The Library tab in the Add Certificate dialog enables administrators to select and add certificates stored on hardware security devices connected to the server. Signotaur has been tested with YubiKey, SafeNet eToken, and Certum Card, but it should also work with any device that supports the PKCS#11 standard.
Before adding a certificate, ensure that a tool for communicating with the hardware device is installed on the server.
YubiKey: Install the Yubico PIV Tool, which includes libykcs11.dll, a library for PKCS#11 communication. We recommend the 64-bit version on Windows, which by default installs to: %ProgramFiles%\Yubico\Yubico PIV Tool\bin\libykcs11.dll
SafeNet eToken: Install the SafeNet Authentication Client, which includes eTPKCS11.dll for PKCS#11 communication. By default, it installs to: %SystemRoot%\System32\eTPKCS11.dll
Note: Ensure that the user account running the Signotaur service has read and execute access to the PKCS#11 library file and to the directory that contains it (vendor libraries usually load further DLLs from the same directory), and that the library's bitness (32-bit or 64-bit) matches the service process, since a 64-bit process cannot load a 32-bit DLL.
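The following PowerShell script is an added pre-flight check for this page; it is not part of Signotaur or of any vendor tool. It looks for a PKCS#11 library at the two default paths named above, reads the DLL's PE header to report whether it is 32- or 64-bit, and inspects the ACL of the file and its directory for the service account. The account name passed to -ServiceAccount is a placeholder you must supply yourself, and the final token listing only runs if OpenSC's pkcs11-tool happens to be on PATH; both are assumptions, not requirements of the product.

```powershell
<#
  Added example for this page, not part of Signotaur or any vendor tool.
  Pre-flight checks before using the Library tab: library present, bitness,
  and ACL for the service account. Assumptions: -ServiceAccount is the account
  the Signotaur service runs as (placeholder, pass your own); the default paths
  are the two named above; the token listing uses OpenSC's pkcs11-tool only if
  it is already on PATH.
  Usage:  .\Test-Pkcs11Library.ps1 -ServiceAccount 'DOMAIN\svc-signotaur'
#>
param(
    [Parameter(Mandatory)] [string]$ServiceAccount,
    [string[]]$CandidatePaths = @(
        "$env:ProgramFiles\Yubico\Yubico PIV Tool\bin\libykcs11.dll",
        "$env:SystemRoot\System32\eTPKCS11.dll"
    )
)

$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$found = @($CandidatePaths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
if ($found.Count -eq 0) {
    Write-Warning 'No PKCS#11 library found at the default paths; install the vendor tool first.'
    return
}

foreach ($lib in $found) {
    Write-Host "Library: $lib"

    # A 64-bit service cannot load a 32-bit DLL: read the Machine field of the PE header.
    $bytes    = [System.IO.File]::ReadAllBytes($lib)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4) # IMAGE_FILE_HEADER.Machine
    $arch = switch ($machine) { 0x8664 { 'x64' } 0x14C { 'x86' } default { '0x{0:X}' -f $machine } }
    Write-Host "  Architecture: $arch"

    # Check the file and its directory: vendor libraries load further DLLs from the same folder.
    # Only ACEs naming the account directly are evaluated; grants through group membership are
    # not resolved here, so "NOT LISTED" means verify by running a load test as that account.
    foreach ($target in @($lib, (Split-Path -Parent $lib))) {
        $aces = (Get-Acl -LiteralPath $target).Access |
            Where-Object { $_.IdentityReference.Value -ieq $ServiceAccount }
        $deny  = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }
        $allow = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$rx)) -eq [int]$rx
        }
        $state = if ($deny) { 'DENIED' }
                 elseif ($allow) { 'OK (Read & Execute)' }
                 else { 'NOT LISTED (may still be granted via a group)' }
        Write-Host "  $ServiceAccount on ${target}: $state"
    }

    # Optional: an independent view of what "Load tokens" will see, via OpenSC's pkcs11-tool.
    if (Get-Command pkcs11-tool -ErrorAction SilentlyContinue) {
        & pkcs11-tool --module $lib --list-slots
    }
}
```

Run it in an elevated PowerShell on the server before opening the Add Certificate dialog. If the architecture reported does not match the Signotaur service process, or the service account shows DENIED on either path, the dialog's Load tokens step will fail even though the library exists.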
Specify Library Path
Enter or select the path to the PKCS#11 library in the Path to PKCS#11 Library field. The dropdown lists any known default library paths that exist on this server. Click the Load tokens arrow to retrieve tokens once you've specified a library.
Select a Token
Once tokens are loaded, choose the token containing the certificate you wish to use from the PKCS#11 Token dropdown.
Enter PIN/Password
Enter the PIN or password associated with the selected token in the PIN/Password field, and click Load certificates.
Add Certificate
A list of code-signing certificates with private keys will appear. Select the certificate you wish to use, and click Add Certificate.