The Universal KeyChain (UKC) is one of the core components of the SmartCMS ecosystem.
It is an advanced middleware layer designed by Bit4id to provide a unified interface for managing both local and remote digital identities, exposing cryptographic services to the operating system and to applications requiring signature or authentication capabilities.
UKC supports:
- Local PKI tokens and smart cards
- Remote virtual tokens stored in cloud or HSM infrastructures
- Unified certificate browsing
- Digital signature operations
- Authentication services (desktop, web, SSO)
- Interoperability with PKCS#11, CSP, CryptoTokenKit
UKC is a lightweight desktop client requiring no administrative privileges for installation or use and supports automatic updates.
The UKC architecture is structured as a layered system that exposes standardized cryptographic interfaces:
- PKCS#11
- Microsoft CSP/KSP
- Apple CryptoTokenKit
Below these layers lies the Bit4id Universal Middleware, which includes drivers, cryptographic engines, and plugin systems to support various smart cards and tokens.
UKC can also operate with third‑party middleware, making it vendor‑agnostic.
Its main components include:
- Certificate Store Synchronizer
- PKCS#11 Engine
- CSP/KSP Provider
- GUI Certificate Browser
- Remote Token Connector
- Plugins for different authentication methods
- Secure Channel for remote signing
UKC can manage two kinds of token: physical tokens and remote virtual tokens.
Physical tokens include:
- Smart cards (contact/contactless)
- USB crypto tokens
- National ID cards (where supported)
- Corporate authentication tokens
These devices are typically inserted into:
- PC/SC‑compatible smart card readers
- USB token slots
UKC detects certificates stored on the device and exposes them through OS APIs.
Certificates from physical tokens are shown in the GUI with a token icon.

UKC also supports remote digital signature devices, hosted in:
- HSMs (Hardware Security Modules)
- Cloud‑based signature servers
- Remote corporate identity servers
After authentication via:
- Username/password
- OTP
- Smart card
- Biometrics
- SMS OTP
- Other pluggable factors
users gain access to remote private keys stored securely in backend cryptographic hardware.
Certificates on remote tokens are marked with a user + globe icon.

The UKC supports multi‑factor authentication and can combine several authentication layers through its plugin framework:
- Smart card authentication
- OTP hardware keys
- OTP software generators
- SMS OTP
- Biometrics
- Username/password
- Remote session tokens
Plugins can be added or removed depending on deployment requirements.
This makes UKC suitable for high‑security environments or qualified signature workflows.
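As an added illustration of how a pluggable factor chain of this kind can be composed (this is example code written for this page, not UKC's plugin API; the AuthFactor interface, the factor names and the secrets are constructed assumptions), the following Go program combines a username/password factor with an RFC 6238 time-based OTP factor, the scheme behind OTP software generators and many OTP hardware keys, and requires both to pass:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"time"
)

// AuthFactor is the hypothetical plugin interface of this example: one
// implementation per credential type, added or removed per deployment.
type AuthFactor interface {
	Name() string
	Verify(credential string) error
}

// PasswordFactor checks a password against an expected value (a real plugin
// would compare a salted hash). The constant-time compare keeps the check
// from leaking how many leading characters matched.
type PasswordFactor struct{ expected string }

func (PasswordFactor) Name() string { return "password" }

func (p PasswordFactor) Verify(credential string) error {
	if subtle.ConstantTimeCompare([]byte(credential), []byte(p.expected)) != 1 {
		return errors.New("password rejected")
	}
	return nil
}

// TOTPFactor implements RFC 6238 time-based one-time passwords (HMAC-SHA1,
// 30-second steps). The clock is injectable so results are reproducible.
type TOTPFactor struct {
	secret []byte
	digits int
	now    func() time.Time
}

func (TOTPFactor) Name() string { return "totp" }

// code derives the OTP for a Unix timestamp: HMAC over the big-endian step
// counter, dynamic truncation (RFC 4226), then reduction to t.digits digits.
func (t TOTPFactor) code(unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, t.secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", t.digits, bin%uint32(math.Pow10(t.digits)))
}

func (t TOTPFactor) Verify(credential string) error {
	now := t.now().Unix()
	// Accept the current step and one step either side to absorb clock drift.
	for _, delta := range []int64{0, -30, 30} {
		if subtle.ConstantTimeCompare([]byte(credential), []byte(t.code(now+delta))) == 1 {
			return nil
		}
	}
	return errors.New("one-time code rejected")
}

// Chain requires every configured factor to pass. It evaluates all factors
// before answering and returns one generic error, so the caller cannot learn
// which factor rejected the attempt.
type Chain struct{ factors []AuthFactor }

func (c Chain) Authenticate(creds map[string]string) error {
	failed := false
	for _, f := range c.factors {
		if f.Verify(creds[f.Name()]) != nil { // a missing credential verifies as ""
			failed = true
		}
	}
	if failed {
		return errors.New("authentication failed")
	}
	return nil
}

// NewDemoChain combines password + TOTP with constructed secrets; the TOTP
// seed is the RFC 6238 reference seed, so the expected codes are published.
func NewDemoChain(clock func() time.Time) Chain {
	return Chain{factors: []AuthFactor{
		PasswordFactor{expected: "correct horse battery staple"},
		TOTPFactor{secret: []byte("12345678901234567890"), digits: 8, now: clock},
	}}
}

func main() {
	chain := NewDemoChain(func() time.Time { return time.Unix(59, 0) })
	err := chain.Authenticate(map[string]string{
		"password": "correct horse battery staple",
		"totp":     "94287082", // RFC 6238 reference code for T=59
	})
	fmt.Println("login accepted:", err == nil)
}
```

Two design choices carry the security value here: the chain evaluates every factor and returns a single generic error, so a failed attempt does not reveal which factor was wrong, and the TOTP check accepts only one step of drift either side, which bounds how long a captured code stays usable.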
The login flow to a remote signature server works as follows:
- The user selects the remote token from the UKC GUI.
- UKC prompts for authentication credentials (e.g., UserID and Password).
- UKC establishes a secure connection to the remote signature server.
- Certificates stored remotely are displayed in the certificate browser.
- The user can now sign or authenticate using remote keys.

Upon successful authentication, UKC behaves exactly as if the certificates were stored locally.
The UKC desktop GUI provides:
- A user‑friendly certificate browser
- Token information
- Access to PIN/PUK and security operations
- Smart card and token management tools
- A PIN change interface
- Detailed certificate information (issuer, validity, serial number, key usage, etc.)

Double‑clicking on a certificate opens a detailed view showing:
- Subject
- Issuer
- Validity period
- Serial number
- Key usage / extended key usage
- Certificate policies
- SHA‑1 and SHA‑256 fingerprints
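Every field in that detail view can be derived from the certificate's DER encoding. The following Go program, an added example rather than code from UKC, parses a constructed self-signed certificate and collects the listed fields, including the SHA-1 and SHA-256 fingerprints, which are hashes of the complete DER encoding; the subject, serial number and key usages in the demo certificate are constructed values:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertDetails mirrors the fields a certificate detail view presents.
type CertDetails struct {
	Subject, Issuer     string
	NotBefore, NotAfter time.Time
	Serial              string   // hexadecimal, as viewers show it
	KeyUsage            []string
	ExtKeyUsage         []string
	Policies            []string // certificate policy OIDs
	SHA1, SHA256        string   // fingerprints of the DER encoding
}

var keyUsageNames = []struct {
	bit  x509.KeyUsage
	name string
}{
	{x509.KeyUsageDigitalSignature, "Digital Signature"},
	{x509.KeyUsageContentCommitment, "Non Repudiation"},
	{x509.KeyUsageKeyEncipherment, "Key Encipherment"},
	{x509.KeyUsageCertSign, "Certificate Sign"},
}

var extKeyUsageNames = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageClientAuth:      "TLS Client Authentication",
	x509.ExtKeyUsageEmailProtection: "E-mail Protection",
}

// Describe parses a DER certificate and collects the detail-view fields. The
// fingerprints hash the whole DER encoding, the value compared out of band.
func Describe(der []byte) (CertDetails, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertDetails{}, err
	}
	s1, s256 := sha1.Sum(cert.Raw), sha256.Sum256(cert.Raw)
	d := CertDetails{
		Subject:   cert.Subject.String(),
		Issuer:    cert.Issuer.String(),
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		Serial:    cert.SerialNumber.Text(16),
		SHA1:      hex.EncodeToString(s1[:]),
		SHA256:    hex.EncodeToString(s256[:]),
	}
	for _, ku := range keyUsageNames {
		if cert.KeyUsage&ku.bit != 0 {
			d.KeyUsage = append(d.KeyUsage, ku.name)
		}
	}
	for _, eku := range cert.ExtKeyUsage {
		name, ok := extKeyUsageNames[eku]
		if !ok {
			name = fmt.Sprintf("other (%d)", eku)
		}
		d.ExtKeyUsage = append(d.ExtKeyUsage, name)
	}
	for _, oid := range cert.PolicyIdentifiers {
		d.Policies = append(d.Policies, oid.String())
	}
	return d, nil
}

// NewDemoCertificate builds a self-signed ECDSA certificate in memory, a
// constructed stand-in for a certificate read from a token.
func NewDemoCertificate() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1a2b3c),
		Subject:      pkix.Name{CommonName: "Example Signer", Organization: []string{"Example Org"}},
		NotBefore:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := NewDemoCertificate() // constructed input: errors are not expected here
	d, _ := Describe(der)
	fmt.Printf("%+v\n", d)
}
```

The fingerprints are what an operator compares against a value obtained from the issuer or an enrolment record; because they cover the whole DER encoding, any change to the certificate, including a re-issued one with the same subject, produces a different value.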

One of UKC’s core functions is to provide digital signature capabilities to applications, both local and remote.
It is compatible with:
- Desktop signing applications
- Web‑based signature workflows
- PDF viewers (e.g., Adobe Acrobat Reader)
- Systems requiring PKCS#11 modules (e.g., Mozilla Firefox)
- CSP/KSP API users (e.g., Microsoft Office, Windows Logon)
When a user signs a document:
- The user selects a certificate from UKC’s list.
- UKC prompts for the PIN (local token) or for remote authentication.
- The signature is applied either locally or via the remote signature server.
- The signed document is returned to the application.

UKC allows signing operations using keys stored in remote HSMs.
- A third‑party application initiates a signature request via PKCS#11 or CSP.
- UKC displays a signature authorization dialog to the user.
- The user provides the required credential (PIN, OTP, biometric).
- UKC sends a secure request to the remote signature server.
- The HSM performs the cryptographic signature.
- The result is returned to the client application.
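The login flow to a remote signature server and the remote signing request above come down to one design rule: the application hashes the document locally, only the digest and an authorization credential cross the secure channel, and the private key is used exclusively inside the HSM. The Go program below, an added example and not Bit4id's code, models that with an in-process stand-in for the signature server; the SignRequest layout, the key ID, the PIN and the authorize callback are constructed assumptions. The client side implements Go's crypto.Signer interface, which is what lets a remote key behave like a local one for any library that signs through that interface:

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// SignRequest is all that crosses the channel: digest plus credential, never the document or a key.
type SignRequest struct {
	KeyID      string
	Digest     []byte
	Credential string // PIN or OTP from the authorization dialog
}

// RemoteSignatureServer stands in for the HSM-backed service; private keys exist only inside it.
type RemoteSignatureServer struct {
	keys        map[string]*ecdsa.PrivateKey
	credentials map[string]string
}

func (s *RemoteSignatureServer) PublicKey(keyID string) (crypto.PublicKey, error) {
	k, ok := s.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key")
	}
	return &k.PublicKey, nil
}

func (s *RemoteSignatureServer) Sign(req SignRequest) ([]byte, error) {
	k, ok := s.keys[req.KeyID]
	if !ok || subtle.ConstantTimeCompare([]byte(req.Credential), []byte(s.credentials[req.KeyID])) != 1 {
		return nil, errors.New("authorization failed") // one generic error for both cases
	}
	return ecdsa.SignASN1(rand.Reader, k, req.Digest)
}

// RemoteSigner makes the remote key look local: it satisfies crypto.Signer, so Go code that
// signs through that interface (x509, TLS, ...) needs no knowledge of where the key lives.
type RemoteSigner struct {
	server    *RemoteSignatureServer
	keyID     string
	pub       crypto.PublicKey
	authorize func() (string, error) // stands in for the PIN/OTP dialog
}

func (r *RemoteSigner) Public() crypto.PublicKey { return r.pub }

func (r *RemoteSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, errors.New("remote key only signs SHA-256 digests")
	}
	cred, err := r.authorize()
	if err != nil {
		return nil, err
	}
	return r.server.Sign(SignRequest{KeyID: r.keyID, Digest: digest, Credential: cred})
}

// SignDocument is the application side: hash locally, sign through crypto.Signer.
func SignDocument(signer crypto.Signer, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return signer.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifyDocument is the relying party's check with the certificate's public key.
func VerifyDocument(pub crypto.PublicKey, document, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

// NewDemoServer provisions one key under a constructed key ID and PIN.
func NewDemoServer() (*RemoteSignatureServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RemoteSignatureServer{
		keys:        map[string]*ecdsa.PrivateKey{"user-key-1": key},
		credentials: map[string]string{"user-key-1": "123456"},
	}, nil
}

func main() {
	srv, _ := NewDemoServer()
	pub, _ := srv.PublicKey("user-key-1")
	s := &RemoteSigner{server: srv, keyID: "user-key-1", pub: pub, authorize: func() (string, error) { return "123456", nil }}
	sig, err := SignDocument(s, []byte("constructed document"))
	fmt.Println("signed:", err == nil, "verified:", err == nil && VerifyDocument(pub, []byte("constructed document"), sig))
}
```

Note what the server never offers: there is no operation that returns a private key, and a signing request is refused, with a single generic error, when the key is unknown or the credential does not match. On the client side the authorize callback runs on every signature, which is where an authorization dialog belongs if each signing operation is to be individually approved by the user.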


This approach ensures:
- Full legal validity
- No private key ever leaves the HSM
- High‑security compliance (qualified electronic signatures, eIDAS)
UKC is built on top of the Bit4id Universal Middleware (UMW), which provides:
- Smart card drivers
- PKCS#11 engine
- CSP/KSP provider
- CryptoTokenKit integration (macOS)
- PC/SC smart card communication
- Plugin architecture for additional hardware support
- Certificate store synchronization on Windows devices
UMW supports major smart card manufacturers:
- Gemalto
- Giesecke & Devrient (G&D)
- Siemens
- Oberthur
- ST Incard
- And others
UKC is ideal for:
- Smart card logon, qualified signatures, signing of legal and administrative documents.
- Single sign‑on, VPN authentication, secure email signing.
- Doctor authentication, prescription signing, patient data protection.
- Secure transaction signing, strong customer authentication.
- Cloud‑based identity access, remote signing platforms, HSM-backed signatures.
The Universal KeyChain (UKC) provides a unified and secure interface for:
- Managing local and remote digital identities
- Exposing cryptographic services to applications
- Supporting multiple token types and smart cards
- Enabling full remote signing capabilities
- Integrating seamlessly with SmartCMS lifecycle operations
- Supporting PKCS#11, CSP/KSP, CryptoTokenKit APIs
- Providing multi-factor authentication via pluggable plugins
This makes UKC a cornerstone of Bit4id’s digital identity ecosystem, enabling secure and user‑friendly PKI operations in both desktop and cloud environments.