Making digital signatures with a browser

This page contains informations about how to use a certificate or your electronic identity card (eID card) for making digital signatures with your browser.

This page is split into the following sections :

Technical requirements
Getting a digital certificate
Setup for Internet Explorer
Setup for Firefox
Troubleshooting

1. Technical requirements

Creating a digital signature has additionnal requirements over digital authentication. For instance, it requires up-to-date browsers and libraries for encrypting data. The components required for making digital signatures are the following :

Internet Explorer >= 5.5 or Firefox >= 3.0 (other browsers may work but are not officially supported).
A digital signature certificate (an eID card contains one).
For Internet Explorer :
- The CAPICOM library (should be automatically installed, see section 3).
For Firefox :
- If you are using an eID card, the eID middleware must be correctly configured and the PKCS#11 module must be registered into Firefox.

Isabel Office Sign does not support Firefox. You cannot make a digital signature using your Isabel certificate with Firefox. Use Internet Explorer instead.

2. Getting a digital certificate

A certificate is needed to sign data. Such a certificate is included in your belgium electronic identity card. If you do not have an eID card, you can get one from one of the following Certificate Authorities :

Only Isabel, GlobalSign, Certipost and QuoVadis certificates are currently accepted by the FPS Finances (complete list here).

Only class 3 certificates are allowed. These certificates are named "Qualified Certificates" by Certipost, or "PersonalSign3 Pro" by GlobalSign. Certificates from eID cards are also class 3 certificates.

If you want to use your eID card, please make sure that the required softwares are correctly installed and configured on your machine (appropriate operating system, card reader and eID middleware installed, browser correctly configured). Instructions for the installation, the configuration and the use of you eID card are available on the following sites:

Site of the Federal Public Service about the eID card : http://eid.belgium.be.
Site of Zetes about the installation, the configuration and the use of the eID card : http://readers.eid.belgium.be.

Please use a middleware version 3.0 minimum. Previous versions might cause various problems, for instance with Windows Vista.

3. Setup for Internet Explorer

In order to avoid problems, we heavily recommend that you put the Web site of the Ministry of Finances in the list of trusted sites :

Go in menu "Tools > Internet Options...", tab "Security"
Click on "Trusted Sites", button "Sites..."
Type in the text box "*.minfin.fgov.be", and click on "Add" to add the site to the list of trusted sites. See screenshot below.
Click on "OK", and next on "Ok".

Add *.minfin.fgov.be to the list of Trusted Sites

Using such configuration, you can jump directly to section 3.2.

3.1. Installation of the CAPICOM library

This library is used to digitally sign data, verify digital signatures, envelop data for privacy, hash data, encrypt/decrypt data and more. If this library is not present on your computer, it is automatically installed, when possible. Depending on your configured security level, you may have to perform the following steps :

Low security level configured, or site minfin.fgov.be belonging to trusted sites

With such configuration, the CAPICOM library is automatically installed. You can jump to section 3.2. To see how to add the site of the Ministry of Finances to the list of trusted sites, see here.

Medium security level configured, site minfin.fgov.be not belonging to trusted sites

With this configuration, Internet explorer will first ask you if ActiveX controls can be actived. Click on the bar located on the top of the screen, and click on "Install ActiveX Control...".

Internet Explorer will next ask you the authorization to install the CAPICOM library. You can safely install this component. Click on "Install".

Highest security level configured, or manual installation of CAPICOM

If you need to manually install the CAPICOM library, a version for Internet Explorer 6.0 SP1 and above can be manually downloaded and installed from the Microsoft web site.

A copy of the CAPICOM library is also locally available here. Follow these steps to register this library in Windows:

Download capicom.cab
Unzip the file
Copy the capicom.dll library to the system directory of Windows, usually C:\Windows\System32
Open a Command Prompt as Administrator :
Start > Programs > Accessories > right click on Command Prompt > Run as... > Administrator
Enter the system directory : cd \Windows\System32
Register the library : regsvr32 capicom.dll
Restart the browser

3.2. Installing a digital certificate into Internet Explorer

eID certificates are automatically installed in your browser. If you are using an electronic ID card, you can jump to the next section.

The digital certificate need to be registered into your browser(s). If you use an eID card and have the eID middleware installed, your certificates are automatically installed the first time you insert your card in the reader. For a software digital certificate, many certificate providers give a tool to register it automatically. When the certificate is only provided as a file, the following steps are needed for loading it in your browser.

