Purchase of an e-signature

How to buy an e-signature? How long does it take? How quickly can it be activated? Do I need to make an appointment beforehand?

The issuance of a qualified electronic certificate requires a meeting with the Registration Inspector, at one of our Registration Points. It is also possible to order a service with an inspector’s arrival at a place of your choice. Upon presentation of the identity document and signing the necessary documents, the inspector shall issue a card (or token) with an e-signature. The whole procedure typically takes about 15 minutes.

The received card must then be activated on your computer, using the activation file you received by email from CenCert.

Before visiting the chosen registration point, please confirm by phone that service is available on the given date. The exception is the Central Registration Point, where there is no need to make an appointment by phone (during working hours).


How much does it cost? Will there be any additional costs, e.g. for identity verification?

Prices are specified in the description of each product.

When shopping with us, you do not incur any additional costs such as “identity verification fee”, “document fee” etc. The only additional costs that may be incurred are related to additional services: travel to the address you specify, training, etc.

Does the certificate have to include my PESEL?

A qualified CenCert certificate must contain either a PESEL number or a NIP number (natural person, certificate user) or an identity document number.

Many administrative systems require the PESEL number to be included in the certificate.

The purchase of a certificate with a document number instead of a PESEL number should be considered when it will be used to sign documents that are subsequently available to the public or a wide audience (e.g. to sign legal acts or administrative decisions).

In case of certificates purchased in order to contact administration systems (e.g. settlements with a tax office, eKRS), it is safer to buy a certificate with PESEL number.

The choice of the format of the certificate (with or without PESEL number) is the responsibility of the user and cannot be the reason for any claims.

Activation, card blocking, signature creation tool

How to activate a card and a token?

The electronic card (or token) received from the Registration Inspector contains data to generate an electronic signature, but is inactive and secured with a special transport code. This code is sent by our system by e-mail, to the user’s address given during registration.

After receiving the e-mail (which contains a file with the transport code), you can proceed to activate the card.

To activate it, you first need to install the PEM-HEART Signature program on your computer (it does not have to be the computer on which signatures will later be created). Then:


  • in Windows – double-click on a transport code file stored on the disk,
  • in other systems – run the PEM-HEART Activation program (included in the PEM-HEART Signature package) and then indicate the transport code file in the program.

The PEM-HEART Activation program will carry out the card activation process. Once activated, the card will be ready to use.

When you activate your card, you will need to assign new PIN and PUK codes. We recommend that you save and store your PIN and PUK codes in a safe place (separately from your card!!!). CenCert does not know the PIN/PUK codes assigned by the user and is unable to help if the card is blocked.

What tools are needed to create an e-signature?

The signature toolkit depends on your specific needs – what you need to sign and where you need to sign.

In any case, the Encard libraries must be installed on the computer used for signing. The libraries can be installed together with the PEM-HEART Signature package or independently. The Encard libraries allow you to access the card using standard commands, compliant with the PKCS#11 and CSP standards.

If you sign within an electronic system (e.g. offices’ websites), the Encard libraries and the software provided by that system or website are sufficient.

For signing files (e.g. PDF, DOC etc.) you can use the PEM-HEART Signature package.

How many computers can I use the card and the token on?

There are no license restrictions as to the number of computers on which the card and/or token can be used.

The Encard library must be installed on each computer, or the entire PEM-HEART Signature package must be installed (see: What tools are needed to create an e-signature?).

How do I change my PIN?

The card/token PIN can be changed using the PEM-HEART Signature software or the Encard Manager (Windows only, Encard software). You need to know the current PIN.

In the PEM-HEART Signature program, choose the Card -> Change PIN command.

In the Encard Manager program, choose the PIN Management -> Card PIN -> Change PIN command.

How do I change my PUK?

The card/token PUK can be changed using the Encard Manager software (Windows only, Encard software). You need to know the current PUK.

In the Encard Manager program, select the Manage PINs -> Administrator PIN -> Change PIN command.

What if I forget my PIN and PUK?

If you forget your PIN code and know (or have somewhere stored) your PUK code, there is no problem.

The locked card can be unlocked using PEM-HEART Signature software or the Encard Manager (Windows only, Encard software). You need to know the PUK code.

In the PEM-HEART Signature program, select the Card -> Unlock Card command.

In the Encard Manager program, select the Operations -> Log in to the token command. The operation will fail because the PIN is blocked, and the program will offer to unblock and change the PIN using the PUK code.


If you don’t know the PIN or PUK, unfortunately it is not possible to unlock the card. No one but the user knows these codes, and without them the card is useless.

In this case, you can only purchase a new certificate at the renewal price.

How to disable the signature creation tool?

If you want to make sure that your signature-creation tool cannot be used by anyone, the simplest way is to physically destroy the card, e.g. by cutting it where the chip is located (at the golden contacts). It is similar for a USB token: open the token (by prying open the flap), remove the SIM-sized card from inside and destroy the card. The reader itself (token) does not contain any elements related to the certificate and can be reused (e.g. by another person).

If needed (e.g. you do not want to or cannot take the card out of the token reader), the card (token) can also be blocked logically. For this purpose, both the PIN and PUK codes must be blocked.
To block the PIN, start any operation that requires entering the PIN (e.g. a signing operation) and keep entering an incorrect PIN until the message Card blocked appears.
To block the PUK code, start an operation that requires entering the PIN (e.g. changing the PUK code) and keep entering an incorrect PUK until a PUK code blocked or administrator PIN blocked message appears.

After the card is blocked (PIN and PUK codes), there is no possibility to use the signing key stored on the card.

Data contained in the certificate

What to do if our personal information changes, e.g. Name, address, other?

If the identification data contained in the certificate changes, i.e. name, you must cancel the certificate and purchase a new one at the renewal price on a new card.
Because the data recorded in the certificate changes, this exchange of the certificate cannot be done on-line. We invite you to one of our registration points.

If the certificate contains the number of an identity document and that number changes (e.g. due to the expiry of the document), nothing needs to be done. The certificate's Serial number field, in which the PESEL, NIP or identity document number is recorded, is used for additional identification of the user, in order to unambiguously indicate which person has signed (e.g. which “John Smith”), especially in case of disputes, court cases etc. The identity document number, even if outdated, still fulfills this role, so there is no need to replace the certificate for this reason.

If you change your e-mail address, please call our support line to update your address.

If you change other data (address, telephone, etc.), you do not have to do anything.


What files can be signed with an electronic signature?

Any files can be signed with an electronic signature. There are no restrictions either on the format or structure of the files, or on their size.

However, not all signature formats can be used in every case. The PAdES format is designed for PDF files only, and XAdES enveloped for XML files only and for a single signature only. Other formats (i.e. other XAdES forms, CAdES signatures) have no limitations on the format of the file to be signed.
In the case of detached signatures (when the signature is saved in a separate file), remember that the data set consists of two files: the signed file and the file with the signature. With this form of signature, the signature cannot be verified without the signed file.

What do the signed files in different formats look like?

In the case of the PAdES signature format, the result is always a PDF file (*.pdf). The signature is embedded inside the file, in PDF format. The document (PDF) can be read without verification of the signature (e.g. in Acrobat Reader DC).

In the case of the XAdES enveloped format, the result is an XML-compliant file (*.xml). The document (XML) can be read without a signature verification program.

In the case of the XAdES format, the result is an XML file containing the signature and the encoded source file. It is not possible to read the document without a signature verification program. PEM-HEART Signature gives the *.xades extension.

In the case of the XAdES format in a separate file, the result is an additional XML file, containing the signature (usually *.xades). The signed (source) file remains unchanged and can be read independently of signature verification.

In the case of the CAdES format, the result is a PKCS#7 or SMIME file, containing the signature and the encoded source file. It is not possible to read the document without a signature verification program. PEM-HEART Signature gives the *.sig extension.

In the case of ASiC format, the result is a compressed file containing a signature and an encoded source file. It is not possible to read the document without a signature verification program. PEM-HEART Signature gives the *.asisc extension.

How to check if the file is signed?

The surest way to find out if a file is signed, and possibly how many signatures it contains, is to try to verify the signature. You can use PEM-HEART Signature for this.

For PDF files you can also open the document in Acrobat Reader DC and open the Signature Panel.
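A quick first-pass check of which of the formats described above a file appears to use, written as an added Python example (it is not CenCert or PEM-HEART code). It is a heuristic based on the public format markers only, it covers DER-encoded CAdES but not the SMIME variant, and it verifies nothing; the function name and the sample data are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 / CMS signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

def sniff_signature_format(data: bytes) -> str:
    """Heuristic first guess of the container format; it verifies nothing."""
    if data.startswith(b"%PDF-"):
        # Signed PDFs carry a signature dictionary with a /ByteRange entry.
        return "PAdES" if b"/ByteRange" in data else "unsigned PDF"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                # Read at most 64 bytes so an oversized entry is never expanded.
                mimetype = z.open("mimetype").read(64) if "mimetype" in z.namelist() else b""
        except (zipfile.BadZipFile, RuntimeError):
            return "unknown"
        return "ASiC" if mimetype.startswith(b"application/vnd.etsi.asic-") else "plain ZIP"
    if data[:1] == b"\x30" and SIGNED_DATA_OID in data[:32]:
        return "CAdES (DER PKCS#7)"
    if b"<!DOCTYPE" in data:
        return "unknown"  # refuse DTDs instead of expanding entities from an untrusted file
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "unknown"
    if root.tag == DSIG + "Signature":
        # ds:Object elements other than the XAdES properties hold the embedded source file.
        payload = [o for o in root.findall(DSIG + "Object")
                   if not any(c.tag.endswith("}QualifyingProperties") for c in o)]
        return "XAdES with embedded file" if payload else "XAdES in a separate file"
    if root.find(".//" + DSIG + "Signature") is not None:
        return "XAdES enveloped"
    return "unsigned XML"

def asic_sample() -> bytes:
    """Constructed sample: a ZIP holding only the ASiC mimetype entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.etsi.asic-s+zip")
    return buf.getvalue()

# Constructed samples, not real signed documents.
SAMPLES = {
    "pdf": b"%PDF-1.7\n1 0 obj<</Type/Sig/ByteRange[0 9 19 9]>>endobj",
    "cades": bytes.fromhex("3082010006092a864886f70d010702a08200f1"),
    "enveloped": b'<doc><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"/></doc>',
}
```

A result other than "unknown" only says what the file looks like; whether the signature is correct still has to be established by a verification program.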

Signature verification

Can you verify an e-signature without your token?

Yes. To verify the signature you only need software that can recognize and verify the appropriate signature format, such as PEM-HEART Signature. The token is not needed.

Is it possible to verify an e-signature without software installed?

To verify the signature you need software that can recognize and verify the appropriate signature format, e.g. PEM-HEART Signature.

A special case is the PAdES signature format (PDF files), as Acrobat Reader DC is sufficient to verify these signatures. For PDF signatures, there is no need to install additional signature software. In addition, the current versions of Acrobat Reader DC use the European TSL and therefore correctly recognize the certificates of European qualified trust service providers, which means that there is no need to perform any configuration work to verify signatures submitted with CenCert certificates.

Do you need to have access to the Internet to verify the signature?

When verifying the signature, the program must have up-to-date information about certificate revocations and the current certificate of the trust service provider that issued the certificate used for the signature. The program downloads this information automatically via the Internet by contacting the relevant OCSP server or by downloading the current CRL or TSL.

If there is no Internet connection, the PEM-HEART Signature program still allows verification of signatures, but then the necessary CRLs and/or TSLs must be downloaded from the Internet manually (e.g. at another workstation) and then loaded into the program (Settings, then Data Import tab).

Signing by many people

Can several people sign a document? How do you do that?

Yes, the document can be signed by several people. In PEM-HEART Signature this can be done as follows: Advanced features -> Add signature.

What is a countersignature? When is it used? How to affix a countersignature?

A countersignature means a signature affixed under a signature.
When a “normal” signature is added to a document, in most formats, the signatures are saved independently of each other. Each signature confirms the content of the document, but does not include other signatures. Therefore, it is technically possible to remove, for example, one of the signatures of a document (even if it has been previously submitted), and the remaining signatures will still be correct.

Since a signature made as a “countersignature” also includes a signature made earlier, it is not possible to remove the earlier signature from the document and at the same time keep the “countersignature” valid.

The need to create signatures in “countersignature” mode may arise from the advanced needs of electronic signature users. The PAdES format forces subsequent signatures to be added in countersignature mode for technical reasons: by the design of the PAdES standard, each subsequent signature must include all previous signatures.

In PEM-HEART Signature, a countersignature can be affixed as follows: Advanced features -> Countersignature.
When verifying a document in PEM-HEART Signature, the countersignature is visible in the signature tree as a “branch” below the signature it is attached to.

Time stamping

What is time stamping? What does it do?

Timestamping consists in adding a “time stamp” to a signature, which guarantees that a specific signature (and thus a signed document) existed at a given moment.

Qualified time stamps issued by a qualified trust service provider (like CenCert) are of particular importance. Such stamps have the effect of the so-called “certified date”, and are legally equivalent to official confirmation of the date.

The use of time stamps can be varied – wherever there is a need for proof of the existence of a particular document at a particular time. In this way it is possible to date formal documents such as minutes of company management or shareholder meetings.

A separate, and very important, field of application is to ensure the validity of the electronic signature in the long term.

If we have an electronic document and the certificate used for the signature is still valid and has not been revoked, the situation is simple. We can verify the electronic signature without additional structures like time stamps.
The situation becomes more complicated when the certificate has been revoked (e.g. the owner of the certificate lost the card or changed jobs) or has already expired. In this case, verifying the signature is no longer so simple. The electronic signature remains valid (despite the expiry of the certificate) if it was created earlier, during the certificate validity period. The best and surest proof that the signature existed at a given time (when the certificate was still valid) is a qualified time stamp.
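The reasoning above, written out as an added Python example (it is not CenCert or PEM-HEART code). It assumes the signature value, the time stamp and the revocation data have already been checked cryptographically; the function name, the result strings and the dates are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import Optional

def signature_time_status(not_before: datetime, not_after: datetime,
                          revoked_at: Optional[datetime],
                          timestamp: Optional[datetime],
                          now: datetime) -> str:
    """Classify a cryptographically correct signature by when it provably existed."""
    # Without a time stamp, the only provable moment is the moment of verification.
    proven = timestamp if timestamp is not None else now
    if proven < not_before:
        return "invalid"        # dated before the certificate became valid
    if revoked_at is not None and proven >= revoked_at:
        return "not provable"   # no evidence the signature predates the revocation
    if proven > not_after:
        return "not provable"   # no evidence the signature predates the expiry
    return "valid"

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed scenario: a two-year certificate, checked a year after it expired.
NOT_BEFORE, NOT_AFTER = utc(2022, 1, 1), utc(2024, 1, 1)
REVOKED, STAMPED, TODAY = utc(2023, 6, 1), utc(2023, 3, 1), utc(2025, 1, 1)

if __name__ == "__main__":
    for label, revoked, stamp in [
        ("revoked, time-stamped before revocation", REVOKED, STAMPED),
        ("revoked, no time stamp", REVOKED, None),
        ("expired, time-stamped while valid", None, STAMPED),
        ("expired, no time stamp", None, None),
    ]:
        print(label, "->", signature_time_status(NOT_BEFORE, NOT_AFTER, revoked, stamp, TODAY))
```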

How to check if a document has been time-stamped?

In PEM-HEART Signature, after verification of signatures under the document, information about possible time stamps is displayed.

For PDF documents, you can also check this with Acrobat Reader DC. After opening the signed document, the Signature Panel shows the note “Signature contains an embedded timestamp”.