Tips & tricks

How to unlock (set) Gemalto Safenet eToken digital signature PIN?

It may happen that you manage to block the Digital Signature PIN for access to qualified certificates stored on a USB token or smart card. In the factory settings, the number of input attempts is limited to 3. We can check the status of the token or smart card again using the "Advanced view". On the right side of the screen, we go all the way down and look for a line with the description "Digital Signature PIN retries remaining".

If there is 0 in this line, the token was blocked through 3x incorrect DSPIN entry. The token can be unlocked again by selecting the token on the left side of the screen. Right-click on the token name and select "Set Digital Signature PIN".

You will then be asked to enter a DSPUK to verify and set up a new DSPIN. The principle is analogous to changing the password for a token.

If you need any help, feel free to contact us -

How to unlock (set) Gemalto Safenet eToken 5110CC (940) password?

The token password is used, for example, to log in to the token or to create an electronic signature that is not qualified.

If you have entered the wrong token password 5 times, the token automatically locks for security reasons. You can check the status of the token by using the Advanced view in the Safenet Authentication Client. You can access it using the gear icon on the top right.

  1. You will be redirected to a screen that contains information about the token and the components of the token.

  2. The window on the right contains information about the version, device name, device type and last but not least, information about the number of attempts to log into the token (Token Password). If the line "Token password retries remaining" is 0, then we entered the wrong password for the token 5 times and the token is locked.

  3. The token can be unlocked by Right-clicking on the token name on the left part of the screen and choosing the "Set token password" option.

  4. You will be asked to enter the Admin password
  5. And then set a new Token Password.

If you need any help, feel free to contact us -

How to setup Gemalto Safenet eToken 5110CC in Acrobat Reader on Apple (Mac OS)?

There is an instruction below on how to connect the module with the Gemalto Safenet eToken 5110CC (940) USB token and set it in Adobe Acrobat Reader DC on Mac OS (Apple): 

  1. Open Preferences in Acrobat Reader DC (dropdown menu under Acrobat Reader menu)
  2. Click on Signatures
  3. Identities & trusted certificates - click on More..  button
  4. Click on the PKCS11 Modules and Tokens
  5. Click on Attach module 
  6. Copy /usr/local/lib/libeTPkcs11.dylib here
  7. Click on the SafeNet eToken PKCS#11
  8. Click Sign In
  9. Enter your token password
  10. Click on your Token under SafeNet eToken PKCS#11
  11. Select the master certificate which will be used for signing
  12. Close the window
  13. Open Terminal 
  14. Copy Sudo nano /etc/etoken.conf 
  15. Click on Enter
  16. Write your password to your Mac (it won't show up) and press Enter
  17. Write in the window (this will enable SAC PIN popup to show):
    1. [GENERAL]
    2. EnablePrompt=1
  18. CTRL+O and press Enter
  19. CTRL+X 
  20. Close the window

If you need any help, feel free to contact us -

How to uninstall IDGo 800 minidriver and install Safenet Authentication Client on Mac OS?

Gemalto customers migrating from IDGo 800 must uninstall their version of IDGo 800 and install SafeNet Authentication Client.

If you have the original version of the IDGo 800 driver installed on your Mac, Safenet Authentication will not install (installation will be denied). Follow the procedure below to uninstall the old IDGo 800 minidriver installation. It will then be possible to install the Safenet Authentication Client.

First save the following code in the main Documents folder as file You can save it in a text editor or Notepad. 


# script shell for uninstallation/removing of IDGo 800 PKCS#11 package

set -x

set -e

echo Deleting /usr/local/lib/pkcs11

rm -rf /usr/local/lib/pkcs11

echo Deleting /usr/local/lib/libidprimepkcs11.0.dylib

rm -rf /usr/local/lib/libidprimepkcs11.0.dylib

echo Deleting /Library/Frameworks/GemaltoIDGo800PKCS11.framework

rm -rf /Library/Frameworks/GemaltoIDGo800PKCS11.framework

echo Deleting /Library/Security/tokend/PKCS11.tokend

rm -rf /Library/Security/tokend/PKCS11.tokend

echo Deleting /usr/local/lib/IDPrimePKCS11

rm -rf /usr/local/lib/IDPrimePKCS11

echo Deleting /Applications/Gemalto

rm -rf /Applications/Gemalto

echo Deleting /Library/LaunchAgents/pinGuiForTokend

rm -rf /Library/LaunchAgents/pinGuiForTokend

echo Deleting /etc/IDGo800/

rm -rf /etc/IDGo800

echo Done. IDGo 800 PKCS11 was successfully removed

  1. Open Terminal.
  2. Copy “cd Documents” (without quotation marks) and press Enter 
  3. Copy "chmod 755 ./" (without quotation marks) and press Enter 
  4. Copy "sudo ~ / Documents /" (without quotation marks) and press Enter

Everything should be uninstalled and it should be possible to install Safenet Authentication Client.

What is the difference between 5110+ and 5110CC (940) Gemalto Safenet eToken?

In terms of usage, the main difference is that the eToken 5110+ has one set of passwords for PKI (password and admin password). The token can hold up to 20 key pairs (certificates). SafeNet eToken 5110CC (940) tokens have 2 separate partitions: Section 1 - the classic PKI partition for working with certificates has its own PIN - password and administrator password for unblocking; Section 2 is for an certificate used for creating a qualified electronic signature / qualified electronic seal and also has its PIN and PUK. The capacity of the token is 16 key pairs for the PKI and 2 for the qualified part.

If the customer does not want to use the qualified part, he can simply leave the default passwords for future opportunities and use only the PKI for both tokens the same. From a price point of view, the eToken 5110CC is a clear choice.

From a technical point of view, this is what we call part of the java card applet and the eToken 5110+ contains one, the eToken 5110CC two. The hardware platform is different. The eToken 5110CC is newer, so it also supports, for example, the generation of 4096 bit RSA or more elliptic curves and is faster, so the eToken 5110CC wins again.

The SafeNet eToken 5110+ has an advantage where native access via PKCS#11 is required. These are mostly applications that do not need common operating systems. For example preboot authentication, embedded systems, OpenSC.

We believe that in common situations the eToken 5110CC (940) might be a cheaper and better option. Just be cautious, you need to have SAC 10.6 and higher installed on the stations, ideally 10.8 R2 which we supply as standard.

If you need any help, feel free to contact us -