In Internet Explorer : go to "Menu Tools" > "Internet Options..."
Click on tab "Content", next on button "Certificates...". A list appears with all your installed certificates.
Click on "Import...". This opens a wizard. Click on "Next".
On the dialog box that appears, enter the complete path to your certificate file, and click on "Next".
Enter the password you received from the certificate authority. You can also mark the private key as exportable. Click on "Next".
Choose "Automatically select the certificate store..." and click on "Next".
You will received a message indicating whether the import was successful or not. Click on "Finish".
The newly imported certificate should now appear in the tab "Personal" of the "Certificates" dialog box. You can check the validity of the certificate by double-clicking on it. You should see the mention "You have a private key that corresponds to this certificate".

3.3. Configuring Internet Explorer

If the site minfin.fgov.be is in the list of trusted sites, the following options should already be correctly configured.

Some options must be activated to allow you to make a digital signature:

Go to menu Tools" > "Internet Options...".
Click on tab "Security", "Custom Level".
Make sure that "Microsoft VM > Disable Java" is NOT checked.
Check that "Scripting > Active scripting" is set to Enabled.
Check that "Scripting > Scripting of Java applets" is set to Enabled.
Check that "ActiveX controls and plug-ins > Download signed ActiveX controls" is set to Prompt or Enabled.
Check that "ActiveX controls and plug-ins > Run ActiveX controls and plug-ins" is set to Enable.
Check that "ActiveX controls and plug-ins > Script ActiveX controls marked safe for scripting" is set to Enable.
Click on "OK", and "Apply".

4. Setup for Firefox

For Firefox, the required actions are:

If you use an eID card, you must register the PKCS#11 module into Firefox
Otherwise, you just have to install your certificate into Firefox

Isabel Office Sign does not support Firefox. You cannot make a digital signature using your Isabel certificate with Firefox. Use Internet Explorer instead.

4.1. Register the Belgium eID middleware in Firefox

The first time it is used, the "Belgium Identity Card PKCS#11" module must be registered in Firefox. This module can be registered automatically by opening a special html page located on your hard drive, usually at the following locations :

Windows: C:/Program Files/Belgium Identity Card/beid-pkcs11-register.html
Linux: /usr/share/beid/beid-pkcs11-register.html .

(Note that the location of this file may vary, according to your platform or installation options.)

4.2. Installing a digital certificate into Firefox

This section is useless if you use an eID card.

The authority that delivers the certificate usually provides instructions or tools to register the certificate in many applications. You should follow them in priority. The instructions given below may differ and are only indicative. For any problem related to the installation of your certificate in Firefox, please contact the authority that provided the certificate.

When the certificate is provided as a file, the following steps are needed for loading it in your Firefox. The certificate must be in the PKCS12 format. If it is not, the certificate can still be imported and exported into this format using Internet Explorer, or by using openssl. Contact your certificate provider for more informations about these questions.

Here are the necessary steps to register a certificate in Firefox.

4.2.1 Open the Certificate Manager of Firefox

Go in menu "Tools > Options... > Advanced" or "Edit > Preferences > Advanced" depending of the version of Firefox.
Click on tab "Security" or "Encryption" depending of the version of Firefox.
Click on "Show certificates" or "View certificates". This opens the Certificate Manager

4.2.2 Check that the certificate of your provider is trusted by Firefox

Firefox will not trust your certificate unless the certificate authority is in the list of trusted authorities. Here is how to check that your certificate authority (e.g. GlobalSign, Certipost or QuoVadis) is in this list :

In the Certificate Manager of Firefox, select tab "Authorities".
For GlobalSign certificates : check that the certificate "GlobalSign PersonalSign Class 3 CA" is present.
For Certipost certificates : check that the following certificates are present : "Certipost E-Trust Primary CA for Qualified certificates" and "Certipost E-Trust Secondary Qualified CA for Physical Persons".
For QuoVadis certificates : check that the following certificates are present : "QuoVadis EU Issuing Certification Authority G2" and "QuoVadis EU Issuing Certification Authority G3".

You can known which certificate must be imported by looking at the name of the certificate authority that emitted your certificate. This name can be viewed on Windows simply by opening the certificate.

If the certificate of your authority is missing, ou must import it. Here is how to do that :

Import the certificate of the authority:
- either click on the certificate(s) of your authority :
  - GlobalSign Root CA (for GlobalSign certificates, should be already trusted by Firefox)
  - GlobalSign Primary Class 3 CA (for GlobalSign certificates)
  - GlobalSign PersonalSign Class 3 CA (for GlobalSign certificates)
  - Certipost E-Trust Primary Qualified CA (For Certipost Certificates)
  - Certipost E-Trust Secondary Qualified CA for Physical Persons (For Certipost Certificates)
- either (a bit more complicated but safer) :
  1. download the certificate of your provider from his web site (http://www.certipost.be/ , http://www.globalsign.com/ or https://www.quovadisglobal.be). Contact your certificate provider for more informations.
  2. Open the Certificate Manager of Firefox (see section 4.2.1).
  3. Select tab "Authorities", and click on "Import".
  4. Select the certificate of the provider.
In each popup window that appears, check all boxes and click on "OK". See figure below.

