1. Introduction
This manual serves as a guide to successfully complete the Bit4id Kit installation process for using cryptographic cards and the procedure to access and use the management application. The Bit4id Kit consists of the following components:
Bit4id Middleware: libraries that allow any application of the Operating System to operate with cryptographic cards.
Bit4id - PKI Manager: application for managing the card, which allows you to perform operations such as changing PIN or PUK, unlocking PIN, obtaining information about the card, importing or exporting certificates...
This manual will guide you in a simple way in the process of installing and using the Kit Bit4id.
1.1. Who is this document for?
End users, who will use chip cards in Windows environments
2. Before you start
Make sure you have:
one standard card reader , compatible PC/SC that is properly connected, installed and configured. Follow the instructions provided by the reader manufacturer to verify correct installation and operation.
The latest version of Kit Bit4id . Link to download the latest version
To be able to carry out the installation, it is essential to have Administrator permissions . If you don't have them, the installation will be denied.
3. Installation
If necessary, you will have to download and install the drivers for your computer to recognize the reader you have purchased. To do this, go to the official page of the reader manufacturer.
Follow the instructions provided by the reader manufacturer to verify correct installation and operation.
If you purchase a bit4id reader, if your Windows version is equal to or higher than Windows 7, you do not need to install any drivers.
If your operating system does not recognize the reader, download the reader drivers ( https://cdn.bit4id.com/es/AOC/drivers/Bit4id_drivers_Windows.zip ).
3.1. PKI Manager Installation Wizard
Go to the folder where you downloaded the file and run it.
Follow the installer steps.
After the PKI Manager installation is complete, restart your computer.
Once the reboot is complete, open the app.
This is what it looks like without any device connected:
With the app open, connect the reader to a USB port and then insert the card. You can also do this process by connecting the token to a USB port.
4. Unattended installation (for advanced users)
ATTENTION: this procedure is only for specific cases where it has been explicitly indicated to you. Most users should not do an unattended install.
To be able to perform an unattended installation, it is only necessary to enter the installer in the command box, passing it as a "/S" parameter.
ATTENTION: due to interaction limitations of an unattended installation, older or incompatible versions must be removed before proceeding. Likewise, you must force restart the machine once the installation is complete.
5. Problems during installation
You may have older versions of the card management application (Bit4id PKI Manager) installed on your computer, so you will be prompted to remove older versions before running the installer. Please remove these versions and run the installer again.
- To remove previous versions a Windows XP , go to Start menu > Control Panel > Add or Remove Programs > Bit4id PKI Manager xxxx (where xxxx represents the installed version number)
- To remove previous versions a Windows Vista or 7 , go to Start menu > Control Panel > Uninstall a program > Bit4id PKI Manager xxxx (where xxxx represents the installed version number)
- To remove previous versions a Windows 8 , go to the right side menu > Settings > Control Panel > Uninstall a program > Bit4id PKI Manager xxxx (where xxxx represents the installed version number)
- To remove previous versions a Windows 10 go to the Start menu > Control Panel > Programs and Features > Bit4id - Universal MW xxxx (where xxxx represents the installed version number)
- To remove previous versions a Windows 11 go to the Start menu > Control Panel > Programs and Features > Bit4id - Universal MW xxxx (where xxxx represents the installed version number)
6. End of installation
Once the installation process is complete, a direct access to the Bit4id PKI Manager application (Card Management) will be created on the desktop that will allow you to perform any type of operation with it.
You can also access the Bit4id PKI Manager application through the Home section
7. Access to the application
The Bit4id PKI Manager application is accessible from the desktop by clicking on:
You can also access the Card Management application through:
- a Windows 8 or 10 , go to the Start menu > All Apps > Bit4id PKI Manager
- a Windows 11 , go to Start menu > All apps > Bit4id PKI Manager
8. Functionalities
The Bit4id PKI Manager application has multiple functionalities accessible from the main screen.
IMPORTANT: Bit4id PKI Manager comes by default with the user version. To be able to have all its functionalities, you need to switch to the administrator version using the command: Ctrl+A
PKI Manager admin version:
8.1. Functionality tables
Basic functionalities:
Table of basic functionalities
| function | Description |
|---|---|
| Unlock PIN | Function to unlock the card PIN. |
| Change PIN | Function to change the PIN of the card. |
| Change the PUK | Function to change the PIN of the card. |
| Login/Logout | Function for Login/Logout on the card. |
| Device information | Tab where we will find the description of the connected device and the card. |
| Certificates | Tab where we will find the user and CA certificates loaded on the card. |
To access the extra features, you must click on:
Extra features:
Table of extra features
| function | Description |
|---|---|
| Login/Logout | Sign in or Sign out of card content. |
| Refresh content | Refresh the token/card content to see new certificates. |
| Change the device name | Define the name under which the device appears. |
| Change PIN | Function to change the PIN of the card. |
| Unlock PIN | Function to unlock the card's PIN using the card's PUK. |
| Change the PUK | Function to change the PUK of the card. |
| Import a certificate | Function to import a certificate to the card. |
| Erase the device | Function to erase ALL certificates and keys from the card token. |
- Sign in
To access any functionality offered by the software, you must enter the card's PIN
- Change PIN
To change your PIN, enter your card's PIN and enter your new PIN. The new PIN must be between 4 and 16 alphanumeric digits.
