1. General Questions
What is the digital accreditation symbol?
The digital accreditation symbol is the machine-readable equivalent of the existing “graphic” DAkkS accreditation symbol, with the added benefit of being technically verifiable regarding its integrity and authenticity.
It is an electronic seal, i.e. a kind of electronic company stamp. The digital accreditation symbol is machine-readable and can be technically verified worldwide and in real time.
It is based on a digital identity for the conformity assessment body (CAB), which contains accreditation-specific information. This information includes:
- A unique accreditation number for the respective accredited body in the machine-readable, internationally verifiable format AAAAAAA-CC-XX-YYYYY-ZZ-NN (e.g. DAkkS00-DE-PL-12345-01-00)
- A declaration that the body is a conformity assessment body accredited by the national accreditation authority
- The definition of ‘attestation’ in accordance with ISO/IEC 17000:2020
- The restriction to use of the electronic seal for the defined attestations only
Why was the digital accreditation symbol (for PDFs and machine-readable documents) introduced?
The digital accreditation symbol provided by DAkkS serves as the basic infrastructure for all accredited bodies to support the digital transformation of the economy.
The digital accreditation symbol serves the purpose of properly protecting trust in the accreditation statement and its value in the digital environment.
Its technical design offers accredited bodies an additional option to better protect themselves against manipulation or falsification of result reports and certificates in the digital environment, as only original versions feature the digital accreditation symbol, making them tamper-proof and forgery-proof.
It is therefore a tool for implementing a digital quality infrastructure with entirely digital chains of evidence.
Who can use the digital accreditation symbol and how is it used (eAttestation)?
Any accredited body can apply for the digital accreditation symbol.
Accredited CABs can use it to digitally sign their digital attestations (eAttestation) – including for example digital laboratory reports, medical laboratory reports, calibration certificates, inspection reports or certificates – and issue them to their respective clients in tamper-proof form.
What is an eAttestation?
An eAttestation is an attestation issued by an accredited body that has been signed with the digital accreditation symbol. This includes for example digital laboratory reports, medical laboratory reports, calibration certificates, inspection reports, certificates etc. signed with the digital accreditation symbol. This ensures that the attestation is technically secure and protected against unauthorised changes or alterations. Integrity and authenticity are guaranteed.
The eAttestation can be issued in various file formats (including PDF and XML) by an accredited body.
For a PDF-based eAttestation, the previous layout approved by DAkkS with the “traditional” graphic accreditation symbol can remain unchanged.
What is an electronic seal?
The electronic seal is a kind of digital company stamp. The electronic seal used by DAkkS is defined in Article 3(30) of Regulation (EU) No 910/2014 (eIDAS) and fulfils the requirements applicable under this Regulation. It therefore enables legally compliant and consistent use throughout Europe.
It provides technically secure proof of origin (authenticity of a legal entity) and integrity (protection against unauthorised changes or alteration) of the data and information signed by the legal entity. In case of the digital accreditation symbol, this is the information contained in the eAttestation.
How does an electronic seal guarantee proof of origin and integrity?
Proof of authenticity (origin) and integrity (protection against unauthorised changes or alteration) are established through the use of an encryption method – the so-called “public key” method. First, a digital identity is created for the accredited conformity assessment body (CAB). This identity is assigned a unique cryptographic pair of keys with a public and a private key (public key infrastructure: PKI). In use, this is referred to as an electronic seal.
A qualified trust service provider, as defined by eIDAS (Regulation (EU) No 910/2014), is responsible for the production and technical protection of such electronic seals.
The respective digital accreditation symbol is approved by DAkkS as the national accreditation authority prior to the production of the electronic seal.
What functions are offered by the digital accreditation symbol based on an electronic seal?
The accredited body can use this seal to digitally and machine-readably affix the accreditation symbol to its attestation, thereby protecting it (= eAttestation).
The electronic seal provides third parties verifying it with
1. information on the identity of the legal person (authenticity)
2. certainty of the integrity of the data and
3. confirmation of the validity of the accreditation for the specific accreditation activity (e.g. testing or calibration laboratory, inspection or certification body).
For more information on the verification of the digital accreditation symbol, please refer to the question: How can customers of a CAB carry out signature verification of eAttestations in PDF format?
Customers of the CAB can also integrate the digital attestation of conformity into their own automated process chain without media discontinuity. This leads to cost-reducing improvements of efficiency.
What benefits does the digital accreditation symbol possess in comparison with a standard qualified signature?
A qualified signature serves to verify the identity of the issuing natural person (authenticity) and to verify the integrity of the data.
The digital accreditation symbol is issued only to the accredited body, not to a natural person. Therefore, it also serves to verify the identity (of the legal person) and the integrity of the data, but also enables automated and machine-readable verification of the validity of the underlying accreditation for the conformity assessment activity in question.
The added value lies in the fact that, at the time of sealing with a valid seal certificate, the digital accreditation symbol and thus the accreditation were also valid. This can be automatically verified in real time using technical means.
How does the digital accreditation symbol relate to the established graphic accreditation symbol?
The digital accreditation symbol opens up an additional digital channel for accredited bodies. Its use is voluntary and can be approved by DAkkS upon application. Accredited bodies can add a digital accreditation symbol to digital files. The digital accreditation symbol can be read by machines automatically if a respective customer of a CAB wishes to do so.
The digital accreditation symbol is intended primarily for machines and enables automated verification of the accreditation status at the time of the sealing of an eAttestation. It is less intended for human verification.
If the digital accreditation symbol is used on digital documents that are not intended to be machine-readable (e.g. PDF instead of XML), the file must be protected with the digital accreditation symbol in addition to the established graphic accreditation symbol.
The graphic representation of the accreditation symbol and its approval by DAkkS remain unaffected.
What is a trust service provider?
In essence, a trust service provider acts as a notary for the Internet. The trust service provider verifies the identities of individuals, businesses or objects on the Internet. In this context, digital certificates serve as identity documents in the online world.
DAkkS cooperates with the trust service provider D-Trust GmbH. D-Trust GmbH is a wholly owned subsidiary of the Bundesdruckerei Group and a trusted and qualified trust service provider within the EU. D-Trust GmbH acts on the basis of the European eIDAS Regulation (Regulation (EU) No 910/2014) and in accordance with the German Trust Services Act (Vertrauensdienstgesetz, VDG).
What costs are incurred by a conformity assessment body for use of the digital accreditation symbol?
For each overall accreditation certificate issued (accreditation activity), the trust service provider (D-Trust) incurs annual expenses of EUR 469 plus VAT per electronic seal for the administration of the CAB’s digital identity. These costs are invoiced to the accredited body as an expense by DAkkS. A partial certificate (certificate annex) forms part of the overall certificate and therefore does not incur any further costs.
In addition, administrative costs are incurred for processing the application at DAkkS. The basis for calculating these additional fees is the German ordinance on fees for accreditation bodies (AkkStelleGebV).
The administrative costs depend on the individual case, particularly on whether the application was submitted correctly and in full, whether the authorisation document was error-free in the second stage of the application process, or whether DAkkS had to make additional requests. In general, however, the administrative costs incurred by DAkkS are manageable, currently averaging around 50 euros per application.
2. Questions about the application
Why is an additional application for the digital accreditation symbol necessary? When can the application be submitted?
An application for the digital accreditation symbol is necessary because a new digital identity has to be created and the accreditation information must be confirmed by DAkkS to the trust service provider.
An accredited body can file the application at any time. Valid accreditation is a prerequisite for filing an application.
Can only one technical contact person be named per CAB?
For the authorisation document, we ask that you name one technical contact person, who will act as the initial point of contact only.
Within a CAB, several persons can be responsible for the application and the administration of the digital accreditation symbol. Therefore, we as DAkkS recommend that you include a functional mailbox address in the authorisation document and use it as the CSM access email address (see chapter 5).
What happens if there is a change of the authorised representatives or the responsible contact persons? Does this need to be reported and what are the implications?
The authorised representatives are relevant only for the second stage of the application process. Notification of a change in the authorised representative is only necessary if you are in the application process. If the authorised representatives change at a later date, no notification is required. This therefore has no effect on the use of the digital accreditation symbol.
If the responsible technical contact person for the digital accreditation symbol changes, DAkkS must always be notified. All you need to do is send an informal email to your DAkkS contact person, stating that the change concerns the technical contact person for the digital accreditation symbol. DAkkS will then verify whether your CAB is registered within the CSM with a functional mailbox address or whether your newly named contact person requires individual access. In accordance with the fee ordinance of the accreditation body (AkkStelleGebV), this verification will be added to your next DAkkS invoice as administration of the digital accreditation symbol. In general, these administrative costs are manageable and on average less than 50 euros per change.
Which documents are required for the application?
A CAB requires two documents:
- The application form for use of the digital accreditation symbol
  LINK TO THE APPLICATION FORM (available in German)
- The authorisation document
Please send the application form by email to DAkkS application service, email address a-nkb@dakks.de.
DAkkS sends the authorisation document (available in German) to the CAB by post. The document is required to create a digital identity for the CAB at the trust service provider D-Trust GmbH. This establishes the electronic seal containing the specific accreditation information. The authorisation document is therefore the basis for obtaining the digital accreditation symbol.
The authorisation document must be signed by an authorised signatory of the legal entity of the conformity assessment body and must be provided with a company stamp (or optionally with the company name in block letters). DAkkS will verify the signature. In individual cases, an identification procedure for the authorised signatory may be necessary.
More information can also be found in the “Information sheet on applying for the digital accreditation symbol” (M-17011 Annex 3) (available in German)
LINK TO THE INFORMATION SHEET
How does the application process work?
A detailed description of the application process can be found at the following link:
DIGITAL ACCREDITATION SYMBOL APPLICATION PROCESS STEP BY STEP (available in German)
More information can also be found in the “Information sheet on applying for the digital accreditation symbol” (M-17011 Annex 3) (available in German)
Can the authorisation document be signed with a qualified electronic signature?
Yes, the authorisation document can be signed with a qualified electronic signature (QES) of the authorised representative or authorised signatory entered in the commercial register or another official register.
Important: This qualified electronic signature (QES) does not replace the obligatory company stamp.
Why and how must the authorised signatory of the legal entity be identified through a separate identification procedure?
DAkkS is obliged to identify the persons authorised to represent or sign for their conformity assessment bodies. In general, these persons are identified by checking the existing registers (e.g. commercial register).
If no register entries or confirmations from authorities are available, DAkkS determines the identity of the authorised representative or authorised signatory through a separate identification procedure.
What type of e-mail address must be provided in the authorisation document by the contact person?
The address of a shared mailbox can be entered in the authorisation document. This is the address to which the registration for the “Certificate Service Manager” (CSM) administration portal will be sent. DAkkS recommends that the address entered in the authorisation document is a shared mailbox and not a personal e-mail address.
The accredited body must ensure that only authorised persons have access to this shared mailbox.
Where can I find the PKI regulations, which have to be approved before signing the authorisation document?
To sign the authorisation document, you must accept the rules of the PKI. The rules can be found here:
CERTIFICATE POLICY (CP) OF D-TRUST GMBH
D-TRUST SERVICE PRACTICE STATEMENT (TSPS)
CERTIFICATION PRACTICE STATEMENT (CPS) OF THE D-TRUST CSM PKI
DAKKS TRUST SERVICE PRACTICE STATEMENT (TSPS) (TSPS DAKKS)
TERMS AND CONDITIONS OF D-TRUST GMBH
PRIVACY POLICY OF D-TRUST GMBH
The current versions of all D-Trust documents can be found here:
3. Questions about the electronic seal
What equipment is required to use the electronic seal?
DAkkS has no special requirements regarding the technical equipment needed in order to use an electronic seal as a digital accreditation symbol.
A CAB can use any customary software for the use of digital signatures. The range of functions (signing only possible on PDF or on machine-readable formats such as XML) differs among software providers:
- DigiSeal
- SecSigner
- SignLive
- Adobe Acrobat Reader
- Foxit
What are the requirements for using the electronic seal?
DAkkS does not impose any additional requirements that go beyond the respective accreditation standard (‘level 3 standard’).
Because the electronic seal is software-based, its use is hardware-independent, and the seal and its key material can be stored in any secure IT environment of the CAB’s choice – on a server or in a cloud.
DAkkS recommends technically secure embedding in the accredited body’s IT environment with access control to both elements needed for the signing process: the key material and PIN. In this way, only authorised employees can seal attestations (result reports).
Note: The sealing process can be implemented in a variety of ways. This is possible by
- Integrating the key material into a PDF reader that has a signature function,
- Using a script written by the user (stand-alone or as part of an existing program) or
- Using a standard seal/signature creation and verification device (such as SecSigner, DigiSeal, SignLive, etc.)
Does DAkkS provide support with implementation of the electronic seal?
DAkkS supports the CAB with the application for and provision of the electronic seal.
The following topics are not within DAkkS’ area of responsibility:
- Answering questions on software implementation at the CAB or clients of the CAB for use of the DAkkS accreditation symbol (signature software and verification software) or the software-based creation of machine-readable result reports (e.g. a DCC digital calibration certificate)
- DAkkS does not provide support with the introduction of processes or with software development or technical implementation at a CAB (consultancy ban).
- DAkkS also does not provide support with the introduction of internal CAB processes relating to use of the accreditation symbol.
How is the electronic seal used for signing?
To sign with the electronic seal, the CAB requires the key material (.p12 file) and the PIN. The key material is sent by e-mail to the e-mail address entered in the Certificate Service Manager (CSM) (shared mailbox address entered in the authorisation document). The PIN is sent to the specified SMS-capable number.
The seal certificate for the electronic seal associated with the key material can be downloaded from the CSM if there is a need to store the certificate manually in the IT environment. However, there is no download option in the CSM for the key material (.p12 file) or the PIN.
How does the key material differ if a CAB applied for several electronic seals and wants to use them as digital accreditation symbols in different conformity assessment activities?
The file name of the key material (.p12 file) starts with the name of the legal entity and also contains the unique accreditation number provided for the specific activity. The way this is displayed depends on the e-mail program. Changes by DAkkS or D-Trust are not possible.
The CAB receives one e-mail from D-Trust for each key material. It is important to note that each e-mail is specific. The key material contained is strictly assigned to one accreditation activity and accreditation number clearly recorded in the e-mail text.
How long is an electronic seal technically valid?
For legal reasons, a seal based on a technical qualified certificate with a soft token can only be issued for a maximum of two years. After that, a subsequent certificate must be applied for.
The CAB is notified about the expiry of the seal certificate automatically by the D-Trust GmbH CSM system 90 days and again 14 days before the expiry date. The notification is sent to the specified contact e-mail address (shared mailbox).
A subsequent certificate can be requested no earlier than 30 days before the seal certificate expires in the web portal.
It is essential to apply for the subsequent certificate every two years in order to maintain the chain of trust. This does not constitute a full new application for use of the digital accreditation symbol, the request is submitted only within the CSM system.
How to receive information on the expiry of the electronic seal certificate?
The CSM portal (see chapter 5) sends an email to the email address stored in the CSM (DAkkS recommends using a functional mailbox address) 90 days and 14 days before the expiry of the currently valid seal certificate to inform you about the expiry.
A follow-up certificate (please refer to the answer to the question on follow-up certificates) can be requested directly in the CSM 30 days before the seal certificate expires.
What happens to sealed (PDF) files after the expiry of the seal certificate? What is the significance of a follow-up certificate?
From a technical standpoint, a seal certificate by D-Trust expires automatically after two years. Therefore, a new seal certificate must be applied for within the CSM (see chapter 5). No further application to DAkkS is required for this; requesting it in the CSM suffices. You can either obtain a new seal certificate via the CSM or a follow-up certificate (30 days before the expiry of the old seal certificate).
The advantage of a follow-up certificate is that all information in the CSM from the previous seal certificate is transferred to the follow-up certificate and the remaining validity period of your previous seal certificate is credited to the new seal certificate.
Some signature/seal creation software allows signing/sealing with an expired signature/seal certificate. However, such signatures/seals will be displayed as invalid during verification due to the expiry. Therefore, it is necessary to always use the follow-up or new seal certificate for sealing.
All documents sealed with a seal certificate valid at the time of sealing remain valid.
What happens after expiry of an electronic seal?
If no subsequent certificate for the electronic seal is requested by the CAB, the CAB will not receive a new seal certificate. Signatures (eAttestations) that are generated after the previous seal certificate has expired may be displayed as invalid or may indicate that the electronic seal certificate expired.
Can problems arise if, in addition to the electronic seal, qualified signatures originating from a trust service provider other than D-Trust are used?
Different signatures and seals do not interfere with each other.
Is it possible to integrate a digital signature and/or a qualified time stamp on the attestation in addition to the electronic seal?
It is technically possible to add a digital signature and/or a qualified time stamp to the electronic seal. Adding them is at the discretion of the accredited body.
The additional digital signature of a CAB should be applied before the electronic seal (the digital accreditation symbol).
4. Questions about the digital accreditation symbol
Is the digital accreditation symbol a qualified electronic signature?
The digital accreditation symbol is designed according to Regulation (EU) No. 910/2014 (eIDAS Regulation), and is therefore an advanced electronic seal with a qualified seal certificate.
Are CABs obliged to use the digital accreditation symbol in the form of an electronic seal?
DAkkS provides the digital accreditation symbol upon request as a tool to ensure the protection of integrity and authenticity for digital result reports produced by CABs. In principle, integrity protection can be implemented with other technical solutions, but the correct reference to the accreditation cannot then be realised in machine-readable form. The use of the digital accreditation symbol is therefore practical and efficient.
Why doesn’t the document contain a direct reference to the digital accreditation symbol?
DAkkS poses no requirements regarding the display of the digital accreditation symbol on attestations of accredited bodies. The client’s requirements are primary here.
The digital accreditation symbol is designed primarily to fulfil a technical protective function and to be machine-readable. A visible reference to the symbol is therefore not necessary.
How does the digital accreditation symbol become visible if it is not displayed as an element in the document?
When a third party checks an eAttestation with any PDF reader, the digital accreditation symbol with the reference to the signatures it contains becomes “visible” and the eAttestation can be verified using the reader (if the signature is valid, the accreditation status is valid).
Note: Browsers do not support signatures and seals, at least not currently.
An advantage for the CAB with respect to its clients is that the CAB can prove the correctness of its identity (the issuer) and the integrity of the document (integrity of the data).
Why is the digital accreditation symbol issued exclusively to the legal entity and why does it not also refer to the name of the CAB?
The legal entity accredited by DAkkS always includes the conformity assessment body. A legal entity as a conformity assessment body can conduct several accreditation procedures. A legal entity as a conformity assessment body can also have several locations.
The digital accreditation symbol identifies the legal entity. The distinction of activities in terms of accreditation procedures or other technical designations (e.g. Institute for …) are not mentioned separately. It is derived from the unique accreditation number within the digital accreditation symbol which refers to the overall certificate. There is also no differentiation by location in the digital accreditation symbol.
How can legal entities with multiple accreditation procedures be visibly distinguished from one another in the signature process?
The accredited legal entity itself can use its signature creation software to also specify the name of the entity that performs the conformity assessment activity (CAB), and if applicable a different location, e.g. by indicating the “Reason for signature”. For example:
- Legal entity = Sample GmbH
- Unit = CAB = e.g. Institute for Microbiology
- If applicable, also add the address: Sample Street 1, 10500 Sample Town
When and how can the digital accreditation symbol be used? What is its scope of application?
The digital accreditation symbol can be used by any accredited conformity assessment body that has successfully applied for such a symbol.
Use of the digital accreditation symbol is limited to the issuing of attestations in accordance with ISO/IEC 17000:2020, 7.3. These include for example test reports, calibration certificates, inspection reports or various certificates for products, management systems or persons.
The file format of these attestations is not relevant for use of the digital accreditation format. All known file formats are supported, such as PDF and machine-readable XML files, e.g. the use of digital calibration certificates (DCC).
DAkkS does not impose any requirements on how the digital signature (here: the digital accreditation symbol) should be linked to the attestation of conformity. From a technical standpoint, both “embedded” and “detached” signatures are possible. However, it is recommended to opt for an “embedded” signature.
What does an applying CAB receive from DAkkS as the digital accreditation symbol?
The digital accreditation symbol corresponds to the electronic seal (as a special kind of digital signature) in its technical setup. This means that after approval by DAkkS in the CSM, you will receive the seal certificate (.p12 file) via email from D-Trust (within 30 minutes of approval by DAkkS) and the PIN for the seal certificate by SMS to the number you indicated within the application process in the CSM for your seal certificate.
Does the digital accreditation symbol replace other digital signatures on conformity attestations?
As an advanced electronic seal with a qualified seal certificate, the digital accreditation symbol meets requirements on data integrity and the protection of the authenticity of a document, as provided by other digital signatures as well.
When using the digital accreditation symbol, the normative requirements regarding the content of the respective attestation remain unchanged.
When should the digital accreditation symbol be attached when filing a conformity attestation?
The digital accreditation symbol should be embedded in the process of final approval and issuance of a statement of conformity.
How can my customers learn about the digital accreditation symbol and its associated benefits?
DAkkS actively promotes the digital accreditation symbol through general information materials and presentations at conferences. DAkkS provides explanatory videos and information on its website and on YouTube to be used by all interested parties.
Nevertheless, we rely on you – the conformity assessment bodies – to disseminate this information. If you use the digital accreditation symbol, please inform your customers about it.
If several signatures are used on an attestation, in which order should they be applied?
The digital accreditation symbol should be applied last, after all other signatures, as the final seal of the document.
What happens with the digital accreditation symbol if the seal certificate expires?
The expiry of the seal certificate has no effect on the validity of the signature of existing and issued documents (eAttestations; see Chapter 9 DAkkS_TSPS). This means that at the time of sealing with a valid seal certificate, the digital accreditation symbol (and thus the accreditation) was also valid.
How does the use of the digital accreditation symbol (dAS) work, when there are several persons authorised to finally approve and issue attestations in a CAB?
In principle, it is within the discretion of the CAB to determine the persons that are authorised to sign attestations with the digital accreditation symbol. DAkkS does not impose any requirements regarding the number of persons who may have access to the digital accreditation symbol. This must be defined and regulated in the CAB itself.
All eligible persons will receive the same access, as there is only one seal certificate and one PIN (the digital accreditation symbol).
When applying for the digital accreditation symbol (dAS), the technical contact person named in the application will receive the necessary key material (.p12 file) once by email (a functional mailbox address is recommended), along with the respective PIN by SMS.
Thus, exactly one seal is issued to your accredited body, and not to one or more individuals.
The internal distribution and technical implementation are the responsibility of the accredited body. There are various ways in which usage can be regulated, e.g.:
- manual use of the same PIN and .p12 file by authorised persons,
- integration via software with role-based access (e.g., via embedding in a LIMS system),
- centralized signature services with on-server sealing, removing the need for individual direct access to the PIN and certificate.
The individual technical implementation depends on the available IT infrastructure, internal security requirements, and risk assessment within a CAB. DAkkS does not provide direct advice or technical support for implementation within conformity assessment bodies.
Can the digital accreditation symbol also be used as part of an automated attestation creation and dispatch process, or must each document be sealed manually?
After successful application for the digital accreditation symbol (dAS), the symbol can be integrated into document dispatch as part of automated processes. For that, it is necessary to make sure that the electronic seal is used only on standard-conformant attestations (such as (test) reports or (calibration) certificates) that lie within the scope of the valid accreditation and for which the digital accreditation symbol has been applied for.
DAkkS does not impose any requirements on how CABs should use the digital accreditation symbol (manually or automatically). The CAB is responsible for the technical implementation.
DAkkS does not provide direct advice or technical support for implementation within conformity assessment bodies.
How to automate the sealing of documents with the digital accreditation symbol?
This depends on the internal processes of a CAB. If a CAB is using a specific service to create its documents, the CAB should consult its IT service provider.
A CAB can provide the IT service with the following information:
- D-Trust GmbH provides CABs with a .p12 file by email and a password by SMS.
- The .p12 file contains the certificate issued by D-Trust to the CAB (which includes the digital accreditation symbol) and the respective private key.
- The file is encrypted with the password sent by SMS.
- Only the .p12 file and the password are required to create a digital signature.
DAkkS can provide you or your IT service provider with a basic example of an “invisible” digital signature applied to a PDF in Python upon request at d-AS@dakks.de.
The .p12 file can easily be converted into other file formats e.g. by using openssl, or the private key and the certificate can be extracted, depending on what is necessary for the integration into your systems.
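The unpacking step mentioned above, sketched with the openssl command line as an added example (not DAkkS or D-Trust code). The file names, the constructed throwaway .p12 and the separate key passphrase file are assumptions; the PIN is read from a file so that it does not appear in the process list.

```shell
#!/bin/sh
# Added example, not DAkkS or D-Trust code. All file names are assumptions.
set -eu
umask 077   # files created below are readable by the sealing account only

# Constructed stand-in for the real key material: a throwaway self-signed
# certificate packed into seal.p12, protected by the PIN in pin.txt.
make_constructed_p12() {   # $1 = work directory
    printf '%s\n' 'constructed-PIN-1234' > "$1/pin.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Constructed CAB/CN=Constructed seal' \
        -keyout "$1/tmp.key" -out "$1/tmp.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/tmp.key" -in "$1/tmp.crt" \
        -passout "file:$1/pin.txt" -out "$1/seal.p12"
    rm -f "$1/tmp.key" "$1/tmp.crt"
}

# Certificate only, no private key. The PIN comes from a file, so it never
# appears in the argument list that `ps` shows to other users.
extract_cert() {           # $1 = .p12, $2 = PIN file, $3 = output PEM
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# Private key, re-encrypted under its own passphrase file so that no
# plaintext key is written to disk.
extract_key() {            # $1 = .p12, $2 = PIN file, $3 = passphrase file, $4 = output PEM
    openssl pkcs12 -in "$1" -passin "file:$2" -nocerts \
        -passout "file:$3" -out "$4" 2>/dev/null
}

# Confirm that the unpacked certificate and key belong together.
cert_matches_key() {       # $1 = cert PEM, $2 = key PEM, $3 = passphrase file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds while the certificate remains valid for at least $2 more days.
valid_for_days() {         # $1 = cert PEM, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

demo() {
    work=$(mktemp -d)
    make_constructed_p12 "$work"
    printf '%s\n' 'constructed-key-passphrase' > "$work/keypass.txt"
    extract_cert "$work/seal.p12" "$work/pin.txt" "$work/seal-cert.pem"
    extract_key "$work/seal.p12" "$work/pin.txt" "$work/keypass.txt" "$work/seal-key.pem"
    openssl x509 -in "$work/seal-cert.pem" -noout -subject -enddate -fingerprint -sha256
    cert_matches_key "$work/seal-cert.pem" "$work/seal-key.pem" "$work/keypass.txt" &&
        echo "certificate and key match"
    valid_for_days "$work/seal-cert.pem" 30 ||
        echo "certificate expires within 30 days: apply for a follow-up certificate"
    rm -rf "$work"
}
demo
```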
Is it necessary to enter the PIN each time when signing a document with the digital accreditation symbol?
This depends on the setting and the context of application by the CAB. With an established automatic signing process (such as an integration into existing software/workflows in LIMS), the PIN doesn’t have to be entered for every signature.
When sealing manually with a sealing software, “stacked signatures” are possible. Otherwise, depending on the software used, manually signing may require entering the PIN each time.
Is it possible to receive a sample document (eAttestation) with an attached digital accreditation symbol?
Yes, you can access it at the following link provided by the German Federal Institute for Materials Research and Testing (BAM), our partner in the QI-Digital initiative. This is a sample attestation of conformity explicitly issued for demonstration purposes, approved by DKD (German Calibration Service), as an eAttestation.
It can be accessed here: https://netzwerke.bam.de/Netzwerke/Content/DE/Standardartikel/Netzwerke/QI-Digital/dcc.html
The exemplary document also includes a guideline on the application of the eAttestation with a machine-readable certificate (here: DCC) and with a PDF.
Can the digital accreditation symbol continue to be used if the legal person changes (e.g. due to a change in the company register)?
If information in the company register changes because there is a change in the legal person of the conformity assessment body, the previous digital accreditation symbol must be locked. A new digital accreditation symbol must then be applied for in accordance with the application process, for the new legal person. This is necessary because the electronic seal represents the digital identity of the legal person of a CAB.
Can the digital accreditation symbol be used on your own homepage?
The digital accreditation symbol is restricted solely to use in digital attestations of conformity (e.g. test/inspection reports or (calibration) certificates). Its use on a website is not permitted.
Can the digital accreditation symbol be used on shortened attestations of conformity (such as short test reports in form of tables) which don’t meet all standard requirements?
The digital accreditation symbol may only be used on standard-conformant conformity statements (attestations).
This includes the use of the symbol on simplified, yet standard-conformant reports.
A client of the CAB wants to check the digital accreditation symbol, but reports that there are problems with the signature or it requires validation. What are possible solutions?
Problems with verification of the electronic seal as a digital accreditation symbol are usually caused by a misconfiguration of the software used (e.g. PDF reader or signature verification device) on the user’s PC.
Possible solutions for a signed document include:
For PDF files:
- It may be necessary to update the European Union Trusted Lists (EUTL) in the PDF reader used by the client (in the settings). Alternatively, a PDF can also be verified using a seal signature creation and verification device.
- It may be necessary to manually classify the certificate as trustworthy in accordance with section 6 of the DAkkS TSPS. The verification should then run smoothly.
- Important: It is not possible to verify the electronic seal with a browser, as browsers do not support the verification process.
Possible solutions for a signed DCC:
- Is an update of the seal signature creation and verification device needed? As with the PDF reader, the EUTL may require an update. Does the software used by the CAB display the validity of the seal correctly? If this is the case, it is recommended that the client of the CAB contacts the support team for its own seal signature creation and verification device. Here again, the certificate may also need to be manually classified as trustworthy in accordance with section 6 of the DAkkS TSPS.
5. Questions about the D-Trust portal “Certificate Service Manager” (CSM)
Which browser should be used to access the CSM?
Any modern browser can be used. DAkkS is not aware of any restrictions.
What should be done if the e-mail with the confirmation of registration does not arrive in the CSM?
First, check whether the e-mail from D-Trust (sender: csm.noReply@d-Trust.net) ended up in IT quarantine or in the spam folder.
If the e-mails cannot be found there, contact your DAkkS contact person for further information on the procedure. Notify the DAkkS contact person of your preferred e-mail address. DAkkS will check the internal system to ensure that the correct e-mail address has been entered for registration.
What does “Error 403 – You have no authorisation for the action” mean in the CSM?
If the browser window (in any browser) with the opened CSM portal displays error code 403, a server timeout has occurred due to inactivity.
As with online banking transactions, the system automatically logs you out for security reasons after five minutes of inactivity. All processes must then be restarted from the beginning.
Which address must be entered when registering?
The address is only used to contact the person and is not part of the data encrypted in the electronic seal. The address of the CAB can therefore be entered here if it differs from that of the legal entity.
Is it possible to use the same revocation password for several electronic seals?
The CAB is responsible for setting up the revocation passwords. Even though it is technically possible to use the same revocation password for several electronic seals, it is not recommended for security reasons.
What happens if I lose my PIN or the key material?
If you lose your PIN and/or key material, you have the option of receiving a substitute certificate. The validity period of the substitute certificate is adjusted to the remaining term of the previous certificate.
For example: you used your certificate for four months before losing your PIN. This means that the substitute certificate is still valid for one year and eight months (remaining term of the total two-year term). There are no costs associated with the issue of the replacement certificate by D-Trust.
In this case, make sure that the electronic seal was not compromised after the loss of the PIN and/or key material. If you suspect that unauthorised persons gained access to the PIN and/or key material, please deactivate the old electronic seal and apply for a new electronic seal within the CSM.
The revocation process can also be triggered through DAkkS. In this case, please contact your DAkkS contact person for further information on the procedure.
Note: If you did not receive the PIN via the SMS-capable number provided when the certificate was first issued or if there were problems with the delivery of the key material, you can have your seal certificate revoked by D-Trust GmbH within the first 30 days after the seal certificate was first issued at no additional cost and also apply for a new certificate within the CSM.
The seal certificate file for the electronic seal (.cer file) cannot be opened from the e-mail inbox. What are other options to open the file?
You can download the seal certificate under “Certificates” in the CSM.
Alternatively, you can try the following procedure:
- If your e-mail program blocks the .cer file when opening it, save it as a .txt file first.
- After saving the file to the local storage, you can give it the filename extension .cer.
The key material (.p12 file) from the e-mail and entry of the PIN are required for the sealing process.
The file containing the key material (.p12 file) cannot be downloaded from the e-mail inbox. What are the options to save the file?
It is not possible to download the key material in the CSM, as the key material with the .p12 file is only sent by e-mail for security reasons. Additionally, there must be a separation of channels for sending the relevant files.
Two possible solutions can work in this case:
Option 1:
First, try to download the certificate (.cer file) from the CSM and label it as trusted in your certificate storage. Your e-mail inbox may then recognise the key and the .p12 file from the e-mail can be saved and used without further problems.
Option 2:
Try to work around the problem when saving from your e-mail inbox (illustrated using the example of Outlook):
- Save the file as .txt
- Rename the file to .p12 at the storage location
- Embed and use the file
Note:
There are several possible solutions. Neither DAkkS nor D-Trust have any influence on the e-mail configurations of the e-mail providers, which is why the possible solutions may vary depending on the program used.
What should be done if the e-mail with the key material from D-Trust does not arrive?
Your options:
- First, please check whether the e-mail from D-Trust (sender: csm.noReply@d-Trust.net) has ended up in IT quarantine or in the spam folder.
- You can check whether a seal certificate is stored with the label “Valid” in the CSM under “Certificates” (see the certificate management tab).
- If necessary, report your problem to DAkkS via the DAkkS contact person responsible for the procedure.
Note: After approval by DAkkS, the key material and the PIN will be sent to you automatically within 30 minutes.
Note:
Within the first 30 days after the initial issue of an electronic seal, the revocation of electronic seals and reissue by D-Trust is free of charge.
Is it possible to register a personal mobile phone number instead of a company mobile phone number to receive the PIN?
The choice of mobile phone number is the responsibility of the CAB and must be made within the framework of the applicable company regulations. DAkkS recommends the use of company-owned devices for receiving the PIN.
Is it mandatory to provide a mobile phone number? Is it possible to receive the PIN on several phone numbers?
When applying for the seal certificate in the CSM (see step 5 of the application process), you must provide one mobile phone number to which the PIN (i.e. the password) for your seal certificate will be sent by SMS. The trust service provider, D-Trust, cannot transmit the PIN in any other way.
It is currently not possible to add additional mobile phone numbers in the CSM. You can check whether automatic forwarding is an option for you.
What should be done if the SMS with the PIN does not arrive?
Please check whether you have entered the correct mobile phone number in the application for the electronic seal certificate within the CSM. If the entries are correct and the SMS still does not arrive, you will need to apply for a substitute certificate or revoke the electronic seal and apply for a new one.
Note:
Within the first 30 days after initial issue of the electronic seal, the revocation of electronic seals and reissue is free of charge.
How can I apply for a follow-up certificate?
A follow-up certificate can only be created 30 days before the expiry of the previously valid seal certificate. You will automatically receive an email from CSM (90 days and again 14 days before expiry of the current seal certificate).
How to proceed in the CSM: Log in to the CSM portal and go to the “Certificate Management” section, then select “Certificates”. Use the search box to find your currently valid seal certificate. Click on the seal certificate (field with “blue” text) and scroll to the end of the information. There you will find a button “Create a follow-up certificate”. Click on it and follow the instructions in the CSM.
6. Questions about the suspension of accreditation/blocking of the electronic seal
For which reasons can the electronic seal as a digital accreditation symbol be revoked?
There are various reasons why the electronic seal as a digital accreditation symbol might be revoked.
As a CAB, you have the option of revoking the digital accreditation symbol yourself using a revocation password if
- You suspect that there has been unauthorised access to the PIN and/or key material
- You suspect that the chain of trust has been broken or
- The accreditation has been returned
DAkkS has the option of revoking the digital accreditation symbol if
- The accreditation for the activity of the CAB has been withdrawn by a definitive decision (and a revocation is otherwise only performed when the entry for the client regarding the negative decision has been entered in the database of accredited bodies)
- There is suspicion that the digital accreditation symbol is being misused by a CAB
- The CAB requests DAkkS to revoke it or
- The trust service provider requests DAkkS to revoke it
The trust service provider has the option of revoking the digital accreditation symbol if
- There is suspicion that the chain of trust has been interrupted
- There is suspicion that the encryption algorithm has become insecure or
- The applicable guidelines for participation in the public key infrastructure (PKI) have not been adhered to.
What happens if the electronic seal as a digital accreditation symbol is revoked?
You will be notified if your digital accreditation symbol has been revoked.
If the electronic seal has been revoked in the CSM, it can no longer be used. Some signature or seal creation devices will refuse sealing with a revoked seal. Other software applications might still allow you to seal, but the seal check will be displayed as “Invalid” as the seal has been revoked.
All documents signed before the seal was revoked keep their valid verification result. Only an indication that the seal has been revoked will be displayed during the verification process.
What happens if the accreditation is restricted?
The restriction has no effect on the digital accreditation symbol. The digital accreditation symbol continues to identify the legal entity of the CAB, which remains accredited for the specified activity. The actual scope of the accreditation is determined by the database of accredited bodies and not by the digital accreditation symbol (which displays only the accredited activity, not the scope).
Does the introduction of the digital accreditation symbol pose any risks for the assessment activity?
There is a transition period (grace period) for use of the digital accreditation symbol and the issuing of eAttestations (including DCC) until the end of 2025.
This means that nonconformities that may arise from the initial introduction and use of these technologies at a CAB (particularly process or documentation deficiencies) which do not have any direct effect on the validity of the conformity statement may be identified in a DAkkS assessment. However, they must not lead to any critical assessment, in order to enable a protected introduction and experimentation phase for the CAB and to support the goal of the digital transformation in the quality infrastructure.
8. Questions about the machine-readable attestations (DCC)
What requirements apply at DAkkS for implementing the digital calibration certificate (DCC) or other machine-readable reports?
For the DCC, the PTB scheme must comply with the normative requirements of ISO/IEC 17025:2018. This means that the same technical requirements apply to a DCC as to any other calibration certificate or traceability certificate. This also applies to other machine-readable reports and compliance with their respective normative requirements. DAkkS does not impose any specific requirements regarding digitisation on the content.
To ensure that the normative requirements are met when issuing DCCs or other machine-readable attestations by a CAB, these digitally issued attestations must be adequately protected. The necessary integrity protection is ensured by the digital DAkkS accreditation symbol.
Is there an example of a machine-readable attestation issued as an eAttestation?
There are various forms and versions of machine-readable attestations of conformity. In principle, such attestations can be affixed with a digital signature (in the form of the digital accreditation symbol). The only requirement is the use of the correct signature standard (e.g. the XAdES standard for XML-based files).
As part of our pilot phase, together with our partner in the QI-Digital initiative, the German Federal Institute for Materials Research and Testing (BAM), we developed an example of an eAttestation in the form of a Digital Calibration Certificate (DCC). This is a specifically issued eAttestation for demonstration purposes, approved by DKD (German Calibration Service).
The BAM example also includes instructions for applying the eAttestation with a machine-readable certificate (in this case, a DCC) as well as with a PDF. It can be accessed under the following link: https://netzwerke.bam.de/Netzwerke/Content/EN/Standard-Articles/Networks/QI-Digital/dcc.html
Are there any implications for the assessment activity from machine-readable reports?
DAkkS does not object in principle to the use of machine-readable result reports, such as those based on XML. However, it is a basic requirement that standardised semantic structures are used, for example issued by professional associations, and that DAkkS has assessed these structures for conformity. Development of the necessary processes for this is pending. A CAB must notify DAkkS of initiatives of this kind.
Does the digital accreditation symbol for calibration certificates have to be reapplied for after each re-accreditation, or is the initial application by reference number sufficient for future accreditations?
The digital accreditation symbol remains valid as long as the accreditation is not fully suspended or withdrawn after re-accreditation. A new application is not required as long as your accreditation procedure retains the same reference number that is linked to the digital accreditation symbol.
DAkkS-Support
Digital accreditation symbol
Do you still have questions? Please contact our support team by e-mail only.