1. Introduction

This manual serves as a guide to successfully carry out the installation process of the Bit4id Kit for the use of cryptographic cards and the procedure for accessing and using the management application. The Bit4id Kit consists of the following components:

  • Bit4id Middleware: libraries that allow any Operating System application to operate with cryptographic cards.
  • Bit4id - PKI Manager: application for card management, which allows you to perform operations such as changing PIN or PUK, unblocking PIN, obtaining information about the card, importing or exporting certificates...

This manual will guide you in a simple way through the installation and use process of the Bit4id Kit.

1.1. Who is this document aimed at?

End users, who will use chip cards in Windows environments

2. Before you start

Make sure you have:

  • A standard, PC/SC compatible card reader that is properly connected, installed, and configured. Follow the instructions provided by the reader manufacturer to verify proper installation and operation.
  • The latest version of the Bit4id Kit . Link to download the latest version
  • To be able to perform the installation, it is essential to have Administrator permissions . If you do not have them, the installation will be denied.

3. Installation

If necessary, you will need to download and install the drivers so that your computer recognizes the reader you have purchased. To do this, go to the official website of the reader manufacturer.

Follow the instructions provided by the reader manufacturer to verify its correct installation and operation.

If you purchase a bit4id reader, if your version of Windows is equal to or higher than Windows 7, you do not need to install any drivers.
If your operating system does not recognize the reader, download the reader drivers ( https://cdn.bit4id.com/es/AOC/drivers/Bit4id_drivers_Windows.zip ).

3.1. PKI Manager Installation Wizard

  1. Go to the folder where you downloaded the file and run it.
  2. Follow the installer steps.

Seleccionar idioma

Inici instal·lació

Acceptar termes

Procés instal·lació

  1. Once the PKI Manager installation is complete, restart the computer.
  2. Once the restart is complete, open the application.

    App Bit4id a l'Escriptori

    This is how it looks without any devices connected:

    Imatge sense cap dispositiu conectat
  3. With the application open, connect the reader to a USB port and then insert the card. You can also do this process by connecting the token to a USB port.
Interficie principal PKI Manager

4. Unattended installation (for advanced users)

WARNING: This procedure is only for specific cases where you have been explicitly instructed to do so. Most users should not perform an unattended installation.

To perform an unattended installation, simply enter the installer in the command box, passing it as the “/S” parameter.

WARNING: Due to the interaction limitations of an unattended installation, previous or incompatible versions must be removed before proceeding. Also, the machine must be forced to restart once the installation is complete.

5. Problems during installation

You may have previous versions of the card management application (Bit4id PKI Manager) installed on your computer, so you will be asked to remove previous versions before running the installer. Remove these versions and run the installer again.

  • To remove versions older than Windows XP , go to the Start menu > Control Panel > Add or Remove Programs > Bit4id PKI Manager xxxx (where xxxx represents the installed version number)
  • To remove older versions in Windows Vista or 7 , go to the Start menu > Control Panel > Uninstall a program > Bit4id PKI Manager xxxx (where xxxx represents the installed version number)
  • To remove previous versions in Windows 8 , go to the right side menu > Settings > Control Panel > Uninstall a program > Bit4id PKI Manager xxxx (where xxxx represents the installed version number)
  • To remove previous versions in Windows 10 , go to the Start menu > Control Panel > Programs and Features > Bit4id - Universal MW xxxx (where xxxx represents the installed version number)
  • To remove versions previous to Windows 11 , go to the Start menu > Control Panel > Programs and Features > Bit4id - Universal MW xxxx (where xxxx represents the installed version number)

6.End of installation

Once the installation process is complete, a shortcut to the Bit4id PKI Manager application (Card Management) will be created on the desktop, allowing you to perform any type of operation with it.

App Bit4id a l'Escriptori

You can also access the Bit4id PKI Manager application through the Home section.

App Bit4id a Inici de Windows

7. Access to the application

The Bit4id PKI Manager application is accessible from the desktop by clicking on:

App Bit4id a Escriptori

Likewise, the Card Management application can be accessed through:

  • on Windows 8 or 10 , go to the Start menu > All Apps > Bit4id PKI Manager
  • in Windows 11 , go to the Start menu > All apps > Bit4id PKI Manager

8. Functionalities

The Bit4id PKI Manager application has multiple functionalities accessible from the main screen.

IMPORTANT: Bit4id PKI Manager comes by default with the user version. To have all its functionalities, you must switch to the administrator version using the command: Ctrl+A

PKI Manager admin version:

Finestra principal PKI Manager

8.1. Functionality tables

Basic functionalities:

Captura de les funcionalitats bàsiques

Basic functionality table

Function Description
Unlock PIN Function to unlock the card PIN.
Change PIN Function to change the card PIN.
Change PUK Function to change the card PIN.
Login/Logout Function for Login/Logout on the card.
Device information Tab where we will find the description of the connected device and the card.
Certificates Tab where we will find the user and CA certificates loaded on the card.

