Frequently Asked Questions (FAQ)

Icon Plus Icon Minus
Icon Plus Icon Minus

If you have any questions about the ID Austria, you can contact the free BRZ service line directly on +43 50 233 770 (available from Monday to Friday, 8:00-16:00) or by email at

Icon Plus Icon Minus

Further information on ID Austria can be found at A detailed list of FAQ about ID Austria can be found here.

Icon Plus Icon Minus
Icon Plus Icon Minus

The parallel operation of Handy-Signatur and ID Austria ended on 05.12.2023. This means that from this date, an ID Austria will be required for the use of e-government services and business services. The qualified signature is still possible with your existing certificate (even without switching).

The certificate validity period of your existing certificate will be transferred when you switch to the ID Austria. You can view this at any time in your A-Trust Account .

Icon Plus Icon Minus

Your existing certificate can still be used in this form for the qualified electronic signature (e.g. in PDF Sign or the solutions of our partner companies). However, an ID Austria is required for eGovernment applications. Users will be redirected to a website the next time they try to log in in order to convert the Handy-Signatur into the ID Austria Basic in an uncomplicated process.

Icon Plus Icon Minus

Yes, you can still use the A-Trust signature app to trigger the second factor. This allows you to sign quickly, securely and conveniently using a device PIN, Face ID or fingerprint. All information about the app link can be found here.

Icon Plus Icon Minus

The ID Austria is the further development of the Handy-Signatur (mobile phone signature) and Bürgerkarte (citizen card). With the ID Austria, you can prove your identity to digital applications and services, just as you can with your Handy-Signatur.

The functionality remains the same in many respects: you can continue to register with all services that offer registration with a cell phone signature. You can also continue to sign documents electronically with a qualified signature. For example, you can continue to use A-Trust PDF Sign or your A-Trust Account for convenient signing.

In addition, ID Austria serves as a digital ID platform: With your ID Austria (with full function) you can also identify yourself in everyday life, e.g. with a digital driving license or digital proof of age. Further digital ID cards are to follow.

Icon Plus Icon Minus

There are two levels of ID Austria: Basic Function and Full Function.

ID Austria with basic function

The basic function of ID Austria contains all the functions of the cell phone signature. Signatures using SMS-TAN are also still possible.

The Handy-Signatur can be switched to the ID Austria with basic function at any time via an online process. The login data and the validity period of the cell phone signature must be transferred. Please note that the conversion to the ID Austria must be completed before the validity of the Handy-Signatur expires, otherwise a new registration is necessary.

ID Austria with full function

In addition to the functions of the cell phone signature, the full function of the ID Austria also opens up new application possibilities, such as the ID card function on the smartphone (initially only in Austria). Signatures using SMS-TAN are no longer supported in the full ID Austria function.

For security reasons, an official identity verification is required for the registration of the ID Austria with full function. If you already have an officially registered Handy-Signatur (e.g. issued by an authority such as FinanzOnline), this can be converted directly to the ID Austria with full function by switching to the "Digitales Amt" app. The login data and validity period of the Handy-Signatur must be transferred.

Icon Plus Icon Minus

In the "Digitales Amt" app, you are automatically offered the changeover processes available for your Handy-Signatur when you log in with a Handy-Signatur.

If you are already logged in to the app, open the "Profile" tab. There you will see one of the following buttons:

  • "Umstellen auf ID Austria" (Convert to ID Austria): Your Handy-Signatur has been officially registered (e.g. with a municipal authority or via FinanzOnline) and can be upgraded to the ID Austria with full function directly in the App.
  • "Umstellen auf ID Austria (Basisfunktion)“ (Convert to ID Austria basic function): Your Handy-Signatur has not been officially registered (e.g. via A1, post office or social insurance) and can only be upgraded online to the ID Austria with basic function.
Icon Plus Icon Minus

There are different ways to trigger the second authentication factor; the following two options do not require biometrics at all:

1. Device-PIN: On the one hand, there is the option of triggering the second factor via the device PIN in the A-Trust signature app.

