CSPid Support

  • Downloads
  • History
  • Knowledgebase
CSPid Admin Guide CSPid Admin Guide
Admin Guide for version 5.1.0
CSPid CAPI Bridge CSPid CAPI Guide
Admin Guide for the CSPid PKCS$11 Bridge for 5.1.0
CSPid User's Guide CSPid User's Guide
User's Guide for version 5.1.0
CSPid 5.1.0 Release Notes
Release notes for version 5.1.0 (Windows)

CSPid Admin Guide CSPid Admin Guide
Admin Guide for version 4.0.0
CSPid User's Guide CSPid User's Guide
User's Guide for version 4.0.0
CSPid 4.0.0 Release Notes
Release notes for version 4.0.0 (Windows)

CSPid User's Guide CSPid User's Guide
User's Guide for version 3.1.0
CSPid User's Guide Using CSPid with Citrix
Guidance on using CSPid 3.0 and below in a Citrix environment
download icon CSPid VPAT 5/29/09

Section 508 VPAT for CSPid

Release 5.0.0

Package Enhancements:

  • client-side key generation is supported for use with CCMS 4 and above
  • support has been added for windows 10, Fiddler, and other .Net-based applications
  • added support for managed CRLs; on Windows, managed CRLs are installed into the Windows store
  • performance with Windows services using impersonation has been improved (requires password caching to be enabled and the password to be cached)
  • OCSP server configuration adds an option that causes CSPid to regard as "revoked" any certificate not explicitly validated by the server (e.g., with this option an "unknown" response is regarded as a validation failure)
  • additional key derivation options are now available when deriving symmetric keys from the user's PDU password
  • a fourth audit trail level, filtered debug, is now available that attempts to scrub sensitive information from the debug level
  • descriptions of the blacklist and whitelist options and functionality in both the administrator's guide and the Bagala Editor have been improved
  • the Balaga Editor text for the CCMS URL now supplies an example
  • keyboard shortcuts for common tasks have been added
  • the executables and MSI package are now signed using SHA-256
  • the type 2 Firefox add-on included with CSPid 5.0 has been digitally signed by Mozilla as required by Firefox version 43 and above
  • an RPM installation package is now available
  • due to customer demand, the combined CMU/CSPid package is again available
  • RSA 3072 and 4096 are now supported in the cspid_cli '--gen-p10-type' option
  • cspid_cli now supports per-session password caching on systems that do not include a system tray; use the CLI option '--cache' to cache the password and '--cache-quit' to clear the password and terminate caching
Operational Changes:
  • deleting a certificate in Advanced view no longer deletes the public and private keys associated with it
  • if CSPid Manager is configured to hide its system tray icon on startup, it offers a 'Hide' option rather than 'Exit'; to exit, the user must run 'cspid_ui --exit'
  • Renew now checks the validity of the user's certificates, including revocation checking, so that it can perform the renew operation if the user's certificate has been revoked
  • OCSP support has been renamed 'Windows Validation Client' and now supports revocation checking options of none, CRL, or OCSP on a per-host or per-issuer basis
  • The 'Renew my certificate' system tray option is now enabled if CCMS renewal is enabled
  • Register with applications (which is run whenever the CSPid Manager is started) now deletes all CSPid credentials from CAPI and then recreates them
  • most configuration strings are now trimmed of whitespace when CSPid reads them from the CSPid.xml file
  • CSPid falls into read only mode if the caling process is running at a low integrity level; applications that should run in read only mode may now be named explicitly in the configuration settings
  • when per-session password caching is enabled the CSPid library now attempts to eliminate unnecessary password prompts before CSPid Manager is started
  • 'cspid_cli --list' now outputs additional certificate information
  • improved handling of friendly name values in Microsoft CAPI: friendly names in PKCS#12 files are used as CKA_LABEL values during import, and CKA_LABEL values are used when exporting PKCS#12 files
  • on Windows, the program path in java_pkcs11.cfg has been changed to the System folder
  • on Linux, when installed in the default /opt/cspid location cspid_cli and spid_ui no longer require LD_LIBRARY_PATH to be set; the rpath value in the executables has been updated to include /opt/cspid
New Admin Features:
  • a new option is available to lock the user's PDU to a subset of the configuration options so that the PDU is only useable if the same or stronger settings are present at run time
  • the "Allow impersonation (Windows Only)' option in Bagala->General CSPid->Internal Use can be used to prevent services and other processes from impersonating the user and accessing their CSPid key store
  • the "Suppress CKR_USER_ALREADY_LOGGED_IN" option in Bagala->General CSPid->CSP can be used to specify applications for which CSPid should return CKR_OK instead of CKR_USER_ALREADY_LOGGED_IN
  • the "Assert CKF_PROTECTED_AUTHENTICATION_PATH" option in Bagala->General CSPid->CSP can be used to specify those applications for which CSPid should set the CKF_PROTECTED_AUTHENTICATION_PATH flag when C_GetTokenInfo is called and either per-session or permanent password caching is enabled
Bug Fixes:
  • corrected an issue where applications would stop working once the configured password timeout had expired.
  • the internal path validation module properly supports hierarchical PKIs with more than two levels
  • CSPid Manager no longer crashes when the CLI initializes the PDU
  • 'cspid_cli --cfg-update' now works when the current configuration is malformed
  • 'cspid_cli --ccms-retrieve' with '--debug' no longer returns a spurious invalid session handle error.
  • Internet Explorer and other applications should no longer crash when the Windows Validation Client is enabled
  • the JAWS screen reader now speaks the correct window titles for password prompts and CSPid Manager
  • Qt console output is now suppressed
Release 4.0.0