To access the extra features, click on:

Click

Extra features:

Captura funcionalitats extres

Extra features table

Function Description
Login/Logout Log in or out of card content.
Refresh content Update the token/card content to see new certificates.
Change device name Define the name under which the device appears.
Change PIN Function to change the card PIN.
Unlock PIN Function to unlock the card PIN using the card's PUK.
Change PUK Function to change the card's PUK.
Import a certificate Function to import a certificate to the card.
Erase device Function to delete ALL certificates and keys from the card token.
  • Log in

To access any functionality offered by the software, you must enter the card PIN.

Inicia sessió

  • Change PIN

To change your PIN, enter your card PIN and enter your new PIN. The new PIN must be between 4 and 16 alphanumeric digits.

Canviar PIN

  • Unlock PIN

To unblock the PIN, enter the card's PUK and enter the new PIN. The new PIN must be between 4 and 16 alphanumeric digits.

Desbloquejar PIN

  • Change PUK

Enter the old PUK of the card and the new PUK. The new PUK must be between 4 and 16 alphanumeric digits.

Canviar PUK

  • Import

This option allows the import of certificates to the card. The accepted formats for importing certificates to the card are .p12 or .pfx as these formats include the private key of the certificate, essential for performing cryptographic operations.

To start the import, first select the certificate from your location, as shown in the image below:

Seleccionar certificat

Once the certificate is selected, press “Open”:

The system will ask you for the password of the PFX or P12 file (certificate and its private key) that you want to import, which contains your certificate and key pair. Insert it and complete the import options as you wish, where:

Contrasenya del certificat

– Import certificates without associated key pair: allows you to import the entire certification hierarchy included in the PFX or P12 file. We recommend NOT CHECKING this option.

– Define PKCS#11 CKA_ID: identifier that certain applications use when displaying the certificate. We recommend entering a useful identifying value, for example pedro_firma, pedro_acceso, pedro_cifrado, etc.

And the certificate import will be complete:

Importació OK

If you want to check that the certificate has been correctly saved, remember that you can review all the certificates stored on the card through the “View” option of Bit4id PKI Manager.

  • Certificate details (Certificates)

Once the card PIN is entered, you can view the certificates inside. In the pop-up window displayed by the application, you can view information about the previously selected certificate.

Informació del certificat
  • Card information (device information)

It offers detailed card information: model, serial number, manufacturer and label.
Support ( soporte@bit4id.com ) may ask you for this information to know the type of card you are using.

Informació del dispositiu

9. Additional checks in case of malfunction

The results of the following checks are necessary for the resolution of any type of incident. These results must be reported to the technical department in the event of any incident related to the use of your certificates stored on the cards. This will reduce the resolution time.

9.1. Checking the loading of certificates into the Windows store

Make sure you have:

  • Card reader connected to the machine
  • Smart card inserted into reader
  • At least one certificate stored on the card

This test aims to verify the correct loading of the card certificates into the Windows certificate store, which is essential for the use of our certificates in Microsoft applications.

That's why you have to open this warehouse:

  • in Windows 8 or 10, go to the Start menu > Enter certmgr.msc
  • in Windows 11, go to the Start menu > Enter certmgr.msc

Once the window is running, open the Personal folder and then the Certificates folder as follows:
as shown in the following image:

Magatzem de certificats a Windows

If you are shown information regarding your card's certificates, the check will have been completed satisfactorily.

If they are not imported automatically, you can force it as follows:

Força certificats

9.2. Checking the upload of certificates to the Firefox store

If you have the Mozilla Firefox browser on your machine in any of its versions, also perform the following test:

  1. Open Mozilla Firefox, go to -> Options Preferences
  2. In the section of Privacy and Security, look for the certificates section and click on View certificates…

Veure certificats al Firefox

  1. Enter your card PIN

Contrasenya

  1. Once you have entered the PIN, go to the View Certificates tab as shown below

Certificats a la targeta

If you are shown information regarding your card certificates, the verification will be required.
completed satisfactorily.

NOTE: in addition to the results of the checks set out in this section, indicate to the
technical department the version of the Bit4id Kit. To find out the version of your kit follow the instructions
set out in the following Frequently Asked Questions section, specifically in the answer to the
Question How can I check that I have the latest versions of the Bit4id Kit?

10. Frequently asked questions

What can happen if, when using Card Manager, I get the error message “C_OpenSession due to error 0x1”?
Check with the card provider (Certification Authority) about the status of the card, indicating all the steps you have taken.

What can happen if, using Card Manager, I get the error message “C_Login due to error 0x5”?
Your card PIN code may be in an inconsistent state. Try changing it. If the error persists, check with your card provider (Certificate Authority) about the status of your card, indicating all the steps you have taken.

What can happen if when trying to change the card PIN you get the error message “C_SetPIN due to error 0x6”?
Make sure the new PIN is between 6 and 8 alphanumeric digits.

Can I combine numbers and letters for the card PIN number?
Yes, there is no problem, as long as the new PIN is between 6 and 8 digits.