2. FIDO-Token: On the other hand, the second factor can also be triggered via a so-called FIDO token, which can be plugged into a laptop or computer similar to a USB stick and is protected with a PIN chosen by the person signing. However, it must also be noted here that only certain certified tokens can be used to trigger the Handy-Signatur & ID Austria for security reasons. You can find an overview here.

Icon Plus Icon Minus

The handling of ID Austria for qualified electronic signatures remains as simple as ever: Upload the document to your A-Trust Account, A-Trust PDF Sign or your own signature tool, and log in using your user name or cell phone number and signature password via the usual A-Trust interface. Then approve the signature using a second factor (e.g. via the A-Trust Signature App, the "Digitales Amt" App or a linked FIDO Token).

Further and more detailed FAQ on ID Austria can be found hier.

Icon Plus Icon Minus

If you have any questions about the ID Austria, you can contact the free BRZ service line directly on +43 50 233 770 (available from Monday to Friday, 8:00-16:00) or by email at

Icon Plus Icon Minus
Icon Plus Icon Minus

If the password for the A-Trust QES has been lost or forgotten, there is unfortunately only one option: You must re-apply for the A-Trust QES. For security reasons, only the users themselves are allowed to know their password.

The following error message is displayed if the password was entered incorrectly:

Passwort falsch Fehlermeldung
You have a total of 10 attempts to enter the correct password. Time blocks are used between the attempts, which will continue to increase.

Icon Plus Icon Minus
Icon Plus Icon Minus

If the A-Trust Signature App or the app PIN no longer works, the application can be reset:

  1. Start app
  2. Settings
  3. Reset app
  4. Now reinitialize the app via a PC/tablet at:

If resetting the app fails or has no effect:

  1. Uninstall app
  2. Disable the backup function in the phone settings
  3. Reload app from store
  4. Re-initialize the APP via a PC/tablet at:
  5. When the app is connected, reactivate the backup function
Icon Plus Icon Minus

How to connect the app with your existing QES by A-Trust.

  • Open the page on the second end device (e.g. PC).
  • Download the app or - if you have already done so - go directly to step 2 and start the activation process (click on the "Start now" button).
  • Log in with your ID Austria or xIDENTITY by entering your telephone number (+43.) and the signature password you have chosen yourself and clicking on "Identify".
  • After entering your data, you will receive a TAN via SMS, which you can use to complete the login. Enter the TAN in the browser window to complete the process
  • As soon as you have successfully registered on the second end device, open the app on your smartphone. If no 10-digit activation code is displayed there, please click on "Start activation", agree to the key generation if necessary and enter the displayed activation code again in the browser window of your computer. After entering it, you will already receive confirmation that your ID Austria or xIDENTITY was successfully connected to the app.
  • To test the successful connection, you can then log in to your A-Trust account.
Icon Plus Icon Minus

The A-Trust Signature App always displays the latest TAN. If several TANs have been requested, simply enter the most recent TAN and press update. Please note that the comparison value displayed in the app must match the comparison value displayed in the web browser.

Icon Plus Icon Minus

Since there are many different Android phones, some things may behave differently on one phone than on another. If an error occurs, please contact support ( and help improve the app.

Icon Plus Icon Minus
Icon Plus Icon Minus

Your order must be checked and approved by a clerk before it is issued. The certificate is then sent to the specified address, which means that an order is usually processed within one working day.

If the order is urgent, please contact us immediately after sending the email.

Icon Plus Icon Minus

Since you chose the PIN yourself, the only solution in this case is to request a new certificate via the A-Trust website.

Icon Plus Icon Minus

A-Trust will inform you via e-mail about the expiry of your old certificate, including a new certificate already issued and sent.

Icon Plus Icon Minus

a.sign light is a software certificate that can be installed on a computer and is not tied to a card. Since no qualified certificate may be issued here, the a.sign light is not a signature card.

Icon Plus Icon Minus
Icon Plus Icon Minus

We will automatically renew your certificate 30 days before it expires and notify you by email.