Import the certificate of your CA into Firefox

4.2.3 Import your certificate

In the Certificate Manager of Firefox, select tab "Your Certificates".
Click on "Import".
Select the file that contains your certificate, and click on "Open".
Depending on your configuration, you will be asked to enter the password of the security device of Firefox.
Next, enter the password of the certificate, received from your provider, and click on "OK".
Your certificate should now appear in the tab "Your certificates".

4.2.4 Check that your certificate is correctly installed

In the Certificate Manager of Firefox, select tab "Your Certificates".
Select your certificate and click on "View".
Check that Firefox recognizes the usage of the certificate (see figure below).

Check that your certificate is correctly installed in Firefox

4.3. Configuring Mozilla Firefox

Some options must be activated to allow you to make a digital signature :

Go in menu "Tools > Options... > Web Features" (Or "Edit > Preferences > Web Features" in old versions).
Make sure "Enable Javascript" and "Enable Java" opions are both checked.
Check also that your browser does not block popup windows coming from FPS Finances.

4.4 Usage of your certificate for making signatures

This section describes how to use your certificate to produce a digital signature in an application of the FPS Finances.

When a signature is required, a popup window looking like this appears
Select your cetificate and, if needed, type the password that protects the access to all your certificates. By default, this password is not defined in Firefox. In this case, leave this field blank and click on "OK". Note that this password is not the one that protects your certificate, and that was given by your certificate provider. It is instead the password that you can define here in Firefox: Menu Edit > Preferences > Advanced > Encryption > Security Devices, select Software Security Device and click on "Change Password". It is heavily recommended to define such password to protect the access to your certificates.

5. Troubleshooting

Error 101 : No data to sign

There is no data to sign. This problem usually appears if you used the "back" button or if some error occurred in the application. In such situations, it may happen that the application "loses" the document that you wanted to sign. You probably need to go a few steps backward, and restart the signature processus.

Error 501 : The CAPICOM library is not properly installed, aborting. (IE only)

The CAPICOM library was not found. Make sure that a file named capicom.dll is present in your Windows system directory (usually C:\Window\System32\ or C:\Winnt\System32). This library should have been automatically installed, provided that you authorized the installation, see section 3.1.

To enable automatic installation, you can tell the browser to trust the Web site of the Ministry of Finances :

Go in menu "Tools > Internet Options...", tab "Security"
Click on "Trusted Sites", button "Sites..."
Type in the text box "*.minfin.fgov.be", and click on "Add" to add the site to the list of trusted sites. See screenshot below.
Click on "OK", and next on "Ok".

Error 502 : The certificate store does not contain any certificate. (IE only)

You do not have any certificate installed in your browser, or no certificate is suitable for signing a document. Make sure you successfully imported your digital certificate in the browser, see http://readers.eid.belgium.be/ for informations about how to import a certificate into Internet Explorer.

Error 503 : Failed to access the keys of the selected certificate. Permission was probably denied. (IE only)

This is a permission issue. The current user does not have sufficient permissions to access the key of your certificates. These keys are stored in "Key containers" for which you should have access. The steps to resolve this problem depend on the version of Windows you are using :

Windows NT :

The permission of the key container are specified in the registry. To change these permissions, open regedt32 (not regedit!), open the hive HKEY_LOCAL_MACHINE and highlight the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys\<container name>. Select Security/Permissions from the menu and make sure Everyone has Full Control over this key.

Windows 2000 and Windows XP :

In Windows Explorer, locate the C:\Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\ directory. Change the access rights on this directory and all the files it contains by performing the following steps :

Right-click on the C:\Documents and settings\<username>\Application Data\Microsoft\Crypto\RSA\ directory.
Point to Properties
Click Security tab.
Make sure that You, the Administrator and the System have full control over this directory (check that all Allow boxes are checked).
Click Advanced.
Select the two check boxes (Inherit... and Replace...) on the bottom to enable the propagation of these access rights to all sub-directories and files.
Click Apply, then Yes, and OK.
Click OK.