Is there a maximum number of PIN entries in case I have any doubts and don't remember my PIN number? When can the card be blocked?
If you enter your PIN incorrectly more than 3 times, it will be blocked. Follow the "Unblock PIN" steps above to unblock it.

Is there a maximum number of PUK insertions to try to unblock the PIN? What happens if the card is blocked?
If you enter the PUK code incorrectly more than 3 times, it is blocked. For security reasons, the card is completely blocked.

How can I check that I have the latest versions of the Bit4id Kit?

  • To check the installed version easily in Windows XP, go to the Start menu > Control Panel > Add or Remove Programs > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
  • In Windows Vista or 7, go to the Start menu > Control Panel > > Uninstall a program > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
  • In Windows 8 or 10, go to the right side menu > Settings > Control Panel > Uninstall a program > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
  • In Windows 11, go to the right side menu > Settings > Control Panel > Uninstall a program > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)

What can happen if when I run the Bit4id Kit installer I have a previous version installed on my computer?
It is always recommended to remove previous versions before installing. However, the installer is designed to automatically detect and remove previous versions. Please follow the on-screen instructions carefully.

11. Glossary

Certification Authority: is the trusted entity responsible for issuing and revoking electronic certificates used in electronic signatures. The Certification Authority, by itself or through the intervention of a Registration Authority, verifies the identity of the applicant for a certificate before its issuance or, in the case of certificates issued with the status of revoked, eliminates the revocation of the certificates by verifying this identity.

Expiration of the digital certificate: the digital certificate has a validity period that is stated on the certificate itself. It is generally 2 years, although the law allows a validity of up to 5 years. Once the certificate has expired, it will not be possible to use the services offered by the Administration that require an electronic signature, and any electronic signature made from that moment on will not be valid.

Digital certificate: document on computer media issued and signed by the Certification Authority, which guarantees the identity of the owner.

Recognized certificate: certificate issued by a Certification Service Provider that meets the requirements established in the Law regarding the verification of the identity and other circumstances of the applicants and the reliability and guarantees of the certification services they provide, in accordance with the provisions of Chapter II of Title II of Law 59/2003, of December 19, on electronic signatures.

Electronic signature: a set of data, in electronic form, attached to other electronic data or functionally associated with them, used as a means to formally identify the author or authors of the document that contains it. There are 3 types of electronic signature: simple, advanced and recognized electronic signature.

Simple electronic signature: set of data, in electronic form, attached to other data.

Advanced electronic signature: electronic signature that allows the signer to be identified and any subsequent changes to the signed data to be detected, which is uniquely linked to the signer and to the data to which it refers and which has been created by means that the signer can maintain under their exclusive control.

Recognized electronic signature: an advanced electronic signature based on a recognized certificate and generated by a secure signature creation device is considered a recognized electronic signature. The recognized electronic signature will have the same value with respect to data recorded electronically as a handwritten signature with respect to data recorded on paper.

Hash function: it is an operation that is performed on a data set of any size, so that the result obtained is another data set of fixed size, regardless of the original size, and which has the property of being uniquely associated with the initial data, that is, it is impossible to find two different messages that generate the same result when applying the hash function.

Hash or fingerprint: fixed-size result obtained after applying a hash function to a message and which meets the property of being uniquely associated with the initial data.

Integrity: integrity is the quality possessed by a document or file that has not been altered and that also allows verification that no manipulation has occurred in the original document.

Certificate Revocation Lists or Revoked Certificate Lists: list that contains exclusively the lists of revoked or suspended certificates (not expired ones).

Non-repudiation: the sender who electronically signs a document will not be able to deny that he sent the original message, since it is attributable to the sender through the private key that only he knows and that he is obliged to keep. Non-repudiation also allows you to verify who participated in a transaction.

Non-repudiation or non-repudiation is a security service closely related to authentication and which allows to prove the participation of the parties in a communication. The essential difference with authentication is that the former occurs between the parties establishing the communication and the non-repudiation service occurs before a third party.

Certification Service Provider or PSC: a natural or legal person who issues electronic certificates or provides other services in relation to electronic signatures. See Certification Authority.

PIN: sequence of characters that allow access to certificates. Personal Identification Number, sometimes called NIP.

PUK: sequence of characters that allows the PIN to be changed or unblocked. Personal Unblocking Key.

Renewal: Renewal consists of requesting a new certificate using a valid certificate that is about to expire. In this way, before a certificate expires, you can request renewal, which means that a new valid certificate will be issued.

Revocation: definitive cancellation of a digital certificate at the request of the subscriber, or on the initiative of the Certification Authority in case of doubt about the security of the keys. Revocation is an irreversible state. You can request the revocation of a certificate after a suspension situation or at the will of the people authorized to request it. Similarly, in the case of a suspended certificate, if the maximum suspension period has passed, if the certificate has not been enabled, it becomes definitively revoked. When the certification body revokes or suspends a certificate, it must state this in the Certificate Revocation Lists (CRL), to make this fact public. These lists are public and must always be available.

Smart card: any card with integrated circuits that allow the execution of certain programmed logic.