After the extension has been completed, the user still needs to take a few steps to complete the extension - instructions can be found under this Link .

Icon Plus Icon Minus

This depends on several factors - as a rule, the card is available in the selected registration office for about a week after ordering.

In individual cases, however, there may also be a longer waiting time - e.g. due to public holidays.

Icon Plus Icon Minus
Icon Plus Icon Minus

Is the customer really who they claim to be?
When establishing an SSL connection, only the server authentication is usually checked (is the server really who it claims to be?).

However, it is also possible to check the customer registration with the same level of security, without the customer having to remember their own login/password for each page. This means that nobody can falsely pretend to be this person. E-banking solutions will also switch to this more convenient and secure solution in the future.

For example, within the A-Trust member area you can register with a login and password. However, you could have been watched when entering the data, so that your data could be misused. If you are the owner of an A-Trust certificate, you can also use it to register in the A-Trust member area.

With the help of SSL client authentication, you will be prompted to use your certificate instead of a login/password when registering. Here, A-Trust takes responsibility that the data in your certificate is correct according to the terms and conditions. After you have selected the link, a dialog will appear in your browser that displays all of the user certificates that you have installed on your computer that are accepted by this server. You select the one you want to log in with and the information from your certificate will be used for the login process.

Icon Plus Icon Minus
Icon Plus Icon Minus

The term "company signature" is to be distinguished from the concept of a (mere) "legally binding signature": The signature is a “company signature” if it is made jointly by the required number of people authorized to sign (usually managing directors and authorized signatories), according to the entries in the company register. A “company signature” is therefore always legally binding. A legally binding signature, on the other hand, can also be made individually by legally authorized people.

The addition of company stamps or name suffixes is not a prerequisite for legal validity, neither for “company signatures” nor for (mere) legally binding signatures. However, it should be clear from the context that those responsible for the signatures sign in the name of their company and not for themselves personally (usually by stating the official company name and the exact company address on the letterhead or under the signature field).

Both the “company signature” and the legally binding signature can be carried out with a qualified electronic signature (QES) by A-Trust (e.g. ID Austria or xIDENTITY) without any restrictions. In the case of a “company signature”, it is necessary for the joint legal representatives to sign the respective document electronically with their QES (e.g. ID Austria). In the case of a legally binding signature, it is sufficient if one or more people authorized to enter into a legal transaction sign in a qualified electronic manner.

The most secure way to get a company signature?

The integrity and correctness of the indication of origin of the signed document can also be shown by its qualified electronic seal. Qualified electronic seals are issued by A-Trust GmbH for companies that have particularly high requirements for the authentication of documents and are legally valid throughout Europe due to their eIDAS conformity.

The combination of the qualified electronic signature (e.g. via ID Austria or xIDENTITY) and the sealing of the signed document guarantees the highest possible security from both a technical and legal point of view.

A-Trust offers an extensive portfolio of company certificates, which is tailored to your individual needs:

Icon Plus Icon Minus

An electronic company seal is a certificate that is issued for a legal entity and, depending on the type, enables the advanced or qualified sealing of documents.

  • The electronic company seal a.sign Seal advanced allows you an advanced signature as a legal entity. As a user of the signature server, you create digital seals yourself with this advanced certificate.
  • The electronic company seal a.sign Seal qualified enables you to have a qualified seal as a legal entity. Unlike an advanced certificate, you seal qualified with a.sign seal qualified - this strengthens trust in your company. As a trust service provider, A-Trust offers you the highest possible level of security: the sealing is triggered via a web interface (Application Programming Interface/API), and only the hash value to be signed is sent to the high-security center A-Trust.
  • Clear authentication and the encryption and decryption of data records is particularly important for authorities, which is why A-Trust has developed its own authority signature for organizations with authority status.
  • a.sign Seal EPREL is specially designed to be used to verify your company in the EU database EPREL, in which all products with an energy label must be entered.

The electronic company seal can also be easily integrated into electronic signature platforms such as XiTrust MOXIS!

