Key Storage Configuration Options
PKCS12 Key Storage Options
PKCS12 key storage requires the following parameters:
- path: the path of the PKCS12/PFX key store file on the local PC's disk. The following placeholders can be used in it:
- {drive} makes the Trax signing applet scan multiple drives (those matching the driveRegex parameter) for the key store file. This placeholder is only allowed at the start of the path.
- {user.home} makes the Trax signing applet use the user's home directory on the local PC as the start of the key store file path. This placeholder is only allowed at the start of the path.
- When creating an EBICS digital signature, the following placeholders can also be used in the file name portion of the path:
- {ebicsUser} gives the EBICS userID
- {ebicsProfile} gives the Trax connection profile code
- {ebicsBank} gives the Trax bank server code
- {ebicsHostID} gives the EBICS bank server hostID
- {ebicsCustomerID} gives the EBICS partner customerID
- {ebicsSignatureVersion} gives the EBICS signature version: A004, A005 or A006
- driveRegex: regular expression that a drive must match to be scanned for the {drive} placeholder. For example, [A-Z]:\ would match all drives from A:\ to Z:\ (note that the backslash is the escape character in regular expressions, so a literal backslash normally has to be written as \\)
- passwordLabel: the label to be used on the PKCS12 password dialog
- driveLabel: the label to be used on the PKCS12 drive selection dialog
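As an added illustration of how these path placeholders combine, the following Python expands a configured path template against a constructed EBICS signing context and a list of drive roots. This is example code written for this page, not code from the Trax applet; the expansion rules it enforces (prefix placeholders only at position 0, EBICS placeholders only in the file name portion, {drive} fanning out over every drive root matching driveRegex) are taken from the parameter list above, while the function names, the injected drives list and the exists callback are this example's own assumptions.

```python
import os
import re
import string

# Placeholders that the configuration allows only at the very start of the path.
PREFIX_PLACEHOLDERS = ("{drive}", "{user.home}")

# Placeholders that are only allowed in the file name portion of the path
# when an EBICS digital signature is being created.
EBICS_PLACEHOLDERS = (
    "ebicsUser", "ebicsProfile", "ebicsBank",
    "ebicsHostID", "ebicsCustomerID", "ebicsSignatureVersion",
)

_PLACEHOLDER_RE = re.compile(r"\{([A-Za-z.]+)\}")


def expand_keystore_path(path, drive_regex=None, ebics=None, drives=(), user_home=None):
    """Expand a PKCS12 'path' template into a list of candidate file paths.

    A list is returned because {drive} fans out over every drive root in
    `drives` that fully matches `drive_regex`. `ebics` maps placeholder
    names (without braces) to their values for the current signature.
    Raises ValueError for templates the rules reject. (Hypothetical helper;
    the real applet's parsing may differ.)
    """
    ebics = ebics or {}
    if user_home is None:
        user_home = os.path.expanduser("~")

    # A prefix placeholder anywhere other than position 0 is a configuration error.
    for ph in PREFIX_PLACEHOLDERS:
        if ph in path and not path.startswith(ph):
            raise ValueError(f"{ph} is only allowed at the start of the path")

    if path.startswith("{drive}"):
        if not drive_regex:
            raise ValueError("{drive} needs the driveRegex parameter")
        pattern = re.compile(drive_regex)
        prefixes = [d for d in drives if pattern.fullmatch(d)]   # may be empty
        rest = path[len("{drive}"):]
    elif path.startswith("{user.home}"):
        prefixes = [user_home]
        rest = path[len("{user.home}"):]
    else:
        prefixes = [""]
        rest = path

    # Split off the file name; EBICS placeholders are only valid there.
    sep = max(rest.rfind("\\"), rest.rfind("/"))
    dir_part, file_part = rest[:sep + 1], rest[sep + 1:]
    if _PLACEHOLDER_RE.search(dir_part):
        raise ValueError("EBICS placeholders are only allowed in the file name portion")

    def substitute(match):
        name = match.group(1)
        if name not in EBICS_PLACEHOLDERS:
            raise ValueError(f"unknown placeholder {{{name}}}")
        if name not in ebics:
            raise ValueError(f"no value for {{{name}}} in this signing context")
        return ebics[name]

    file_name = _PLACEHOLDER_RE.sub(substitute, file_part)
    return [prefix + dir_part + file_name for prefix in prefixes]


def find_keystore(candidates, exists=os.path.exists):
    """Return the first candidate that exists on disk (None if none does).

    `exists` is injectable so the scan can be exercised without real drives.
    """
    for candidate in candidates:
        if exists(candidate):
            return candidate
    return None


def windows_drive_roots():
    """Enumerate mounted drive roots A:\\ .. Z:\\ (empty on non-Windows hosts)."""
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


if __name__ == "__main__":
    # Constructed sample configuration and signing context (not real data).
    template = "{drive}ebics\\{ebicsUser}_{ebicsSignatureVersion}.p12"
    context = {"ebicsUser": "USER01", "ebicsSignatureVersion": "A005"}
    sample_drives = ["C:\\", "D:\\", "E:\\"]        # stands in for windows_drive_roots()

    # The driveRegex example from the parameter list, backslash escaped as regex syntax requires.
    candidates = expand_keystore_path(template, drive_regex=r"[A-Z]:\\",
                                      ebics=context, drives=sample_drives)
    for c in candidates:
        print("candidate:", c)

    # Pretend only the E: drive carries the key store.
    chosen = find_keystore(candidates, exists=lambda p: p.startswith("E:"))
    print("selected :", chosen)
```

The drive list and the existence check are injected rather than read from the machine so the expansion can be checked offline; on a real Windows client, windows_drive_roots() supplies the candidates and the default os.path.exists does the scan.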
PKCS12 Password Prompting
By default, Trax prompts for the password of the PKCS12 keystore file twice when using it to sign EBICS transmissions: once to open the keystore and read its public certificates, and once more to unlock the private key for signing. This is because the PKCS12 file as a whole is protected by the keystore file password, so Trax cannot read even the public certificates without it.
Note: this is in contrast to smartcards or cryptographic USB tokens, where certificates are publicly readable without a password and only the private key operation requires the PIN.
As a system user, you can optionally add a key storage parameter named storePass to the PKCS12 key storage. Its value is a shared PKCS12 keystore file password that the signing applet uses to open all PKCS12 keystore files in order to list their public certificates. The private key itself remains protected by a PIN that only the signer knows, so knowing the shared storePass is not enough to sign.
When using this for signing EBICS transmissions (i.e. signature methods PKCS12_EBICS_A004, PKCS12_EBICS_A005 or PKCS12_EBICS_A006), you also need to add a storePass parameter with the same value on the EBI-EbicsExportSignatureKeyRule action, so that the keystore files it exports are protected with that same keystore password.
Caution: the resulting PKCS12 file is then non-standard (most 3rd party software can no longer read or import it), because the keystore file password and the private key password are no longer the same, and most tools assume a single password for both.