PKCS#11
The PKCS#11 provider opens a session with a cryptographic device (for example an HSM or a USB token) to perform cryptographic operations. The device usually requires a driver module (middleware) installed on the machine that runs the service. See the documentation of your cryptographic device for the required drivers.
The PKCS#11 cryptographic provider offers options to configure the following digital signature types:
- PAdES-B-B: Basic digital signature that requires neither a time-stamp authority (TSA) nor revocation information (CRL, OCSP).
- PAdES-B-T: Digital signature with a timestamp token.
- PAdES-B-LT/LTA: Digital signature with a timestamp token and signature validation data.
The PKCS#11 Tech Note provides detailed information about configuring a PKCS#11 device to work with the Pdftools Conversion Service.
Configure PKCS#11 Signing Service
The following sections introduce configuration examples and provide detailed descriptions of each configuration option in the Identity settings and Provider settings sections.
Configuration examples
This section includes screenshots from the Conversion Service Configurator with configuration details of each signature type provided by the PKCS#11 cryptographic provider.
- PAdES-B-B: Basic digital signature that requires neither a time-stamp authority (TSA) nor revocation information (CRL, OCSP).
- PAdES-B-T: Digital signature with a timestamp token.
- PAdES-B-LT/LTA: Digital signature with a timestamp token and signature validation data.
Identity settings
The following sections describe specific configuration options in the identity section of the digital signature configuration.
Common Name
The name of the signing certificate. This is the common name of the certificate subject with limited support for placeholders.
Thumbprint
The SHA-1 thumbprint (also called fingerprint) of the signing certificate, with limited support for placeholders, is required for certificate selection.
If this value is incorrect, the error message in the service log is "Certificate not found in store.".
The thumbprint value must be a string of hexadecimal digits; its characters must be in the ranges 0-9, a-f, A-F, and spaces. You can directly use the Thumbprint value displayed in the Windows certificate dialog.
Examples:
005572a2d0242a0121c8dee341463a63ae9cabdf
00 55 72 A2 D0 24 2A 01 21 C8 DE E3 41 46 3A 63 AE 9C AB DF
Supported placeholders:
- [custom:<OPTION-NAME>]: A custom placeholder.
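The following is an added example (not Pdftools code) of the certificate-selection rule described above: it accepts both documented thumbprint forms, rejects anything that is not hex digits or spaces, and matches the normalized value against the SHA-1 of each certificate's DER bytes. The "store" is a dict of constructed byte strings standing in for DER-encoded certificates, and the handling of the invisible U+200E character is based on the widely reported behaviour of the Windows certificate dialog when a thumbprint is copied from it; both are assumptions of the example, not statements from the page.

```python
"""Match a configured SHA-1 thumbprint against certificates in a store.
Added example; not Pdftools code. The store is a dict of constructed byte
strings standing in for DER-encoded certificates."""
import hashlib
import re
from typing import Optional

# The Windows certificate dialog is widely reported to prepend an invisible
# left-to-right mark (U+200E) when the thumbprint is copied. It is not a hex
# digit, and "Certificate not found in store." is the usual symptom.
_INVISIBLE = "\u200e\u200f\ufeff"
_HEX_WITH_SPACES = re.compile(r"[0-9A-Fa-f ]+")


def normalize_thumbprint(value: str) -> str:
    """Accept the documented forms (hex digits in either case, optional
    spaces), reject anything else, and return 40 lowercase hex digits."""
    cleaned = value.strip()
    for ch in _INVISIBLE:          # str.strip() does not remove these
        cleaned = cleaned.replace(ch, "")
    if not _HEX_WITH_SPACES.fullmatch(cleaned):
        raise ValueError(f"thumbprint contains non-hex characters: {value!r}")
    digits = cleaned.replace(" ", "").lower()
    if len(digits) != 40:          # SHA-1 digests are 160 bits = 40 hex digits
        raise ValueError(f"SHA-1 thumbprint needs 40 hex digits, got {len(digits)}")
    return digits


def is_valid_thumbprint(value: str) -> bool:
    """Convenience wrapper for validating a configuration value up front."""
    try:
        normalize_thumbprint(value)
        return True
    except ValueError:
        return False


def certificate_thumbprint(der: bytes) -> str:
    """The thumbprint is SHA-1 over the certificate's DER bytes. It identifies
    the certificate, not the key, so a re-issued certificate gets a new value
    and the configuration must be updated."""
    return hashlib.sha1(der).hexdigest()


def find_certificate(configured: str, store: dict) -> Optional[bytes]:
    """Return the DER of the certificate whose thumbprint matches, else None."""
    wanted = normalize_thumbprint(configured)
    for der in store.values():
        if certificate_thumbprint(der) == wanted:
            return der
    return None


if __name__ == "__main__":
    # Constructed stand-ins, not real certificates.
    store = {"signer": b"constructed DER for signing cert",
             "other": b"constructed DER for another cert"}
    configured = certificate_thumbprint(store["signer"]).upper()
    # A pasted value with the hidden U+200E prefix still resolves.
    print(find_certificate("\u200e" + configured, store) is not None)
    if find_certificate(certificate_thumbprint(b"not in store"), store) is None:
        print("Certificate not found in store.")
```

When the service logs "Certificate not found in store.", run the configured value through a check like `normalize_thumbprint` first: a hidden character, a truncated paste, or the thumbprint of an older certificate with the same Common Name are the usual causes.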
TSA
The URL of the trusted TSA from which you acquire a timestamp.
Applying a time stamp requires an online connection to the time server, so the firewall must allow outbound access to the TSA URL.
If a web proxy is used, ensure that it passes requests and responses with the following MIME types through unmodified:
- application/timestamp-query
- application/timestamp-reply
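To make the firewall and proxy requirement concrete, here is an added example (not Pdftools code) of what crosses that boundary: an RFC 3161 TimeStampReq built offline, the headers it is posted with, and a check of the reply's content type, which is where a filtering proxy usually first shows up. The document bytes are constructed, the TSA URL is a placeholder, and SHA-256 is assumed for the message imprint; the page does not state which digest the service uses.

```python
"""Build an RFC 3161 TimeStampReq offline and show the MIME types the TSA
exchange uses. Added example; not Pdftools code. No network access is made."""
import hashlib
import secrets

# SHA-256 OID 2.16.840.1.101.3.4.2.1, already DER-encoded (tag 0x06). Assumed
# digest algorithm; the service's actual choice is not stated on the page.
SHA256_OID = bytes.fromhex("0609608648016503040201")
TSA_QUERY_MIME = "application/timestamp-query"
TSA_REPLY_MIME = "application/timestamp-reply"


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def build_timestamp_request(message: bytes, nonce: int) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce,
    certReq TRUE }. certReq asks the TSA to include its certificate, which a
    PAdES-B-T/LT signature needs for later validation."""
    algorithm = _der(0x30, SHA256_OID + b"\x05\x00")      # AlgorithmIdentifier
    digest = _der(0x04, hashlib.sha256(message).digest())
    imprint = _der(0x30, algorithm + digest)
    return _der(0x30, _der_int(1) + imprint + _der_int(nonce) + _der(0x01, b"\xff"))


def _tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_timestamp_request(der: bytes) -> dict:
    """Parse the request back so it can be inspected before it is sent."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _, version, p = _tlv(body)
    _, imprint, p = _tlv(body, p)
    _, nonce, p = _tlv(body, p)
    _, cert_req, _ = _tlv(body, p)
    _, alg, q = _tlv(imprint)
    _, digest, _ = _tlv(imprint, q)
    _, oid, _ = _tlv(alg)
    return {"version": int.from_bytes(version, "big"), "hash_oid": oid,
            "digest": digest, "nonce": int.from_bytes(nonce, "big"),
            "cert_req": cert_req == b"\xff"}


def tsa_http_headers() -> dict:
    """Headers for the POST to the TSA URL; a proxy must pass both MIME types."""
    return {"Content-Type": TSA_QUERY_MIME, "Accept": TSA_REPLY_MIME}


def reply_content_type_ok(headers: dict) -> bool:
    """A proxy that blocks or rewrites the reply (login page, error HTML)
    shows up as a wrong Content-Type before the DER even gets parsed."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == TSA_REPLY_MIME


if __name__ == "__main__":
    req = build_timestamp_request(b"constructed signature bytes", secrets.randbits(64))
    print(decode_timestamp_request(req))
    # Sending it (network needed, placeholder URL), e.g. with urllib:
    # urllib.request.Request("https://tsa.example/tsr", data=req,
    #                        headers=tsa_http_headers(), method="POST")
```

If the reply's Content-Type is not application/timestamp-reply, the proxy is the first thing to check; only once the MIME types pass cleanly is it worth debugging the timestamp token itself.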
Add Revocation Information
Whether to add revocation information (OCSP, CRL) to the document time-stamp signature, for example to create a signature with Long Term Validation (LTV) enabled.
Signature-level
The signature level is a general setting for every signature provider. Review Signature level for more information.
Provider settings
Library
The path to the PKCS#11 driver library (DLL). PKCS#11 is a standard interface offered by most cryptographic devices such as HSMs, USB tokens, or sometimes even soft stores (for example openCryptoki).
Slot ID
The ID of the slot that contains the signing certificate and its private key. If the slot ID is not defined, the first slot that contains a running token is used.
Pin
The PIN (password) required to access the private key.
If it is not defined, the PIN is entered on the token's own PIN pad instead. If the token does not support this, the following error message is raised when signing: "Private key not available." Because a configured PIN is stored in the service configuration, restrict read access to that configuration to the service account.