On this dialog page you can select a signature level and a signature key you want to use to sign files electronically.
In this dialog section you can select the signature level, which you want to use for signing your files.
Note: The selected signature level is displayed again on the last dialog page "Sign". Please check your selected setting again on this page.
The following selection is available:
· All: This selection has no restrictions; even keys can be used that were originally created for authentication or encryption.
· Advanced: This selection allows selecting software keys from the file system. In addition, keys can be selected from a signature card. However, the section "Key selection" only displays keys from the signature card that are not suited for qualified signatures.
· Qualified: This option greys out the selection of software keys from the file system. You must select a key from a signature card that must be available in a connected card reader. Please note that qualified signatures are legally equivalent to your genuine manual signature.
In this dialog section you can select where you want to obtain the key from, for creating the signature. The following chapters explain the options in this dialog section.
Please note that you can only create advanced signatures with a key from a file. You must therefore select the "Advanced" option in the "Signature Level" dialog section, see above. If the "Qualified" signature level is selected, the "Load key from file" option is greyed out.
If you want to load a key from a file, click this icon and navigate to the location in the file system where this key is stored. A keystore must be loaded whose file name ends with the suffix p12 or pfx. A keystore contains a software certificate and the required key pair for asymmetric encryption. Please also read chapter 9.4 about asymmetric encryption. Please note that in case of software certificates, the authenticity of the signer can only be proven if a trust centre has issued the software certificate and you have provided identification documents for the issuance. When loading the keystore file, you will be asked for the PIN for the keystore. Note the order:
· Determine signature level: set the signature level to "Advanced".
· Load key from file: Select a keystore and enter the PIN.
· Select key: If one or more keys are found in the keystore that are suitable for creating a signature, they will be displayed here. If the keystore does not contain any keys that are suitable for signing, an error message is displayed. Select the key you want to use for signing by clicking on it.
The following figure shows the selection dialog with an example keystore.
Figure 39: Selection for signing with a signature key from a file
Characteristics for key selection from a file
· Signature level: When signing with a key from a file, the signature level is "Advanced". In the "Signature level" dialog section, see chapter 6.4.4.1, "Advanced" must be selected, otherwise the button for selecting a key from a file is greyed out.
· Restrictions: You can pass a file or a batch of files to sign with a key from a file. A batch may not contain more than 500 files. The PIN for the key from a file must be specified only once when selecting the keystore file. After that, any number of files can be signed with this key, without further PIN entry.
· Duration of key selection: The key from a file remains effective as the selected key until either another key has been selected or DATA Boreum has been restarted.
This option is only displayed if a card reader is connected and a signature card is inserted. Below the symbol, the card reader's name is displayed as recognised by Governikus DATA Boreum. You can connect up to 10 card readers. If you want to connect more card readers, please read the document about system requirements. Usually you can create qualified electronic signatures with a signature card.
· Determine signature level: Signature cards are usually used to create qualified electronic signatures. Often, keys for advanced signatures are also still present on the signature card. Therefore, please make sure that you set the signature level to "Qualified" if you want to create qualified electronic signatures. This is the only way to display only those keys that are suitable for qualified electronic signatures.
· Smart card reader connected and signature card inserted: The key selection for the signature card is only displayed if a smart card reader is connected and a signature card is inserted.
· Select key: The keys on the signature card that are suitable for creating a qualified electronic signature are displayed. Select the key you want to use for signing by clicking on it.
The following figure shows the selection dialog with an example.
Figure 40: Selection for signing with a signature card
Characteristics for the key selection from a signature card
· Signature level: The signature level depends on the selection of the signature level in the dialog section above the key selection, see chapter 6.4.4.1.
- If you have selected the "Advanced" signature level, only signature certificates for advanced electronic signatures that are stored and valid on the signature card will be displayed.
- If you have selected the "Qualified" signature level, only the signature certificates for qualified electronic signatures that are stored and valid on the signature card are displayed.
· Restrictions: You can submit one file or a batch of files for signing with the signature card. A batch cannot contain more than 500 files.
- If you use a signature card for single signatures, you must specify the PIN for each file to be signed.
- If you are using a multi-signature card, you must specify the PIN only once for each batch that is passed.
· Duration of key selection: The signature card remains effective as the selected key until either another key is selected or DATA Boreum is restarted.
Important note
Attention:
· Disconnecting card reader: Do not disconnect a card reader from the computer as long as the program is running. Exit the program before disconnecting a card reader.
· Removing signature card: Do not remove the signature card from the card reader during the signing process. Wait until the program has finished the signing process.
Signing with contactless signature cards
If you are using a contactless signature card together with an appropriate card reader, you have to enter the card access number (CAN) first. The six-digit CAN is printed on the signature card.
Reread signature card
Attention: Please read the following section if a signature card is no longer readable by Governikus DATA Boreum.
If a signature card is used by a signature application component of another vendor while Governikus DATA Boreum is running, it may happen that Governikus DATA Boreum can no longer read the signature card. This is because the signature application component of the other vendor is blocking the card.
If you want to continue using the signature card with Governikus DATA Boreum please proceed as follows:
· It is imperative to end the signature application component of the other vendor.
· Withdraw the signature card from the card reader and insert it again, or
· Click on the "Reset" button in the dialog section "Connected card readers".
The signature card is reread and afterwards you can again select keys from the signature card. The card reader however that holds the signature card is not affected by this action and operates as it did before.
Note: If you have selected the option "Yes, the remote signature service should be used." in the "Settings" in the "BNotK" tab, the option to sign with a signature card is not displayed in "Storage location of key".
If the Sign Service has been configured, the selection "DATA Deneb Sign Service" can be selected here. You have usually received the login data required here together with the configuration data you entered in the "Governikus" tab in the settings, see chapter 5.4.
If you have selected the "DATA Deneb Sign Service" by clicking on it, the login dialog for the authentication service will be displayed, see next figure.
Figure 41: Selection for signing with the DATA Deneb Sign Service
DATA Boreum uses the login data to connect to the authentication service. Then the authentication service passes the request to DATA Deneb's Sign Service. DATA Deneb returns the keys for which you are authorized and DATA Boreum displays them. You can select the key you want to use for signing by clicking on it.
Features for DATA Deneb signature service key selection.
· Determine signature level: The signature level depends on the selection of the signature level in the dialog section above the key selection, see chapter 6.4.4.1 and on the available key material. DATA Deneb can access card readers with multi-signature cards and software keys (keystores) for signing. The keys for which you are authorized are stored in the authentication server. Only these are displayed for you to select. You can be authorized for one or more keys.
- If you have selected the "Advanced" signature level, only keys from keystores for which you are authorized are offered for selection.
- If you have selected the signature level "Qualified", only signature certificates for qualified electronic signatures stored on multi-signature cards for which you are authorized are displayed for you to select.
· Restrictions: You can submit one file or a batch of files for signing. A batch cannot contain more than 500 files.
· Duration of key selection: DATA Boreum stores login data in temporary memory (cache). This data is valid as long as DATA Boreum is not terminated. If you exit DATA Boreum and call it up again, you will have to enter this login data again.
BNotK is the abbreviation for Bundesnotarkammer (Federal Chamber of Notaries). In order for the BNotK remote signature service to be displayed in the "Storage location of key" dialog section, the "Yes, the remote signature service should be used." option must first be selected in the "Settings" in the "BNotK" tab, see chapter 5.5.
Figure 42: Selection for signing with the BNotK remote Signature Service
To use the BNotK's remote signature service, you need an authentication card, the corresponding PIN and a chip card reader. Insert the BNotK authentication card into the chip card reader and enter the PIN. The name of the key that you can use for remote signatures is displayed.
Features for the key selection of the BNotK remote signature service
· Signature level: Signatures using the BNotK remote signature service are qualified electronic signatures.
· Restrictions: You can submit a file or a batch of files to the BNotK remote signature service for signing. A batch may not contain more than 100 files.
· Duration of authentication: Authentication by entering the PIN creates a session that is valid for up to one hour. This means that several signature processes can be performed in succession. After the validity has expired, the BNotK remote signature service must be selected again as the key and the PIN has to be entered again.
Note: If you have selected to use the BNotK remote signature service, a button that may have been displayed previously for selecting a smart card reader with signature card will no longer be displayed.
After selecting the signature unit, the available keys are listed by their corresponding certificates. A keystore or signature card may contain several keys. If so, you must select exactly one key from the list.
· : The displayed key belongs to a certificate that you can display by clicking on this magnifier symbol. You can either:
- End the certificate display with the OK button or
- Save it as a file with the save button.
- Use the certificate symbol button to execute an online validation of the certificate. The inspection sheet is displayed in a separate window.
If you select a signature card or a keystore that only contains invalid certificates (validity period expired) you cannot select one of these certificates. You can only use certificates for creating a signature that are valid at the time of the signature creation.
Special case: If you select a signature card or a keystore that contains both valid and invalid certificates, you can select any of these certificates. However, if you select an invalid certificate here, it is rejected when the signing process is executed.
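A pre-check for the keystore rules described above (a file ending in p12 or pfx, a key suitable for signing, a certificate that is valid at signing time), as an added example that is not part of the Governikus documentation or product. It assumes the OpenSSL command-line tool, approximates "suitable for signing" by the keyUsage bits digitalSignature or nonRepudiation, and uses the hypothetical names check_keystore, make_sample_keystore and P12_PASS.

```shell
#!/bin/sh
# Added example: pre-check a PKCS#12 keystore before loading it for signing.
# Assumption: "suitable for signing" = keyUsage contains Digital Signature or
# Non Repudiation. The application's own selection rule may differ.
# The keystore PIN is read from the environment variable P12_PASS so that it
# does not appear in the process argument list.

# check_keystore FILE [SECONDS_AHEAD]
# Inspects the first end-entity certificate in the keystore.
# Returns 0 = usable, 2 = wrong suffix / cannot open (e.g. wrong PIN),
#         3 = no signing key usage, 4 = certificate expired at the checked time.
check_keystore() {
    ks=$1
    ahead=${2:-0}          # 0 = now; larger values check a future signing time
    case "$ks" in
        *.p12|*.pfx) ;;
        *) return 2 ;;
    esac
    cert=$(openssl pkcs12 -in "$ks" -nokeys -clcerts \
               -passin env:P12_PASS 2>/dev/null) || return 2
    [ -n "$cert" ] || return 2
    text=$(printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -Eq 'Digital Signature|Non Repudiation' || return 3
    # -checkend N exits non-zero if the certificate expires within N seconds.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$ahead" >/dev/null 2>&1 \
        || return 4
    return 0
}

# make_sample_keystore DIR NAME KEYUSAGE
# Builds a constructed, self-signed keystore that is valid for one day.
make_sample_keystore() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Signer" -addext "keyUsage=$3" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout env:P12_PASS -out "$d/$2" 2>/dev/null
}

# Usage: P12_PASS=... check_keystore /path/to/keystore.p12; echo "result: $?"
```

Passing a number of seconds as the second argument checks whether the certificate will still be valid at a later signing time, for example before starting a long batch.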
As explained in chapter 6.3 you can save the settings on this page as default. If you use the navigation arrows in the lower right area of the dialog in later signing calls, this dialog is omitted. However, the default is ignored in case the saved key is no longer available.
Attention: Only qualified electronic signatures are the same as your legally binding, personal, handwritten signature. As of now these electronic signatures can only be created with signature cards that are issued by an accredited certification authority according to the German Digital Signature Act.
Shortcuts on this page
· Alt + c = Display selected certificate