1. Introduction

This manual is a guide to completing the installation of the Bit4id Kit for working with cryptographic cards, and to accessing the management application. The Bit4id Kit consists of the following components:

  • Bit4id Middleware: libraries that allow any operating system application to work with cryptographic cards.
  • PKIManager-aoc: card management application that lets you perform operations such as changing the PIN or PUK, unlocking the PIN, obtaining information about the card, importing or exporting certificates, etc.

This manual walks you step by step through installing and using the Bit4id Kit.

1.1. Who is this document addressed to?

End users who will use chip cards in MacOS environments.

2. Before you start

Make sure you have:

  • A standard PC/SC-compatible card reader that is properly connected, installed and configured. Follow the instructions provided by the reader manufacturer to verify correct installation and operation.
  • The latest version of the Bit4id Kit. Download link for the latest version: https://cdn.bit4id.com/es/AOC/middleware/Bit4id_AOC_Middleware.dmg
  • To perform the installation you must have Administrator permissions. Without them, the installation will be denied.

3. Installation

If necessary, download and install the drivers so that your computer can recognize the reader you have purchased. To do this, go to the official website of the reader manufacturer.

Follow the instructions provided by the reader manufacturer to verify its correct installation and operation.

If you have purchased a bit4id reader and your Mac OS version has the PC/SC drivers installed by default, you will not need to download any drivers. Otherwise, download and install the reader drivers:

- Processors with Intel chip: https://cdn.bit4id.com/es/AOC/drivers/Bit4id_drivers_MacOS.zip

- Processors with Apple chip: https://cdn.bit4id.com/es/AOC/drivers/Bit4id_drivers_MacOS.zip

3.1. PKI Manager Installation Wizard

  1. Go to the folder where you downloaded the file and run it.
  2. Follow the steps of the installer.

Application installer

Accept terms

Accept terms

Installation in progress

Application installed

  1. Once the PKI Manager installation is complete, restart your computer.
  2. Once the restart is complete, open the application.

    Bit4id app on the Desktop

    This is how it looks without any devices connected:

    Image with no device connected

  3. With the application open, connect the reader to a USB port and then insert the card. You can also do this by connecting the token to a USB port.

PKI Manager with card connected

4. Problems during installation

You may have previous versions of the card management application (Bit4id PKI Manager) installed on your computer, in which case you will be asked to remove them before running the installer. Remove these versions and run the installer again.

How to uninstall a previous version of PKI Manager?

  1. Open Finder
  2. Go to the Applications folder.
  3. Select the app to uninstall with one click
  4. Go to File in the menu bar at the top of the screen
  5. Click: Move to Trash

5. Firefox configuration

ATTENTION: if you are using Mac OS Big Sur or later you can skip this step, because in the new versions the libbit4xpki.dylib library is already incorporated into the system. If the certificates are not recognized, continue.

To use the certificates contained in the smart card in the Mozilla Firefox browser, the Bit4id Universal Middleware libraries must be added manually.

Automatic registration of security devices in Firefox has been disabled since version 3.5 as a security measure.

  1. Open Mozilla Firefox and go to the menu → Preferences

Firefox Options

  1. In the Privacy & Security section, find the Certificates section and click Security Devices

Firefox Privacy

  1. The Device Manager will open. Click Load

Loading the cryptographic module in Firefox

  1. When this window opens, you need to locate the PKCS#11 device driver. Click Browse… to search for it on your computer.

PKCS#11 module window

In the previous window, the following data must be entered:

  • Module Name: Bit4id Universal Middleware
  • Module filename: /Applications/PKIManager-bit4id.app/Contents/Resources/etc/libbit4xpki.dylib

PKCS#11 module window

Then click Accept. The module will be installed and the Firefox configuration will be complete.

Module OK

6. Adobe Reader configuration

ATTENTION: if you are using Mac OS Big Sur or later, you can skip this step, because in the new versions the libbit4xpki.dylib library is already incorporated into the system. If the certificates are not recognized, continue.

To sign with the certificates contained in the smart card in Adobe Reader, the Bit4id Universal Middleware libraries must be added manually.

  1. Open a PDF document with Adobe Reader. Then go to Tools → Certificates

Tools - Certificates

  1. Select the Digitally Sign option

Sign digitally

  1. A pop-up window will open. Click "Set up digital ID"

Set up ID

  1. Select the first option ("Use a signature creation device") and click Continue

Digital ID

  1. Click "Manage Digital ID"

Manage Digital ID

  1. A pop-up window will open. In the left-hand menu, make sure "PKCS#11 Modules and Tokens" is selected. Click "Attach Module"

Attach module

  1. Another pop-up window will open, asking you to enter the path of the PKCS#11 library.
  • Library Path: /Applications/PKIManager-bit4id.app/Contents/Resources/etc/libbit4xpki.dylib

PKCS#11 library

  1. Verify that the bit4id PKCS#11 module has been created. Then restart Adobe Reader.

Module OK

  1. Open Adobe Reader and perform steps 1 and 2 again. It will show the available certificates for the cryptographic device you have connected.
    Certificate list
  2. Select the desired certificate and click Continue
  3. Enter the PIN and click Sign

Certificate list
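Sections 5 and 6 both point Firefox and Adobe Reader at the same PKCS#11 library, and the FAQ below notes that the PIN locks after three wrong entries. The following script is an added example, not code from the Bit4id manual or from Bit4id: it loads a PKCS#11 module with ctypes, calls the standard C_GetFunctionList / C_Initialize / C_GetSlotList / C_GetSlotInfo / C_GetTokenInfo entry points, and reports each reader, whether a card is present, and the token's PIN-state flags (count low, final try, locked) so you can confirm the middleware works before registering it in an application, and see whether a PIN is already blocked before entering it. The default path is the one given in the manual; the helper names (probe_module, ck_str, decode_pin_flags) and the assumption that the module uses the natural struct alignment of a macOS or Linux build are mine.

```python
"""Smoke test for a PKCS#11 module such as libbit4xpki.dylib (added example).

Only the first entries of CK_FUNCTION_LIST are declared, because only those
are called; their order and the struct layouts follow the PKCS#11 v2 headers.
Assumes the natural alignment used by macOS/Linux builds (Windows packs).
"""
import ctypes
import sys

# Library path as given in the Bit4id manual (Firefox / Adobe Reader sections).
DEFAULT_MODULE = "/Applications/PKIManager-bit4id.app/Contents/Resources/etc/libbit4xpki.dylib"

CK_ULONG = ctypes.c_ulong
CKR_OK = 0
CKF_TOKEN_PRESENT = 0x00000001        # CK_SLOT_INFO.flags
PIN_FLAGS = (                         # CK_TOKEN_INFO.flags, in ascending bit order
    (0x00010000, "USER_PIN_COUNT_LOW"),
    (0x00020000, "USER_PIN_FINAL_TRY"),
    (0x00040000, "USER_PIN_LOCKED"),
)


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_SLOT_INFO(ctypes.Structure):
    _fields_ = [("slotDescription", ctypes.c_char * 64), ("manufacturerID", ctypes.c_char * 32),
                ("flags", CK_ULONG), ("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION)]


class CK_TOKEN_INFO(ctypes.Structure):
    _fields_ = ([("label", ctypes.c_char * 32), ("manufacturerID", ctypes.c_char * 32),
                 ("model", ctypes.c_char * 16), ("serialNumber", ctypes.c_char * 16), ("flags", CK_ULONG)]
                + [(n, CK_ULONG) for n in ("ulMaxSessionCount", "ulSessionCount", "ulMaxRwSessionCount",
                                           "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen",
                                           "ulTotalPublicMemory", "ulFreePublicMemory",
                                           "ulTotalPrivateMemory", "ulFreePrivateMemory")]
                + [("hardwareVersion", CK_VERSION), ("firmwareVersion", CK_VERSION), ("utcTime", ctypes.c_char * 16)])


VOID_P = ctypes.c_void_p
C_Init_t = ctypes.CFUNCTYPE(CK_ULONG, VOID_P)
C_GetSlotList_t = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_ubyte, ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG))
C_GetSlotInfo_t = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, ctypes.POINTER(CK_SLOT_INFO))
C_GetTokenInfo_t = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, ctypes.POINTER(CK_TOKEN_INFO))


class CK_FUNCTION_LIST(ctypes.Structure):
    # Prefix of the real struct: entries in the order fixed by pkcs11f.h.
    _fields_ = [("version", CK_VERSION), ("C_Initialize", C_Init_t), ("C_Finalize", C_Init_t),
                ("C_GetInfo", VOID_P), ("C_GetFunctionList", VOID_P), ("C_GetSlotList", C_GetSlotList_t),
                ("C_GetSlotInfo", C_GetSlotInfo_t), ("C_GetTokenInfo", C_GetTokenInfo_t)]


def ck_str(raw: bytes) -> str:
    """PKCS#11 text fields are blank-padded, not NUL-terminated."""
    return raw.decode("ascii", "replace").rstrip(" \x00")


def decode_pin_flags(flags: int) -> list:
    """Names of the user-PIN state bits set in CK_TOKEN_INFO.flags."""
    return [name for bit, name in PIN_FLAGS if flags & bit]


def probe_module(path: str = DEFAULT_MODULE) -> dict:
    """Load the module and list slots; returns {'ok', 'error', 'slots'}."""
    try:
        lib = ctypes.CDLL(path)
        get_fl = lib.C_GetFunctionList
    except (OSError, AttributeError) as exc:
        return {"ok": False, "error": f"cannot load PKCS#11 module: {exc}", "slots": []}
    get_fl.restype, get_fl.argtypes = CK_ULONG, [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_fl(ctypes.byref(fl_ptr))
    if rv != CKR_OK:
        return {"ok": False, "error": f"C_GetFunctionList returned 0x{rv:x}", "slots": []}
    fl = fl_ptr.contents
    rv = fl.C_Initialize(None)
    if rv != CKR_OK:
        return {"ok": False, "error": f"C_Initialize returned 0x{rv:x}", "slots": []}
    try:
        count = CK_ULONG(0)
        rv = fl.C_GetSlotList(0, None, ctypes.byref(count))      # 0 = list empty readers too
        if rv != CKR_OK:
            return {"ok": False, "error": f"C_GetSlotList returned 0x{rv:x}", "slots": []}
        slots = (CK_ULONG * max(count.value, 1))()
        fl.C_GetSlotList(0, slots, ctypes.byref(count))
        report = []
        for slot_id in slots[:count.value]:
            sinfo = CK_SLOT_INFO()
            if fl.C_GetSlotInfo(slot_id, ctypes.byref(sinfo)) != CKR_OK:
                continue
            entry = {"slot": slot_id, "reader": ck_str(sinfo.slotDescription), "token": None}
            if sinfo.flags & CKF_TOKEN_PRESENT:
                tinfo = CK_TOKEN_INFO()
                if fl.C_GetTokenInfo(slot_id, ctypes.byref(tinfo)) == CKR_OK:
                    entry["token"] = {"label": ck_str(tinfo.label), "model": ck_str(tinfo.model),
                                      "serial": ck_str(tinfo.serialNumber),
                                      "pin_state": decode_pin_flags(tinfo.flags) or ["OK"]}
            report.append(entry)
        return {"ok": True, "error": None, "slots": report}
    finally:
        fl.C_Finalize(None)


if __name__ == "__main__":
    result = probe_module(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_MODULE)
    if not result["ok"]:
        sys.exit(f"module check failed: {result['error']}")
    for e in result["slots"]:
        print(f"slot {e['slot']}: {e['reader']!r} -> {e['token'] or 'no card inserted'}")
```

Run it with no argument to test the path from the manual, or pass another module path as the first argument. A reader that shows up with "no card inserted" confirms the PC/SC layer and the module itself, which separates a driver problem (section 3) from an application-configuration problem (sections 5 and 6); a token reporting USER_PIN_LOCKED explains a rejected PIN and points to the Unlock PIN procedure in section 7.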

7. Functionalities

The Bit4id PKI Manager application offers multiple functionalities from the main screen.

IMPORTANT: Bit4id PKI Manager starts by default in the user version. To have all its features, switch to the administrator version with the keyboard shortcut Command+A.

PKI Manager main window

7.1. Functionality tables

Basic functionalities:

Screenshot of the basic functionalities

Basic functionality table

Function              Description
Unlock PIN            Function to unlock the card PIN.
Change PIN            Function to change the card PIN.
Change PUK            Function to change the card PUK.
Login/Logout          Function to log in to or out of the card.
Device information    Tab showing the description of the connected device and the card.
Certificates          Tab showing the user certificates and the CA certificates loaded on the card.

To access the extra features, click:

Click

Extra features:

Screenshot of the extra features

Table of extra features

Function              Description
Login/Logout          Log in to or out of the card content.
Refresh               Update the token/card content to see new certificates.
Change device name    Define the name under which the device appears.
Change PIN            Function to change the card PIN.
Unlock PIN            Function to unblock the card PIN using its PUK.
Change PUK            Function to change the card PUK.
Import certificate    Function to import a certificate onto your card.
Erase device          Function to delete ALL certificates and keys from the card/token.

  • Login

To access any functionality offered by the software, you must enter the card PIN.

Log in

  • Change PIN

To change your PIN, enter your card PIN and the new PIN. The new PIN must be between 4 and 8 alphanumeric characters.

Change PIN

  • Unlock PIN

To unblock the PIN, enter the card's PUK and the new PIN. The new PIN must be between 4 and 8 alphanumeric characters.

Unlock PIN

  • Change PUK

Enter the card's old PUK and the new PUK. The new PUK must be between 4 and 8 alphanumeric characters.

Change PUK

  • Import

This option allows certificates to be imported onto the card. The formats accepted for import are .p12 or .pfx, since these formats include the certificate's private key, which is essential for performing cryptographic operations.

To start the import, first select the certificate from its location, as shown in the following image:

Select certificate

Once the certificate is selected, press "Open":

The system will ask you for the password of the PFX or P12 file (certificate and its private key) that you want to import, which contains your certificate and key pair. Enter it and complete the import options as you prefer, where:

Certificate password

– Import certificates without associated key pair: imports the entire certification hierarchy included in the PFX or P12 file. It is recommended that you DO NOT CHECK this option.

– Define CKA_ID from PKCS#11: identifier that certain applications use when displaying the certificate. It is recommended to enter a useful identifying value, for example pedro_signature, pedro_access, pedro_encryption, etc.

And the certificate import will be complete:

Import OK

To check that the certificate has been saved correctly, remember that you can review all the certificates stored on the card through the "View" option of Bit4id PKI Manager.

  • Certificate details

Once the card PIN is entered, you can see the certificates it contains. In the pop-up window displayed by the application, you can see information

Certificate info

  • Card information

It offers detailed information about the card: model, serial number, manufacturer label.
Support (soporte@bit4id.com) may request this information to know the type of card you are using.

Card info

8. Frequently asked questions

Can I combine numbers and letters in the card PIN?
Yes, there is no problem, as long as the new PIN is between 4 and 8 characters.

Is there a maximum number of PIN attempts if I am unsure and do not remember my PIN? When does the card get blocked?
If the PIN is entered incorrectly more than 3 times, it is blocked. Follow the steps to unblock the PIN described in the previous section.

Is there a maximum number of PUK attempts when trying to unblock the PIN? What happens if the card is blocked?
If the PUK is entered incorrectly more than 3 times, it is blocked. For security reasons, the card is then completely blocked.

9. Glossary

Certification Authority: the trusted entity responsible for issuing and revoking the electronic certificates used in electronic signatures. The Certification Authority, by itself or through a Registration Authority, verifies the identity of the certificate applicant before issuance or, in the case of certificates issued in a revoked state, lifts the revocation of the certificates after checking this identity.

Expiration of the digital certificate: the digital certificate has a validity period that is stated in the certificate itself. It is generally 2 years, although the law allows a validity of up to 5 years. Once the certificate has expired, the services offered by the Administration that require an electronic signature cannot be used, and any electronic signature made from that moment on will not be valid.

Digital certificate: document on computer media issued and signed by the Certification Authority, which guarantees the identity of its owner.

Recognized certificate: certificate issued by a Certification Service Provider that meets the requirements established in the Law regarding verification of the identity and other circumstances of the applicants, and the reliability and guarantees of the certification services they provide, in accordance with Chapter II of Title II of Law 59/2003, of 19 December, on Electronic Signatures.

Electronic signature: set of data, in electronic form, attached to or functionally associated with other electronic data, used as a means to formally identify the author or authors of the document that contains it. There are 3 types of electronic signature: simple, advanced and recognized.

Simple electronic signature: set of data, in electronic form, attached to other data.

Advanced electronic signature: electronic signature that allows the signatory to be identified and any subsequent change to the signed data to be detected, which is uniquely linked to the signatory and to the data to which it refers, and which has been created by means that the signatory can keep under their exclusive control.

Recognized electronic signature: an advanced electronic signature based on a recognized certificate and generated by a secure signature creation device is considered a recognized electronic signature. The recognized electronic signature has the same value with respect to data recorded electronically as a handwritten signature has with respect to data recorded on paper.

Hash function: an operation performed on a data set of any size, so that the result is another data set of fixed size regardless of the original size, and which has the property of being uniquely associated with the initial data; that is, it is computationally infeasible to find two different messages that produce the same result when the hash function is applied.

Hash or fingerprint: fixed-size result obtained after applying a hash function to a message, which has the property of being uniquely associated with the initial data.

Integrity: the quality of a document or file that has not been altered, and which also allows verification that no manipulation of the original document has occurred.

Certificate Revocation Lists or Revoked Certificate Lists: list containing exclusively the revoked or suspended certificates (not the expired ones).

Non-repudiation: the sender who electronically signs a document cannot deny having sent the original message, since it is attributable to the sender through the private key that only they know and are obliged to keep safe. Non-repudiation also allows verification of who took part in a transaction.

Non-repudiation is a security service closely related to authentication that allows the participation of the parties in a communication to be proven. The essential difference from authentication is that authentication takes place between the parties establishing the communication, whereas the non-repudiation service is provided towards a third party.

Certification Service Provider or PSC: natural or legal person that issues electronic certificates or provides other services related to electronic signatures. See Certification Authority.

PIN: sequence of characters that allows access to the certificates. Personal Identification Number, sometimes called PIN.

PUK: sequence of characters that allows the PIN to be changed or unblocked. Personal Unblocking Key.

Renewal: renewal consists of requesting a new certificate using a valid certificate that is about to expire. In this way, before a certificate expires, renewal can be requested, which results in a new valid certificate being issued.

Revocation: definitive cancellation of a digital certificate at the request of the subscriber, or on the initiative of the Certification Authority in case of doubt about the security of the keys. Revocation is an irreversible state. The revocation of a certificate can be requested after a suspension, or by the will of the persons authorized to request it. Similarly, if the maximum suspension period of a suspended certificate has passed without the certificate being re-enabled, it becomes definitively revoked. When the certification entity revokes or suspends a certificate, it must record it in the Certificate Revocation Lists (CRL) to make this fact public. These lists are public and must always be available.

Smart card: any card with integrated circuits that allow the execution of certain programmed logic.