- Unlock PIN
To unlock the PIN, enter the card's PUK and enter the new PIN. The new PIN must be between 4 and 16 alphanumeric digits.
- Change the PUK
Enter the card's old PUK and the new PUK. The new PUK must be between 4 and 16 alphanumeric digits.
- import
This option allows the import of certificates to the card. The accepted formats for importing .p12 or .pfx card certificates as these formats include the certificate's private key, which is essential to perform cryptographic operations.
To start the import, first select the certificate from your location, as shown in the image below:
Once the certificate is selected, press "Open":
The system will ask you for the password of the PFX or P12 file (certificate and its private key) that you want to import, which contains its certificate and key pair. Insert it and complete the import options according to your convenience, where:
– Import certificates without associated key pair: allows importing the entire certificate hierarchy included in the PFX or P12 file. We recommend NOT TICKLING this option.
– Define PKCS#11 CKA_ID: identifier that certain applications use when displaying the certificate. We recommend entering a useful identification value, for example pedro_firma, pedro_acceso, pedro_cifrado, etc.
And the certificate import will be completed:
If you want to check that the certificate has been correctly saved, remember that you can review all the certificates stored on the card through the "View" option of Bit4id PKI Manager.
- Certificate Details (Certificates)
Once the card PIN is entered, you can see the certificates inside. In the pop-up window displayed by the application, you can see information about the previously selected certificate
- Card Information (Device Information)
Provides detailed card information: model, serial number, manufacturer and label.
Support ( soporte@bit4id.com ) may ask you for this information to know the type of card you are using.
9. Additional checks for malfunctions
The results of the following checks are necessary for the resolution of any type of incident. These results must be reported to the technical department in the face of any incident related to the use of their certificates stored on the cards. In this way, the resolution time will be reduced.
9.1. Checking for uploading certificates to the Windows store
Make sure you have:
- Card reader connected to the machine
- Smart card inserted into the reader
- At least one certificate stored on the card
This test is intended to verify the correct loading of the card's certificates into the Windows certificate store, which is essential for the use of our certificates in Microsoft applications.
That's why you need to open this warehouse:
- in Windows 8 or 10, go to the Start menu > Enter certmgr.msc
- in Windows 11, go to the Start menu > Enter certmgr.msc
Once the window has run, open the Personal folder and then the Certificates tal i folder
as the following image shows:
If you are shown information regarding your card's certificates, the check will have ended satisfactorily.
In case they are not imported automatically, it can be forced as follows:
9.2. Checking for uploading certificates to the Firefox store
If you have the Mozilla Firefox browser in any of its versions on your machine, also perform the following test:
Open Mozilla Firefox, go to
-> Options 
preferencesIn the section of
Privacy and Security, look for the certificates section and click on See certificates...
- Enter the card's PIN
- After entering the PIN, go to the View Certificates tab as shown below
If you are shown information regarding your card's certificates, the check will
successfully completed.
NOTE: in addition to the results of the checks set out in this section, it indicates al
technical department the version of Kit Bit4id. To find out the version of your kit follow the instructions
set out in the next section Frequently Asked Questions, specifically in the answer of the
question How can I check that I have the latest versions of the Bit4id Kit?
10. Frequently asked questions
What can happen if, using Card Manager, I get the error message “C_OpenSession due to error 0x1”?
Check with the card provider (Certification Authority) about the status of the card, indicating all the steps you have taken.
What can happen if, using Card Manager, I get the error message “C_Login due to error 0x5”?
Your card PIN may be in an inconsistent state. Try changing it. If the error remains, check with the card provider (Certification Authority) about the status of the card, indicating all the steps you have taken.
What can happen if you get the error message “C_SetPIN due to error 0x6” when trying to change your card PIN?
Make sure the new PIN is between 6 and 8 alphanumeric digits.
Can I mix numbers and letters for the card PIN number?
Yes, no problem, as long as the new PIN is between 6 and 8 digits long.
Is there a maximum number of PIN entries in case you have any questions and can't remember my PIN number? When can the card be blocked?
If you enter the PIN code incorrectly more than 3 times, it is blocked. Follow the 'Unlock PIN' steps above to unlock it.
Is there a maximum number of PUK entries to try to unlock the PIN? What happens if the card is blocked?