You may have to reproduce these steps for the C:\Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\ directory

Note These are hidden files. In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:

Click Start, point to Settings, and then click Control Panel.
If you are in Category View : click Appearance and Themes
Click Folder Options.
On the View tab, under Hidden files and folders, click Show hidden files and folders.

Error 504 : Failed to access the keys of the selected certificate. Permission was probably denied. (IE only)

See Error 503.

Error 505 : Failed to access the keys of the selected certificate. Probable conflict between some of your certificates. (IE only)

There exists two possible causes : either you are using an old eID middleware, or there is a conflict between some of your certificates.

First, check the version of your Belgium eID Run-time. You may lauch the belgium eID utility program, usually located at "C:\Program Files\Belgium Identity Card\beidgui.exe". The version is shown in the "info" tab, it should be 3.0 (or higher). Please consider upgrading to the latest version available. This can be donwloaded from the eid belgium website at http://eid.belgium.be.

If this does not solve the problem, then the problem most probably lies in some conflict between the certificates that are registered by the eID middleware. This problem can be solved by manually deleting certificates.

To delete a certificate on Windows 2000 or Windows XP:

Click Start and select Run.
Type mmc and press ENTER.
On the File menu, select Add/Remove Snap-In.
Click Add.
Double-click Certificates.
Select My user account.
Click Finish.
Click Close and then OK.
Double-click Certificates - current user.
Double-click Personal and then Certificates.
Click the certificate to delete.
Press DELETE and click Yes.
Close the Console1 window.

Your eID certificates will be re-registered automatically when you insert your eID card. If you had a class 3 certificate, then you will have to re-register it.

Error 506 : Failed make the signature. You card is maybe not present or not correctly inserted. (IE only)

Internet explorer is unable to access the certificates because your card is either not detected or not present. This error appears for instance when you want to make a signature but you removed the eID card after the authentication.

Error 507 : Failed make the signature. You card is maybe not present or not correctly inserted. (IE only)

Internet explorer is unable to access the certificates because your card is either not detected or not present. This error appears for instance when the eID card is ejected just before validating the PIN code.

Error 508 : Failed to make the signature. The browser seems to be confused. You probably need to restart it. (IE only)

Internet explorer is confused and cannot access your certificates. This error usually appears after other errors like the ones described above. You probably need to restart Internet Explorer.

Error 509 : Failed to make the signature. The certificate could not be found. (IE only)

This error appears when Internet Explorer cannot find the certificate selected. This error appears with Isabel certificates. This error is cause by a faulty update of the Isabel certificates by Isabel Office Sign. A solution is available on the Isabel on-line support (www.isabel.be), section "Isabel Web Support", under document ID 48700 (make a search using this ID). If this does not solve the problem, contact the Isabel Helpdesk.

Error 510 : An error occurred during the signature process (IE only)

The CAPICOM library failed to create the digital signature. Depending on the actual error, one or more of the following actions may help resolve this problem :

Re-install the CAPICOM library. You can simply delete the capicom.dll file in your Windows System directory (e.g. C:\Windows\System32), and next perform the installation procedure described in section 3.
Re-import your certificate, as it might be corrupted.
If you are using an eID card, install the latest version of the eID Middleware.
Try with Firefox.

Error 601 : Your browser failed to sign. (Firefox only)

Your certificate is not correctly installed in Firefox and/or Firefox does not trust it.

If you are using a GlobalSign, Certipost or QuoVadis certificate, check that Firefox trusts your certificate. For that, open the Certificate Manager of Firefox (see section 4.2.1) and check that Firefox trusts your certificate (see section 4.2.4).

For any problem, please read section 4.2 and check that:

your certificate has not expired
the certificate of you provider is in the list of trusted certificate authorities of Firefox (see section 4.2.2)

If you encounter other problems related to the use of your certificate with Firefox, please contact your certificate provider (GlobalSign, Certipost or QuoVadis).

If you are using an eID card, check the trust settings of the "Citizen CA" authority. In order to do that, open the Certificate Manager of Firefox (see section 4.2.1) and adapt if needed the trust settings as shown below :

Error 602 : No suitable certificate has been found. (Firefox only)

Firefox failed to find a valid certificate. Check that your certificate is still valid and follow the instructions given in section 4.2.

If you are using an eID card, check that the eID middleware is correctly installed and that the PKCS#11 security module is regsitered in Firefox (see section 4.1).

When I click on "OK", the popup window for selecting certificates appears again (Firefox only).

The password provided is not correct. Warning, the password asked by Firefox is not the password of your certificate (the one given by the certificate provider), but is instead the password defined in Firefox for your "Security Device". This password is not defined by default in Firefox. In such case, leave the field blank and click on OK. See section 4.4.