The public key generated in the DL Signer card is placed in the body of the request when the certificate signing request (hereinafter CSR) is created. The request is signed in the card itself with the corresponding private key, which never leaves the card and cannot be read in any way after the key pair is generated.
Next, the CSR is sent to the certification body, which creates and signs an X.509 certificate based on it. This end-entity certificate is placed in the DL Signer card together with the other certificates from the chain of trust, and the card is then ready to digitally sign data and documents. The user can send the CSR to any certification body whose services they wish to use. Digital Logic has provided a mechanism for issuing end-entity certificates for the purpose of testing the system.
One of the basic characteristics of the end-entity certificate is that the private key, which is paired with the public key that such certificates contain, must not be used to sign other certificates.
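The CSR flow and the end-entity restriction described above can be reproduced with Go's standard `crypto/x509` package. This is an added example, not Digital Logic's code: the names `must`, `issue` and `Demo`, the constructed test CA, and the software-generated ECDSA key standing in for the on-card key are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for pub with signer; a nil parent means self-signed.
func issue(cn string, ku x509.KeyUsage, pub any, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// Demo reports: CSR signature valid, end-entity chain valid, chain through the end-entity key valid.
func Demo() (csrOK, eeOK, rogueOK bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, cardKey, otherKey := newKey(), newKey(), newKey() // cardKey: software stand-in for the on-card key
	ca := issue("Constructed Test CA", x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey)
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "card holder"}}, cardKey)))) // CSR signed by the card key
	// ee: issued from the CSR with CA:FALSE and no keyCertSign. rogue: signed with the end-entity key.
	ee := issue("card holder", x509.KeyUsageDigitalSignature, csr.PublicKey, ca, caKey)
	rogue := issue("signed by end-entity key", x509.KeyUsageDigitalSignature, &otherKey.PublicKey, ee, cardKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(ca)
	opts.Intermediates.AddCert(ee)
	_, eeErr := ee.Verify(opts)
	_, rogueErr := rogue.Verify(opts)
	return csr.CheckSignature() == nil, eeErr == nil, rogueErr == nil
}

func main() { fmt.Println(Demo()) }
```

The third result is false because path validation refuses an issuer whose basic constraints say it is not a CA, even though the signature made with the end-entity key is mathematically valid.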
The Windows software that initiates the generation of cryptographic key pairs, generates CSRs, manages the PIN and PUK codes of the DL Signer cards, manipulates the contents of the X.509 certificates, and signs data and files is distributed as “ufr-signer”.
“Signature-verifier” is a Windows application that validates RSA and ECDSA digital signatures.
Digital signing and validation of signatures can also be done from the Adobe Acrobat Reader DC application using the ufr-pkcs11 module that we developed for this purpose. Our PKCS#11 module can also be used with Mozilla’s popular e-mail client and web browser, as well as with other software tools that are compatible with the PKCS#11 specification.
We also provided web services for online checking of X.509 certificates and signed PDF files.