If you enter the PUK code incorrectly more than 3 times, it is blocked. For security reasons, the card is completely blocked.
How can I check that I have the latest versions of the Bit4id Kit?
- To check the installed version easily in Windows XP, go to the Start menu > Control Panel > Add or Remove Programs > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
- In Windows Vista or 7, go to Start menu > Control Panel > > Uninstall a program > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
- In Windows 8 or 10, go to the right side menu > Settings > Control Panel > Uninstall a program > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
- In Windows 11, go to the right side menu > Settings > Control Panel > Uninstall a program > Bit4id PKI Manager Admin xxxx (where xxxx represents the installed version number)
What can happen if I have an older version installed on my computer when I run the Bit4id Kit installer?
It is always recommended to remove previous versions before installing. However, the installer is designed to automatically detect and remove older versions. Follow the on-screen instructions carefully.
11. Glossary
Certification Authority: it is the trusted entity, responsible for issuing and revoking the electronic certificates used in the electronic signature. The Certification Authority, by itself or through the intervention of a Registration Authority, verifies the identity of the applicant for a certificate before it is issued or, in the case of certificates issued with the condition of being revoked, removes the revocation of certificates when verifying this identity.
Expiration of the digital certificate: the digital certificate has a period of validity that is stated in the certificate itself. It is generally 2 years, although by law a validity of up to 5 years is allowed. Once the certificate has expired, you will not be able to use the services offered by the Administration that require an electronic signature, and any electronic signature made after that time will not be valid.
Digital certificate: document in computer support issued and signed by the Certification Authority, which guarantees the identity of the owner.
Recognized certificate: certificate issued by a Certification Service Provider that meets the requirements established in the Law regarding the verification of the identity and other circumstances of the applicants and the reliability and guarantees of the certification services they provide, in accordance with the provisions of Chapter II of Title II of Law 59/2003, of December 19, on electronic signatures.
Electronic signature: set of data, in electronic form, attached to other electronic data or functionally associated with them, used as a means to formally identify the author or authors of the document that collects it. There are 3 types of electronic signature: simple, advanced and recognized electronic signature.
Simple electronic signature: set of data, in electronic form, annexed to other data.
Advanced electronic signature: an electronic signature that allows the signer to be identified and any subsequent changes to the signed data to be detected, that is uniquely linked to the signer and the data it refers to, and that has been created by means that the signer can maintain under its exclusive control.
Recognized electronic signature: An advanced electronic signature based on a recognized certificate and generated using a secure signature creation device is considered a recognized electronic signature. The recognized electronic signature will have the same value with respect to the data entered in electronic form as the handwritten signature in relation to those entered on paper.
Hash function: is an operation that is performed on a data set of any size, so that the result obtained is another data set of fixed size, regardless of the original size, and that has the property of being uniquely associated with the data initials, that is, it is impossible to find two different messages that generate the same result when applying the hash function.
Hash or fingerprint: A fixed-size result obtained after applying a hash function to a message that satisfies the property of being uniquely associated with the initial data.
Integrity: integrity is the quality of a document or file that has not been altered and that also allows you to verify that no manipulation has occurred in the original document.
Certificate Revocation Lists or Lists of Revoked Certificates: the list that contains exclusively the relations of revoked or suspended certificates (not the expired ones).
Do not repudiate: the sender who electronically signs a document cannot deny that he sent the original message, since it is imputable to the sender by means of the private key that only he knows and that he is obliged to keep. Non-repudiation also allows you to check who participated in a transaction.
Non-repudiation or non-repudiation is a security service that is closely related to authentication and that allows to prove the participation of the parties in a communication. The essential difference with authentication is that the former occurs between the parties establishing the communication and the non-repudiation service occurs in front of a third party
Certification Service Provider or PSC: natural or legal person that issues electronic certificates or provides other services in relation to the electronic signature. See Certification Authority.
PIN: sequence of characters that allow access to certificates. Personal Identification Number, sometimes called NIP.
PUK: sequence of characters that allow changing or unlocking the PIN. Personal Unlocking Key.
Renewal: Renewal is applying for a new certificate using a certificate that is valid but is about to expire. In this way, before the expiry of a certificate you can apply for renewal and this means that a new valid certificate is issued.
Revocation: definitive cancellation of a digital certificate at the request of the subscriber, or at the Certification Authority's own initiative in case of doubt about the security of the keys. Revocation is an irreversible state. You can request the revocation of a certificate after a suspension situation or at the will of the persons authorized to request it. Likewise, in the case of a suspended certificate, if the maximum suspension period has passed, if the certificate has not been enabled, it becomes definitively revoked. When the certification body revokes or suspends a certificate, it must state this in the Certificate Revocation Lists (CRL), to make this fact public. These lists are public and must always be available.
Smart card (smartcard): q any card with integrated circuits that allow the execution of certain programmed logic.
