CSPid Support

Downloads

  • CSPid Admin Guide: Admin Guide for version 5.1.9
  • CSPid User's Guide: User's Guide for version 5.1.9
  • CSPid 5.1.9 Release Notes: Release notes for version 5.1.9
  • CSPid CAPI Guide: Admin Guide for the CSPid PKCS#11 Bridge for 5.1.x
  • CSPid Admin Guide: Admin Guide for version 4.0.0
  • CSPid User's Guide: User's Guide for version 4.0.0
  • CSPid 4.0.0 Release Notes: Release notes for version 4.0.0 (Windows)
  • CSPid User's Guide: User's Guide for version 3.1.0
  • Using CSPid with Citrix: Guidance on using CSPid 3.0 and below in a Citrix environment
  • CSPid VPAT (5/29/09): Section 508 VPAT for CSPid

Release 5.1.9

Enhancements and bug fixes:

  • #6590 Small keys may now be imported when running in non-FIPS mode
  • #6730 The Options dialog now requires that a filename be provided if "Use File" is checked
  • #6763 Imported certificates are now properly associated with existing private keys when the private keys were generated externally (using 'cspid_cli --gen-p10', Firefox, etc.)
  • #6799 On Windows, setting the environment variable CSPID_INT_PREVENT_LOAD will cause CSPid to refuse to load
  • #6800 The system tray application now displays a warning when the user selects Exit alerting them that dependent applications may stop working
  • #6857 The user's guide has been updated to make it clear that the Push CKA_LABEL option is only available in the Windows version
  • #6858 When using Internet Explorer in protected mode, CSPid no longer logs an error when the password cache can't be updated (set or cleared); such events are now logged as status messages
  • #6859 The "Exit if not initialized filename" option now supports a Unix alternative so that the same configuration file can be used on multiple platforms
  • #6867 Typographical errors in the advanced password quality setting were corrected in the Bagala template file (cspidtemplate.xml)
  • #6869 On Windows, CSPid will attempt to read the P12EXPORT attribute value from HKEY_CURRENT_USER\Software\Policies\InfoSecCorp\CSPid. If found, this value (0 or 1) will override the P12EXPORT/General CSPid->Import/Export->Enable PKCS #12/PFX private key export setting in the configuration
  • #6879 The network timeout value for ALL network transactions is now controlled by the DASTIMEOUT/DAS/Network Client->Network Timeout option (specified in seconds)
Release 5.1.8

Enhancements and bug fixes:

  • #6733 Firefox/Thunderbird profiles are now configured automatically; to work on Linux, an appropriate version of modutil must be installed and in the user's PATH

    All Firefox versions using cert8.db/key3.db/secmod.db, as well as newer versions using cert9.db/key4.db/pkcs11.txt are supported
  • New configuration options NSS_P11_LIBNAME/NSS_P11_LIBNAME_UNIX have been added (located in the Bagala Editor under General CSPid->Netscape/Mozilla/Thunderbird as PKCS#11 Library (Windows)/(UNIX)). These options allow the administrator to specify the PKCS#11 library that will be used when CSPid attempts to configure a Firefox/Thunderbird profile
  • #0000 A '--wait' option has been added to the CLI's NSS support for use with '-r'; it waits for a Firefox profile to appear before allowing the 'register with applications' process to complete
  • #6854 Linux version no longer displays the Misc options tab
  • #6855 'cspid_cli --initialize' now works properly if permanent password caching is enabled, exits with an error (if the system tray application is running), and no longer creates error messages in innocuous situations
  • #6804 Linux version no longer gets stuck in an infinite loop when validating certificate paths containing multiple cross-certificates
  • #6805 C_GetTokenInfo properly sets the CKF_LOGIN_REQUIRED flag when password caching is enabled and the password is cached successfully
  • #6845 ALL_APPS blacklist routines now allow the client clock to differ from the CA's clock by up to 60 seconds when considering which certificates to select as the best/newest for signing
  • #6398 OCSP client now checks input certificate array values for NULL pointers and handles that situation appropriately
  • #6590 Small RSA and ECC private keys can no longer be imported
  • #6594 Linux versions are now built with '-fstack-protector-all' per NIAP recommendations
  • #6665 Documentation updated to make it clear that the 'cspid_cli --export' command accepts either '--path' or '--filename' as a destination
  • #6731 The Options->Misc tab item for syncing CKA_LABEL with Friendly name now includes "what's this" help text
  • #6732 The Options tab now unchecks 'Use File' if the user selects critical information only (as no log file items are created when that option is selected)
  • #6847 A configuration option has been added to control the number of bad password entry attempts allowed before the GUI or CLI exits with an error. PWENTRYLIMIT or Password Control->Exit on Bad Password in the Bagala Editor configures this option. The default value is 3. If set to 0, no limit is enforced. There is an artificial delay inserted between password attempts and this has been adjusted so that it doesn't become overly long. If there will be a delay when checking the entered password, the CSPid splash screen is displayed so that the user knows the software is still working.
Release 5.1.7

Enhancements and bug fixes:

  • #6840 Added a trigger that enables CSPid even when CSPID_INIT_EXIT/"Exit if not initialized" is set to yes. To use this feature, assign a value to the CSPID_INIT_FILENAME variable (in the .ini file) or apply the "Exit if not initialized unless this file exists" setting (using Bagala). The attribute value should be the complete pathname of the desired trigger file (%APPDATA%\CSPid\initthisuser.txt); the contents of the file are ignored. If the specified file exists upon startup, CSPid ignores the "exit if not initialized setting" and prompts the user to create a new password.
  • #6841 Added support for automatically blacklisting old sign-only certificates and keys. If CSPID_AUTO_HIDE_OLD_SIG_CERTS/"Auto blacklist old signature certificates" is set to yes, CSPid adds the new ALL_APPS tag to all but the most recently issued sign-only certificate when suitably triggered, as when a PKCS#12 file is imported or when a certificate is deleted. (Note that, once blacklisting is enabled, CSPid only performs that action when subsequently triggered to do so.)
  • #6842 (Windows only) Added support for the soon-to-be-available CSPid-PSI Proxy Server via the cspid_cli command '--psi-retrieve'
  • #0000 (Linux only) Updated the Qt library to address various issues with cspid_ui when running or quitting
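The certificate-selection rule behind #6845 (in 5.1.8 above, the 60-second clock tolerance) and the auto-blacklisting of #6841 are easier to reason about in code. The following is an added illustration, not CSPid or ISC code. It models credentials as simple in-memory records rather than X.509 objects, reduces key usage to two booleans, represents the ALL_APPS blacklist tag as a string, and applies the 60-second tolerance to notBefore (the "not yet valid" case that a CA clock running ahead of the client produces); all of that is assumption for the sake of the example.

```python
# Added example (not CSPid code): newest-sign-only-certificate selection with clock
# skew tolerance (#6845) and the ALL_APPS auto-blacklist of older ones (#6841).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(seconds=60)  # #6845: client clock may differ from the CA's by up to 60 s
NO_SKEW = timedelta(0)              # pre-#6845 behaviour, for comparison
ALL_APPS_TAG = "ALL_APPS"           # #6841: tag that hides a credential from all applications (modelled as a string)


@dataclass
class Credential:
    label: str
    not_before: datetime
    not_after: datetime
    digital_signature: bool = False
    key_encipherment: bool = False
    tags: set = field(default_factory=set)

    def is_sign_only(self) -> bool:
        return self.digital_signature and not self.key_encipherment


def time_valid(cred: Credential, now: datetime, skew: timedelta = CLOCK_SKEW) -> bool:
    """Valid if notBefore <= now + skew and now <= notAfter (skew only relaxes 'not yet valid')."""
    return cred.not_before - skew <= now <= cred.not_after


def newest_signing_credential(creds, now, skew=CLOCK_SKEW):
    """Most recently issued, currently valid sign-only credential; None if there is none."""
    candidates = [c for c in creds if c.is_sign_only() and time_valid(c, now, skew)]
    return max(candidates, key=lambda c: c.not_before, default=None)


def auto_blacklist_old_sig_certs(creds, now, skew=CLOCK_SKEW):
    """Tag every sign-only credential except the newest one with ALL_APPS.

    Returns (kept credential, list of hidden labels). Encryption credentials are never
    touched: an old decryption key is still needed for data encrypted to it.
    """
    keep = newest_signing_credential(creds, now, skew)
    hidden = []
    for c in creds:
        if c.is_sign_only() and c is not keep:
            c.tags.add(ALL_APPS_TAG)
            hidden.append(c.label)
    return keep, hidden


# Constructed sample data: the client clock reads SAMPLE_NOW and the CA has just issued
# a renewal whose notBefore is 30 seconds in the client's future.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def sample_credentials():
    return [
        Credential("sign-2023", SAMPLE_NOW - timedelta(days=400), SAMPLE_NOW + timedelta(days=330),
                   digital_signature=True),
        Credential("sign-2024", SAMPLE_NOW + timedelta(seconds=30), SAMPLE_NOW + timedelta(days=365),
                   digital_signature=True),
        Credential("enc-2023", SAMPLE_NOW - timedelta(days=400), SAMPLE_NOW + timedelta(days=330),
                   key_encipherment=True),
    ]


if __name__ == "__main__":
    creds = sample_credentials()
    # Without the tolerance the fresh renewal is "not yet valid" and the old certificate is chosen.
    print("no skew  :", newest_signing_credential(creds, SAMPLE_NOW, NO_SKEW).label)
    print("60 s skew:", newest_signing_credential(creds, SAMPLE_NOW).label)
    keep, hidden = auto_blacklist_old_sig_certs(creds, SAMPLE_NOW)
    print("kept:", keep.label, "blacklisted:", hidden)
```

Run stand-alone it prints the old certificate under a zero tolerance and the renewal under the 60-second tolerance, then blacklists only the old signing certificate; the encryption credential is left untouched.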
Release 5.1.5

Package Enhancements:

  • #6703 Adding '--no-warnings' to a cspid_cli command line suppresses warning messages issued by the command.
  • #6707 Starting the system tray application with the '--login' option now properly calls the startup event to sync with CAPI.
  • #6710 C_GetFunctionList now returns the supported PKCS#11 API version rather than the CSPid library version.
  • #6721 On Windows, the CSPid DLL refuses to load for processes running as the SYSTEM user. This can be disabled by setting a system wide Windows environment variable: CSPID_INT_ALLOW_SYSTEM_USER=1 and restarting.
  • #6722 On Windows, if permanent password caching is enabled and the system tray application cannot recover the password from the cache, the system tray application will prompt the user for their password and cache it.
  • #6723 On Windows, the cspid_cli '--initialize' command now removes all CSPid-related objects from CAPI as part of the process.
  • #6725 When the feature is enabled on Windows, CSPid will push changes to CKA_LABEL values to the CAPI friendly name value. See #6728 for more information.
  • #6726 A log file is no longer created if logging is enabled but only critical items are being logged. Only 'info' level or above will trigger the generation of a separate log file.
  • #6727 In certain Windows environments it may be necessary to completely clear the user's personal CAPI store and re-add the CSPid objects each time the CSPid system tray starts. Set CSPID_INT_CLEAR_CAPI_ON_START=1 in the CSPid configuration file, or set "Remove and re-add CSPid objects to CAPI (Windows Only)" to yes, in the Bagala Editor's 'Internal Use' section.
  • #6728 On Windows, the ability to sync CKA_LABEL with the friendly name value in CAPI is now user configurable (if allowed by the installed CSPid configuration). A new tab appears in the Options dialog and includes a check box to enable/disable this feature. This option can be controlled globally for all users by setting CSPID_CAPI_SYNC_LABEL_FNAME=0 in the CSPid configuration file or by setting "Make Friendly Name match CKA_LABEL" to 'no' in the Bagala Editor's CAPI section. In the Bagala Editor the default is to allow the user to change the setting. To prevent the user from changing the value, change 'yes' in the "User Configurable" column to 'no'.
Release 5.1.4

Package Modifications:

  • #0000 On Windows, CSPid no longer writes its persistent random value to the INI file. This value is now written to the Windows registry. This reduces the number of updates to the INI file that require it to be copied to the local cache location.
  • #0000 On Windows, the system tray application no longer polls the PDU's last modified time to determine whether or not the PDU needs to be copied to the local cache location. Instead the PKCS#11 library will invoke the system tray application with the '--make-local' option when it stores the PDU.
  • #6663 The CSPid PDU file is no longer occasionally corrupted when the local cache copy of the PDU file is created. The expanded section of the PDU is now locked before writing when the PDU size increases.
Release 5.1.3

Package Modifications:

  • #0000 The CSPID_INT_PROTECTED_APPS value is now actually used, allowing applications other than those in the default list (Acrobat, Microsoft Edge, and the Cisco VPN client) to be placed on the list of protected applications that should use the local cache.
Release 5.1.2

Bug Fixes:

  • #6652 On Windows cspid_cli no longer crashes when '--password' is used with the file:filename parameter format and the file does not exist.
  • #6662 cspid_cli's '--gen-jks' command works properly again.
  • #6663 The CSPid PDU file is no longer occasionally corrupted when the local cache copy of the PDU file is created.
Release 5.1.1

Bug Fixes:

  • #LS977 cspid_cli's --get-new-pin and --get-pin no longer hang when the output file exists and --yes-to-all is absent from the command line. The output file is now always overwritten, if present.
  • #6599 cspid_cli's --post command now outputs an informative error message if the address in the URL doesn't match the server's certificate.
  • #6600 Users can again successfully import .p12 or .pfx files using the Windows context menu and 'Open With CSPid'.
  • #6601 When using DAS-enabled CSPid with the PKCS#11 CAPI library, users can successfully set the 'Use for Decryption' option.
  • #6614 Properly creates the local PDU cache folder on startup, if it doesn't already exist.
  • #6631 The CSPid-CAPI documentation now includes the PKCS#11 Slot Label for the virtual device: ISC CAPI
  • #6647 When importing a PKCS#12 file using the cspid_cli's '--import' command with the '--label' option, the provided label value is, once again, appended to the friendly name that is either found in the PKCS#12 file or created by CSPid.
Release 5.1.0


  • In order to support Microsoft Edge (and other low integrity processes), the CSPid Manager now creates a copy of the CSPid key store in a local location that can be accessed by such processes. The default location is "locallow\cspid". On startup CSPid creates a copy of cspid.pdu and cspid.ini in this location and on exit it deletes these files. While running it monitors the original locations for changes and if a change is detected the copies are updated. To disable this function set the Local key store path and Local INI file location to the same value as the Key store path and INI file location in the CSPid configuration.
  • The following options have been added to the CSPid template file used by Bagala in the Internal Use section:
    - Max PDU wait time (seconds) / CSPID_INT_PDU_WAIT_TIMEOUT: defaults to 30 seconds and is how long CSPid will wait for the PDU to become available. As noted above, the CSPid Manager creates a copy of the PDU and INI files for low integrity processes to use. If, on login, users are launching Microsoft Edge or Internet Explorer (in "protected mode"), it may be necessary to increase this value so that the CSPid Manager can load and complete the copy before the browsers give up.
    - Local application data path (Windows) / CSPID_INT_APPDATA_LOCAL: the base location for information stored for low integrity processes.
    - Local key store path (Windows) / CSPID_INT_LOCAL_P15URL: the location and filename of the local copy of the PDU.
    - Local INI file location (Windows) / CSPID_INT_LOCAL_INIFILE: the location and filename of the local copy of the INI file.
  • The CSPid Manager now indicates which certificates are selected for DAS operations.
  • The CSPid Manager now allows the user to control which certificates are used for DAS operations. Select the certificate, then Edit->DAS->Use for Authentication. To return to the automatically selected certificate(s), Edit->DAS->Auto Configure.
  • The CSPid Manager will now display certificates found in externally configured PKCS#11 devices (when CSPid is configured to use an external PKCS#11 device for DAS operations) so that users can see and select those certificates for DAS. These certificates appear in a folder called "External Device Certificates"
  • The cspid_cli, cspid_ui, and cspid_ln command line programs now accept plaintext and encrypted passwords input via files using the "file:path/filename" method as input to all password parameters.
  • Added --pem-to-p12 to the cspid_cli program to convert PEM certificate and private key files into a single PKCS#12 file:

      cspid_cli --pem-to-p12 -f output.p12 --p12pin pin cert.pem prv.pem

    If the private key is encrypted the command will fail unless the --password parameter is supplied with the correct password.
  • Added --get-pin, --get-new-pin to the cspid_cli program to display a graphical prompt for a password to the user and save the encrypted password into the file specified by the -f option.

Bug Fixes:

  • #6091 The standard Windows password prompt is now used to obtain the CSPid password in most applications. This enables CSPid to prompt for the password in the Microsoft Edge browser.
  • #6242, #6490 At startup the CSPid Manager no longer deletes all the CSPid managed credentials from the CAPI personal store and re-adds them. Instead it updates the private key property entry to make sure the linkage between CAPI and CSPid is correct.
  • #6405 No longer uses GetModuleHandleEx to obtain a handle to the library for logging or other purposes; it uses VirtualQuery instead, which is supported in Windows Store applications and the Microsoft Edge browser.
  • #6418 Now uses the CDK's implementation of AES key wrapping.
  • #6420 Now checks the file extension before attempting to import a file as a PKCS#12 formatted file.
  • #6436 CSPid UI exits properly from the system tray on Linux systems.
  • #6450 cspid_cli --digest no longer prompts for a password if the password is provided in the password command line switch.
  • #6466 EC Diffie-Hellman results are now properly padded with zeroes to the size of the key.
  • #6473 Supports TLS 1.1
  • #6489 Corrected the description of OCSP Servers item in the template used by the Bagala Editor.
  • #6501 On Windows, when using Windows certificate validation, the CSPid Manager now displays the Windows validation error message rather than "expired" for untrusted self-signed certificates.
  • #6517 The CSPid Manager now adjusts its screen position so that it will be visible in cases where the cspid.ini file is corrupt or the user has added or removed monitors.
  • #6519 Supports TLS 1.2
  • #6547 The TLS implementation now includes the client server name extension value when negotiating a connection.
  • #6553 CSPid no longer supports RSA key sizes smaller than 2048 bits or ECC key sizes smaller than 233 bits, to comply with the latest NIST/FIPS requirements.
Release 5.0.0

Package Enhancements:

  • client-side key generation is supported for use with CCMS 4 and above
  • support has been added for windows 10, Fiddler, and other .Net-based applications
  • added support for managed CRLs; on Windows, managed CRLs are installed into the Windows store
  • performance with Windows services using impersonation has been improved (requires password caching to be enabled and the password to be cached)
  • OCSP server configuration adds an option that causes CSPid to regard as "revoked" any certificate not explicitly validated by the server (e.g., with this option an "unknown" response is regarded as a validation failure)
  • additional key derivation options are now available when deriving symmetric keys from the user's PDU password
  • a fourth audit trail level, filtered debug, is now available that attempts to scrub sensitive information from the debug level
  • descriptions of the blacklist and whitelist options and functionality in both the administrator's guide and the Bagala Editor have been improved
  • the Bagala Editor text for the CCMS URL now supplies an example
  • keyboard shortcuts for common tasks have been added
  • the executables and MSI package are now signed using SHA-256
  • the type 2 Firefox add-on included with CSPid 5.0 has been digitally signed by Mozilla as required by Firefox version 43 and above
  • an RPM installation package is now available
  • due to customer demand, the combined CMU/CSPid package is again available
  • RSA 3072 and 4096 are now supported in the cspid_cli '--gen-p10-type' option
  • cspid_cli now supports per-session password caching on systems that do not include a system tray; use the CLI option '--cache' to cache the password and '--cache-quit' to clear the password and terminate caching
Operational Changes:
  • deleting a certificate in Advanced view no longer deletes the public and private keys associated with it
  • if CSPid Manager is configured to hide its system tray icon on startup, it offers a 'Hide' option rather than 'Exit'; to exit, the user must run 'cspid_ui --exit'
  • Renew now checks the validity of the user's certificates, including revocation checking, so that it can perform the renew operation if the user's certificate has been revoked
  • OCSP support has been renamed 'Windows Validation Client' and now supports revocation checking options of none, CRL, or OCSP on a per-host or per-issuer basis
  • The 'Renew my certificate' system tray option is now enabled if CCMS renewal is enabled
  • Register with applications (which is run whenever the CSPid Manager is started) now deletes all CSPid credentials from CAPI and then recreates them
  • most configuration strings are now trimmed of whitespace when CSPid reads them from the CSPid.xml file
  • CSPid falls into read-only mode if the calling process is running at a low integrity level; applications that should run in read-only mode may now be named explicitly in the configuration settings
  • when per-session password caching is enabled the CSPid library now attempts to eliminate unnecessary password prompts before CSPid Manager is started
  • 'cspid_cli --list' now outputs additional certificate information
  • improved handling of friendly name values in Microsoft CAPI: friendly names in PKCS#12 files are used as CKA_LABEL values during import, and CKA_LABEL values are used when exporting PKCS#12 files
  • on Windows, the program path in java_pkcs11.cfg has been changed to the System folder
  • on Linux, when installed in the default /opt/cspid location, cspid_cli and cspid_ui no longer require LD_LIBRARY_PATH to be set; the rpath value in the executables has been updated to include /opt/cspid
New Admin Features:
  • a new option is available to lock the user's PDU to a subset of the configuration options so that the PDU is only useable if the same or stronger settings are present at run time
  • the "Allow impersonation (Windows Only)" option in Bagala->General CSPid->Internal Use can be used to prevent services and other processes from impersonating the user and accessing their CSPid key store
  • the "Suppress CKR_USER_ALREADY_LOGGED_IN" option in Bagala->General CSPid->CSP can be used to specify applications for which CSPid should return CKR_OK instead of CKR_USER_ALREADY_LOGGED_IN
  • the "Assert CKF_PROTECTED_AUTHENTICATION_PATH" option in Bagala->General CSPid->CSP can be used to specify those applications for which CSPid should set the CKF_PROTECTED_AUTHENTICATION_PATH flag when C_GetTokenInfo is called and either per-session or permanent password caching is enabled
Bug Fixes:
  • corrected an issue where applications would stop working once the configured password timeout had expired.
  • the internal path validation module properly supports hierarchical PKIs with more than two levels
  • CSPid Manager no longer crashes when the CLI initializes the PDU
  • 'cspid_cli --cfg-update' now works when the current configuration is malformed
  • 'cspid_cli --ccms-retrieve' with '--debug' no longer returns a spurious invalid session handle error.
  • Internet Explorer and other applications should no longer crash when the Windows Validation Client is enabled
  • the JAWS screen reader now speaks the correct window titles for password prompts and CSPid Manager
  • Qt console output is now suppressed
Release 4.0.0

The following enhancements are included:

  • added support for centralized administration (with Bagala)
  • added ability to cache DAS responses and support for the new DAS Proxy API
  • improved FireFox integration
  • Windows port now uses CSP/KSP and no longer relies on any Microsoft smart card components (i.e., the smart card minidriver shim has been eliminated)
  • integrated certificate manager now sorts installed certificates into categories


Release 3.0.2 to Release 3.1.0


  • CSPid Manager now provides an 'Export all' menu item that allows you to export your certificates as individual .der/.p12 files
  • the configuration file supports two new options to provide control over private key export attempts from Firefox and to optionally display a system tray popup message when that is not allowed (see CSPID_INT_PRIVATE_ATTRIBUTE_EXPORT and CSPID_INT_PRIVATE_ATTRIBUTE_ACCESS_MESSAGE in the .cfg file)
  • CSPid will now attempt to remove the CAPI private key link file in 'AppData\Roaming\Microsoft\SystemCertificates\My\Keys' when deleting credentials

Release 2.1 to Release 2.2.5

Improvements in cspid_cli:

  • '--import' command now supports a '--replace' option
  • added '--graphical-prompt' option: when necessary, user is prompted for additional input (and program no longer hangs with an invisible window when used with REGAPPSCM)
  • '--export' command (with '--exp-pin-cspid' and password caching enabled) no longer prompts for a password and exports the user's keys without error

Improvements in CSPid Manager:

  • the CKA_LABEL field is now editable
  • command line now supports '--exp-pin-cspid' and properly logs in when a command is executed but the user is not yet logged in (say for 'Register with Applications')

Other improvements:

  • double clicking system tray icon makes active the resulting dialog (main UI or password prompt)
  • new PWCACHE=1 option caches password for entire session (requires system tray app to be running): on first use CSPid prompts for password and then behaves as for PWCACHE=2 until user logs off or quits system tray app, at which point the cached password is cleared
Release 2.0 to Release 2.1


  • #4489: added password timeout option to require password reentry after a period of inactivity
  • #4490: protects sensitive key and other material kept in memory; see CSPid User's Guide for details
  • #4511: added GUI command line option '--start-hidden' for use on operating systems that do not have a system tray

Corrected Defects:

  • #4443: '--export-all-keys' option now properly reports an error when unable to save a file
  • #4467: password prompt for PKCS#12 import now includes the name of the file the user is trying to import
  • #4476: '--showsuccess' message no longer appears after each successful PKCS#12 file import when using the '--import' GUI command line option
  • #4481: password creation dialog now informs the user when the entered passwords do not agree
Use of CSPid with certain versions of SA5CLI (#3333)
There appear to be compatibility issues between CSPid and SA5CLI versions 5.9.4 and 5.9.1 that we believe are due to bugs in those SecretAgent builds. If you encounter this problem, please request an SA5CLI update.
Clicking on "ISC CSPid" in the Firefox 2/Linux Security Devices dialog causes Firefox to crash with the error:
*** glibc detected *** free(): invalid pointer: 0x0a346c30 ***
This didn't happen with Firefox 1.5 and hasn't been noted on other platforms, so it is most likely a Firefox bug.