication, smart card logon, etc.).
This means that if you remove the token, the certificate for use with EFS will remain registered, as it is present
in the Microsoft system / registry certificate store:

Figure 45: Digital IDs: Digital ID for EFS

Note however that if you want to encrypt a file or access a file encrypted by this certificate, you will be asked
to enter your token:

Figure 46: Windows Security: Encrypting File System


2.1.6 Refresh
The Refresh button allows you to refresh the Digital IDs dialog and its contents.

2.1.7 Check Expiration
You may check the expiration status of the Digital ID(s) on the token by clicking on the Check Expiration
button.
When no certificates are about to expire / are expired, the following dialog will appear:

Figure 47: Check Expiration: Information

→ Click OK to close this dialog.

When there are certificates about to expire / expired, the Certificate Expiration Warning dialog will appear:

Figure 48: Check Expiration: Certificate Expiration Warning

This dialog will display both the certificate(s) that will expire in the next [x] days (30 days in our example) and
the certificates that have already expired [1].
The number of days in advance is set by default to thirty (30) days.

[1] Just as Microsoft will keep certificates that are expired in its Certificate Store.
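
The same two states (expired, or expiring within the warning period) can be checked against the Microsoft Personal Certificate Store, where the Digital IDs on the token are registered. This PowerShell is an added example, not SafeSign's own code; the function name is hypothetical, and it additionally reports an incomplete trust chain, the condition shown in Figure 27.

```powershell
# Added example: expiry and trust-chain status of registered Digital IDs.
function Get-DigitalIdStatus {        # hypothetical function name
    [CmdletBinding()]
    param(
        [int]$WarnDays = 30,                          # the guide's default warning period
        [string]$StorePath = 'Cert:\CurrentUser\My',  # Microsoft Personal Certificate Store
        [datetime]$Now = (Get-Date)
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Same two warning states as the Certificate Expiration Warning dialog.
        if ($cert.NotAfter -lt $Now) {
            $expiry = 'Expired'
        } elseif ($cert.NotAfter -le $Now.AddDays($WarnDays)) {
            $expiry = 'ExpiresSoon'
        } else {
            $expiry = 'Valid'
        }

        # Revocation checking is switched off: this only asks whether the
        # issuing CA certificates can be found up to a trusted root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)
        $issues  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $partial = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::PartialChain

        [pscustomobject]@{
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
            Expiry        = $expiry
            HasPrivateKey = $cert.HasPrivateKey
            ChainComplete = -not ($issues -contains $partial)
            ChainIssues   = ($issues -join ', ')
        }
    }
}

# List only the Digital IDs that need attention.
Get-DigitalIdStatus |
    Where-Object { $_.Expiry -ne 'Valid' -or -not $_.ChainComplete } |
    Format-Table Subject, NotAfter, DaysLeft, Expiry, ChainComplete -AutoSize
```

An expired certificate also shows NotTimeValid under ChainIssues, because chain building validates the validity period as well.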


Certificate Expiration Warning


The Certificate Expiration Warning dialog will also appear by default every time a token is inserted, which
contains certificates that are about to expire in the time period specified. In that case, the following dialog will
appear (note that the SafeSign Identity Client Token Administration Utility does not have to be open(ed) for
this dialog to appear):

Figure 49: Certificate Expiration Warning

Note that if you select Don't show this warning again for these certificates, this warning will not be displayed
again for the certificate(s) shown and cannot be activated again (for these certificates).

If you select the certificate(s) about to expire, you may view the contents of the certificate as registered in the
Certificate Store, by double-clicking it or clicking View Certificate.

Note for Administrators

Refer to the SafeSign Identity Client Administrators Guide for details on how to set and customize the
Certificate Expiration Warning.

2.1.8 Close
Clicking the Close button will close the Digital IDs dialog.


2.2 Import Digital ID
The SafeSign Identity Client Token Administration Utility allows you to import a Digital ID on your SafeSign
Identity Client token. By importing the file, your keys and certificate will be securely stored on your token and
can be used for secure communication.
This greatly enhances the security of your Digital ID, now protected by two-factor authentication: to access it,
you would need to have possession of the token and knowledge of the token's PIN.
Note that this procedure can be used to import Digital ID files stored in PKCS #12 or PFX format on your hard
disk (or removable media, such as a diskette), whereas the function Transfer ID to token (as available under
Show Registered Digital IDs) can be used for Digital IDs present in the Microsoft Personal Certificate
Store.

Note

The term Digital ID (file) is used to refer to the combination of a certificate (including a public key) and a
private key (PKCS #12 format) usually protected by a password.
This Digital ID should be stored as a PKCS#12 (.p12) file or a Personal Information Exchange (.pfx) file, which
are both formats that contain your private key, on a diskette or on your hard disk.
A file of this format can be obtained either by exporting the keys and certificates from your Firefox (.p12) or
from your Microsoft Certificate Store (.pfx). Note that during this process, you will be asked to enter a
password to protect your file. This password is required when importing a Digital ID on your SafeSign Identity
Client token.

Note

Note that the application (and its version) used determines how the format of a Digital ID looks.
When SafeSign Identity Client imports a Digital ID, the public key is not stored on the token. The reason
behind this is to save space on the token, as the public key does not have to be on the token, for it is
embedded in the certificate and used for public key operations only (and does not have to be kept secret).
The user will at all times be able to view the Digital IDs available to him in the Digital IDs dialog (Digital IDs
> Show Registered Digital IDs), which will correctly display the Digital ID(s) that can be used for
cryptographic operations.
To import a Digital ID, click Digital IDs > Import Digital ID:

Figure 50: Token Administration Utility: Import Digital ID


The following dialog will appear:

Figure 51: Import Digital ID

First, you will need to specify the location where the Digital ID file is stored. The Digital ID file can be stored
anywhere, either on a hard disk or on a diskette. Click on the symbol to select the location:

Figure 52: Import Digital ID: Select a Digital ID file

In the above example, the file was stored in: C:\Program Files\A.E.T. Europe B.V.\SafeSign\
→ Select the Digital ID file by clicking on it, then click Open

The Import Digital ID dialog will now show the (path to the) Digital ID file you have just selected:

Figure 53: Import Digital ID: Digital ID file selected

→ The next step is to enter the Digital ID password


Import CA certificates
When importing a Digital ID, you may choose whether you want to import the CA certificates as well. Doing so
will ensure maximum flexibility and interoperability. When taking your token to another computer (where the
appropriate trust chain may not be installed), you always have all certificates with you and can register them.
By default, the option Import CA certificates is selected.
If you do not wish to import the CA certificates on the token, deselect the checkbox.

Set the label of the ID on the token to a non-default value


When importing a Digital ID, the label of the Digital ID as set by the application used to obtain the Digital ID,
will be copied. If you wish to set your own label to the Digital ID, select Set the label of the ID on the
token to a non-default value and enter a label in the Label on token box, as illustrated below:

Figure 54: Import Digital ID: Label on token

Note that when the Digital ID can be used for smart card logon, no label (friendly name) will be set on the
Digital ID (certificate), even when set in this dialog [1].

Enter the password for the Digital ID file:

Figure 55: Import Digital ID: Digital ID password entered

→ Click OK to import the Digital ID

[1] In line with the Microsoft winlogon process, which does not register smart card logon certificates with a friendly name.


Wrong Password
The password that you are requested to enter, is the password that was used to protect the Digital ID.
If you do not enter the correct password, the following prompt will be displayed:

Figure 56: Error: Digital ID needs a different password

→ Click OK to close this dialog box

You will have to start the Import Digital ID procedure again by clicking Digital IDs > Import Digital ID.

When you have clicked OK after entering the correct password for the Digital ID file (Figure 55), you will be
asked to enter the PIN for the token:

Figure 57: Import Digital ID: Enter PIN

→ Enter the correct PIN and click OK

PIN / PUK length


SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK of less
than the minimum allowed or more than the maximum allowed, you will not be able to click the OK button in
such instances where the PIN / PUK is required [1]. Only when you enter a PIN / PUK of the required length will
the PIN / PUK be accepted. Note that both the minimum and the maximum PIN / PUK length may have been
set to different values (than the default values supported by the card) by the administrator.
From SafeSign Identity Client release 3.0.33 onwards it is possible for the Java Card 2.2 (and
higher) supported cards, to have a maximum PIN / PUK length of less than 15 characters.

[1] When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.


Upon clicking OK after entering the correct PIN, the Digital ID will be imported:

Figure 58: Import Digital ID: Working

→ Your Digital ID is being imported

When the Digital ID has been successfully imported, the following prompt will inform you:

Figure 59: Import Digital ID: The Digital ID has been imported successfully

 Click OK to close this dialog

Key Size Error


When you try to import a Digital ID that does not comply with the key length constraints of the supported
token, the following dialog will be displayed:

Figure 60: Error: Key Size either smaller than 768 bits or larger than 2048 bits

Click OK to close this dialog

Token out of Memory


When the token is full, i.e. does not have enough memory to import a / another Digital ID, the following
dialog will be displayed:

Figure 61: Error: Token out of memory

Click OK to close this dialog.


You may check in the Token Information dialog (Token > Show Token Info) how much space is left on the
token. Note that the token may contain parts of the Digital ID file imported (e.g. when it contains multiple
certificates).

After importing a Digital ID, you may check in the Digital IDs dialog (Digital IDs > Show Registered
Digital IDs) if the Digital ID has been correctly imported:

Figure 62: Token Administration Utility: Imported Digital ID

2.3 Import Certificate
The SafeSign Identity Client Token Administration Utility allows you to import a Certificate Authority (CA)
certificate onto your SafeSign Identity Client token. By importing the file, the CA certificate is securely stored on
your token, greatly enhancing the mobility and flexibility of your SafeSign Identity Client token.
When you use your SafeSign Identity Client token on another computer where the CA (root) certificate is not
installed, SafeSign Identity Client will enable you to install the CA certificate, creating a trusted chain for your
personal Digital ID. Without the issuing CA certificate installed, the Digital ID would not be trusted: Windows
does not have enough information to verify the certificate because its issuer cannot be found.
SafeSign Identity Client supports the import of:
- DER encoded .CER certificates
- DER encoded .CRT certificates
- DER format certificates

Note: CA certificates may also be imported during token initialisation; please refer to paragraph 3.1.3.

To import a CA Certificate, click Digital IDs > Import Certificate:

Figure 63: Token Administration Utility: Import Certificate

You will be asked to specify the location where the Certificate File is stored:

Figure 64: Import Certificate: File name

Specify the location where the Certificate File is stored. The Certificate File can be stored anywhere, either on
a hard disk or on a diskette.
In the above example, the file was stored in: C:\Program Files\A.E.T. Europe B.V.\SafeSign\
 Select the file by clicking on it, then click Open

After selecting the Certificate File to import, you will be asked to enter the PIN of your SafeSign Identity Client
Token:

Figure 65: Import Certificate: Enter PIN

 Enter the PIN and click OK to import the certificate file

PIN / PUK length


SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK that is
shorter than the minimum or longer than the maximum allowed, you will not be able to click the OK button in
dialogs where the PIN / PUK is required [1]. Only a PIN / PUK of the required length will be accepted.
Note that the administrator may have set both the minimum and the maximum PIN / PUK length to values other
than the defaults supported by the card.
From SafeSign Identity Client release 3.0.33 onwards, it is possible for Java Card 2.2 (and higher)
supported cards to have a maximum PIN / PUK length of less than 15 characters.

When the Certificate File has been imported, you will be notified:

Figure 66: Token Administration Utility: Certificate successfully imported

 Click OK to finish the import certificate operation

2.4 Clean Certificate Cache

From SafeSign Identity Client version 3.0.33 onwards, it is possible to clean the SafeSign certificate
cache [2].
For that purpose, a button was added to the Digital IDs menu of the Token Utility.
It can be used when the certificate cache has become corrupted and certificates are no longer registered.
Instead of manually clearing the cache (in the registry), the cache can now be cleared through the Token
Utility. We recommend that users clean the certificate cache only when instructed to do so by their Helpdesk or
system administrator.
To clean the certificate cache, click Digital IDs > Clean Certificate Cache:

Figure 67: Token Administration Utility: Clean Certificate Cache

[1] When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.
[2] The SafeSign certificate cache is located at HKEY_CURRENT_USER\Software\A.E.T. Europe B.V.\SafeSign\2.0\Cache\Certificates

As cleaning the registry cache is an operation that should only be initiated upon request from a Helpdesk (or
system administrator), you will get a warning to that effect:

Figure 68: Clean Certificate Cache: Warning

 Click Yes to continue with cleaning of the cache

Upon clicking Yes, the cache will be cleaned and you will be informed when the cache has been cleaned:

Figure 69: Clean Certificate Cache: The cache has been successfully cleaned

 Click OK to close this dialog

2.5 Exit
The Exit item of the Digital IDs menu will close the SafeSign Identity Client Token Administration Utility.

Token Menu

3.1 Initialise Token
The first step after installing SafeSign Identity Client is to initialise your token (if not yet initialised).
The values written on the token during initialisation cannot be changed during the lifetime of the token. This
means that during the lifetime of the token, the token keeps the so-called profile that has been created
during the initialisation.
Note however, the distinction between test (completed) tokens and series / production (completed) tokens:
- For test tokens, it is possible to change the profile of the token during a re-initialisation of the token
  (i.e. replace the existing PKCS#15 structure with a new or updated PKCS#15 structure).
- For production tokens, it is not possible to change a profile once it has been set during initialisation.
  You may only wipe its contents, while maintaining the PKCS#15 structure written on it during
  initialisation.

You can view the completion of the token under Token > Show Token Info (paragraph 3.6).

Note: Test (completed) tokens are normally used for testing and evaluation only. Users will generally be provided
with series (completed) tokens, which may have the SafeSign Identity Client applet installed (in case of Java
cards) and which may even be initialised. Also, for Java cards it is recommended that the default GlobalPlatform
key set be changed to a (customer) specific key set, so that the applet(s) cannot be removed without knowledge
of this key set.

When initialising a token, SafeSign Identity Client will detect the token model you have inserted and will
determine the best (possible) profile(s) to initialise the token with. Before initialising a token, please consider
carefully that the availability of profiles depends on the type of token used.
If a particular profile is not available, this will probably mean that the profile is not available for the token
(because it does not have enough room for the public and private space settings of that profile). If no
selectable profile is available (the token profile line is greyed out), this will probably mean that you do not
have enough rights to select a profile. Depending on your user rights, you may only be able to select the
profile set by the administrator. Note that end-users are recommended to select the default profile, unless
otherwise instructed by their administrator.
Paragraph 3.1.1 will describe how to initialise either (a) an uninitialised token (whether test-completed or
series-completed) or (b) an already initialised token with test completion.
Paragraph 3.1.2 will describe how to wipe a token with series completion.
Paragraph 3.1.3 will describe how to import a CA Certificate during token initialisation / wiping.
These paragraphs will use the JCOP41 v2.3.1 Java Card as an example.

3.1.1 Initialising a Token
When you have not yet initialised your token (whether the token is test completed or series completed), your
token will be identified in the Token Administration Utility as a Blank Token uninitialised, and only the
Initialise Token item (and the Show Token Info item) will be available:

Figure 70: Token Administration Utility: Initialise Token

 In order to initialise your token, click Token > Initialise Token (as above)

Note: When your test-completed token has already been initialised with a token label, PUK and PIN, you may
re-initialise the token. See the note on re-initialising a token.
When your series-completed token has already been initialised with a token label, PUK and PIN, you may wipe
the token. See section 3.1.2.

This will open the Initialise Token dialog box, enabling you to initialise your token:

Figure 71: Token Administration Utility: Initialise Token dialog

The Token Model box will identify the type of token you have inserted and are about to initialise.
The Token Profile drop-down box will allow you to select the profile to initialise the token with. Note that this
box may be greyed out, if you do not have the rights to modify it.
For Java cards, the option Try to remove the existing SafeSign (Identity Client) PKI applet (test cards only) is
included, to enable removal of the existing SafeSign Identity Client applet.

SafeSign applet installed in series


When the SafeSign Identity Client Java applet is installed in series, the option Try to remove the existing
SafeSign (Identity Client) PKI applet (test cards only) will not be available:

Figure 72: Token Administration Utility: Initialise Token dialog for series card

In order to initialise your token, you must meet a number of requirements in doing so. When you have met a
certain requirement, the
will become a
Fill in the required fields as follows, taking into account the remarks and requirements below:
| Field | Requirements |
| --- | --- |
| Token Profile | Different token profiles may be available, depending on the type of token you have inserted. Choose the profile that suits your needs. For Java Card v2.2+ cards, there is only one profile available, called Default profile. |
| Token Label | The token label must contain some characters, it cannot be empty. Maximum number of characters is 32. |
| Enter PUK | Minimum PUK length is 4 characters, maximum PUK length is 8 - 15 characters |
| Confirm PUK | Confirmed new PUK should be equal to the new PUK |
| Enter PIN | Minimum PIN length is 4 characters, maximum PIN length is 8 - 15 characters |
| Confirm PIN | Confirmed new PIN should be equal to new PIN |

Table 1: Token Administration Utility: Initialise Token fields

Field requirements
Both the token label and the PIN and PUK code may consist in whole or in part of alphanumeric characters,
i.e. letters (both small and capital letters), numbers, special characters / symbols (such as @, # and &) and
blank spaces.
SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK that is
shorter than the minimum or longer than the maximum allowed, you will not be able to click the OK button in
dialogs where the PIN / PUK is required [1]. Only a PIN / PUK of the required length will be accepted.
Note that the administrator may have set both the minimum and the maximum PIN / PUK length to values other
than the defaults supported by the card.
From SafeSign Identity Client release 3.0.33 onwards, it is possible for Java Card 2.2 (and higher)
supported cards to have a maximum PIN / PUK length of less than 15 characters.

When all fields have been entered according to requirements, as follows:

Figure 73: Token Administration Utility: Initialise Token dialog completed

 Click OK to start initialising your SafeSign Identity Client Token.

Upon clicking OK, you will be informed that your token is being initialised:

Figure 74: Initialise Token: Your token is being initialised

Do not interrupt or remove your SafeSign Identity Client token during the initialisation process. If you have a
smart card reader with an LED, you may want to keep an eye on the LED of your smart card reader to see
whether it is busy or not.

[1] When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.

When the initialisation operation is completed, the following prompt will appear:

Figure 75: Initialise Token: The operation completed successfully

 Click OK to finish the initialisation

When your token is initialised, the token name will appear in the token window:

Figure 76: Token Administration Utility: Token operational

Once your token is initialised, all operations in the Digital IDs and Token menu will be available.

Device Error
When the Initialise Token operation fails, the following warning will appear:

Figure 77: Error: Device Error 0x30

Check that your reader is functioning properly and whether you have a correct card. Make sure that the token
is inserted in the smart card reader and click OK to try to initialise the token again. This error may also occur
when there is not enough space left on the card (for the profile you selected).
Click OK to close this dialog

Your Java Card may not be configured correctly


The following error message may be displayed when initialising a Java card:

Figure 78: Error: Your Java card may not be configured correctly

This error may have various causes, for example, there is not enough space left on the card (for the profile
you selected) or there are other applets on the card.
Also check that your reader is functioning properly (and satisfies the power requirements) and that you have a
token supported by (the version of) SafeSign Identity Client.
One of the most common causes for this error is that the card does not have the SafeSign Identity Client
applet installed and has a custom key set, in which case the Token Utility cannot load the applet.
Make sure that the token is inserted in the smart card reader and click OK to try to initialise the token again.
Otherwise, contact AET Support for assistance.
Click OK to close this dialog

Re-initialise token
When your token has already been initialised, it may be initialised again, if the token is a test (completed)
token.
Note that when you re-initialise your token, all data that may be stored on your token will be deleted. A
warning to this effect will be included in the Initialise Token dialog box:

Figure 79: Token Administration Utility: Initialise Token Warning

Upon initialising a token that is as yet uninitialised, as described in paragraph 3.1.1, this warning will not
appear, as there is no data on the token yet.

3.1.2 Wipe Token
When you have a series completed token that has been initialised, you will only be able to wipe the token (not
re-initialise it).
In that case, the Token menu will display the item Wipe Token (instead of Initialise Token, as in Figure 79).
Clicking on it will open the following window:

Figure 80: Token Administration Utility: Wipe Token dialog

Note that the token label in the dialog above is the old token label for the initialised token.
Note that the Token Profile option may not be available to you.
Note that when you wipe your token, all data that may be stored on your token will be deleted. A warning to
this effect will be included in the Wipe Token dialog box.

In order to wipe your token, a number of requirements should be met in doing so. When you have met a
certain requirement, the
will become a
Fill in the required fields as follows, taking into account the previous remarks and requirements:
| Field | Requirements |
| --- | --- |
| Token Label | The token label must contain some characters, it cannot be empty. Maximum number of characters is 32. |
| Enter PUK | Minimum PUK length is 4 characters; maximum PUK length is 8 - 15 characters. The PUK entered should be the current / existing PUK. |
| Enter PIN | Minimum PIN length is 4 characters, maximum PIN length is 8 - 15 characters |
| Confirm PIN | Confirmed new PIN should be equal to new PIN |

Table 2: Token Administration Utility: Wipe Token fields

Field requirements
Both the token label and the PIN and PUK code may consist in whole or in part of alphanumeric characters,
i.e. letters (both small and capital letters), numbers, special characters / symbols (such as @, # and &) and
blank spaces.
SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK that is
shorter than the minimum or longer than the maximum allowed, you will not be able to click the OK button in
dialogs where the PIN / PUK is required [1]. Only a PIN / PUK of the required length will be accepted.
Note that the administrator may have set both the minimum and the maximum PIN / PUK length to values other
than the defaults supported by the card.
From SafeSign Identity Client release 3.0.33 onwards, it is possible for Java Card 2.2 (and higher)
supported cards to have a maximum PIN / PUK length of less than 15 characters.

When all fields have been entered according to requirements, as follows:

Figure 81: Token Administration Utility: Wipe Token dialog completed

 Click OK to start wiping your SafeSign Identity Client Token.

Upon clicking OK, you will be informed that your token is being wiped:

Figure 82: Token Administration Utility: Your token is being wiped

Do not interrupt or remove your SafeSign Identity Client token during the wiping process. If you have a smart
card reader with an LED, you may want to keep an eye on the LED of your smart card reader to see whether it
is busy or not.

[1] When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.

When the wiping operation is completed, the following prompt will appear:

Figure 83: Token Administration Utility: The operation completed successfully

 Click OK to finish the wiping process

When your token is wiped, the (new) token name will appear in the token window:

Figure 84: Token Administration Utility: Token operational

Once your token is wiped, all operations in the Digital IDs and Token menu will be available.

Device Error
When the Initialise Token operation fails, the following warning will appear:

Figure 85: Error: Device Error 0x30

Check that your reader is functioning properly and whether you have a correct card. Make sure that the token
is inserted in the smart card reader and click OK to try to initialise the token again. This error may also occur
when there is not enough space left on the card (for the profile you selected).
Click OK to close this dialog

Your Java Card may not be configured correctly


The following error message may be displayed when initialising a Java card:

Figure 86: Error: Your Java card may not be configured correctly

This error may have various causes, for example, there is not enough space left on the card (for the profile
you selected) or there are other applets on the card.
Also check that your reader is functioning properly (and satisfies the power requirements) and that you have a
token supported by (the version of) SafeSign Identity Client.
One of the most common causes for this error is that the card does not have the SafeSign Identity Client
applet installed and has a custom key set, in which case the Token Utility cannot load the applet.
Make sure that the token is inserted in the smart card reader and click OK to try to initialise the token again.
Otherwise, contact AET Support for assistance.
Click OK to close this dialog

3.1.3 Import CA Certificates
The SafeSign Identity Client Token Administration Utility enables the import of Certificate Authority (CA)
certificates. There are two ways to do this:
1. By means of the item Import Certificates of the Digital ID menu, allowing you to select single CA
   certificates for import (one at a time), as described in paragraph 2.3;
2. During token initialisation, by selecting a directory where one or multiple CA certificates is / are stored
   (all at once), as described in this paragraph.

CA certificate format
SafeSign Identity Client supports the import of:
- DER encoded .CER certificates
- DER encoded .CRT certificates
- DER format certificates

Select the directory where the CA certificates are located, and change the default extension from *.cer to *.crt
or *.der as required.
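
Because the directory import takes in CA certificates all at once, it is worth checking what the directory contains before initialising the token. The following is an added example (not SafeSign or A.E.T. code): a standard-library Python pre-flight that tells DER from PEM, checks the extension against the three listed above, and reads the RSA key size. The 768-2048 bit range is the one this guide quotes for Digital IDs (Figure 60); the guide does not say whether it also applies to CA certificates, so the result is reported rather than enforced. The names `preflight`, `rsa_modulus_bits` and `sample_certificate` are hypothetical, and `sample_certificate` builds constructed, unsigned test data.

```python
from pathlib import PurePath

ALLOWED_EXT = {".cer", ".crt", ".der"}         # extensions named in the guide
MIN_BITS, MAX_BITS = 768, 2048                 # range quoted for Digital IDs (Figure 60)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                           # short-form length
        length, start = first, pos + 2
    else:                                      # long form: n length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("TLV runs past end of data")
    return tag, start, start + length


def children(buf, start, end):
    """Decode the TLVs that sit directly inside buf[start:end]."""
    out = []
    while start < end:
        tag, s, e = read_tlv(buf, start)
        if e > end:
            raise ValueError("child overruns its parent")
        out.append((tag, s, e))
        start = e
    return out


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER certificate, or None if not RSA."""
    tag, s, e = read_tlv(der, 0)
    if tag != 0x30 or e != len(der):
        raise ValueError("not one complete DER SEQUENCE")
    tbs = children(der, s, e)[0]               # tbsCertificate
    fields = children(der, tbs[1], tbs[2])
    if fields and fields[0][0] == 0xA0:        # optional [0] version
        fields = fields[1:]
    spki = fields[5]                           # after serial, sigAlg, issuer, validity, subject
    alg, key = children(der, spki[1], spki[2])[:2]
    oid = children(der, alg[1], alg[2])[0]
    if der[oid[1]:oid[2]] != RSA_OID:
        return None
    # BIT STRING content = unused-bits byte, then the RSAPublicKey SEQUENCE
    _, ks, ke = read_tlv(der, key[1] + 1)
    modulus = children(der, ks, ke)[0]
    return int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()


def preflight(filename, data):
    """Describe one candidate file; the caller decides what to reject."""
    report = {"file": filename, "encoding": "DER", "rsa_bits": None,
              "in_key_range": None,
              "extension_ok": PurePath(filename).suffix.lower() in ALLOWED_EXT}
    if data.lstrip().startswith(b"-----BEGIN"):
        report["encoding"] = "PEM"             # Base64 text, not in the guide's list
        return report
    try:
        bits = rsa_modulus_bits(data)
    except (ValueError, IndexError):
        report["encoding"] = "invalid"
        return report
    if bits is not None:
        report["rsa_bits"] = bits
        report["in_key_range"] = MIN_BITS <= bits <= MAX_BITS
    return report


def _tlv(tag, content):
    """DER-encode one TLV; used only to build the constructed sample below."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content


def sample_certificate(bits):
    """Constructed, unsigned, X.509-shaped DER blob with a `bits`-bit RSA modulus."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    rsa_key = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + rsa_key))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    print(preflight("root-2048.cer", sample_certificate(2048)))
    print(preflight("old-512.der", sample_certificate(512)))
    print(preflight("root.pem", b"-----BEGIN CERTIFICATE-----\n(constructed)\n"))
```

To audit a real directory, call `preflight(path.name, path.read_bytes())` for each file and review anything whose encoding is not DER, or that you did not expect to find there, before pointing the Initialise Token dialog at it.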

In the Initialise Token dialog, the option Import CA Certificates allows you to select a directory where the
CA certificate(s) is (are) stored:

Figure 87: Token Administration Utility: Initialise Token dialog

Fill in all fields according to requirements (as described in paragraph 3.1.1) and click on the browse icon to
select a directory where the CA certificates have been placed.

Upon clicking on the browse icon, the Browse for Folder dialog will open, allowing you to select a directory
containing CA Certificates:

Figure 88: Browse for Folder

 Select a directory and click OK

Upon clicking OK, the directory will be indicated in the corresponding box:

Figure 89: Initialise Token: Import CA Certificates

Note that all CA certificates present in the directory will be imported.


 Click OK to initialise the token

Upon clicking OK, your token will be initialised:

Figure 90: Token Administration Utility: Token is being initialised

Do not interrupt or remove your SafeSign Identity Client token during the initialisation process. If you have a
smart card reader with an LED, you may want to keep an eye on the LED of your smart card reader to see
whether it is busy or not.

When the CA certificate(s) is imported as part of the initialisation process, you will see the following dialog:

Figure 91: Token Administration Utility: Now importing CA certificates

When the initialisation operation is completed, the following prompt will appear:

Figure 92: Token Administration Utility: The operation completed successfully

 Click OK to finish the initialisation

3.2 Change PIN
The SafeSign Identity Client Token Administration Utility enables you to change the PIN for your SafeSign
Identity Client Token.
In order to do so, select Change PIN from the Token menu. This will open the following dialog:

Figure 93: Token Administration Utility: Change PIN

This dialog will identify the token of which you want to change the PIN (SafeSign Token in our example).
Enter the old PIN, a new PIN and confirm the new PIN.
Only when you enter the correct old PIN and a new and confirmed PIN that are the same (and fulfil the PIN
length requirements), will the OK button be available.
 Click OK to change the PIN

PIN / PUK length


SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK that is
shorter than the minimum or longer than the maximum allowed, you will not be able to click the OK button in
dialogs where the PIN / PUK is required [1]. Only a PIN / PUK of the required length will be accepted.
Note that the administrator may have set both the minimum and the maximum PIN / PUK length to values other
than the defaults supported by the card.
From SafeSign Identity Client release 3.0.33 onwards, it is possible for Java Card 2.2 (and higher)
supported cards to have a maximum PIN / PUK length of less than 15 characters.

[1] When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.

When the PIN has been successfully changed, the following dialog will be displayed:

Figure 94: Token Administration Utility: Your PIN was successfully changed

 Click OK to close this dialog box.

3.2.1 PIN information
Every time you enter your PIN for the SafeSign Identity Client Token, either when asked to do so in
applications (e.g. in the Enter PIN dialog for Microsoft applications) or within the SafeSign Identity Client
Token Administration Utility, SafeSign Identity Client will provide you with information as to the status of the
PIN.
Note that you have three attempts to enter the correct PIN [1] and that SafeSign Identity Client will register this
and give you information as to the status of the PIN. When you enter an incorrect PIN three times, the token
will be LOCKED and you should use the Unlock PIN item from the Token menu (as described in paragraph
3.4).
The counter for incorrect PIN entries will be reset (to three attempts to enter the PIN) if you enter a correct
PIN after entering an incorrect PIN (but no more than three times).
In the Token Information dialog (Token > Show Token Info), the status of the PIN is displayed. There are
four possible scenarios:
1. PIN is OK (as in Figure 95 below):

Figure 95: Token Information: PIN Status

2. PIN has been entered incorrectly at least once
3. One final attempt left to enter the PIN correctly
4. PIN is LOCKED

[1] Note that your administrator may have changed the maximum number of PIN retries.

Also, when you perform an operation within the SafeSign Identity Client Token Administration Utility, such as
Change PIN (or any other item for which PIN entry is required), you will receive information on the status of
the PIN in the dialog involved. Here also, four notifications are possible:
(1) When the PIN is OK (has not been entered incorrectly before):

Figure 96: Token Administration Utility: Change PIN

(2) When the PIN has been entered incorrectly:

Figure 97: Change PIN: PIN incorrect

(3) When one final attempt is left to enter the PIN correctly:

Figure 98: Change PIN: You have only 1 attempt left

(4) When the PIN is locked:

Figure 99: Change PIN: PIN locked

Wrong PIN in different item


When you close one menu item in the SafeSign Identity Client Token Administration Utility and you enter an
incorrect PIN in another item, you will be notified of this (The PIN has previously been entered incorrectly)
and the status of incorrect PIN entries. For example, the dialog below indicates you have already entered an
incorrect PIN in another item (for example when importing a Digital ID) and that you have only one attempt
left to enter the correct PIN:

Figure 100: Change PIN: The PIN has previously been entered incorrectly

3.3 Change Transport PIN


The administrator may have initialised the token with a Transport PIN.
A Transport PIN is a temporary PIN on the token that has to be changed into a personalised PIN code before a
token can be used. Setting a Transport PIN can be useful for security reasons, for example when you want to
be certain that a user (consciously) sets his / her own PIN prior to any signature token operations.
When a Transport PIN is set, the item Change PIN is not available; instead the option Change transport PIN is
available.
When the administrator has set a Transport PIN, the user should first change the Transport PIN into his own
personal PIN for the token:

Figure 101: Token Information: PIN set to transport value

When a Transport PIN is set, the Token Administration Utility will enable you to change the Transport PIN:

Figure 102: Token Administration Utility: Change transport PIN

 Select Change Transport PIN (as above)

This will open the Change transport PIN dialog

Figure 103: Change transport PIN dialog

 Enter the correct transport PIN, a new (personal) PIN for the token and confirm the new PIN

The transport PIN will now be changed into the new PIN, after which you will be informed:

Figure 104: Change transport PIN: Your PIN was successfully changed

 Click OK

You can now use your token with your own personal PIN.

3.4 Unlock PIN
The SafeSign Identity Client Token Administration Utility enables you to unlock the PIN for your SafeSign
Identity Client Token (when your PIN is locked, as in Figure 99).
Note that the Unlock PIN item will only be available when the PIN is actually locked. If not, the item will be
greyed out. In order to unlock the PIN, you will need to know the PUK of the SafeSign Identity Client token.
There are two ways of unlocking the PIN: unlocking the PIN using the PUK or unlocking the PIN via off-line
PIN unlock.
The first option is described in section 3.4.1.
The second option is described in section 3.4.2.

3.4.1 Unlock using the PUK


In order to unlock the PIN, select Unlock PIN from the Token menu¹.
This will open the following dialog:

Figure 105: Token Administration Utility: Unlock PIN

This dialog will identify the token of which you want to unlock the PIN (SafeSign IC Token in our example).
Enter the current PUK, a new PIN and confirm the new PIN.
Only when you enter the correct PUK and a new and confirmed PIN that are the same (and fulfil the PIN
length requirements), will the OK button be available.
 Click OK to unlock the PIN

PIN / PUK length


SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK of less
than the minimum allowed or more than the maximum allowed, you will not be able to click the OK button in
such instances where the PIN / PUK is required². Only when you enter a PIN / PUK of the required length will
the PIN / PUK be accepted. Note that both the minimum and the maximum PIN / PUK length may have been
set to different values (than the default values supported by the card) by the administrator.
From SafeSign Identity Client release 3.0.33 onwards (≥ 3.0.33) it is possible for the Java Card 2.2 (and
higher) supported cards, to have a maximum PIN / PUK length of less than 15 characters (< 15).

¹ When off-line PIN unlock is enabled, you will be asked to choose which method you want to use to unlock your PIN, as in Figure 107.
² When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.


When the PIN has been successfully unlocked, the following dialog will be displayed:

Figure 106: Unlock PIN: Your PIN was successfully unlocked

 Click OK to close this dialog box.


Your PIN should be unlocked and ready to use again, which you may check by being able to use all menu
items again (such as Import Digital IDs).

3.4.2 Unlock via off-line PIN unlock


The SafeSign IC Token Utility has built-in support for off-line PIN unlock.
When enabled, the user will be allowed to choose how to unlock the PIN, upon selecting Unlock PIN from the
Token menu:

Figure 107: Unlock PIN

Select the option Unlock PIN via off-line PIN unlock to start the off-line PIN unlock wizard, which consists of
5 steps and starts with the welcome page:

Figure 108: Off-line PIN unlock wizard: Welcome to the off-line PIN unlock wizard¹

 Click Next to continue


¹ This page contains an optional text telling the user how he/she can contact the helpdesk. The content of this text field is always "You
can contact your helpdesk at %s.", where %s is replaced by the string value HelpdeskContact under the
[HKEY_LOCAL_MACHINE\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0] registry key. This text field is displayed on all pages of the
wizard if this registry value is set.


Step 1 is to select the unlock algorithm to use. The helpdesk employee should tell you which algorithm to use:

Figure 109: Off-line PIN unlock wizard: select unlock algorithm

 Select the unlocking algorithm and click Next to continue

Once you have selected an algorithm, Step 2 is to report the challenge requested from the card:

Figure 110: Off-line PIN unlock wizard: report challenge

 Once the challenge has been reported to your helpdesk and a response given, click Next to continue


After clicking Next, in Step 3 you can enter the response you have been given by the helpdesk employee, and
you are allowed to enter a new PIN code for the token:

Figure 111: Off-line PIN unlock wizard: enter response and set a new PIN

The wizard checks the response length as well as the length of the new PIN.

Complete the fields as follows:

Figure 112: Off-line PIN unlock wizard: enter response and set a new PIN completed

 Click Next to continue


The final page of the wizard shows whether the unlock procedure succeeded or failed:

Figure 113: Off-line PIN unlock wizard: PIN unlock successful

Figure 114: Off-line PIN unlock wizard: off-line PIN unlock failed

If off-line PIN unlock fails after the two remaining tries, you can only unlock the PIN using the PUK, as
described in section 3.4.1.


3.5 Change PUK
The SafeSign Identity Client Token Administration Utility enables you to change the PUK for your SafeSign
Identity Client Token.
In order to do so, select Change PUK from the Token menu. This will open the following dialog:

Figure 115: Token Administration Utility: Change PUK

This dialog will identify the token of which you want to change the PUK (SafeSign IC Token in our example).
Enter the old PUK, a new PUK and confirm the new PUK.
Only when you enter the correct old PUK and a new and confirmed PUK that are the same (and fulfil the PUK
length requirements), will the OK button be available.
 Click OK to change the PUK

PIN / PUK length


SafeSign Identity Client enforces a minimum and maximum PIN / PUK length. If you enter a PIN / PUK of less
than the minimum allowed or more than the maximum allowed, you will not be able to click the OK button in
such instances where the PIN / PUK is required¹. Only when you enter a PIN / PUK of the required length will
the PIN / PUK be accepted. Note that both the minimum and the maximum PIN / PUK length may have been
set to different values by the administrator.
From SafeSign Identity Client release 3.0.33 onwards (≥ 3.0.33) it is possible for the Java Card 2.2 (and
higher) supported cards, to have a maximum PIN / PUK length of less than 15 characters (< 15).

When the PUK has been successfully changed, the following dialog will be displayed:

Figure 116: Change PUK: Your PUK was successfully changed

 Click OK to close this dialog box.


Your PUK is changed.

¹ When the maximum PUK / PIN length exceeds the maximum length required, the OK button will be greyed out.


3.5.1 PUK information
Every time you enter your PUK for the SafeSign Identity Client Token, which is most likely done within the
SafeSign Identity Client Token Administration Utility Change PIN or Change PUK item, SafeSign Identity Client
will provide you with information on the status of the PUK.
Note that you have three attempts to enter the correct PUK¹ and that SafeSign Identity Client will register this
and give you information as to the status of the PUK. When you enter an incorrect PUK three times, the PUK
will be LOCKED.
The counter for incorrect PUK entries will be reset (to three attempts to enter the PUK) if you enter a correct
PUK after entering an incorrect PUK (but no more than three times).

Note

When you enter an incorrect PUK three times, the PUK will be locked and cannot be unlocked. For a test
completed token, this implies you will have to initialise the token again, thereupon losing all data stored on the
token. For a series completed token, your token will become unusable, as you cannot wipe the contents of
your token, for in order to do so, you will need the PUK.

In the Token Information dialog (Token > Show Token Info), the status of the PUK is displayed. There are
four possible scenarios:
1. PUK is OK (as in Figure 117 below)
2. PUK has been entered incorrectly at least once
3. One final attempt left to enter the PUK correctly
4. PUK is LOCKED

Figure 117: Token Information: PUK Status

¹ Note that your administrator may have changed the maximum number of PUK retries.


Also, when you perform an operation within the SafeSign Identity Client Token Administration Utility, such as
Change PUK (or any other item for which PUK entry is required), you will receive information on the status of
the PUK in the dialog involved. Here also, four notifications are possible:
(1) When the PUK is OK (has not been entered incorrectly before):

Figure 118: Token Administration Utility: Change PUK

(2) When the PUK has been entered incorrectly:

Figure 119: Change PUK: PUK incorrect

(3) When one final attempt is left to enter the PUK correctly:

Figure 120: Change PUK: You have only 1 attempt left

(4) When the PUK is locked:

Figure 121: Change PUK: PUK locked


Wrong PUK in different item


When you close one menu item in the SafeSign Identity Client Token Administration Utility and you enter an
incorrect PUK in another item, you will be notified of this (Previous attempts to use the PUK have failed) and
the status of incorrect PUK entries. For example, the dialog below indicates you have already entered an
incorrect PUK in another item and that you have only one attempt left to enter the correct PUK:

Figure 122: Change PUK: The PUK has previously been entered incorrectly

Token Locked
When both the PIN and PUK of the token have been locked, the Token Administration Utility will look like this:

Figure 123: Token locked

Note that in this case, only a test completion token can be (re-)initialised (deleting all contents and rewriting
the entire file structure), whereas a series completion token has become useless.


3.6 Show Token Info


The Token Information dialog (Token > Show Token Info) displays some information on the token
inserted:

Figure 124: Token Administration Utility: Token Information

The Token Information field displays the following information:


| Field | Value | Description |
|---|---|---|
| Token Label | [token label] | Displays the label of the token, as given to it by the administrator or by the user himself. |
| Token Serial Number | [serial number] | Displays the serial number of the token (usually the chip serial number). |
| Token Model | [token model] | Displays the token model and version. |
| Series Completion | [Yes / No] | Displays whether the token is a test (completed) or series / production (completed) token. When the token is a test (completed) token, it will say [No], meaning you can re-initialise the token; when the token is a series / production (completed) token, it will say [Yes], meaning you can only wipe the token contents. |
| Registry card type | [registry card type] | Displays the card name as present in the Microsoft Cryptography key¹. |
| CSP | [SafeSign Standard Cryptographic Service Provider] | Displays the configured CSP. |
| PIN Status | [PIN status message] | Displays the status of the PIN: OK; PIN has been entered incorrectly at least once; One final attempt left to enter PIN correctly; LOCKED. |
| PIN Length | [maximum x characters / minimum x characters] | Displays the maximum and minimum number of characters for the PIN length. |
| PIN Timeout | [disabled / -] | Displays the status of the PIN Timeout setting. |
| PUK Status | [PUK status message] | Displays the status of the PUK: OK; PUK has been entered incorrectly at least once; One final attempt left to enter PUK correctly; LOCKED. |
| Public Memory / Private Memory | [Total x bytes / Free x bytes / Used x bytes] | Displays the total amount of bytes, the free amount of bytes and the used amount of bytes available in the public memory on the token (after initialisation). |

¹ The key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards.

Note

Note that the private memory is not the place where the private keys are stored. In accordance with the
PKCS#15 standard, private keys are stored in a directory, while the private memory is
used to store, for example, secure data objects.
This explains why the amount of private space does not decrease when a token is inserted that contains
one or more private keys.


3.7 Show Token Objects


The option Show Token Objects provides a more detailed and technical view of the contents of the token. It
displays all the separate objects on the token.
Note that it is not designed to give a detailed and correlated structure between the objects on the token
(where such distinction is not possible by the friendly name / label of the objects). This is the purpose of Show
Registered Digital IDs, which shows the relation between the objects on the token i.e. which objects go
together and make up a Digital ID that can be used.
Select Show Token Objects from the Token menu to open the PKCS#11 objects ([Token Name]) dialog:

Figure 125: PKCS #11 objects: Token Objects

This dialog will display the Public token objects.

 In order to view all objects / private objects on the token, click Show Private Objects

Upon selecting Show Private Objects, you will be asked for the PIN of the token:

Figure 126: PKCS #11 Objects: Enter PIN

 Enter the correct PIN to display the private objects on the token


Upon entering the correct PIN, the private objects on the token will also be displayed:

Figure 127: PKCS #11 Objects: All objects

A number of operations are possible with regard to (some of) the objects on the token, which are described in
the following paragraphs.

3.7.1 View Certificate
This allows you to view the certificate content.
Click on View Certificate to view the contents of the certificate:

Figure 128: View Certificate: Certificate Information


3.7.2 Save Object
This allows you to save certificates in *.cer format, as well as data objects on the token.
Note

Note that the Save to file button in Figure 128 does the same for certificates.
Click on Save Object to select a location to save the file in:

Figure 129: Save Object: Save certificate

 Select a location and click Save

3.7.3 Edit Label
You can edit the label of both public and private keys and certificates (e.g. to be able to identify which public
and private key and certificate go together).
Note

When requesting a key pair and certificate through the CSP, the key pair is generated before the certificate.
SafeSign Identity Client matches the label of the public and private key with the label of the certificate, so as
better to distinguish which public and private key and certificate go together.
Upon clicking Edit Label, the following dialog will be opened:

Figure 130: Edit Label

 Enter the new label and click OK to save it.


After entering the correct PIN for the token, the label will be changed.
Note that you will have to edit the label of each object separately.


3.7.4 Delete Object
This allows you to delete token objects: public key(s), private key(s) and certificate(s).
Select an object and click on Delete Object. You will be asked to confirm the deletion:

Figure 131: Delete Object: Are you sure

 Click Yes if you want to delete the object.

You will be asked for the PIN of the token:

Figure 132: Delete Object: Enter PIN

 Enter the correct PIN and click OK, upon which the object will be deleted.
Note that if you have entered the PIN once in the PKCS #11 Objects dialog (e.g. to show private objects), you
will not have to enter it again at this point.

3.8 Dump Token Contents


This function allows an administrator to dump the contents of the token. Administrators can send this
information to AET support if errors occur that may be related to the token contents, for further analysis.
A token dump will identify the PKCS #11 objects on the token and their attributes.
This dump is particularly useful when used in combination with the Analyse Certificate Quality feature (Token
> Analyse Certificate Quality). If the certificate quality is indicated as being not optimal, the dump will
give administrators (and AET Support) more information on whether the attributes are set and whether they
are set correctly. This is important both for certificate registration and applications trying to use the token (and
the certificate it contains).
Note that the actual objects on the token will in no way be saved or placed off the card.


To dump the token contents, go to Token > Dump Token Contents.


You will be asked for confirmation to continue the dump:

Figure 133: Dump Token Contents: Question

 Click Yes to continue with the dump

You will be asked to select a location and a name for the resulting file:

Figure 134: Dump Token Contents: Save

 Select a location and a name for the file and click Save

You will be asked to enter the PIN for the token:

Figure 135: Dump Token Contents: Enter PIN

 Enter the correct PIN and click OK


The token contents will now be written to a file in the location specified:

Figure 136: Dump Token Contents: Dumping

When the dump is successful, you will be notified:

Figure 137: Dump Token Contents: Dump successful

 Click OK
You can now view the contents of the file in the location where you saved it.

3.9 Query Unknown token


This function has been built into the Token Administration Utility to be able to integrate as yet unrecognised
versions of supported Java tokens.
Note that in order to use this feature you will need to know at least which token (type) you are using.
It may happen that a (new) batch of an already supported token is not recognised (out-of-the-box) by
SafeSign Identity Client. This is most likely to happen when the CPLC data of the token is not known in
SafeSign Identity Client. The Query Unknown Token function allows you to query the CPLC data of the
token and create the registry entry necessary to support it.
Note that in case your token is not recognised, it is advisable to verify whether there is a new version of
SafeSign Identity Client available (that may recognise your token) and/or to contact your manufacturer about
the exact details of the token.
When SafeSign Identity Client does not recognise a token (yet), the Token Administration Utility will display
Unknown token present¹:

Figure 138: Token Administration Utility: Unknown Token

 Select Token > Query unknown token


¹ Note that it may also be that the particular token is not supported by SafeSign (see the list of supported tokens in the Product
Description) or that something else is wrong (in which case, Query unknown token may inform you that the token is not recognised
as a Java card).


Unknown ATR
Note that it may occur that a Java card (model) is recognised, but that the ATR is as yet unknown. In this
case, the following dialog will be displayed:

Figure 139: Unknown ATR: The ATR is not registered correctly

When the ATR of a token is not registered correctly for use in Microsoft CryptoAPI applications (while the
token model is recognised), this could lead to problems with, for example, Windows smart card logon. See the
Smart Card Logon note.
Therefore, if the ATR of a token is not recognised, a warning to this extent will appear when inserting the
token while the Token Administration Utility is open. This dialog will also allow you to copy the ATR of the
token to the clipboard, so you can copy it to an e-mail message (for example).
When the ATR and the type of token are reported back to AET Europe, [email protected] will be able to
provide you with the correct settings for using the token (in a registry file, to be deployed on all machines
used with the token) and include it in our next release(s), if required, to ensure easy deployment and rollout.
Note that in Windows 7, when the ATR of a token is not recognised, Windows will start looking for drivers for
the Smart Card. This is because Windows tries to download and install the smart card minidrivers for the card
through Plug and Play services. See http://support.microsoft.com/kb/976832 for more details.

Upon selecting the Query unknown token item of the Token menu, the following dialog will open:

Figure 140: Query unknown token: Unknown Java Card

This dialog identifies the registry key for the Java card inserted.
You can either copy the registry key to the clipboard, in order to send this information to AET Support, or you
can copy the registry settings from a known Java card, if the card you are using is a new (as yet
unrecognised) version of an already supported Java card.


 Select Copy registry settings from a known Java card and select the known Java card (as below):

Figure 141: Unknown Java card: Copy settings

You should not select the first Java card in the list, but use the drop-down box to select the Java card type you
know the token to be (as above, where the JCOP41 v2.3.1 has been selected). The drop-down box does not
automatically select the token model you are using.
You can now either apply the registry settings to the (as yet) unknown card, or you can save the registry file
to add it manually at a later time by double-clicking it¹.

3.9.1 Apply settings
Upon clicking on Apply settings, you will be asked to enter the name for the new card:

Figure 142: Apply settings: Enter name

 Enter a name for the new card (or retain the name of the known Java card) and click OK

Upon clicking OK, you will be informed that:

Figure 143: The registry settings have successfully been copied

 Click OK

¹ This may be convenient if an administrator needs to update the workstations of SafeSign end-users to support the new version of a
Java card.


The token can now be initialised, as described in paragraph 3.1:

Figure 144: Token Administration Utility: Blank Token

3.9.2 Save registry file


Upon clicking on Save registry file, you will be asked to enter the name for the new card:

Figure 145: Save registry file: Enter name

 Enter a name for the new card (or retain the name of the known Java card) and click OK

You can now save the registry file to a suitable location:

Figure 146: Save registry file

 Click Save


When the registry file has been saved, you will be informed that:

Figure 147: Save registry file: The registry file has been written successfully

 Click OK

The registry file will now be available at the location where you saved it. Upon double-clicking it, its
settings will be added to the registry and you will be able to initialise the (now) blank token:

Figure 148: Token Administration Utility: Blank Token

Smart Card Logon


Note that when using the new Java card for Windows smart card logon (when it contains a smart card user
or smart card logon certificate), an error message may appear when logging on (The card supplied requires
drivers that are not present on this system).
The data of the new card should be added on every machine where SafeSign Identity Client is installed (by
means of the saved registry file, described in paragraph 3.9.2) before smart card logon is to be performed.
Although the card will be recognised on other machines (i.e. its details and contents can be viewed in the
Token Utility), the logon will fail, because the ATR is different from that in the registry.
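
The ATR comparison behind this logon failure can be modelled as below. This is an added example, not SafeSign or Windows code: the card names and ATR bytes are constructed, and each entry stands in for the ATR and ATRMask values registered per card type under the Calais\SmartCards key. A card ATR A matches an entry when A AND ATRMask equals the registered ATR; `register_like_known` is a hypothetical helper that models copying the settings of a known card.

```python
# Added illustration: how an inserted card's ATR is compared with the
# ATR / ATRMask pairs registered per card type. All names and ATR bytes
# below are constructed sample data, not values of real SafeSign tokens.


def atr_matches(card_atr: bytes, reg_atr: bytes, reg_mask: bytes) -> bool:
    """True when (card_atr AND mask) equals the registered ATR, byte for byte."""
    if not (len(card_atr) == len(reg_atr) == len(reg_mask)):
        return False
    return all((c & m) == r for c, r, m in zip(card_atr, reg_atr, reg_mask))


def lookup_card(card_atr: bytes, registered: dict) -> list:
    """Names of all registered card types whose ATR/ATRMask accept card_atr."""
    return [name for name, entry in registered.items()
            if atr_matches(card_atr, entry["ATR"], entry["ATRMask"])]


def mismatch_offsets(card_atr: bytes, reg_atr: bytes, reg_mask: bytes) -> list:
    """Byte offsets at which the masked comparison fails (for troubleshooting)."""
    if not (len(card_atr) == len(reg_atr) == len(reg_mask)):
        return [-1]  # different lengths: no byte-wise comparison possible
    return [i for i, (c, r, m) in enumerate(zip(card_atr, reg_atr, reg_mask))
            if (c & m) != r]


def register_like_known(registered: dict, known: str, new_name: str,
                        new_atr: bytes) -> dict:
    """Hypothetical model of copying a known card's settings: same mask, new ATR."""
    mask = registered[known]["ATRMask"]
    updated = dict(registered)
    updated[new_name] = {
        "ATR": bytes(a & m for a, m in zip(new_atr, mask)),
        "ATRMask": mask,
    }
    return updated


# Constructed registry content: the last ATR byte is ignored (mask 00).
REGISTERED = {
    "Example Java Card": {
        "ATR": bytes.fromhex("3B 16 94 AA BB CC 01 00"),
        "ATRMask": bytes.fromhex("FF FF FF FF FF FF FF 00"),
    },
}

KNOWN_BATCH = bytes.fromhex("3B 16 94 AA BB CC 01 7F")  # accepted by the entry
NEW_BATCH = bytes.fromhex("3B 16 94 AA BB CC 02 7F")    # differs at offset 6

if __name__ == "__main__":
    entry = REGISTERED["Example Java Card"]
    print("known batch :", lookup_card(KNOWN_BATCH, REGISTERED))
    print("new batch   :", lookup_card(NEW_BATCH, REGISTERED))
    print("fails at    :", mismatch_offsets(NEW_BATCH, entry["ATR"], entry["ATRMask"]))
    fixed = register_like_known(REGISTERED, "Example Java Card",
                                "Example Java Card (new batch)", NEW_BATCH)
    print("after update:", lookup_card(NEW_BATCH, fixed))
```

A machine that still holds only the original entry keeps rejecting the new batch, which is why the saved registry file has to reach every workstation before smart card logon is attempted.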


3.10 Analyse Certificate Quality


This function analyses the quality of the certificate(s) stored on the token. It analyses the attributes of the
certificate(s) for optimal performance and speed of the SafeSign Identity Client certificate registration process
and for applications that will use the certificate. This allows administrators to identify possible issues with
certificate quality and ensure that the right attributes are set and/or set with the right values.
There are three possible scenarios:

3.10.1 Certificate Status OK


The status is OK, which means that the certificate has been stored correctly on the token and is suitable for
optimal use:

Figure 149: Certificate analysis: OK


3.10.2 Certificate Status Not Optimal


The certificate status is Not optimal:

Figure 150: Certificate analysis: Not optimal

When the status of a certificate is not optimal, this may result in suboptimal performance of the certificate
registration process. Therefore, the certificate analysis tool will indicate a number of causes why this could be
the case (as in the example above).
These causes can be verified when making a dump of the token contents (as described in paragraph 3.8).

3.10.3 Certificate Status Unusable


The certificate status is Unusable:

Figure 151: Certificate analysis: Unusable

This may occur when the private key could not be found on the token, or when the private key does not
match the public key in the certificate.
In this case, the certificate is unusable for any application.
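
The three statuses can be reproduced over a token dump with a check like the one below. This is an added example, not SafeSign's own analysis: the dump is constructed, `cert_modulus` stands for the RSA modulus parsed from the certificate's CKA_VALUE, and the rules used for "Not optimal" (CKA_ID and CKA_LABEL must be set and equal on certificate and private key) are assumptions, since the guide does not list the attributes it inspects.

```python
# Added illustration: classify the certificates in a PKCS #11 attribute dump
# as "OK", "Not optimal" or "Unusable". The dump is constructed sample data;
# "cert_modulus" stands for the RSA modulus parsed out of the certificate's
# CKA_VALUE, and the "Not optimal" rules are assumptions of this example.

NOT_FOUND = "private key not found on the token"
MISMATCH = "private key does not match the public key in the certificate"


def private_keys(objects):
    """All private key objects in the dump."""
    return [o for o in objects if o["CKA_CLASS"] == "CKO_PRIVATE_KEY"]


def analyse_certificate(cert, objects):
    """Return (status, reasons) for one CKO_CERTIFICATE object."""
    keys = private_keys(objects)
    key = next((k for k in keys
                if k.get("CKA_MODULUS") == cert["cert_modulus"]), None)
    if key is None:
        # No key carries the certificate's modulus. A key sharing the
        # certificate's CKA_ID was paired with it but holds other key material.
        cert_id = cert.get("CKA_ID")
        paired = cert_id is not None and any(
            k.get("CKA_ID") == cert_id for k in keys)
        return "Unusable", [MISMATCH if paired else NOT_FOUND]

    reasons = []
    if not cert.get("CKA_ID") or cert.get("CKA_ID") != key.get("CKA_ID"):
        reasons.append("CKA_ID missing or different from the private key")
    if not cert.get("CKA_LABEL") or cert.get("CKA_LABEL") != key.get("CKA_LABEL"):
        reasons.append("CKA_LABEL missing or different from the private key")
    return ("Not optimal", reasons) if reasons else ("OK", [])


def analyse_token(objects):
    """Map each certificate label to its (status, reasons)."""
    return {o["CKA_LABEL"]: analyse_certificate(o, objects)
            for o in objects if o["CKA_CLASS"] == "CKO_CERTIFICATE"}


# Constructed dump: four certificates, three private keys, one public key.
DUMP = [
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "alice-sign",
     "CKA_ID": b"\x01", "cert_modulus": 0xA1B2C3},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_LABEL": "alice-sign",
     "CKA_ID": b"\x01", "CKA_MODULUS": 0xA1B2C3},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_LABEL": "alice-sign",
     "CKA_ID": b"\x01", "CKA_MODULUS": 0xA1B2C3},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "alice-auth",
     "CKA_ID": b"\x02", "cert_modulus": 0xD4E5F6},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_LABEL": "",
     "CKA_ID": b"\x07", "CKA_MODULUS": 0xD4E5F6},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "alice-old",
     "CKA_ID": b"\x03", "cert_modulus": 0x111111},
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_LABEL": "alice-old",
     "CKA_ID": b"\x03", "CKA_MODULUS": 0x222222},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_LABEL": "alice-orphan",
     "CKA_ID": b"\x04", "cert_modulus": 0x333333},
]

if __name__ == "__main__":
    for label, (status, reasons) in analyse_token(DUMP).items():
        print(f"{label:13} {status:12} {'; '.join(reasons)}")
```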


3.11 Change PIN Timeout


In SafeSign Identity Client¹, it is possible to set a PIN timeout, for both PKCS #11 and CSP applications, for
Java Card v2.2+ cards.
By default, the PIN timeout is disabled. When the PIN timeout is enabled, you will be asked to (re-)login to the
token, i.e. the SafeSign PIN dialog will be displayed.
In practice, this means that for example when using Outlook to send signed e-mail messages, you will be
asked to enter your PIN again when the maximum amount of time has passed since the last time you logged
in to the token.
The timeout value for a particular token can be set in the Token Administration Utility², through the menu
Token > Change PIN Timeout, if the (initialised) token is inserted and the correct PIN is entered.

Select Change PIN Timeout from the Token menu:

Figure 152: Token Administration Utility: Change PIN Timeout

Upon selecting Change PIN Timeout, the Change Timeout dialog will open:

Figure 153: Change Timeout: Timeout disabled

By default, the PIN Timeout is disabled.


Note that the PIN Timeout cannot be set to 0 (zero) seconds, as this will expire the PIN immediately when it is
entered and the credentials on the token cannot be used. The minimum PIN Timeout value is set to 20
seconds³.

¹ From SafeSign Identity Client version 3.0.18 onwards (≥ 3.0.18).
² The Token Management Utility does not include this option.
³ From SafeSign Identity Client 3.0.33 onwards (≥ 3.0.33).


Deselect Pin Timeout disabled, after which you will be able to set the new Timeout Value:

Figure 154: Change Timeout: Timeout enabled

Drag the slider to the desired value (in our example, 60 seconds):

Figure 155: Change Timeout: New Timeout Value

 Click OK

You will be asked to enter the PIN of your token:

Figure 156: Enter

 Enter the PIN and click OK

Upon entering the correct PIN, the Timeout will be enabled:

Figure 157: Your PIN Timeout was successfully changed

 Click OK


When the PIN Timeout is enabled, the Token Information will no longer display it as disabled:

Figure 158: Token Information: PIN Timeout enabled

Note that there is an error in the display of the PIN Timeout, which will be fixed in a future release of SafeSign
Identity Client.


Integration menu
When you have Mozilla Firefox and/or Entrust 6.x installed on your computer, the SafeSign Identity Client
InstallShield Wizard will allow you to install SafeSign Identity Client in Firefox / Entrust during the SafeSign
Identity Client installation procedure.
However, it is also possible to install SafeSign Identity Client in Firefox and Entrust at a later stage, through
the Integration menu of the Token Administration Utility, which also allows you to de-install SafeSign from
Firefox / Entrust.
For more information on installing SafeSign in Firefox / Entrust during installation, refer to the SafeSign
Identity Client Installation Guide.

4.1 Install SafeSign in Firefox


In the Token Administration Utility window, select Integration > Install SafeSign in Firefox:

Figure 159: Token Administration Utility: Install SafeSign in Firefox

Note

Note that there is an issue with Firefox version 3.5 and the installation of the SafeSign PKCS#11 Library as a
security module in Firefox, through the SafeSign Firefox Installer.
As of Firefox 3.5.x, it is no longer possible to install PKCS#11 modules automatically, as described in the
Firefox 3.5 release notes: "Web pages can no longer automatically install PKCS11 cryptographic tokens. Users
are now required to do this manually or install an Add-on that installs them."
It is still possible to install SafeSign manually, as described in the Installation Guide.

The Firefox Installer is loaded:

Figure 160: Firefox Installer: Install SafeSign in Firefox

It lists the version of Firefox present on your system and allows you to install SafeSign Identity Client as a
security module.


Select your Firefox browser from the list and click Install

Upon selecting Firefox from the list and clicking Install, the browser will open (with an empty browser
window), asking whether you want to install the SafeSign Identity Client security module and identifying
its name and file for you to verify:

Figure 161: Firefox Installer: Are you sure you want to install this security module?

To install the SafeSign Identity Client security module, click OK

Click Cancel to cancel installation of the SafeSign Identity Client security module.

Upon clicking OK, you are notified that a new security module has been installed:

Figure 162: Firefox Installer: A new security module has been installed

Click OK

Upon clicking OK, the security module is installed and you can close the browser window to return to the
Firefox Installer window, which has remained in the background (Figure 160).
If you have finished installing SafeSign Identity Client in your Firefox browser, click Close to close the Firefox
Installer.
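
The installation dialog asks you to verify the module's name and file, and the same check can be repeated afterwards against the browser profile. The following is an added example, not code from this guide or from A.E.T.: it parses pkcs11.txt, the file in which Firefox profiles that use the SQL-format NSS database list their registered PKCS#11 modules, and reports every module whose library lies outside the directories you trust. Assumptions: the profile uses that database format (the Firefox 3.5 release discussed above predates it), and the sample file contents, module names, library paths and trusted directory are constructed placeholders.

```python
"""Audit the PKCS#11 modules registered in a Firefox profile's pkcs11.txt."""
from pathlib import PureWindowsPath

# Constructed sample of a profile's pkcs11.txt; names and paths are placeholders.
SAMPLE_PKCS11_TXT = r"""
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:C:/Users/alice/profile' certPrefix='' keyPrefix=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=C:\Windows\System32\example-token-pkcs11.dll
name=SafeSign Identity Client

library=C:\Users\alice\Downloads\helper.dll
name=Smart Card Helper
"""

def parse_modules(text):
    """Return one dict per blank-line-separated stanza of key=value lines."""
    modules, current = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)   # values may themselves contain '='
            current[key.strip().lower()] = value.strip()
    return modules

def audit(text, trusted_dirs):
    """Return (name, library) for every external module outside trusted_dirs."""
    trusted = [PureWindowsPath(d) for d in trusted_dirs]
    findings = []
    for mod in parse_modules(text):
        lib = mod.get("library", "")
        if not lib:            # an empty library= entry is the built-in NSS module
            continue
        path = PureWindowsPath(lib)   # Windows paths compare case-insensitively
        ok = path.is_absolute() and any(path.parent == d for d in trusted)
        if not ok:             # relative names and untrusted folders are reported
            findings.append((mod.get("name", "<unnamed>"), lib))
    return findings

if __name__ == "__main__":
    for name, lib in audit(SAMPLE_PKCS11_TXT, [r"C:\Windows\System32"]):
        print(f"review module {name!r}: {lib}")
```

A module reported here is not necessarily malicious; it is one whose file location should be compared with what the installation dialog showed.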

4.2 Install SafeSign in Entrust

In the Token Administration Utility window, select Integration > Install SafeSign in Entrust:

Figure 163: Token Administration Utility: Install SafeSign in Entrust

The Entrust Installer is loaded:

Figure 164: Entrust Installer: Install SafeSign in Entrust

Click Install to install SafeSign Identity Client in Entrust

Upon clicking Install in the Entrust Installer window, SafeSign Identity Client will be installed in Entrust and
you will be notified if this has been successful:

Figure 165: Entrust Installer: successfully installed

Click OK to close this dialog, upon which the Entrust Installer window will close

Tasks menu
The Task Manager allows you to start one or more tasks when a token, or one specific token, is inserted.
The Token Administration Utility includes a Tasks menu:

Figure 166: Token Administration Utility: Manage tasks

Clicking on Manage tasks will open the Manage tasks dialog, which contains one task by default:
checking certificate expiration.

Figure 167: Manage tasks: Tasks

You can add a task by clicking Add task

Upon clicking Add task, the Welcome to the add new task wizard dialog opens:

Figure 168: Add new task wizard: Welcome to the add new task wizard

Click Next

Upon clicking Next in the Welcome to the add new task wizard window, step 1 will allow you to select a task
type:

Figure 169: Add new task wizard: Step 1

You can select one of two task types:

1. Launch an application when a token is inserted: for example, open Internet Explorer (on a particular
(secure) web site) or set up a Remote Desktop Connection / Citrix connection;
2. Launch a plug-in when a token is inserted: for example, to change the Transport PIN of the token.

5.1 Launch an application

Upon selecting the option Launch an application when a token is inserted, Step 2 will allow you to select the
application to launch and specify its parameters (if required / desired):

Figure 170: Add new task wizard: Step 2

In our example, we will launch a Remote Desktop Connection, which can be found in the system32 directory
and is called mstsc.exe.

Select the application

When you have selected the application, you can specify command-line parameters for this application:

Figure 171: Add a new task wizard: Step 2 - application to launch

Note that these parameters are application-specific. For example, in order to start up a Remote Desktop
Connection, you should enter: /v:<server name>.

Thus, in our example, step 2 is completed as follows:

Figure 172: Add new task wizard: Step 2 - Command-line parameters

In this window, you can also select whether you want to close the task when the token is removed.

Click Next to continue

Note

Note that when selecting the option to close the application when the token is removed, the Task Manager will
try to close the application launched, when possible. However, there are some scenarios in which this is not
possible, for example when launching the remote desktop application (mstsc.exe) with parameters to connect
to a particular session. In that case, the SafeSign Task Manager cannot close the session for the user or the
application itself.

The next step in the process is to select if the task applies to all tokens, or only to a specific token:

Figure 173: Add new task wizard: Step 3

When no token is inserted in the reader, the window above will be shown (with the option This task only
applies to the following token greyed out).

When a token is inserted, this option is selectable and when completed, will look as follows:

Figure 174: Add new task wizard: Step 3 - This task applies to the following token

Note that it is possible either to select the task to apply to a specific token with a specific serial number or to
select the task to apply to any token with the specified token label.

When you have selected the desired configuration, click Next

The next step is to enter a name for your task (to make it easily identifiable in the task list):

Figure 175: Add new task wizard: Step 4

In our example, the task is called My Remote Desktop Connection.

Click Next to continue

These four steps conclude the Add a new task wizard:

Figure 176: Add new task wizard: Task added successfully

Click Finish

The task will now be added to the Manage tasks window in the Token Administration Utility:

Figure 177: Manage tasks: Remote Desktop Connection

When a token is inserted, the Remote Desktop Connection will start (due to the parameters given).

5.2 Launch a plug-in

Upon selecting the option Launch a plug-in when a token is inserted, Step 2 will allow you to select the plug-in
to call:

Figure 178: Add new task wizard: Step 2

In our example, we will launch a plug-in called demoplugin.dll, which will allow you to change the Transport
PIN of a token (when set).

Select the plug-in to call

When you have selected the plug-in to call, the window looks as follows:

Figure 179: Add a new task wizard: Step 2 - plug-in to call

Click Next to continue

The next step in the process is to select if the task applies to all tokens, or only to a specific token:

Figure 180: Add new task wizard: Step 3

When no token is inserted in the reader, the window above will be shown (with the option This task only
applies to the following token greyed out).

When a token is inserted, this option is selectable and when completed, will look as follows:

Figure 181: Add a new task wizard: Step 3 - This task applies to the following token

Note that it is possible either to select the task to apply to a specific token with a specific serial number or to
select the task to apply to any token with the specified token label.

When you have selected the desired configuration, click Next

The next step is to enter a name for your task (to make it easily identifiable in the task list):

Figure 182: Add a new task wizard: Step 4

In our example, the task is called Change Transport PIN.

Click Next to continue

These four steps conclude the Add a new task wizard:

Figure 183: Add a new task wizard: Task added successfully

Click Finish

The task will now be added to the Manage tasks window in the Token Administration Utility:

Figure 184: Manage tasks: Remote Desktop Connection

5.3 Remove a task

It is not possible to edit an existing task, but it is possible to remove a task.
In the Token Administration Utility's Manage tasks window, select the task you want to remove:

Figure 185: Manage tasks: Remove task

Click Remove task to remove the task.

Index of Notes

CA certificate format
Certificate Expiration Warning
Certification Path
Change Transport PIN
Device Error
Field requirements
Import CA certificates
Key Size Error
Menu availability
Multiple tokens and readers
Note
Note for Administrators
PIN / PUK length
Private Key non-exportable
Registration
Re-initialise token
Removal of the token
SafeSign applet installed in series
Save to file
Secure PIN entry
Set the label of the ID on the token to a non default-value
Smart Card Logon
Token availability
Token Locked
Token out of Memory
Unknown ATR
Wrong Password
Wrong PIN in different item
Wrong PUK in different item
Your Java Card may not be correctly configured
