FAQ & Tips
Check our FAQ for problems and questions.

Frequently asked questions on the following topics
intarsys products
Partner products
General topics
intarsys products
General (install, license...)
In rare cases Sign Live! CC or Sign Live! cloud suite bridge does not start after the installation and an error message listing possible causes appears.
Practice has shown that the causes of error listed in the error message often do not lead to a solution to the problem. Another possible cause is that a required Microsoft Visual C++ runtime library is missing or outdated.
This runtime library is available in the Microsoft Visual C++ Redistributable package.
Please check the Windows settings under "Apps and Features" to see whether the current version of this software package is available on your computer.
At least the package labelled with the years 2015-2019, or a newer version, is required.
If this package is not available or is an older version, please update and then restart the intarsys application.
The current versions of the software package can be found at:
https://aka.ms/vs/17/release/vc_redist.x64.exe (for the 64 bit version of the application)
https://aka.ms/vs/17/release/vc_redist.x86.exe (for the 32 bit version of the application)
The standard configuration for the SLCC application log is stored under
\classes\config\logback.xml
The “FILE” appender is responsible for the SLCC application log.
So adjustments have to be made there.
To change the location/number/size of the log files to be created, change and/or .
You can find information on this under http://logback.qos.ch/manual/appenders.html.
To customize the layout of the log file, change this to suit your needs.
Information on the variables used in it can be found under
http://logback.qos.ch/manual/layouts.html
%p / %le / %level, for example, stand for the level designation.
When reinstalling Sign Live! CC or when changing computers, it can be helpful to adopt settings from an existing installation.
The settings of Sign Live! CC are stored in the profile directory of the application.
- (Windows client: C:\Users\\.SignLiveCC_.)
- (Windows server: C:\ProgramData\.SignLiveCC_.)
The following subdirectories can be adopted:
"preferences" (includes settings made via "Extras > Settings")
"instruments" (includes configurations of service containers, signature pools, timestamps, configurations for signIT gears, etc.)
"licenses" (may include the license)
"db" (should be adopted if your own certificates were imported into the certificate store of Sign Live! CC)
A quick guide to migration is available for download as a tutorial.
Variables are passed to Sign Live! CC at startup using the bin\SignLiveCC.exe.vmoptions file. They are defined and assigned a value with the "-Dproperty=value" option. Environment variables can also be specified as values.
Examples:
-Dmy.test=test
-Dmy.profile=${USERPROFILE}
These variables can be used, for example, when configuring Sign Live! CC via ${properties.my.test} or ${properties.my.profile}.
For more information on using the vmoptions file, see the user guide of exe4j, which is used to create the Sign Live! CC launchers for Windows.
If several Sign Live! CC Windows services are to be operated in parallel, a name must be specified when installing the service. To do this, customize the bin/SignLiveCC_service_install.bat file by specifying a name after the /install option.
Example:
……./install MySLCCService
The same name must be specified in the bat files for starting, stopping and uninstalling the Windows service.
Parameters for use in Sign Live! CC Windows services are passed using the "bin/SignLiveCC_service.exe.vmoptions" file. You can find more information on this here.
It may make sense to use your own JVM instead of the one delivered with Sign Live! CC.
For example, if you want to access the Sign Live! CC MBeans via JMX or debug the application remotely.
Follow these steps:
- Rename the directory of the JVM delivered with Sign Live! CC.
  Windows: C:\Programs\SignLiveCC_7.1\jre --> C:\Programs\SignLiveCC_7.1\jre_off
  Linux: /opt/intarsys/signlivecc-7.1.7/bin/jre --> /opt/intarsys/signlivecc-7.1.7/bin/jre_off
- Windows:
  Define the root directory of the JVM to be used via the Windows system settings in the system variable EXE4J_JAVA_HOME (without the trailing "\").
  If this does not lead to success, also define EXE4J_LOG=yes to get information about the behavior of EXE4J.
  During operation, a message box provides information about where the log is stored.
  Linux:
  Set $CABARET_JAVA_HOME to the root directory of the desired JVM
  (see also information in /opt/intarsys/signlivecc-7.1.7/bin/signlivecc.sh)
- Restart Sign Live! CC. You should now find the defined JVM in the log under java.home.
Important note
The JRE delivered with Sign Live! CC uses keystore.type=jks.
A separately installed JRE/JDK must be adjusted accordingly.
To do this, set keystore.type=jks in the file java.security of your Java installation.
When creating an installation medium for Windows, the software "InnoSetup" from "JRSoftware" is used.
Innosetup supports the "Silent Install" function. Installation parameters recorded once can be used in subsequent installations.
Example:
Create a file with your installation parameters by calling the following command line:
- setup_SignLive_CC_JRE_6.2.1_64Bit.exe /SAVEINF="c:\temp\install.inf"
Adjust the file if necessary and use the saved parameters via the call
- setup_SignLive_CC_JRE_6.2.1_64Bit.exe /SILENT /LOADINF="c:\temp\install.inf"
for further installations.
You can find more call parameters for Innosetup here
Note: If you have already installed the same version or a previous version of the application, or if you are installing a patch:
- Exit the application, preferably via the system tray (taskbar), if it is running.
- If you have configured the software as a Windows service, stop the Windows service.
How to install the software on a Microsoft Windows system:
- Download the installation file with the extension ".exe".
- Run the downloaded setup file (double click).
- Start the installed application if it does not start automatically.
- Licensing is required to be able to use the software to its full extent.
You will find step-by-step instructions for downloading the software, installation and licensing here.
How to install the software on a Linux system:
- Download the file with the extension ".tar.gz".
- If you have already installed the application in a previous version or if you are installing a patch:
  - Quit the application if it has started.
  - If you have configured the software as a Linux service, stop the Linux service.
- Unzip the downloaded file as follows, using the file name of the downloaded file plus the version number as the name for the installation directory:
  tar -xf signlivecc_*.tar.gz -C /var/signlivecc-7.1.11/
- Check your installation.
- Start the installed application.
Note: You should also unzip an update into a new directory in order to avoid mixing the contents of different versions in one installation. Specific adjustments must be carried out again or adopted after the installation.
Note: Depending on the product, the file name of the downloaded file is different. The example in point 3 uses the product 'Sign Live! CC'.
To install the software on an Apple MacOS system:
- Download the file with the extension ".dmg".
- If you have already installed the same version or a previous version of the application: Quit the application, if it is started.
- After double-clicking on the DMG file (the disk image), a virtual drive appears in the finder.
- Drag the application icon into the application directory.
- Check your installation.
- Start the installed application.
To install a patch to an existing version:
- Download the file with the extension ".dmg".
- Please make sure that the application "Sign Live! CC" was started and closed once before installing the patch, or exit the application if it is running.
- After double-clicking on the disk image, the Sign Live! CC Patcher app appears.
- Run the Sign Live! CC Patcher app by double-clicking it.
- Check the version number displayed and confirm that you want to apply the patch.
- Choose the appropriate installation directory of Sign Live! CC and start the installation.
- After installing the patch, a success message appears.
- Check your installation.
- Start the installed application.
For step-by-step instructions on downloading the software, installation and product activation, visit our Tutorials.
A font copied into the fonts directory is not displayed in an intarsys product and cannot be used. What should I do?
Our products read the fonts from the standard directory. On Windows this is C:\Windows\Fonts. In the user view of this directory, not only the fonts from this directory are displayed, but also the fonts from the user directory. This can only be seen when the properties of a font are displayed.
If you copy a font into the directory C:\Windows\Fonts, it is displayed there, but is in fact stored in the user directory. Our software does not access the user directory by default, so the font is not available even though you see it in the supposedly correct place.
Solution:
- Install the font instead of copying it. To do this, use the context menu (right mouse button) and choose "Install for everyone". This puts the font in the correct directory.
Sign Live! CC
The current information about the operating systems and the tested hardware (e.g. signature cards and card readers) can always be found in the current data sheet. Thin client scenarios based on Windows Terminal Server or Citrix Presentation Server are also supported.
The application runs smoothly. Problems arise only when processing large files. The decisive factor is the size of a file while it is being processed in the application. This is determined by its size in bytes and by its structure. Problematic are, for example, many pages (>100) or large images.
The following typical error messages can be seen in the log:
- java.lang.OutOfMemoryError: Java heap space
  --> You can find more information on this in the FAQ – Make more memory available
- for example java.net.SocketException: Software caused connection abort: socket write error
  --> see below
These problems can occur when using the SOAP protocol.
In this case, limiting settings must be increased.
To do this, create the file /classes/cxf/bus.properties, for example with the following content:
org.apache.cxf.stax.maxTextLength = 512000000
and restart the application.
This increases the message size from approx. 100 MB (standard) to 512 MB.
Note that the message size is always larger than the actual file size (factor approx. 1.3) due to the Base64 encoding.
When opening very large files, the memory available to Sign Live! CC may not be sufficient (error message: ... "Java heap space"). The log provides information about the maximum memory Java requests from the operating system. For example:
[2019.11.20-09:29:57.818][I][d.i.tools.logging][executor singleton][] maxmemory=477626368
First, check that the operating system can actually provide that much memory for Java. Operating system and other applications also require memory!
If enough memory is available, please gradually increase the memory claimed by Java.
To make more memory available to Sign Live! CC:
- Copy the file <INSTALLATION DIRECTORY>\demo\vmoptions\more memory\*.vmoptions 1) to \bin.
- Restart Sign Live! CC.
- If the main memory is not sufficient, the value in the vmoptions file can be edited with an editor and increased to -Xmx2048m, for example. The maximum value depends on how much RAM is available on your computer.
Important note:
- For operation as a Windows service, the signivecc_service.exe file must also be created with identical content.
1) The name of the vmoptions file depends on the operating system used.
Setting up a PDF printer is required for various actions. Sign Live! CC uses "Ghostscript" for this.
When installing Sign Live! CC version 7.1.7 – or older – please use Ghostscript 9.53.3 or older.
If you have installed the current version of Sign Live! CC, the current version of Ghostscript can also be used.
Sign Live! CC starts with the language settings of the operating system.
To change the user interface language of Sign Live! CC you need administrator rights.
Follow these steps:
- Quit Sign Live! CC.
- Use Windows Explorer to switch to the installation directory for Sign Live! CC. In most cases this is "C:\Program Files\Sign Live CC" or "C:\Program Files (x86)\Sign Live CC".
- Navigate further into the subdirectory "demo\vmoptions\language english".
- Copy the SignLiveCC.exe.vmoptions file from this directory.
- Change to the "bin" subdirectory of the Sign Live! CC installation directory and paste the SignLiveCC.exe.vmoptions file there.
- Restart Sign Live! CC so that the language settings are loaded.
By doing this, the entire user interface of Sign Live! CC is presented in English.
To reset to German, delete the "SignLiveCC.exe.vmoptions" file from the bin directory and restart Sign Live! CC.
When trust centers switch to a new PKI infrastructure, it can happen that signatures that were created with very new signature cards are not validated as valid. This is due to the fact that the new Trusted Lists (TSL) and/or root CAs were not yet included at the time our software was released.
After the update of the trust lists in Sign Live! CC, these signatures are validated again.
- Trigger the update of the trust lists manually via the menu item Tools > Certificates > Update Trust Lists.
In server installations it makes sense to have the update triggered time-controlled. To do this, adapt the preconfigured service container:
- Via the menu item Tools > Services > Service Container Management, configure the schedule of the "Trusted List Update Scheduler" service container so that the update of the trust lists is triggered automatically.
In cases where the validating Sign Live! CC instance does not have, or is not allowed to have, an Internet connection and therefore cannot reach the TSL server, the following workaround is available:
- Install a Sign Live! CC TSL instance on a computer that is permitted to access TSL servers on the Internet.
  Version and patch level should match those of the Sign Live! CC validation instance.
- On the Sign Live! CC TSL instance, update the TSL by triggering the update of the trust lists manually via the menu item Tools > Certificates > Update Trust Lists.
  The updated trust lists (TSL) can usually be found in the directory \tsl – for example C:\Users\\.SignLiveCC_7.\tsl
- On the Sign Live! CC validation instance, replace the contents of the directory \tsl with the TSLs from the Sign Live! CC TSL instance.
  It is important that the replacement takes place completely! Everything else requires detailed know-how about the internal structure of the TSLs.
- Restart the Sign Live! CC validation instance.
This workaround uses internal Sign Live! CC processes that you cannot influence.
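The complete replacement of the \tsl directory can be scripted so that no file from the old list set survives and the copy is verified before the old directory is removed. This is an added example, not intarsys code: the function names are hypothetical, the trust-list files are treated as opaque, the caller supplies both paths, and the validation instance is assumed not to be running during the swap.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root):
    """Map every file below root (relative path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def replace_tsl_dir(source, target):
    """Replace target completely with a verified copy of source.

    The copy is written to a staging directory next to target and compared
    with the source manifest. Only then is the old directory moved aside and
    deleted, so a failed transfer leaves the previous trust lists in place.
    Returns the manifest of the new target directory.
    """
    source, target = Path(source), Path(target)
    expected = manifest(source)
    if not expected:
        raise ValueError(f"source {source} contains no files")

    staging = target.with_name(target.name + "_new")
    backup = target.with_name(target.name + "_old")
    for leftover in (staging, backup):
        if leftover.exists():
            shutil.rmtree(leftover)  # remains of an earlier, aborted run
    try:
        shutil.copytree(source, staging)
        if manifest(staging) != expected:
            raise IOError("staged copy does not match the source manifest")
        if target.exists():
            target.rename(backup)
        staging.rename(target)
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)
        if not target.exists() and backup.exists():
            backup.rename(target)  # roll back to the previous lists
        raise
    shutil.rmtree(backup, ignore_errors=True)
    return manifest(target)


if __name__ == "__main__":
    # Constructed demo data: two directories standing in for the \tsl
    # directories of the TSL instance and the validation instance.
    base = Path(tempfile.mkdtemp())
    exported, local = base / "export" / "tsl", base / "profile" / "tsl"
    exported.mkdir(parents=True)
    local.mkdir(parents=True)
    (exported / "list-a.xml").write_bytes(b"updated list A")
    (local / "list-a.xml").write_bytes(b"outdated list A")
    (local / "stale.xml").write_bytes(b"no longer published")
    for name, digest in replace_tsl_dir(exported, local).items():
        print(digest, name)
```

Keeping the printed manifest from the TSL instance lets you compare it with the one produced on the validation instance after the transfer medium has been imported.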
When validating, the validity of certificates is usually first checked via an OCSP query (online status query). This requires access to the Internet. Only if this query fails is a revocation list used for the check. However, revocation lists are not made available by all trust centers.
Please check the following settings in your installation of Sign Live! CC:
- Tools > Settings > Signatures > Signature Validation > Certificate Validation:
  Is the "Perform online status check" option enabled?
- If you use a proxy to access the Internet, the access data must be configured under Extras > Settings > Internet connection.
If both settings are correct, please send a test document with the signature that showed the error during validation by email to support for further error analysis. If this is not possible, carry out the incorrect validation again and send us the current log file.
Depending on the characteristics of the license you are using, various actions may have restrictions. An example is the number of possible signatures per day. Once the limit is reached, the application continues to work, but very slowly.
- If the license used is not sufficient for you, please contact us about a license upgrade at the e-mail address support@intarsys.de.
- It is best if you let us know the license key you are currently using. You can find this under the menu item EXTRAS > LICENSE MANAGEMENT at the far right.
- Information about current versions (updates) is provided via newsletters. With the appropriate setting, an update check is carried out on the software side. The update is not installed automatically.
- Please note:
- If you use our software in connection with third-party software, please ask the manufacturer in advance whether the update should be carried out.
- The license is usually inherited within a master release. A new license is required when changing the master release. In any case, please note the release notes.
- If you obtained the software from one of our partners, you will normally be informed accordingly by this partner.
- Since 01.01.2019, our licenses have generally been so-called term licenses with a defined expiry date. Until this expiry date, the update to the current version is free of charge.
- Please check whether the manufacturer of your card reader provides drivers for Mac.
  The card reader drivers from REINER SCT are available here.
- You can find a list of the signature cards and card readers that we have tested in the Sign Live! CC data sheet.
A hotfix for Sign Live! CC is provided as a ZIP file. To install the hotfix, the ZIP file must be extracted and the file(s) it contains copied to a specific directory. This FAQ explains how to copy the files into the application directory of Sign Live! CC.
Please note the information in the hotfix about the directory to which the files should be copied.
- If open, exit Sign Live! CC
- For example, save the zip file to the desktop
- Double click on the zip file. This is automatically unpacked and the unpacked folders and files are made available
- Using the Finder, navigate to Applications, select Sign Live! CC, open the context menu and choose Show Package Contents. The "Contents" folder is displayed
- Open the folders Contents / Resources
- Copy the unzipped folders and files - which were made available in the previous step - into this folder or into the folder specified in the hotfix
- Restart Sign Live! CC
Sign Live! CC creates log files. These help us to analyze errors and to help you quickly.
- In Sign Live! CC, under Extras -> Settings -> Basic settings, set the 'Log level of detail' to 'All details'.
- Then please reproduce the error.
- Then go to Window -> Show log file.
  A dialog with the log files appears.
- Note the dialog heading. The path to the log files is displayed there.
- In the Finder, use Go to -> Go to folder ... to open the displayed folder and please send us all files with the ending ".log".
(The log files are usually stored under /Users//Library/Application Support/SignLiveCC_/.)
Please note that the driver software of the REINER SCT card readers may have to be updated as a result of Mac OS X updates.
If you click the "Send current document" button in Sign Live! CC, the file attachment is not created under Mac OS X.
This is because passing file attachments using the Mac OS X mailto protocol is not supported.
Solution:
Save the file and attach it afterwards.
The card reader may be connected after the system has started, but not removed while the computer is running.
If the error message "Sign Live CC.app can't be opened because Apple can't scan it for malware." occurs after updating Mac OS X after installing Sign Live! CC, Sign Live! CC can be opened as follows:
Right-click, select Open, confirm dialog.
The libfreetype.so library, which is required for displaying a document, is no longer included in the standard deb packages for Ubuntu 12.x. The package libfreetype6-dev must be installed afterwards.
The libpcsclite library, which is required for communication with a card reader, is no longer included in the standard deb packages for Ubuntu 12.x. The package libpcsclite-dev must be installed afterwards.
You can sign in ELSTER from various applications – for example ADDISON from the company “Wolters Kluwer”.
To do this, you need PKCS#11 drivers, which we provide in Sign Live! CC.
You can find them in Sign Live! CC via the menu item Tools > Settings > Libraries > PKCS#11.
Please note:
- An RSA signature card – for example the D-TRUST – is required. Signature cards that use ECC (Elliptic curve cryptography) are not supported by this library.
- Sign Live! CC version 7.1.9 or later is required.
Please configure the driver directly in the application to be used.
Please note that you cannot sign in ELSTER with Sign Live! CC alone.
If you are doing the submissions in conjunction with Addison, you can use Sign Live! CC for the signature. You can obtain the software from our shop at https://www.chipkartenleser-shop.de/intarsys/sign-live-cc.
Unfortunately, if you want to make the submissions directly to ELSTER using the Elster Authenticator, our solution is not suitable.
In this case, please contact ELSTER directly.
Sign Live! CC DATEV Edition
The product Sign Live! CC DATEV Edition was developed in cooperation with DATEV. Important information can be found under the following links:
Article in DATEVmagazine, issue 12/2018 on the DATEV assistant for qualified signatures:
https://www.datev-magazin.de/2018-12/produkte-services-2018-12/so-signieren-sie-dokumente-digital/
Practical information from the WPK on the subject Electronic examination notes and reports:
https://www.wpk.de/mitglieder/praxishinweise/elektronische-pruefungsvermerke-und-berichte/
In the service video "Qualified digital signature of reports", the complete signature process is described in detail.
https://www.datev.de/web/de/service/self-service/servicevideo/berichte-qualifiziert-digital-signieren/
In addition to the signature software, you also need a signature card and a card reader. You can obtain the signature card from D-TRUST (Bundesdruckerei) at https://www.bundesdruckerei.de/de/bestellen. As a card reader we recommend the REINER SCT RFID komfort.
In order to ensure that signing from the DATEV environment runs smoothly, it is imperative that the Sign Live! CC DATEV edition is installed. Access to this version is set up individually.
You can start the order process for the Sign Live! CC DATEV edition at https://www.intarsys.de/DATEV-Edition-erwerben.
For signing from the DATEV environment, the Sign Live! CC DATEV edition must be installed. Otherwise, the proper execution of a signature from the DATEV environment cannot be guaranteed. The Sign Live! CC DATEV edition is available for download in a protected area on our homepage. The required access rights are set up individually. You will receive the information about this together with the license you have purchased.
You will be informed by email about the setup of the user data. If necessary, please also check your spam folder.
If you have not been granted access, please send an appropriate email to support@intarsys.de.
The Sign Live! CC DATEV edition is also available as a server version and is therefore executable under DATEVasp.
Unfortunately, only the software products provided directly by DATEV are available under DATEVsmartIT. Please inquire directly with DATEV whether the Sign Live! CC DATEV edition is part of it.
Sign Live! CC Sparkasse Edition
If the validation report is generated with "extended options" in the Sign Live! CC SPARKASSEN edition, the report can be attached to the original document. This causes the signatures to be marked with a red X. The message "The document has been changed since it was signed and is no longer valid" appears with the signatures.
According to the current PDF specification, the signature must be "broken" when the document is changed (page was attached). This behavior is correct according to the PDF specification.
Solution:
Do not attach the validation report to the original document, but save it as a separate file. By default, the report is given the name .valreport.pdf.
When you open a bank statement in the Sign Live! CC Sparkasse Edition, it is validated automatically. This can take a few seconds. Once this process is complete, you will see in the sidebar on the left side of the screen that the signature is valid.
If the message "Identity is unknown" appears in the validation report, you are probably using an old version of the Sign Live! CC Sparkasse Edition. Please update to the current Sign Live! CC SPARKASSEN edition. You can obtain access to the current version from your Sparkasse.
The Sign Live! CC Sparkasse Edition was programmed exclusively for Windows.
Customers using MacOS X can download the software for Mac at https://www.intarsys.de/dl_slcc. Even without a license, signatures can be checked with Sign Live! CC.
There are the following differences to the Sparkassen edition:
- During installation you will be asked for a product key. This query can be skipped.
- The validation reports can only be generated as PDF with a watermark and a reference to a demo version.
For the interactive verification of signatures, this solution can be used in the same way as the Sign Live! CC Sparkasse Edition.
The Sign Live! CC Sparkasse Edition was commissioned by the DSGV (German Savings Banks and Giro Association) and made available to the business customers of the savings banks free of charge. It is intended for checking the signatures on account statements.
You will receive the download link from your Sparkasse.
Sign Live! cloud suite gears
The Tomcat standard configuration limits the maximum processing size of a POST request to 2 MB.
You can increase this limit, or remove it with the value -1, in \conf\server.xml via the maxPostSize parameter:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
maxPostSize="-1"
redirectPort="8443" />
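Because -1 removes the limit entirely, it helps to check which connectors are unbounded and which are still too small for the documents you process. The following is an added example, not part of the gears distribution: the function names and the three-connector server.xml are constructed, and the 2 MB default is the one stated above.

```python
import xml.etree.ElementTree as ET

# Limit that applies when a connector carries no maxPostSize attribute
# (the 2 MB Tomcat default named in the FAQ entry).
DEFAULT_MAX_POST_SIZE = 2 * 1024 * 1024

# Constructed sample: the connector from the FAQ plus two variants.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxPostSize="-1"
               redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8082" protocol="HTTP/1.1" maxPostSize="104857600" />
  </Service>
</Server>
"""


def connector_post_limits(server_xml):
    """Return one record per <Connector> with its effective maxPostSize.

    "limit" is the size in bytes, or None when a negative value has
    switched the limit off.
    """
    records = []
    for connector in ET.fromstring(server_xml).iter("Connector"):
        raw = connector.get("maxPostSize")
        value = DEFAULT_MAX_POST_SIZE if raw is None else int(raw.strip())
        records.append({
            "port": connector.get("port"),
            "configured": raw,
            "limit": None if value < 0 else value,
        })
    return records


def review(server_xml, needed_bytes):
    """Classify each connector against the largest POST the setup needs."""
    findings = {}
    for record in connector_post_limits(server_xml):
        if record["limit"] is None:
            findings[record["port"]] = "unlimited"
        elif record["limit"] < needed_bytes:
            findings[record["port"]] = "too small"
        else:
            findings[record["port"]] = "bounded"
    return findings


if __name__ == "__main__":
    # 50 MB is an assumed requirement for this demonstration.
    for port, verdict in review(SAMPLE_SERVER_XML, 50 * 1024 * 1024).items():
        print(port, verdict)
```

A connector reported as "unlimited" accepts POST bodies of any size, so an explicit value sized to the largest expected document keeps an upper bound in place.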
For configuring the font in Sign Live! cloud suite gears - for example of signature fields - you have to know the exact name of this font. This is not always the display or file name. To determine the correct name, look in the latest gears log file and look for the desired font. Here using Arial Bold as an example:
[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] font registry register C:/WINDOWS/Fonts/arialbd.ttf with [TrueType]Arial Negreta
[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] font registry register C:/WINDOWS/Fonts/arialbd.ttf with [TrueType-postscript]Arial-BoldMT
[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] font registry register C:/WINDOWS/Fonts/arialbd.ttf with [TrueType-canonical]Arial,Bold
[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] font registry register C:/WINDOWS/Fonts/arialbd.ttf with [Any]Arial Negreta
[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] font registry register C:/WINDOWS/Fonts/arialbd.ttf with [Any-postscript]Arial-BoldMT
[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] font registry register C:/WINDOWS/Fonts/arialbd.ttf with [Any-canonical]Arial,Bold
[22.07.2021-08:48:23.889][D][de.intarsys.cwt.font][...] FontEnvironment loaded font 'Arial,Bold' from C:\WINDOWS\Fonts\arialbd.ttf
Based on this example, the following "FontNames" can be used:
- Arial Negreta
- Arial-BoldMT
- Arial,Bold
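The lookup in the gears log can be automated. This added example (not intarsys code; the function names are hypothetical) parses the "font registry register" lines shown above and returns the exact names under which a font file was registered. The last sample line is constructed to show the filtering.

```python
import re

# Format taken from the log excerpt above:
#   ... font registry register <file> with [<kind>]<name>
REGISTER = re.compile(
    r"font registry register (?P<file>.+?) with "
    r"\[(?P<kind>[^\]]+)\](?P<name>.+?)\s*$"
)

PREFIX = r"[22.07.2021-08:48:23.888][T][de.intarsys.cwt.font][...] "
SAMPLE_LOG = [
    # Lines copied from the FAQ entry.
    PREFIX + "font registry register C:/WINDOWS/Fonts/arialbd.ttf with [TrueType]Arial Negreta",
    PREFIX + "font registry register C:/WINDOWS/Fonts/arialbd.ttf with [TrueType-postscript]Arial-BoldMT",
    PREFIX + "font registry register C:/WINDOWS/Fonts/arialbd.ttf with [TrueType-canonical]Arial,Bold",
    PREFIX + "font registry register C:/WINDOWS/Fonts/arialbd.ttf with [Any]Arial Negreta",
    PREFIX + "font registry register C:/WINDOWS/Fonts/arialbd.ttf with [Any-postscript]Arial-BoldMT",
    PREFIX + "font registry register C:/WINDOWS/Fonts/arialbd.ttf with [Any-canonical]Arial,Bold",
    r"[22.07.2021-08:48:23.889][D][de.intarsys.cwt.font][...] FontEnvironment loaded font 'Arial,Bold' from C:\WINDOWS\Fonts\arialbd.ttf",
    # Constructed line for a second, fictitious font file.
    PREFIX + "font registry register C:/WINDOWS/Fonts/example.ttf with [Any]Example Sans",
]


def registered_fonts(log_lines):
    """Map font file -> {font name: [registration kinds]} in log order."""
    fonts = {}
    for line in log_lines:
        match = REGISTER.search(line)
        if match is None:
            continue  # not a registration line, e.g. "FontEnvironment loaded"
        names = fonts.setdefault(match.group("file"), {})
        names.setdefault(match.group("name"), []).append(match.group("kind"))
    return fonts


def font_names(log_lines, query):
    """Names registered for every font whose file path or name contains query."""
    needle = query.lower()
    result = []
    for path, names in registered_fonts(log_lines).items():
        if needle in path.lower() or any(needle in n.lower() for n in names):
            result.extend(n for n in names if n not in result)
    return result


if __name__ == "__main__":
    for name in font_names(SAMPLE_LOG, "arialbd"):
        print(name)
```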
When opening the Sign Live! cloud suite bridge from Sign Live! cloud suite gears, a security prompt appears.
The message can be switched off for a specific protocol using a registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\csbridge]
"WarnOnOpen"=dword:00000000
or
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\csbridge]
"WarnOnOpen"=dword:00000000
For more information, see https://stackoverflow.com/questions/37702082/internet-explorer-or-edge-how-to-display-the-warning-that-appear-if-you-open-c?rq=1
This error appears, for example, when the "demo" profile has been deactivated.
In this case, the following entry in gears.properties is required:
spring.liquibase.enabled = false
proNEXT Archive Manager
As an IT system that preserves the value of evidence, the proNEXT Archive Manager creates an electronic archive timestamp for archived documents and signatures and automatically re-signs the hash tree over and over again. The component offers all cryptographic extensions that are necessary to ensure the probative value of electronic documents in accordance with § 371 a of the Code of Civil Procedure.
In addition to archives, the software can also be integrated into document management systems and/or e-file solutions and is certified according to BSI TR 03125 (TR-ESOR).
In accordance with the eIDAS regulation, the exact procedure for Germany is clearly described in the technical guideline BSI TR 03125 (BSI TR-ESOR). The BSI also publishes the security-relevant cryptographic algorithms in the form of a catalogue.
So that the probative value of electronic signatures can be maintained within the framework of long-term archiving, the point in time at which the signature was created must be documented conclusively in a suitable "evidence-preserving" IT system. This system creates an archive timestamp and signs archived documents, including their signatures, again and again.
If a signed document is then requested from the archive system at any time and it is determined during verification that the cryptographic algorithms and parameters are no longer suitable for security, an evidence document (with all timestamps generated to date) can be used to prove that this electronically signed document was re-signed in a timely manner and that its legal usability is preserved.
In contrast to paper documents, the evidentiary suitability of electronically signed documents can "disappear" over time. The reason for this is the loss of security suitability of cryptographic algorithms. In addition, the directories and documents required for checking certificates may no longer be available.
As a result, when archiving digital documents, it must be ensured not only that they can be found at any time, but also that they can be used as possible evidence in court.
For the filing and storage of electronic documents and data, an implementation of security goals at the highest possible level of technology is necessary. The fundamental basis for this can be found in the Code of Civil Procedure (ZPO) § 371 a "Probative value of electronic documents". This is also reinforced by the eIDAS regulation, which applies throughout Europe.
Partner products
Software for bailiffs
If you use software from Baqué & Lauter GmbH as a bailiff and want to sign with Sign Live! CC, a specific "service" must be set up in Sign Live! CC.
If Sign Live! CC was already installed when the bailiff software was installed, this service should have been set up automatically. Otherwise, this can also be done manually. You will find the corresponding instructions here.
Remote signature BNotK
The new BNotK card is supported in Sign Live! CC from version 7.1.11.
In future, the Federal Chamber of Notaries will provide its signature certificates via the remote signature service and no longer via a personal signature card.
The authentication for signature creation at the remote signature service is carried out using a personal smart card.
This requires a completely new procedure for signature creation. This signature is not triggered via the signature device "signIT smartcard CC", but via "signIT BNotK". When signing in the signature assistant, please select the appropriate signature device. If your signature certificate is not available, please contact the support of the Federal Chamber of Notaries.
If you are using a Reiner SCT card reader with an RFID function, you must switch off the RFID function so that there are no problems reading the authentication certificate on your card.
If you use Sign Live! CC from within a specialist application, please inquire with the manufacturer whether the new signature device has been connected.
When assigning individual PINs, it is permissible to assign a PIN with more than 8 characters.
In the case of a PIN change, the new PIN must have the same number of characters as the "old" PIN or more characters. The BNotK card does not allow you to change from a 9-digit PIN to an 8-digit PIN, for example.
In Sign Live! CC up to version 7.1.11.1, a maximum of 8 characters can be entered during the signature process with a BNotK card.
Solution:
After updating Sign Live! CC to version 7.1.11.2, a PIN of up to 16 characters can be entered.
In Sign Live! CC, check via menu item Help > About which version you are using and update if necessary.
After entering the PIN, the following message is displayed
Error message:
error 401 calling service 'https://loging.bnotk.de/auth/reams/RemoteSignature/auth/tls', Unauthorized
Possible Cause:
- Signature card blocked:
This error message is displayed when access to the signature card is blocked by another application, for example GV software or online banking.
Solution: Please close the third-party application completely (system tray) and restart the signature process.
- Cannot reach server:
If the server of the Federal Chamber of Notaries is temporarily unavailable, the above message also appears. In this case, wait and start the signature process again later.
Error message:
No keys available
- In this case, please ask the support of the Federal Chamber of Notaries whether your signature certificate has been created and is available.
Remote signature D-Trust Sign-Me
You can find various information about sign-me here.
Remote signature Swisscom AIS
Problems with the AIS signature service are often due to the following:
- Basic service problems
In this case, please check the Swisscom AIS status page to see whether such a problem exists.
There you will also find the link to Swisscom support.
- Problems with incorrect, expired or no longer valid registration data
In this case, please check first whether you can generally sign.
Find the information you need here.
Very often, access problems are related to differences in the identification data collected and the one you provided.
You cannot check these differences! Only Swisscom has access to the recorded identification data.
In this case, you must contact Swisscom directly:
Direct access to Swisscom support:
- Website Swisscom support
- Email: ent.incident-data@swisscom.com
- Telephone: +41 (0) 800 724 724, menu selection "Data Services", keyword "All-in Signing Service"
- Have your PRO number (PRO-00xx) ready. You can find it on the cover sheet of your service contract.
This speeds up processing considerably.
The following circumstances cause the deactivation of the identification data and make a new identification necessary:
- Identity document has expired.
- Change of mobile number.
- Change of authorization from SMS-TAN to Mobile ID app.
(for non-Swiss customers: the Mobile ID app MUST be activated before identification)
More information about the AIS service:
Card reader and signature pads
For security-relevant applications, such as signing with Sign Live! CC or internet banking, card readers are divided into security classes.
To generate a qualified electronic signature, you need card readers of security class III. One of the distinguishing features of these devices is that they have a display in addition to the keyboard. Since Sign Live! CC has been certified by the BSI, we recommend card readers that also have this certification.
A list of manufacturers and the names of the card readers tested can be found in the Sign Live! CC data sheet here.
We test Sign Live! CC in all constellations with different signature cards and card readers. We use the latest driver software from the hardware manufacturer for these tests.
If you use Sign Live! CC to sign, you should ensure that the driver software for your card reader is up to date.
Please select your card reader type when selecting the product.
By default, Sign Live! CC only supports card readers with secure PIN entry. As a result, when using a class 1 card reader (without keyboard and display), the error message "Card reader with secure PIN entry required" appears when creating a signature.
In order to be able to carry out a signature with a class 1 card reader, settings that deviate from the standard setting must be made.
To do this, proceed as follows:
• Open the Sign Live! CC settings dialog via "Extras > Settings".
• Navigate to the section "Signatures > Signature devices > signIT smartcard CC"
• Disable the option "Require secure PIN entry".
With the subsequent signature, the PIN is entered via a screen dialog or via the keyboard of your computer.
The ACS ACR38T USB reader, which is typically used in Switzerland with a SuisseID certificate, does not support secure PIN entry. This causes the error message "Card reader with secure PIN entry required" to appear when creating a signature.
In order to be able to carry out a signature with the USB reader, settings that deviate from the standard setting must be made.
To do this, proceed as follows:
• Open the Sign Live! CC settings dialog via "Extras > Settings".
• Navigate to the "Signatures > Signature devices > signIT smartcard CC" section.
• Disable the option "Require secure PIN entry".
• Activate the option "Disable secure PIN entry".
With the subsequent signature, the PIN is entered via a screen dialog or via the keyboard of your computer.
To ensure that the CHERRY KC 1000 works with secure PIN entry, please follow the installation instructions carefully. If you have any questions, please contact the manufacturer.
REINER SCT has discontinued driver and technical support for the following card readers
- cyberJack pinpad
- cyberJack e-com (Version 2.0)
- cyberJack e-com Plus
The cyberJack e-com 3.0 USB will continue to be supported. (Please refer to www.reiner-sct.com/old)
As a result, we have no longer tested the discontinued devices with Sign Live! CC since versions 6.3.x.
This also means that in the event of an error we cannot provide support for signatures with the obsolete devices. It does not mean that these devices no longer work with Sign Live! CC.
As a rule, no signature card should be inserted in the card reader when the computer is started. Even if the signature card is only inserted into the card reader when the computer has already started up, it may happen that the card reader is not recognized.
In addition, applications that also use (signature) cards (e.g. banking or booking systems) can block the card reader and no longer release it.
In this case, disconnect the USB connection and restart the computer. It may be sufficient to restart the service for the smart card in the task manager.
For smooth signing in Sign Live! CC with the signature tablet signotec LCD Signature Pad Sigma (ST-BE105-2-FT100-B), driver software must be installed.
Contrary to the information on the signotec website, the driver software for the above signature tablet is also required for operation under Windows 10.
You can find the download of the driver software here.
You may also need the FTDI driver, which is available for download here, for example.
Operation on terminal server:
You can find detailed information and documentation on the operation of signotec signature pads on the Signotec website.
Especially when card readers are connected via a USB device server, the intervening network can cause the timeout of 5 seconds to be exceeded, with the result that Windows deregisters the signature card.
By adding or setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\TransactionTimeoutDelay, the timeout can be increased from the default of 5 seconds up to 60 seconds.
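The registry change described above can be scripted so that the old value is recorded and out-of-range values are rejected. The following PowerShell is an added example, not taken from the vendor's documentation; it assumes the setting is a DWORD value holding the timeout in seconds, and the function names are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session.
# Assumption: TransactionTimeoutDelay is a DWORD value (seconds) under the
# Calais key; the page itself gives only the name and the 5..60 second range.
$CalaisKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais'
$ValueName = 'TransactionTimeoutDelay'

function Get-SmartCardTransactionTimeout {
    # Returns the configured timeout in seconds, or $null when the value is
    # absent (the 5 second default mentioned above then applies).
    $item = Get-ItemProperty -Path $CalaisKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SmartCardTransactionTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Reject anything outside the documented 5..60 second window.
        [Parameter(Mandatory = $true)]
        [ValidateRange(5, 60)]
        [int]$Seconds
    )

    $before = Get-SmartCardTransactionTimeout

    if ($PSCmdlet.ShouldProcess("$CalaisKey\$ValueName", "Set to $Seconds seconds")) {
        # -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $CalaisKey -Name $ValueName `
            -PropertyType DWord -Value $Seconds -Force | Out-Null
    }

    # Report old and new state so the change can be documented or rolled back.
    [pscustomobject]@{
        Previous = $before
        Current  = Get-SmartCardTransactionTimeout
    }
}

# Preview the change without writing to the registry:
Set-SmartCardTransactionTimeout -Seconds 30 -WhatIf
```

Remove `-WhatIf` to apply the value; keep the reported `Previous` value so the setting can be restored later.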
Signature cards
The medical profession ID cards G2.x from D-TRUST, Telesec, DGN and medisign are supported by Sign Live! CC from version 7.1.11.x. If necessary, please carry out an update and observe the release notes.
We do not assume any liability for other medical profession IDs. But that doesn't mean they don't work.
Bundesdruckerei (D-TRUST) has been issuing new signature cards since the beginning of October 2020. These can be used in Sign Live! CC from version 7.1.6.
You can check which Sign Live! CC version you are using via the menu item Help > About. An update may be required. If you use Sign Live! CC within or in combination with other partner software, please discuss installing the new version with the manufacturer of that application beforehand. Please also note the release notes.
As a user of the Sign Live! CC DATEV Edition, please note that you must be registered on our website to download Sign Live! CC DATEV Edition 7.1.6.
With the D-TRUST multicard 3.0, batch signatures are only possible with the qualified certificate. When signing with the advanced certificate, a PIN entry is required for each signature.
As of D-TRUST multicard 3.1, a batch signature is possible with both the qualified and the advanced certificate.
The PIN change mechanism of Sign Live! CC by default only allows numbers to be entered. The certificates of all German trust centers are designed in such a way that the personal PIN, which is used to create a qualified electronic signature, must consist of numbers. The card readers certified by the BSI (Federal Office for Information Security) are also designed for entering numbers.
In contrast to German signature cards, signature cards from Switzerland allow an alphanumeric PIN. Because these PINs are not suitable for creating qualified signatures according to SigG, Sign Live! CC does not offer the use of alphanumeric PINs. If you would nevertheless like to use Sign Live! CC to initialize Swiss signature cards (create individual PINs), please proceed as follows:
- Turn off the secure PIN entry. (Menu "Extras > Settings > Signatures > Signature devices > signIT smartcard").
- Launch Sign Live! CC and select the menu item "Tools > Smart Card Tools > PIN Management".
- Select the certificate you want and click on "Initialize".
- After reading the instructions on the next window, click "Complete".
- In the next window click on the switch "Input via keyboard".
- Open any text editor and enter the desired PIN.
- Highlight the entered PIN and copy it with the key combination CTRL+C.
- Switch to Sign Live! CC and paste the new PIN into the “new PIN” and “repeat new PIN” field using the key combination CTRL+V.
- Confirm your input by clicking on the "Finish" button.
Please note:
- This only applies to signature cards from Switzerland, since German signature cards only allow numbers.
- Before you use alphanumeric PINs, you should consider that it is not possible to create qualified signatures according to the German SigG with alphanumeric PINs.
If you have problems with your signature card - for example with the initialization (PIN assignment) or with sending the confirmation of receipt - please contact the Telesec support.
On the general Telesec support page you will find answers to questions from various areas as FAQ.
Before using a Telesec signature card, it must be initialized. You assign individual PINs. In addition, receipt of the signature card must be confirmed. This can be done online.
Telesec provides the Sign Live! toolbox free of charge. You can find it here under "Public Key Service – Software Toolbox Sign Live! CC".
After receiving your Telesec signature card, you must initialize it (PIN assignment) and send the confirmation of receipt to Telesec. This is usually done through the Sign Live! toolbox. You received a corresponding note together with your signature card.
The confirmation of receipt can also be sent subsequently on the Telesec website here.
If you use your passport when applying for a new signature card, various data are sometimes adopted incorrectly.
In this case, select "ID" instead of "Passport" when selecting the ID card type. Then it should work.
In order to be able to use the signature card, you have to initialize various PINs on the card. You can use the free Sign Live! toolbox for this, which is available for download on the Telesec website. Please go through all the steps. This initializes all PINs and finally the confirmation of receipt is automatically sent to Telesec.
After receiving the confirmation of receipt, T-Systems activates your signature card and sends a corresponding email to the email address specified in the application.
If you use the Telesec signature card and a contactless reader (e.g. REINER SCT cyberJack RFID Komfort), errors can occur if the signature card is in the contactless (rear) slot. The TeleSec card can work to a limited extent via contactless connections, but SigG PINs 1 and 2 cannot be used.
In this case, please use the front slot.
There are 4 PINs on a TeleSec signature card, which you all assign individually. Please make a note of all assigned PINs and keep this information in a safe place.
SigG PIN 1 (for qualified signature) – with this PIN you execute the qualified signature.
Global PIN 1 (for encryption and authentication) – you use this PIN to encrypt documents or log on to a portal.
You will need SigG PIN 2 and Global PIN 2 if you have blocked the respective PIN 1 by entering it incorrectly several times. This is comparable to a PUK, with the difference that you also assign the PIN 2 yourself.
How is it that PIN 2 cannot be initialized with the message "The card reader ... is not supported"?
Card reader security is divided into classes. The card reader you are using probably has at most security class II and, in combination with the signature card used, does not support secure PIN entry.
Solution:
Please disable secure PIN entry in Sign Live! CC via the menu item EXTRAS > Settings.
We strongly recommend using a card reader certified by the BSI (Federal Office for Information Security). The card readers we tested can be found in our data sheet.
With a TeleSec card, you assign a SigG PIN2 and a Global PIN2 when you initialize (activate) the card. These have the function of a PUK.
To restore the PIN that has been blocked due to multiple incorrect entries, start Sign Live! CC and select the menu item "Tools > Smart Card Tools > Reset PIN". Follow the instructions in the dialogs.
If you have not assigned a PIN2, the signature card is blocked.
You have received a new signature card. Before you can use it to create a signature, it must be initialized, i.e. activated.
Depending on the trust center, individual PINs can or must be assigned during this process.
Depending on the trust center, you will receive information about which software you can use to initialize your card together with the signature card – or with a separate PIN letter.
In principle, this initialization can also be carried out with Sign Live! CC, provided you have licensed Sign Live! CC.
Please note:
After initialization, a confirmation of receipt must be sent to the trust center. This usually happens online. Only then will the certificate of your signature card be included in the directory service and a signature created with this signature card can be validated.
Sign Live! CC is supplied with a large number of certificates. These are shown in groups. For the sake of clarity, it makes sense to create your own group in which you can file your own certificates.
To pass a certificate, e.g. from a signature card, to third parties, save the certificate in this new group and export it.
How to export a certificate from your signature card using Sign Live! CC:
- Start Sign Live! CC and select EXTRAS-->Certificates-->Certificate Management.
Editing icons are displayed in the top left.
- Click on the first symbol to create a new group.
(If the icon is not active, click a white area in the Filter window.)
- Give the new group a name (in the window on the left), e.g. "My certificates", and confirm with "Close".
- Select menu item EXTRAS-->Certificates-->Certificate management again.
Now select the new group "My Certificates".
(Ensure the card reader is connected to your PC and the card is inserted.)
- Click on the icon "Add entry".
Select the action "Import certificate from a SmartCard" and "Next".
The connection to the card is established and all certificates on the card are displayed.
- Select the certificate you want and click "Next".
(If the recipient would like to paste the certificate into Adobe Reader, for example, in order to check your signature there in the future, select the "Qualified Signature" certificate.)
- In the next window you have the opportunity to name the certificate or accept the default identifier.
- In the next window, please mark the certificate as "trustworthy".
- After "Finish" the selected certificate is entered in the group.
- Now you can use the symbol for "Export entry" to save the certificate in any directory.
You can send the exported certificate to a third person, e.g. by e-mail. The recipient must import the certificate into their software.
How to import a certificate into Sign Live! CC is described in the FAQ "Importing certificates".
Addendum:
All the necessary functions are available to you via the context menu (right mouse button).
How to import a certificate in Sign Live! CC:
- Start Sign Live! CC and choose menu item Tools > Certificates > Certificate Management.
- Highlight the group in which the new certificate is to be included and select (top left) the second icon to add the entry.
- In the next window, highlight the desired action and press "Next".
- Follow the further instructions.
If you enter the PIN incorrectly several times, the signature card will be blocked. Whether you can remove the block again depends on the signature card used.
Some cards are blocked forever after multiple incorrect PIN entries. In this case, you must apply for a new (replacement) signature card, since the blocking cannot be removed. For cards for which you have also received a PUK from TrustCenter, you can enable PIN entry again (reset) by entering the PUK.
Please note that the reset can generally be carried out a maximum of ten times. It is also common for the reset to reset the PIN to the "old" value.
The EHBA-TeleSec signature cards issued from January 2023 also behave in the same way.
With "normal" TeleSec signature cards, you assign a SigG PIN2 and a global PIN2 during initialization. These PIN2 have the function of a PUK. To restore the PIN that was blocked due to multiple incorrect entries, start Sign Live! CC and select the menu item "Tools > Smartcard Tools > Reset PIN". Follow the information in the dialogs.
Most signature cards are delivered with a transport PIN. You can change this transport PIN to your personal PIN with Sign Live! CC. Depending on the signature card, there can also be several transport PINs, which then all have to be changed one after the other.
To do this, start Sign Live! CC and please select the menu item "Tools > Smart Card Tools > PIN Management". Follow the instructions in the dialogs.
General topics
eIDAS regulation
The eIDAS regulation came into force on July 1, 2017. The trust centers (Telesec, D-TRUST etc.) have therefore adjusted their certificates. In order to be able to continue validating these certificates successfully, an update of Sign Live! CC to version 7.x is required.
The eIDAS regulation (eIDAS stands for "Electronic Identification And Trust Services") is a regulation on electronic identification and trust services for electronic transactions in the 28 member states of the European Union. eIDAS represents a real legal innovation, the stated purpose of which is to encourage the development of digital applications in Europe. The eIDAS is divided into two main points:
• Electronic identification
• Trust Services
  • Electronic signature / remote signature
  • Electronic seals / remote seals
  • Electronic timestamps
  • Audit and Preservation Service
  • Electronic registered mail and delivery service
  • Website authentication
The new EU regulation enables a new, simplified procedure for personal electronic signatures. The qualified certificate does not necessarily have to be on a smart card, but can be kept in a secure IT environment of a qualified trust service provider. This means that the electronic signature can also be triggered remotely, for example with mobile devices such as tablets and smartphones.
With the publication of the eIDAS Implementation Act on July 28, 2017 in the Federal Law Gazette, it came into force on July 29, 2017. At the same time, the Signature Act of May 16, 2001 and the Signature Ordinance of November 16, 2001 are no longer in force. The core of the eIDAS Implementation Act is the Trust Services Act (VDG). This transposed the EU regulation eIDAS into national law.
The eIDAS regulation simplifies existing signature procedures with the introduction of a so-called remote signature. The electronic signature can be triggered without a signature card or reader, for example via mobile devices such as smartphones or tablets. With this new procedure, the user's private signature key is stored on a highly secure server (hardware security module) of the qualified trust service provider. A qualified signature is generated via two-factor authentication (TAN-SMS) by the user.
According to the eIDAS regulation, Article 3 (16), a trust service is an electronic service that is usually provided for a fee and is responsible for generating the seal, signature and website certificates, among other things. A qualified trust service is a trust service that meets the relevant requirements of the eIDAS regulation, Article 3 (17). It is checked every two years in a complex process by an accredited conformity assessment body, and the result is communicated to the responsible supervisory authority (BNetzA or BSI). The status as a qualified trust service provider can be verified throughout Europe via a trust list and a seal of approval. The German trust list can be viewed on the EU's Trusted List Browser website https://webgate.ec.europa.eu.
The eIDAS regulation defines two different signature types - advanced and qualified. Advanced and qualified services differ in their legal meaning. For example, if written form is required in Germany, this can only be achieved with a qualified electronic signature. If the assessment of evidence is of interest for a business transaction, the following applies to qualified certificates:
- ZPO §371a (1): The regulations on the probative value of private documents apply accordingly to private electronic documents that are provided with a qualified electronic signature.
- eIDAS Art. 35 (2): For qualified electronic seals, the presumption of integrity of the data and correctness of the proof of origin of the data applies.
- eIDAS Art. 41 (2): For qualified electronic time stamps, the presumption of the accuracy of the date and time indicated therein and of the integrity of the data associated with the date and time applies.
- eIDAS Art. 43 (2): For qualified electronic registration and delivery services, the presumption of integrity of the data and the correctness of the proof of origin of the data and the time of transmission applies.
For seals, signatures and time stamps, the eIDAS regulation addresses the trust service providers. The eIDAS does not place any direct requirements on the signature application component. It is no longer possible for the competent supervisory authority to publish certifications or manufacturer declarations.
However, with mandate M/460 [STANDARDIZATION MANDATE TO THE EUROPEAN STANDARDIZATION ORGANIZATIONS CEN, CENELEC AND ETSI IN THE FIELD OF INFORMATION AND COMMUNICATION TECHNOLOGIES APPLIED TO ELECTRONIC SIGNATURES], the EU defines corresponding standards, which are taken into account in the development of Sign Live!.
Encrypt and decrypt
In principle, the following applies to ALL signature cards (including follow-up cards!) from all signature card providers:
The "old" emails/documents were encrypted with your "old" public key and can therefore only be decrypted with your "old" private key (which is stored on your "old" signature card).
You will receive a new key pair with a follow-up card / new card. This new key pair cannot be used for your existing emails / encrypted documents.
It is therefore advisable not to dispose of the "old" signature card.
The fact that a card has expired has no influence on decrypting DOCUMENTS with Sign Live! CC. Sign Live! CC checks the expiration date of the signature card only when signing.
If a PDF document already has an internal signature, it can no longer be encrypted using a password.
To effectively secure a document with a password, all of the payload it contains must be encrypted. This process inevitably compromises existing signatures.
Sign and validate
Users are increasingly noticing that documents signed using Internet-based signature service providers in combination with Sign Live! CC cannot be validated fully and correctly. The following typical cases have occurred:
- DocuSign removes other existing signatures before creating a DocuSign signature.
- DocuSign and AdobeSign create final signatures that prevent adding more valid signatures.
- AdobeSign creates a certification signature as a completion signature after one or more confirmation signatures. This procedure contradicts DIN/ISO 32000.
- AdobeSign currently (10.03.2023) uses a signature certificate whose validity status is returned as "unknown" via OCSP. In Sign Live! CC, this leads to the validation result "unknown".
We can only advise our customers to contact the creators of the signatures and work towards creating interoperable signatures.
Fortunately, the signature service d.velop sign creates interoperable signatures.
PDF documents can be signed invisibly or visibly. In the case of the visible signature, the standard display is usually used, in which various data from the signature certificate are displayed in the defined signature field.
When displaying the signature individually, the signature date can be entered as a variable. The available alternatives are:
- system.millis:d = full notation (2021_04_14-09_12_52_610)
- system.millis:ds = shorthand (14.04.21 09:12)
- system.millis:dm = middle notation (14.04.21/09/12 06:XNUMX:XNUMX)
- system.millis:df = long notation (Wednesday, April 14, 2021 09:12 CEST)
- system.millis:dd = Date Only (Wednesday, April 14, 2021)
- system.millis:dt = Time only (17:10 CET)
- system.millis:dd(YYYY) = Java Format (2016)
Please note that this is the system time at the time the signature field representation is generated. This can deviate from the signature time (e.g. from a time stamp).
The procedure for the individual display of the signature can be found in the tutorial. You can find this and other helpful tutorials here.
For the packaging register, embedded signatures must be generated in PAdES format. In Sign Live! CC, PDF signatures are created in the required PAdES format by default.
How to create an embedded signature in Sign Live! CC:
- Start Sign Live! CC.
- Open the PDF file to be signed via menu item File > Open.
- Start the signature process via the menu Tools > Signature Functions > Sign Document.
- Select "PDF signature – PDF internal signature according to PDF specification" and press [Next].
- In the window "Signature field position", select the option "Create a new signature field". After pressing [Next], the mouse pointer changes. Now, while holding down the left mouse button, draw a field in the desired position and size on the PDF.
- As soon as you release the left mouse button, the window "Signature field representation" opens. Select "Standard" here and press [Next].
- As the signature device, select "signIT smartcard CC – Sign with a signature card and card reader at your workplace" and press [Next]. If you have not already done so, please insert the signature card into the card reader.
- In the "Identity" window, the card reader used and the certificate from the signature card are displayed. Depending on the setting, several certificates can be displayed. Please select the certificate with the purpose "qualified signature" and press [Next].
- The "Attribute Certificates" window can be skipped with [Next].
- You will now be prompted to enter your personal PIN. Enter the PIN on the card reader and confirm your entry also on the card reader.
- The successful signature is displayed in the left application window of Sign Live! CC.
Please note that Sign Live! CC must be licensed in order to create a qualified signature. A license for Windows or Mac OS can be acquired from our shop.
The presentation of the signature can be designed individually. The procedure is described in the tutorial "Design signature field display", which is available for download here.
It is important to ensure that the last variable in the Appearance window contains a value. A newline as the last variable would lead to an error message (internal cryptographic library error).
For the qualified electronic signature, you need a signature card and a card reader in addition to the software.
You can obtain signature cards from trust service providers (VDA). The signature cards and card readers supported by Sign Live! CC can be found in our service description and system requirements.
You can purchase the signature application software Sign Live! CC for different operating systems here.
In Sign Live! CC, documents are signed in "Trusted Mode". This requires additional memory and, with large files, can lead to the error message "...Java heap space".
To sign large files, the Sign Live! CC "Trusted Mode" can be switched off. When the file is opened, "All files (*.*)" is set as the file type.
How to sign large files with Sign Live! CC:
- Via menu item "Tools > Settings > Trusted Mode", deactivate the check box "Ensure document integrity".
- Restart Sign Live! CC.
- Open the file with Sign Live! CC via menu item "File > Open". Please set "All files (*.*)" as the file type.
The file is opened (recognizable by the fact that the file name is displayed in the tab), but not displayed (message: The content of the document cannot be displayed because the document format is unknown).
- Start the signing process via the symbol or menu item "Tools > Signature functions > Sign document". During the signing process, the file can be time-stamped if the time stamp is set up. A PKCS#7 signature is generated.
Various providers of trust services (formerly Trustcenter) offer qualified time stamps with the highest evidential value for a fee.
Sign Live! CC supports all common timestamps.
To use the timestamp, you have to perform two actions in Sign Live! CC:
- Configure access to the timestamp provider
- Configure the signature to embed the timestamps.
The time stamp service is offered during the signature process.
We revised how the signature file extension is appended to a PKCS#7 signature in Sign Live! CC version 7.x.
A file TEST.PDF is signed here as an example.
The following setting under menu item Tools > Settings > Signatures > Signature Creation > Signature PKCS#7 is relevant here:
- Check box "Replace file extension instead of appending" active: A signature file is created according to the ..p7s scheme (TEST.PDF.p7s).
- Check box "Replace file extension instead of appending" not active: A signature file is created according to the .p7s scheme (TEST.p7s).
What is a comfort signature?
In principle, a comfort signature is a small "mass processing" in which several documents are signed via a so-called service as soon as they are in the defined input directory. The signature PIN is entered once and the number of documents defined by the license is provided with an invisible signature. If this number is exceeded, another PIN entry is required.
Requirement:
- License for comfort signature is installed
- Multisignature card is available
Setup in Sign Live! CC:
- Via menu item Tools > Settings, under Signatures > Signature device > signITsmartcard, deactivate the check boxes "PIN entry required" and "PIN entry only via secure terminal".
- Activate "Allow PIN caching". Close the settings window with [OK].
- Open the service container management via menu item Tools > Services > Service Container Management.
- Add a service container there with the green plus sign and select "File system" as the type. [OK]
- In the "General container settings", assign an ID (name of the service container) and press the green plus sign under Services.
- Select the service type "Signature creation" and, as type, "Signature with smart card session". [OK]
- With FSM monitoring you can define the directories. By default, the directories are created in the directory <user home>/<.SignLiveCC>/<name of service>.
You start the signature service with the green arrow.
Despite a valid signature, the validation result contains the information that no valid revocation list was found.
This can be fixed as follows.
- Close Sign Live! CC.
- Copy the file <home>/demo/vmoptions/auth tunneling into the directory <home>/am (home = installation directory).
- Restart Sign Live! CC and validate the document again.
You can see the time stamp in Sign Live! CC in the Signature Browser sidebar.
- To do this, open the signed file with Sign Live! CC.
By default, Sign Live! CC is set up so that every document is checked for a signature as soon as it is opened. This check may take a moment.
- After the verification is complete, the signature overview is displayed in the left part of the window.
If this is not the case, the signature overview can be switched on via the menu "View -> Sidebars -> Signature overview".
In the best case, all areas are marked with a green tick.
- One of the ticks is labeled “The timestamp is qualified and valid.”.
In addition, "Signed on:" is accompanied by the addition "(Source: time stamp)".
For validation, the application should be configured so that a revocation list check is carried out and, if this fails, all certificates are checked for revocation by an OCSP check (online status check). Sign Live! CC is delivered with this setting.
- If a document is not validated despite having a valid signature, check the settings. To do this, open the settings dialog (menu item "Tools > Settings"), navigate to "Signatures > Signature Validation > Certificate Validation" and answer the question "Which certificates should be checked using OCSP?" with "All certificates".
- Please make sure that the checkboxes "Restriction list check" and "Online status check" are activated.
Checking the signature again should produce a valid result.
Note:
Various trust centers have discontinued checking by revocation list and currently only use OCSP responders.
When trust centers switch to a new PKI infrastructure, it can happen that signatures that were created with very new signature cards are not validated. This is due to the fact that the new Trusted Lists (TSL) and/or Root CAs were not yet implemented when our software was released.
After an update of the trust lists in Sign Live! CC, these signatures are validated again.
- Trigger the update of the trust lists manually via menu item Tools > Certificates > Update Trust Lists.
In server installations it makes sense to have the update triggered on a schedule. To do this, adjust the preconfigured service container so that the service is started.
- Via menu item Tools > Services > Service Container Management, configure the "Trusted List Update Scheduler" service container to trigger the update of the trust lists automatically.
Others
What does "Sign Live! CC implements the valid catalog of algorithms" mean?
An algorithm catalog defines which cryptographic algorithms are currently and for a future period considered secure. In doing so, it largely defines the security level of a PKI(1).
Until 30.06.2017, the Signature Act and the Signature Ordinance (SigG/SigV) defined a PKI for qualified electronic signatures and required an algorithm catalog that was constantly updated. Since 01.07.2017, this has been regulated throughout Europe in the eIDAS regulation.
The BSI (Federal Office for Information Security) creates the algorithm catalogue, each based on a forecast of 7 years, i.e. the algorithms considered can be regarded as secure today and in all probability for at least the next 7 years. Very often these periods are extended on a yearly basis. If an algorithm is expected to become insecure, users have a warning period of 7 years. Since the SigG algorithm catalog has existed, known attacks have never suddenly jeopardized the security level of crypto-algorithms to the extent that a period of validity had to be shortened.
Sign Live! CC implements the specifications of the algorithm catalog valid at the time of publication of the software.
What happens to the algorithm catalog through the implementation of the eIDAS-VO?
In order to implement the eIDAS regulation in Germany, SigG/SigV will be replaced by the Trust Services Act and the associated regulation at the end of 2017. An algorithm catalog is currently not anchored in the eIDAS-VO. It is still unclear whether the EU administration will decide on the necessary rules at EU level by then or whether Germany will continue to adhere to the German catalog as long as there is no EU catalogue. We will keep you informed on this topic.
(1) PKI = Public Key Infrastructure. For detailed information see https://de.wikipedia.org/wiki/Public-Key-Infrastruktur
You will be informed by us via newsletter about current versions. With the appropriate setting, an update check is carried out on the software side. The update is not installed automatically.
Since 01.01.2019, our licenses have been so-called runtime licenses with a defined expiry date. Until this expiry date, the update to the current version is free of charge.
Did you acquire Sign Live! CC before 01.01.2019, or do you have no runtime license in use? Then please check whether you have concluded a maintenance contract with us. During the term of the maintenance contract, the update to the current version is free of charge.
Please note:
- If you use our software in connection with third-party software, please ask the manufacturer in advance whether the update should be carried out.
- The license is usually adopted within a master release. A new license is required when changing the master release. Please see the release notes.
Please note:
If you have purchased the software used in your company via a subscription or as a runtime license (LTL), or have concluded a maintenance contract with us, you as a customer will receive important information exclusively, for example information about the free updates and bug fixes to which you are entitled. This information is communicated via newsletters. In that case, you should not unsubscribe from the newsletter.
We received your e-mail address through a business contact with your company. At the end of each intarsys newsletter there is a section to unsubscribe from the newsletter. If you no longer wish to receive newsletters from intarsys in the future, please use the link in the newsletter and confirm it. You will then no longer receive any newsletters from intarsys.
Are intarsys products affected by CVE-2022-22965 "Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell)"?
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/
intarsys products are not affected because
- only the intarsys product Sign Live! cloud suite gears uses Spring
- Sign Live! cloud suite gears is operated with Java 8
- Sign Live! cloud suite gears does not use spring-webmvc or spring-webflux.
Are intarsys products affected by the security vulnerability?
The BSI has published the following security warning.
The actual problem is explained in a PDF, which is continuously updated on the BSI website.
intarsys products are not affected by the security problem!
You can continue to operate the following intarsys products in the supported versions without changes:
- Sign Live! CC
- Sign Live! CC DATEV edition
- Sign Live! CC SPARKASSEN edition
- Sign Live! cloud suite bridge
- Sign Live! cloud suite gears
- Sign Live! cloud suite SDK
The Java library that is causing the problem is in these products not .
This also applies to the Archisoft product from FHI-SIT in versions 1.1.1.8 and 1.1.1.9, which is sold by intarsys.
Product-specific explanations
- Third-party products used in Sign Live! cloud suite gears up to version 8.7 are based on the critical Log4j version 2.14, but in the context of gears the dangerous library log4j-core-*.jar is neither delivered nor used. There is therefore no potential risk.
- Example implementations (SDK / JMS) delivered with Sign Live! CC use Log4j version 1.x. These are only activated by a command-line call on the system and also require a special Log4j configuration. They are therefore not considered to be a potential hazard.
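One way to check the statement that log4j-core-*.jar is not delivered is to scan an installation directory yourself. The following is an added example, not intarsys code: it walks a directory, opens every JAR/WAR/EAR/ZIP (including archives nested inside them) and reports files named log4j-core-*.jar or containing the Log4j 2 class JndiLookup.class. The function names and the sample tree are constructed for illustration; Log4j 1.x, which has no log4j-core artifact, is not covered.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Class inside log4j-core 2.x that performs JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # guard against deeply nested or recursive archives


def check_name(name, label, findings):
    """Record archives whose file name identifies them as log4j-core."""
    match = CORE_JAR.search(name)
    if match:
        findings.append((label, "log4j-core " + match.group(1)))


def scan_archive(data, label, findings, depth=0):
    """Look for JndiLookup.class in one archive, then descend into nested ones."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with archive:
        names = archive.namelist()
        if JNDI_CLASS in names:
            findings.append((label, "contains JndiLookup.class"))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
                nested = label + "!" + name
                check_name(name, nested, findings)
                scan_archive(archive.read(name), nested, findings, depth + 1)


def scan_tree(root):
    """Return (location, finding) pairs for every archive below root."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            label = path.relative_to(root).as_posix()
            check_name(path.name, label, findings)
            scan_archive(path.read_bytes(), label, findings)
    return findings


def build_sample(root):
    """Constructed install tree: an API-only jar and a WAR bundling log4j-core."""
    root = Path(root)
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "log4j-api-2.14.1.jar", "w") as jar:
        jar.writestr("org/apache/logging/log4j/Logger.class", b"")
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as jar:
        jar.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for location, finding in scan_tree(tmp):
            print(location, "->", finding)
```

An empty result for a real installation directory matches the statement above; a hit names the archive, and the nested path after "!", that needs a closer look.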
Further safety information on the required basic components
Tomcat 9 does not use Log4j in its basic configuration, without the standard and other web apps.
General safety information on the required basic components
Use the JVM in the required version (Java 11, SLcs gears: Java 8) at the most current patch level possible.
The JVM integrated in Sign Live! CC / PDF/A Live! fulfills this (Java 11).
For Sign Live! cloud suite gears, the JVM should be at least Azul JDK 8u312+.
Further background information
In the following, you will learn how to set up a remote connection to a JVM via jconsole as a function test.
Safety aspects are deliberately left unconsidered. For this and more in-depth information, please refer to the linked information.
- Prepare JVM
Digression for Sign Live! CC / PDF/A Live! / Sign Live! cloud suite bridge:
A complete JRE is required on the client side (where the intarsys product is operated) to use JMX.
The above products are delivered with reduced JREs. Therefore, it must first be ensured that the intarsys product starts with a complete JRE.
You can find information on this in the FAQ "Starting SLCC with “my” JVM".
Configuration of the JVM for remote access
A port must be defined for remote access to the JVM and, for the sake of simplicity, security mechanisms must be switched off.
Add the following definitions to your Java configuration (any free port can be used as the port):
-Dcom.sun.management.jmxremote.port=50999
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
For Sign Live! CC, for example, put these settings in the file C:\Program Files\Sign Live CC 7.1.7\bin\SignLiveCC.exe.vmoptions and restart the application.
Your JVM is now configured for remote access via JMX.
- Establish a connection to the JVM with jconsole
Start the Java tool jconsole on the client.
You can find it in your Java installation (JDK), e.g. in the path C:\Program Files\Java\zulu11.48.21-ca-jdk11.0.11-win_x64\bin\jconsole.exe
Select the JVM to be monitored via the defined connection data:
Acknowledge the warning
... and you get access to the JVM. After switching to the MBeans tab, you can read, for example, the current license status:
More information
- The version of the client JDK is independent of the one used in the intarsys product. It must be a JDK.
- When accessing from localhost, there is no need to define a port and switch off security.
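Because the function-test settings above switch off authentication and TLS, it is worth checking afterwards that they have not stayed in a .vmoptions file. The following is an added example, not part of the original FAQ or of intarsys code: it reads .vmoptions content and reports remote JMX options that weaken access control. The function names and both sample contents are constructed for illustration; the property names are the standard JVM ones.

```python
import re

OPTION = re.compile(r"-Dcom\.sun\.management\.jmxremote(?:\.([\w.]+))?(?:=(\S*))?")
# Values the JVM applies when a remote port is set and the option is omitted.
DEFAULTS = {"authenticate": "true", "ssl": "true"}


def parse_vmoptions(text):
    """Collect jmxremote.* system properties from .vmoptions content."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # comment line
        # findall also handles several options written on one line
        for key, value in OPTION.findall(line):
            options[key] = value.lower()
    return options


def audit_jmx(text):
    """Return (option, reason) pairs for remote JMX settings that weaken access control."""
    options = parse_vmoptions(text)
    if "port" not in options:
        return []  # no remote connector is started
    effective = {**DEFAULTS, **options}
    port, findings = options["port"], []
    if effective["authenticate"] != "true":
        findings.append(("authenticate",
                         f"port {port} accepts JMX clients without credentials"))
    if effective["ssl"] != "true":
        findings.append(("ssl", f"JMX traffic on port {port} is not encrypted"))
    return findings


# Constructed sample 1: the function-test settings from this FAQ.
FUNCTION_TEST = """\
-Dcom.sun.management.jmxremote.port=50999
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
"""

# Constructed sample 2: authentication and TLS left on. The file paths are
# placeholders; ssl=true additionally needs a keystore configured for the JVM.
HARDENED = """\
# remote monitoring with credentials
-Dcom.sun.management.jmxremote.port=50999
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.password.file=<path-to>/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=<path-to>/jmxremote.access
"""

if __name__ == "__main__":
    for name, sample in (("function test", FUNCTION_TEST), ("hardened", HARDENED)):
        print(name, "->", audit_jmx(sample) or "no findings")
```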
More detailed information
According to the GDPR, all persons involved in the signature process must be informed about which of their personal data is stored in the signature. Sign Live! CC offers the possibility to display all information stored in the certificate before creating a signature. After the signature, all information stored in the signature can be viewed.
If a VDA (Vertrauensdiensteanbieter, trust service provider) for validation services according to the eIDAS regulation takes over the validation, it is a processor within the meaning of the BDSG / DSGVO (Bundesdatenschutzgesetz / Datenschutz-Grundverordnung, the German Federal Data Protection Act / GDPR) and must provide corresponding data processing (AV) contracts or agreements.
The trust services electronic seal and electronic time stamp remain unaffected by the GDPR.
You will certainly understand that we cannot provide any information about the beA. Current information can be found on the website of the Federal Bar Association.
- Save the installation medium locally on your computer
- In the file explorer, select the installation file, right-click to open the context menu and select the "Properties" option.
- Select the "Digital Signatures" tab.
- Highlight the signature of "intarsys" and view the "Details" of the signature.
The dialog shows whether the signature is valid. If this is not the case, the installation medium is no longer in its original state. In this case, do not carry out the installation, but contact the manufacturer of the software.
It is also possible to check the certificate yourself by using "Show certificate" to find out details of the certificate. You can find the current data of the code signing certificate here.
Terms
A distinction is made between different forms of electronic signatures, all of which are legally binding, but have different probative value and are therefore suitable for very different areas of application.
- The simple signature does not make any requirement to identify the person signing the data. There is also no requirement as to how the signed data is linked to the signature and therefore no prescribed way of checking this. The digitized lettering of a signature (e.g. using a signature pad) represents a simple signature, as does the use of an e-mail footer. Simple signatures can be enhanced by using a certificate to create them. This allows the integrity of the data to be checked. If a qualified seal is used for this, the assessment of evidence according to eIDAS Art. 35 (2) applies.
- The advanced signature is generated by means that the signer can maintain under his sole control. The requirements for the identification and storage of the key used are publicly stored in the Certification Practice Statement (CPS). All important information about the Certificate Authority (CA), its guidelines and procedures are summarized in the CPS. This results in a clear assignment of the owner. The integrity of the document can also be ensured by signing with such a certificate.
- With the qualified electronic signature, the owner of the signature can be clearly and securely assigned, since the identification takes place, for example, via PostIdent, VideoIdent or the online ID function (eID). A qualified certificate is used, which was issued by a trust service provider confirmed in accordance with eIDAS. Only this type of signature satisfies the written form requirement of BGB §126a and has probative force under ZPO §371a.
It should be possible to check whether a signature is valid even after many years. In order to be able to check a signature again, several pieces of information must be available:
- Was the end user certificate used valid at the time it was used?
- Was the issuing CA (Certificate Authority) of this certificate trustworthy at the time the end user certificate was created and was the root certificate valid?
- What was the quality level of the certificate used? Basic, advanced or qualified?
To confidently answer these questions, a validation application such as Sign Live! carries out several checks. An important aspect of this validation is the revocation check using OCSP (Online Certificate Status Protocol), i.e. queries to the trust service provider (VDA) that issued the end user certificate used. In order for these OCSP queries to be carried out, this service must be made available online by the VDA (directory service). The replies from the VDA are in turn signed by the VDA so that their trustworthiness can be checked and thus ensured. This check is in turn carried out with the inclusion of OCSP queries. International standards (ETSI) regulate how this is to be done in full. At the end of these queries, the validation application can then provide a trustworthy status of the end user certificate used.
But what if the necessary directory service is temporarily or permanently unavailable? A temporary disruption can occur if the required directory service is simply not available online. Or what if this was switched off by the VDA being discontinued? The central deletion of information after the retention periods have expired also represents a cut. The end user certificate used cannot be checked in such cases and therefore the complete signature check does not lead to a clear result.
LTV signatures are different. With this type of signature, all required information is embedded in the signature, again according to international standards (ETSI). In the case of PDF documents and signatures, this is technically regulated, for example, by the PAdES standard (ETSI EN 319 142) in the context of the PAdES-B-LT profile.
The necessary information can be embedded both when the signature is created and later during validation. However, it is rare for this to happen when the signature is created, since the time required to create the signature also includes the time required for verification. The enrichment of the LTV signature for validation before archiving is therefore a good idea. From this point on, the signature is always checked offline and takes place without access to the directory service. A check is therefore independent of the availability of this service, regardless of the reason why it is not available.
Does the LTV signature do even more?
How the validity of certificates is checked is based on different models (chain, shell or modified shell model). These different models also make sense for the different uses of certificates. The validity of an SSL certificate should be checked differently in the browser than a certificate that was used to sign documents that have to be verifiable for decades.
Let's take Adobe Reader as an example. Adobe Reader will no longer classify a signature as trustworthy after the end user certificate used has expired, even if the signature was made during the validity period.
This behavior can be avoided by the LTV signature if the LTV signature is done before the expiration date. With the timely LTV signature, the Adobe Reader tick stays green and the signature continues to be positively checked - permanently. This is an important step on the way to greater user acceptance of the signature.
How is an LTV signature generated with Sign Live! CC?
Signatures generated with intarsys products produce results in some validation tools that contain the terms "PARTIAL/FULL PDF" or "Empty Revision".
This is due to the fact that intarsys signature products integrate LTV* information into the PDF document as a new revision.
Many validation tools ignore this technical detail.
However, some validation tools alert the user to this fact by describing the subject of the validation as PARTIAL PDF (EU DSS demonstration WebApp) or by indicating that the document includes an empty revision. These statements have no relevance to the validity of the verified signatures. The generated signatures are spec-compliant and even have to be generated that way if the LTV information is added after the signature.
*LTV – Long Term Validation
LTV information includes OCSP responses and/or revocation lists for the certificates required for a check. This data makes it easier to check the signatures later and makes it possible for the check to be carried out without a network connection.
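Why a validator reports "PARTIAL PDF" for such a file can be seen at byte level. The following is an added example, not intarsys code and not a signature validator: it compares each signature's /ByteRange with the end of the file and notes whether the bytes appended afterwards contain a /DSS dictionary, the PAdES Document Security Store that holds OCSP responses, CRLs and certificates. The function names and the sample bytes are constructed and are only a skeleton of a PDF.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
EOF_MARK = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")


def inspect_signatures(pdf):
    """Relate each signature's ByteRange to the revisions of the file."""
    revision_ends = [m.end() for m in EOF_MARK.finditer(pdf)]
    report = []
    for match in BYTE_RANGE.finditer(pdf):
        # ByteRange = [offset1 length1 offset2 length2]; the gap between the
        # two ranges holds the signature value itself.
        _, _, offset2, length2 = (int(g) for g in match.groups())
        signed_end = offset2 + length2
        trailing = pdf[signed_end:]
        if not trailing:
            verdict = "covers whole file"
        elif b"/DSS" in trailing:
            verdict = "later revision adds validation data"
        else:
            verdict = "later revision without validation data"
        report.append({
            "signed_end": signed_end,
            "later_revisions": sum(1 for end in revision_ends if end > signed_end),
            "verdict": verdict,
        })
    return report


def signed_revision():
    """Constructed, minimal stand-in for a signed PDF revision (not a real PDF)."""
    template = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange "
                b"[0 %010d %010d %010d] /Contents ")
    hole = b"<" + b"00" * 16 + b">"      # placeholder for the PKCS#7 blob
    tail = b" >>\nendobj\n%%EOF\n"
    start = len(template % (0, 0, 0))    # fixed-width fields keep offsets stable
    resume = start + len(hole)
    return template % (start, resume, len(tail)) + hole + tail


# Constructed incremental updates appended after the signed revision.
DSS_UPDATE = (b"2 0 obj\n<< /Type /Catalog /DSS << /OCSPs [3 0 R] "
              b"/Certs [4 0 R] >> >>\nendobj\n%%EOF\n")
OTHER_UPDATE = b"2 0 obj\n<< /Type /Annot /Subtype /Text >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, update in (("signed only", b""), ("signed + LTV", DSS_UPDATE),
                         ("signed + other change", OTHER_UPDATE)):
        print(name, "->", inspect_signatures(signed_revision() + update))
```

The "/DSS" test is only a byte-level hint: a validation application still has to confirm that the later revision adds nothing but validation data.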
According to the eIDAS regulation, Article 3 (16), a trust service is an electronic service that is usually provided for a fee and is responsible for generating the seal, signature and website certificates, among other things. A qualified trust service is a trust service that meets the relevant requirements of the eIDAS regulation, Article 3 (17) and is checked every two years in a complex process by an accredited conformity assessment body and the result is communicated to the responsible supervisory authority (BNetzA or BSI). The status as a qualified trust service provider can be verified throughout Europe via a trust list and a seal of approval. The German trust list can be viewed on the EU's Trusted List Browser website https://webgate.ec.europa.eu.