CSPid: A Virtual Smartcard Module with Infinite Possibilities



CSPid is a virtual smartcard that maintains a central repository for X.509 certificates and private keys. It provides a secure environment for cryptographic operations that nearly all security-enabled applications can access via Java, PKCS#11, or Microsoft CAPI. It is available for, and compatible between, all 32- and 64-bit desktop versions of Windows, Linux, and Solaris/SPARC.


  • provides a portable, operating system independent credential store that may be shared by all security-enabled applications
  • simplifies enterprise-wide credential management; users need not replicate keys among applications, and may effortlessly migrate credentials between workstations
  • provides administrative controls over user credentials; allows PKI enrollment, key rollover, credential backup, and other key management tasks to be automated in a user-transparent manner
  • provides superior protection for private keys and overcomes password change/reset issues with Internet Explorer and Mozilla
  • reduces help desk costs and PKI training requirements

Add-on DAS support allows CSPid to provide high-assurance “role-based” signing and decryption operations to all applications (including Outlook and Thunderbird S/MIME). These operations rely on remote private keys, possibly stored on an HSM (requires DAS 1.8 or above).


  • Eliminates private key duplication
  • Simplifies trust chain management
  • Enforces strict password quality requirements
  • Audits all private key operations
  • May be easily deployed and managed
  • Appropriate for organizations of any size, scaling up to millions of users
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and today’s proven standards, including ANSI X.509 and IETF PKIX, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements
  • Exports a PKCS#11 version 2.20 compliant API
  • Includes a Cryptographic Service Provider and Key Storage Provider for Microsoft Windows
  • Imports and exports PKCS#12, PKCS#7, and ASN.1 DER-encoded X.509 certificates
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA PKCS#10 requests
  • Supports SHA-256, SHA-384, and SHA-512
  • Employs password-protected PKCS#15 PDUs for key storage on local, removable, or network-attached drives, using AES-256 for confidentiality and HMAC-SHA-512 for integrity checking

System Requirements

  • Windows Server 2012 R2 or above
  • Windows 7, 8, 8.1, 10, or above
  • CentOS 6.7 (Linux Kernel 2.6) or above (x64)