TL and QES Applications
The QES application (manual) was developed by an NSA officer for use by the supervisory body in its supervisory tasks. It is provided free of charge to anybody, especially to public sector bodies that must fulfil the obligations of Articles 27(3) and 37(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
Application QES for MS Windows 10:
Application QES for older versions of MS Windows:
The application QES.zip can be used for timestamping and for signature or seal creation in accordance with Commission Implementing Decision (EU) 2015/1505 and Commission Implementing Decision (EU) 2015/1506 (PDF documents, EXE applications, or documents of any type, especially in an ASiC ZIP container, which can also be nested):
- by qualified electronic signature,
- by qualified electronic seal,
- by qualified electronic time-stamp, as well as
- for browsing with the possibility to export and view authorized documents from ASiC and PDF containers.
- This application can be used directly without installation. After saving the application into a directory with write permission, it can be launched directly or through a shortcut created on the desktop.
- To use a smart card (e.g. an eID card), insert the smart card into the smart-card reader, click the “Reconnect keys” button, select the smart card driver and enter the PIN. Then click the “Save settings” button to store the selected options.
- If the list of documents contains more than one file, all files will be signed separately; if the “ASiC-E” check box is checked, the files will instead be stored in a ZIP file where they will be signed with one signature (ASiC).
- If the list of documents contains an ASiC (zip) container, double-clicking the container opens the signature container browser, where other documents can be inserted, the order of the documents can be changed and an additional signature of all documents in the ASiC container can be created.
- If the list of documents contains a PDF file (PDF container), double-clicking the container opens the signature container browser, where the signed or timestamped PDF documents can be seen. The last signature or timestamp of the PDF document is used for PDF document identification (DSId). Each signature or timestamp protects all previous changes in the PDF (e.g. changed fields of a PDF form) and the previous signatures or timestamps of the PDF document.
- If the list of documents contains documents signed separately, e.g. the list contains the file “figure.png” and the signature is stored in the file “figure.png.p7s” (the signature file is not included in the list), then
  - signing (clicking the “Add signature” button) stores a new signature in a new file if “figure.png.p7s” does not exist; otherwise the signature is added as a parallel signature to the file “figure.png.p7s”, and
  - timestamping (clicking the “Add timestamp” button) includes only one timestamp as a signature timestamp in the file “figure.png.p7s”. If the file “figure.png.p7s” does not exist (the document is not signed), the timestamp is stored in the file “figure.png.tst”, which will later be included in the new signature as a content timestamp in the file “figure.png.p7s” or in an ASiC-S container.
- If a container in the ZEPf (.ZEP) format containing a signature is opened in the application, saving in ASiC-S is offered automatically. If a signed (.eml) document, signed in (.ZEP), is opened, saving the enveloped document from the (.eml) is offered.
- When browsing an ASiC or PDF signature container, the application counts all the signatures and time-stamps and displays their number. After the signature number or time-stamp number is entered, the application marks the signed or time-stamped documents. The user can subsequently export them from the container for further use. After clicking the DSId button, the identifier of the marked signature or time-stamp is saved into the (*.PDF.DSId) file or (*.ASiCE.DSId) file of the browsed container. The identifier in the (*.DSId) file can be sent together with the container file to a relying party, so that the relying party works only with the documents that were secured by this signature or time-stamp. Example of using the signature identifier to view the secured documents of the container from the command line:
“QES.exe /p doc.pdf /DSId doc.pdf.DSId” or
“QES.exe /a doc.asice /DSId doc.asice.DSId”.
Validation has not yet been implemented.
Mac OS X, Unix – Linux, FreeBSD, Ubuntu, Debian, Red Hat, SUSE, Mandriva, Slackware, PC-BSD, OpenSolaris and Solaris: through e.g. Wine (a free implementation of Windows on Unix, https://www.winehq.org/) or VirtualBox (https://www.virtualbox.org/).
The application LockIt.zip (zip, 3.2 MB) has been developed by the NSA officer for signing a trusted list (TL – Trusted List) in accordance with Commission Decision 2009/767/EC. The application is also in compliance with Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).
The application has been completed with the support for creating the qualified electronic signature or seal (QES) and is in compliance with Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).
LockIt can be used to create a PDF, CMS or XML qualified electronic signature or qualified electronic seal, to open files with the “*.ZEP” extension and to verify signature integrity. Verification of certificate validity is not currently automated and must be done manually. An automated mode for certificate validity verification (also according to the Trusted List) through CRL or OCSP is under preparation.
It is not necessary to install the LockIt application. After unpacking the ZIP archive, launch the LockIt.exe file directly.
If the computer has no application for opening files with the “*.ZEP” extension, such files can be set to open in the LockIt application, which can then verify and store the documents being verified (electronic original).
Guidelines on file opening with the ZEP extension (pdf, 164 kB)
The qualified electronic signature (QES) is defined in EU legislation, particularly in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing the Directive 1999/93/EC.
A file with the ZEP extension is a renamed ZIP containing the electronic document and its signature or seal in the signature format defined by the NSA standard. The signature format defined for the CMS advanced electronic signature in the NSA standard, stored in a ZEP container, complies with the Annex of Commission Implementing Decision (EU) 2015/1506 of 8 September 2015. For further use, however, it is recommended to convert the file with the ZEP extension and its ZIP structures into the ASiC format, which is also based on the ZIP file structure.
National extensions for qualified certificates are defined by national legislation, and their mapping to technical procedures is defined in the supervision scheme of qualified trust services by the supervisory body, the NSA.
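Because ASiC is a ZIP structure, a relying party can check the layout of a received container before opening its documents. The following added example is not part of the QES or LockIt applications; it assumes the media types and META-INF naming of ETSI EN 319 162-1, uses hypothetical function names and constructed sample data, and performs no signature or certificate validation.

```python
import io
import zipfile

# Media types defined for ASiC containers (ETSI EN 319 162-1).
ASIC_TYPES = {"application/vnd.etsi.asic-s+zip": "ASiC-S",
              "application/vnd.etsi.asic-e+zip": "ASiC-E"}

def inspect_container(data: bytes) -> dict:
    """Structural inspection only: no signature or certificate validation."""
    rep = {"type": "plain ZIP", "signatures": [], "documents": [],
           "nested": [], "warnings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if "mimetype" in zf.namelist():
            mt = zf.read("mimetype").decode("ascii", "replace").strip()
            rep["type"] = ASIC_TYPES.get(mt, "unknown mimetype: " + mt)
            # The mimetype entry is expected first and stored uncompressed.
            if infos[0].filename != "mimetype" or infos[0].compress_type != zipfile.ZIP_STORED:
                rep["warnings"].append("mimetype is not the first, uncompressed entry")
        for info in infos:
            name = info.filename
            if name == "mimetype" or info.is_dir():
                continue
            if name.startswith("META-INF/"):
                base = name[len("META-INF/"):].lower()
                # signature*.p7s, signatures*.xml and timestamp*.tst carry the protection.
                if base.startswith(("signature", "timestamp")) and base.endswith((".p7s", ".xml", ".tst")):
                    rep["signatures"].append(name)
                continue
            rep["documents"].append(name)
            # Containers can be nested, so flag inner ZIPs for separate inspection.
            if zipfile.is_zipfile(io.BytesIO(zf.read(name))):
                rep["nested"].append(name)
    if rep["type"] == "ASiC-S" and len(rep["documents"]) != 1:
        rep["warnings"].append("ASiC-S must hold exactly one document")
    if rep["type"].startswith("ASiC") and not rep["signatures"]:
        rep["warnings"].append("no signature or timestamp under META-INF/")
    return rep

def build_sample(mimetype: str, docs: dict, sigs: dict) -> bytes:
    """Constructed sample container; signature bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), mimetype)  # ZipInfo default: stored
        for name, body in {**docs, **sigs}.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A ZEP file can be passed to `inspect_container` as well; without an ASiC `mimetype` entry it is reported as a plain ZIP with its entries listed.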