Create Signatures
This tutorial explains how to create Qualified Electronic Signatures and Seals (QES) with an SKA key stored in a Primus HSM. Smart Key Attributes (SKA) act as the Signature Activation Module (SAM), authorizing the use of the SKA key for signing.
Prerequisites
This tutorial assumes that:
- You have configured your HSM and partition for eIDAS and SAM.
- You have created one or more approvers and an SKA key.
Make a Signing Request
Making a signing request for a QES is the same as making a signing request for a normal SKA key:
1. A user requests to sign with an SKA key.
2. Human approvers review and approve the request.
3. Wait for all approvals to be given, and send the complete request to the HSM.
4. Fetch the requested signature made by the SKA key.
For a QES of a single user, steps 1, 2 and 3 can happen synchronously on the user's device within a custom application. For organization seals with an m-of-n SKA policy, an asynchronous wait for the approvals is common.
To perform these steps with the TSB's REST API, see this tutorial.
The only difference between a QES and a normal SKA signature is that the QES request executes in SAM mode. In SAM mode, the HSM partition enforces that every approver certificate in the SKA policy carries a valid signature from one of the configured CAs. This ensures that the humans authorizing the use of the signing key are identified.
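As an added illustration (not Securosys code and not the TSB REST API), the following Go program models the approval gate that SAM mode enforces: an approval only counts if the approver certificate chains to a configured CA and the approver's signature over the request verifies, and the SKA key signs only once m distinct approvers have approved. The CA, approver certificates, request bytes and the SKA key are all constructed in-process as a hypothetical test PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Approval is one human approver's certificate plus their ECDSA signature over the request digest.
type Approval struct{ Cert *x509.Certificate; Sig []byte }
// NewCert issues a P-256 certificate for cn (constructed test PKI); parent == nil yields a self-signed CA.
func NewCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Approve is the approver's step: sign the digest of the pending request with the approver's key.
func Approve(cert *x509.Certificate, key *ecdsa.PrivateKey, request []byte) Approval {
	d := sha256.Sum256(request)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, d[:])
	return Approval{cert, sig}
}
// SamAuthorize models the SAM-mode check: approver cert must chain to a configured CA, signature must verify, m distinct approvers needed.
func SamAuthorize(cas *x509.CertPool, m int, request []byte, approvals []Approval, skaKey *ecdsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(request)
	valid := map[string]bool{} // distinct approvers, keyed by certificate subject
	for _, a := range approvals {
		pub, ok := a.Cert.PublicKey.(*ecdsa.PublicKey)
		_, err := a.Cert.Verify(x509.VerifyOptions{Roots: cas, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		if err != nil || !ok || !ecdsa.VerifyASN1(pub, d[:], a.Sig) {
			continue // approver not identified by a configured CA, or bad signature: does not count
		}
		valid[a.Cert.Subject.String()] = true
	}
	if len(valid) < m {
		return nil, errors.New("SKA policy not satisfied: too few valid approvals")
	}
	return ecdsa.SignASN1(rand.Reader, skaKey, d[:]) // only now does the SKA key sign
}
```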