Icon Plus Icon Minus

A qualified certificate is issued for natural persons and a qualified seal is issued for legal entities.

Both the electronic signature and the electronic seal have many other Use Cases. Using ID Austria (a qualified electronic signature) not only documents can be signed, but also numerous services from e-government and business can be used. The qualified electronic company seal is for example required for entry in the European product database EPREL.

Icon Plus Icon Minus

Both the digital signature and the digital company seal are available as "advanced" and "qualified" versions, with qualified signatures or seals being more legally binding or of higher quality. Due to their eIDAS conformity, both types are legally valid throughout Europe.

Find out more about the advanced or the qualified company seal.

Icon Plus Icon Minus

For this you need an application that takes over the LDAP communication. For example, mail clients such as Outlook (Express) or specialized LDAP clients are suitable. Access is made to the server on port 389 via anonymous LDAP bind.

Outlook (Express)

In order to be able to access the directory service, a directory-type account must be created. Under Server enter, as Searchbase o=a-trust, c=AT. You can now use the address book to search for the recipient in the directory of A-Trust after pressing the "Search for people" button and transfer them together with their certificate to your personal address book.

LDAP Client

As an example of an LDAP client, we recommend the freeware software "LDAP Administrator", which is available at . Enter as the host again, as port 389, as LDAP version 3. Base DN is o=a-trust, c=AT and checkbox Anonymous Bind must be selected.

To prevent trivial searches and improper use, the LDAP server is operated with a size and time limit. Please note that if a query takes longer than 300 seconds or the number of hits exceeds 200, a corresponding error message will appear.

Icon Plus Icon Minus

You can check the validity of individual certificates manually via our website.


You can check the validity of individual certificates manually via our website.
A DNS query resolves the name as follows:
Depending on their workload, the Ldap servers are used via this URL to answer customer inquiries.

In order to prevent trivial searches and improper use, the LDAP server is operated with a time limit and size limit. Please note that if a query lasts longer than 300 seconds or the number of hits exceeds 200, a corresponding error message will be returned.


The A-Trust OCSP service is accessed via the DNS name TCP/IP port 80:


Alternatively, some certificates can also contain a different URL in the form Some standard applications can automatically perform an OCSP query on the port 82. With manual configuration, however, the use of port 80 is recommended.

The responses from the OCSP server are digitally signed. The verification of the signature is possible with the following certificate:

From 11/28/2008 3:00 p.m. this certificate must be used to verify the OCSP requests.
Icon Plus Icon Minus

openSSL is a free, open toolkit that covers many aspects of the PKI. More information can be found at .

A Win32 port can be obtained from OpenSSL for Windows.

Convert certificates from DER encoded .cer format to PEM. Certificates are handled by A-Trust in .cer format, but sometimes it is necessary to convert them to PEM format:

openssl x509 -in MyCert.cer -inform DER -out MyCert.pem -outform PEM

This command line converts MyCert.cer to MyCert.pem.

PEM to p12

If you have the private key in PEM format and want to convert it and the associated certificate into a PKCS #12 file (p12):

openssl pkcs12 -export -inkey newkey.pem -out pkcs12.p12 -in MyCert.pem

This command line converts the private key newkey.pem together with the associated certificate MyCert.pem into the PKCS#12 file pkcs12.p12.

It may be necessary to convert the .cer certificate sent by A-Trust to the .pem format.

Icon Plus Icon Minus

If someone is no longer authorized to use their certificate, or if the key falls into the wrong hands, this certificate is withdrawn by A-Trust and included in a list of blocked certificates CRL (Certificate Revocation List).

It is therefore important to check the validity of a third-party certificate before each use (e.g. checking the signature) by comparing the certificate serial number against the list in the currently most up-to-date CRL. The list of withdrawn certificates can be found in the A-Trust directory service (ldap://

There is a reference to this list in every certificate issued by A-Trust. Nevertheless, some configuration steps are required to get standard applications to use this list.
MS Outlook Express: Tools menu | Options | Security button extended; Here you have the possibility to select the option that certificates are compared against the CRL.

