SecureBlackbox 16: How do I provide a password to a USB-based token to retrieve a certificate?

Note: This article applies only to SecureBlackbox Legacy. For future development please consider using the latest version.

HSM-based certificates can be accessed in two different ways - either through a Windows CSP (a "proxy" module installed by the token driver into the operating system) or through a native PKCS#11 driver. Depending on the way you choose, you should use different methods to provide the PIN.

Follow the steps below to perform CSP-based access with the TElWinCertStorage component:

  1. Find the appropriate certificate in the "MY" (the "Personal") system certificate store, where the certificate is mapped by the token CSP.
  2. Once you've located the certificate in the TElWinCertStorage.Certificates[] list, set its PIN via the TElX509Certificate.KeyMaterial.KeyExchangePIN and SignaturePIN properties (assign the PIN to both properties).

This should eliminate the PIN windows shown by the token driver.

Note that the workability of this method depends on the implementation of the token's CSP by the vendor. In some cases, setting the KeyExchangePIN and SignaturePIN properties does not work and you are forced to use a different method to provide the PIN.

An alternative way to provide the PIN programmatically is to access the token via a lower-level PKCS#11 interface, which is provided by the TElPKCS11CertStorage component. When using the PKCS#11 storage, you pass the PIN to the session object's Login() method.

The SecureBlackbox distribution contains two samples which illustrate both approaches. TinySigner illustrates the use of the TElWinCertStorage object, while TinySignerPKCS11 shows how to access the HSM-based certificates via the PKCS#11 interface. You need to modify the code of the first sample to set the KeyExchangePIN and SignaturePIN properties for the chosen certificate. The second (TinySignerPKCS11) sample supports PIN provision out of the box.

The TElWinCertStorage class is available in all packages. The TElPKCS11CertStorage class requires a license for the PKIBlackbox package or for one of the packages that include PKIBlackbox.

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at