The following enhancements are included:

  • added support for centralized administration (with Bagala)
  • added ability to cache DAS responses and support for the new DAS Proxy API
  • improved FireFox integration
  • Windows port now uses CSP/KSP and no longer relies on any Microsoft smart card components (i.e., the smart card minidriver shim in the diagram below has been eliminated)
  • integrated certificate manager now sorts installed certificates into categories


Release 3.0.2 to Release 3.1.0


  • CSPid Manager now provides an 'Export all' menu item that allows you to export your certificates as individual .der/.p12 files
  • the configuration file supports two new options to provide control over private key export attempts from Firefox and to optionally display a system tray popup message when that is not allowed (see CSPID_INT_PRIVATE_ATTRIBUTE_EXPORT and CSPID_INT_PRIVATE_ATTRIBUTE_ACCESS_MESSAGE in the .cfg file)
  • CSPid will now attempt to remove the CAPI private key link file in 'AppData\Roaming\Microsoft\SystemCertificates\My\Keys' when deleting credentials

Release 2.1 to Release 2.2.5

Improvements in cspid_cli:

  • '--import' command now supports a '--replace' option
  • added '--graphical-prompt' option: when necessary, user is prompted for additional input (and program no longer hangs with an invisible window when used with REGAPPSCM)
  • '--export' command (with '--exp-pin-cspid' and password caching enabled) no longer prompts for a password and exports the user's keys without error

Improvements in CSPid Manager:

  • the CKA_LABEL field is now editable
  • command line now supports '--exp-pin-cspid' and properly logs in when a command is executed but the user is not yet logged in (say for 'Register with Applications')

Other improvements:

  • double clicking system tray icon makes active the resulting dialog (main UI or password prompt)
  • new PWCACHE=1 option caches password for entire session (requires system tray app to be running): on first use CSPid prompts for password and then behaves as for PWCACHE=2 until user logs off or quits system tray app, at which point the cached password is cleared
Release 2.0 to Release 2.1


  • #4489: added password timeout option to require password reentry after a period of inactivity
  • #4490: protects sensitive key and other material kept in memory; see CSPid User's Guide for details
  • #4511: added GUI command line option '--start-hidden' for use on operating systems that do not have a system tray

Corrected Defects:

  • #4443: '--export-all-keys' option now properly errors when unable save a file
  • #4467: password prompt for PKCS#12 import now includes the name of the file the user is trying to import
  • #4476: '--showsuccess' message no longer appears after each succesful PKCS#12 file is imported when using the '--import' GUI command line option
  • #4481: password creation dialog now informs the user when the entered passwords do not agree
Use of CSPid over RDP (#4749)

If you are using RDP to connect to a remote desktop on which CSPid is installed, RDP may redirect attempts to use CSPid to your local machine. In this situation you may see error messages like the following when attempting to sign a document opened in an Office application on the remote host:

"Your signature could not be added to the document. If your signature requires a smart card, ensure that your card reader is installed correctly."

This problem can be resolved by installing a special 'driver-only' version of CSPid on the local system.

Use of CSPid with certain versions of SA5CLI (#3333)
There appears to be compatibility issues between CSPid and SA5CLI versions 5.9.4 and 5.9.1 that we believe are due to bugs in those SecretAgent builds. If you encounter this problem, please request a SA5CLI update.
CAPI/CSPid interaction when a key is shared by two Windows accounts (#3309)

This issue only applies when roaming profiles are used by both Windows accounts.

If an existing CAPI key pair in one Windows account is loaded into CSPid in another account, CAPI will incorrectly mark the private key as being in CSPid for both accounts. This effectively makes the private key inaccessible from the first (CAPI-only) account.

If the key pair must be shared, CSPid should be installed on both accounts and the key pair either placed in a shared P15 file or duplicated in each user's individual P15 file.

Viewing security device in Firefox 2 causes crash on Linux platforms (#2844)
Clicking on "ISC CSPid" in the Firefox 2/Linux Security Devices dialog causes Firefox to crash with the error:
*** glibc detected *** free(): invalid pointer: 0x0a346c30 ***
This didn't happen with Firefox 1.5 and hasn't been noted on other platforms, so it is most likely a Firefox bug.
Current release:
  • {version}
CSPid Information