RSA Manager
Description
The RSA Manager is a certificate management program for signotec signature pads.
The application makes it possible to replace the certificates and keys for signing a document or for encrypting biometric data. The RSA Manager application is described below.
User interface
Once the RSA Manager has been started up, all connected signature devices are listed in a table. This may take some time, as all connected USB devices and virtual serial devices (e.g. FTDI) must be searched. Devices operated via Ethernet (IP) are not listed and cannot be used.
Once the search is complete, the following information is displayed for each device found: serial number, pad type, firmware, connection type and (if applicable) the certificates for signing and encryption on that device.
In addition, various buttons are available that can be used to manage the certificates in the devices. These buttons and their functions will be explained in more detail in the following sections.
Menu bar
The menu bar contains the following functions:
“File” can be used to exit the application.
The “?” icon can be used to display information on the version and contact details. The window also contains a button for activating separately purchased functions.
Functions
Basic functions
The basic functions of the RSA Manager are free of charge. They include, in particular:
Exchanging the public key for encrypting the biometric data
Generating the key/certificate for signing in the pad
Exchanging the key/certificate for signing by means of a certificate generated externally
Creating a “Certificate Signing Request” (CSR) for creating a certificate externally
Import and export of the externally generated public certificate
Extended functions
By acquiring a license, you can activate additional functions for the RSA Manager.
The following extended functions are available:
Setting an “RSA password” to prevent accidental changes being made to the certificate settings
Constant activation of the “secure mode”
Constant deactivation of individual device functions
Licensing
To activate the extended functions, the RSA Manager must be licensed (separate purchase). Licensing is called via the Info dialog by clicking the “?” icon in the menu bar.
For licensing, a software code is displayed. This code must be sent to lizenz@signotec.de together with the invoice number. A license key is normally created within three hours. The key must be entered in the corresponding field. If the license key is valid, it will be saved in the “key.txt” file in the directory “%PROGRAMDATA%/signotec/RSAManager.”
Deactivating a license
Once the software has been activated, you can use the “Deactivate license” button to deactivate the license in order to turn off the extended functions.
Settings and use
The main window contains a large number of functions. These functions are explained below.
Device overview and selection
At the top of the main window, all the devices are displayed that were found when the application was started up. The following functions are available in the list:
Function | Description |
---|---|
Deselect all | This button can be used to deselect (deactivate) all found devices in the list. Devices can also be deselected individually in the “Selection” column. |
Select all | This button can be used to select (activate) all found devices in the list. Devices can also be selected individually in the “Selection” column. |
Search for devices | This button can be used to repeat the search for signature pads, e.g. if additional pads are connected after the application has been started up. The software automatically searches for all USB devices and devices with virtual serial connection (e.g. FTDI). It is not possible to search for IP devices. |
Editing keys and certificates of selected devices
Below the device overview, functions are displayed for managing the keys and certificates on the device. The functions are divided into the sections “Encryption” and “Signing”.
Encryption
In the “Encryption” section, the button “Change public key…” can be used to change the public key in the selected signature pads.
When this button is pressed, a dialog is displayed. If the device is protected with a password, the password must first be entered. As standard, there is no RSA password, so the input field can be left empty.
The desired public certificate (*.cer) can then be selected. Once the selection has been made, an attempt is made to load the public key on the selected device. This may take some time. Once the process is complete, a message will be displayed. The drop-down list displays the new certificate for the previously selected devices in the “Encryption” column.
Once the key has been exchanged, all data encrypted in the pad is encrypted with this key and can only be decrypted with the corresponding private key.
The certificate can also be changed via the software signoSign/2 or the signoPAD-API, as long as the signature pad is not blocked with an RSA password.
If you use your own key to encrypt the data, you must ensure that the private key is kept safe; this is the responsibility of the person who created the key.
When the key is changed, any existing key is irreversibly deleted.
Signing
In the “Signing” section, the keys and certificates for signing data within the signature pad can be changed. The following functions are available:
Function | Description |
---|---|
Generate key/certificate… | This button generates in all selected devices a new key pair/certificate for signing within the signature pad. The adjacent drop-down list can be used to select the desired key length between 1,024 and 4,096 bits and the validity of the certificate. The “maximum validity” ends in 2049. When this button is pressed, a dialog is displayed. If the device is protected with a password, the password must first be entered. As standard, there is no RSA password, so the input field can be left empty. The keys are then created. This may take some time. Once the process is complete, a message will be displayed. The drop-down list displays the new certificate for the previously selected devices in the “Signing” column. Changing the key causes all data signed on the pad to be signed with this key. |
Replace key/certificate… | This button replaces the key/certificate for signing data in all selected signature pads. When this button is pressed, a dialog is displayed. If the device is protected with a password, the password must first be entered. As standard, there is no RSA password, so the input field can be left empty. The desired certificate (*.p12 or *.pfx) can then be selected. Once it has been selected, the password for the certificate file must be entered. The software then attempts to load the certificate to the selected devices. This may take some time. Once the process is complete, a message will be displayed. The drop-down list displays the new certificate for the previously selected devices in the “Signing” column. The certificate can also be changed via the software signoSign/2 or the signoPAD-API, as long as the signature pad is not blocked with an RSA password. |
Save CSR… | This button saves a “Certificate Signing Request” (CSR) for all selected signature pads. The file is saved as “<serial number>.pem” and can be used to request a certificate from an in-house (internal) or external certification authority (CA). The requested certificate can then be loaded into the pad by means of the function “Replace public certificate…”. The special feature of this method is that the key pair is always generated in the signature pad. It is particularly tamper-proof, as the private key never leaves the pad. |
Replace public certificate… | This button can be used to replace the public certificate in all selected signature pads. It is normally used when a public certificate was issued externally on the basis of a CSR created with the “Save CSR…” function. When this button is pressed, a dialog is displayed. If the device is protected with a password, the password must first be entered. As standard, there is no RSA password, so the input field can be left empty. A folder must then be selected that contains the public certificates. These files must have the serial number as file name. The software then attempts to load the certificates to the selected devices. This may take some time. Once the process is complete, a message will be displayed. |
Save public certificate... | This button can be used to export the public certificate of all selected signature pads and save it as a file. The file that is created is named “<serial number>.cer.” |
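The “Save CSR…” / “Replace public certificate…” round trip from the table above, as an added example that is not part of the RSA Manager or signotec's documentation: an in-house CA signs the exported <serial number>.pem and writes <serial number>.cer into the folder the import expects, refusing a CSR whose self-signature fails or whose key size lies outside the 1,024 to 4,096 bit range the pad offers, and checking that the certificate's key matches the CSR before the file is handed to the pad. The CA files, the 365-day validity, PEM encoding of the .cer (the page does not state which encoding the pad expects) and the serial SN-DEMO-0001 are assumptions; the stand-in pad key in demo() is constructed, since a real pad's private key never leaves the device.

```shell
#!/bin/sh
# Added example, not signotec's code: sign a CSR exported by "Save CSR..." as
# <serial number>.pem with an in-house CA and write <serial number>.cer into the
# folder that "Replace public certificate..." reads. Requires the openssl CLI.
set -eu

# sign_pad_csr CSR CA_CERT CA_KEY OUT_DIR  -> prints the path of the new .cer
sign_pad_csr() {
    csr=$1 ca_cert=$2 ca_key=$3 out_dir=$4
    serial=$(basename "$csr" .pem)     # the file name carries the pad's serial number
    # A CSR whose self-signature fails is corrupted or tampered with: do not sign it.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "invalid CSR: $csr" >&2; return 1; }
    # The pad generates RSA keys of 1,024 to 4,096 bits; anything else is suspect.
    bits=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 1024 ] && [ "$bits" -le 4096 ] \
        || { echo "unexpected key size '$bits' in $csr" >&2; return 1; }
    mkdir -p "$out_dir"
    openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -days 365 -sha256 -out "$out_dir/$serial.cer" 2>/dev/null   # 365 days: assumption
    # Before the file is loaded into the pad, confirm it certifies exactly the CSR's key.
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    cer_key=$(openssl x509 -in "$out_dir/$serial.cer" -noout -pubkey | openssl sha256)
    [ "$csr_key" = "$cer_key" ] \
        || { rm -f "$out_dir/$serial.cer"; echo "key mismatch for $serial" >&2; return 1; }
    echo "$out_dir/$serial.cer"
}

# demo: throwaway CA plus a constructed stand-in for a pad CSR (a real pad's private
# key never leaves the device; here a local key is used only to produce the CSR).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Example In-house CA" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$work/pad.key" \
        -out "$work/SN-DEMO-0001.pem" -subj "/CN=pad SN-DEMO-0001" 2>/dev/null
    cer=$(sign_pad_csr "$work/SN-DEMO-0001.pem" "$work/ca.crt" "$work/ca.key" "$work/out")
    # The issued certificate must chain to the CA and carry the serial as file name.
    openssl verify -CAfile "$work/ca.crt" "$cer" >/dev/null 2>&1 || return 1
    [ "$(basename "$cer")" = "SN-DEMO-0001.cer" ] || return 1
    echo "$cer"
}
```

Run `demo` to see the path of the issued SN-DEMO-0001.cer; point sign_pad_csr at a real exported CSR and your CA files to produce the folder for “Replace public certificate…”.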
Options activated by license
This section is only displayed if a valid license key is saved in the software.
Change RSA password
In the “Change RSA password” section, the password can be configured to protect the RSA functions of the signature pad. The following functions are available:
Function | Description |
---|---|
Change RSA password… | This button can be used to protect the RSA functions in all selected signature pads with a password. If the devices are password-protected, certificates and keys can only be replaced if a password is entered. |
Delete RSA password… | This button can be used to delete an RSA password in all selected signature pads. |
If the password has been forgotten, it can only be reset by having the firmware reset by signotec for a fee.
Activate secure mode / change/deactivate password
In the “Activate secure mode / change/deactivate password” section, the signature pad’s “secure mode” can be configured and activated.
When “secure mode” is activated, the signature’s biometric data can no longer be read out of the signature pad in unencrypted form. Only rudimentary data without forensic significance are used for real-time rendering of the signature. If “secure mode” is not activated, the host software decides which functions of the signature pad are used and, for example, whether signatures are left unencrypted within the pad.
The following functions are available:
Function | Description |
---|---|
Activate/change password… | This button can be used to activate secure mode for all selected devices, or to change the secure mode password if it has already been activated. When this button is pressed, a dialog is displayed in which you enter the existing password (if any) and the new password. |
Deactivate secure mode… | This button can be used to deactivate secure mode, if it was activated previously. |
If the password has been forgotten, it can only be reset by having the firmware reset by signotec for a fee.
Deactivate features
In the “Deactivate features” section, individual functions of the signature pad can be permanently deactivated.
Clicking the button “Deactivate features…” opens a dialog listing the functions that can be deactivated permanently. Use the drop-down list to select all functions that are to be deactivated.
The following functions can be deactivated:
Generating RSA key pairs
Saving externally generated RSA key pairs
Saving externally generated public RSA keys for encryption
Signing externally generated data
Encrypting externally generated data
The deactivation of device functions is permanent and can only be undone by having the firmware reset by signotec for a fee.