All blacklists issued under A-Trust-(n)Qual have the following validity:

  • A new CRL is generated every two hours
  • Each CRL is valid for a maximum of six hours
  • In the event of revocation, a new CRL is published immediately, with the same end time of the validity period as the regular CRL
    E.g.: the last CRL was valid until 4:30 p.m., at 2:00 p.m. a certificate is revoked, then a new CRL with validity from 2:00 p.m. to 4:30 p.m. is generated (shorter than six hours).
Icon Plus Icon Minus
Icon Plus Icon Minus

Tip reader

How to integrate the chip into your card reader:

  • You can see the relevant opening point here
  • Lever technique: Start here and open the lid
  • Break the chip out of the card
  • Insert chip
  • • Integration into the reader – complete
Icon Plus Icon Minus

RK Online is no longer supported - it is necessary to switch to RK HSM Basic/Advanced. We recommend the “RK online carefree package” for this:

What does the RK Online carefree package include?

Icon Plus Icon Minus

This is also possible of course.

You can upgrade your existing RK online certificate in the partner area of the web shop, provided it has a remaining term of at least one year. The 4 EUR for the certificate will be credited to you afterwards. You don't have to change anything and you don't have to re-register the certificate with FON.

FurtherFurther information

Icon Plus Icon Minus

You can easily redeem existing credits at any time.

Icon Plus Icon Minus

Please return the components free of charge addressed to "RKSV service center".

Defective reported cards or components are checked for quality control.

Of course, the component will be replaced in the event of a manufacturer error.

Icon Plus Icon Minus

Visit the A-Trust Webshop and purchase the a.sign RK CHIP. After the purchase, a new registration on FinanzOnline is required.
If you use your card via a.sign CLIENT, please download the latest version from the partner area for operation. If you address your card directly ADPU, please also visit the partner area, the updated commands will be published there.

Icon Plus Icon Minus

Visit the A-Trust webshop and select the online version you need (a.sign HSM Basic, Advanced or Premium). You can also issue a new certificate directly via the API. After purchase, a new registration on FinanzOnline is required. Please use this opportunity to change the target URL of the API to (previously um.
Alternatively, you can also select the online version you need (a.sign HSM Basic, Advanced or Premium) in the A-Trust web shop or issue a new certificate directly via the API. Attention: After purchase, a new registration on FinanzOnline is required. Please use this opportunity to change the target URL of the API to (previously

What does the RK Online carefree package include?

Icon Plus Icon Minus

If you acquire a new certificate, you must re-register with FinanzOnline. If you opt for our RK Online carefree package, the existing certificate can continue to be used and you do not have to re-register.

What does the RK Online carefree package include?

Icon Plus Icon Minus

HSM customers will be informed personally by our sales team and will then receive a new offer on request.

Didn't receive an email? Write to us at

Icon Plus Icon Minus

If you want to prepare for the next 5 years of RKSV in good time, we recommend purchasing our RK offline carefree package, which is available in our web shop. Here you not only get a new offline certificate, it also includes a very special service: If the card certificate is about to expire, we will let you know and will send you a card of the new generation free of charge. If there should be a technical defect, this package includes a free replacement.

Icon Plus Icon Minus

According to the BMF, certificates must be valid at the time the signature creation unit (SEE) is registered via FinanzOnline. A (new) registration is therefore not possible with an expired certificate. However, it is not forbidden to use expired certificates during operation. The old card generation (CardOS) is currently certified until next year and can therefore be used.

It is currently not foreseeable how long the CardOS certificate will be valid - this is the responsibility of the responsible supervisory authority. We therefore recommend that you test your cash register for compatibility with the new cards in advance, because you are guaranteed to be on the safe side with the latest generation of cards.

In our web shop you will therefore only receive cards of the current generation, which meet the latest cryptographic requirements and are technologically more durable. Support for expired offline certificates has been discontinued.

Icon Plus Icon Minus

The test cards for the new generation of cards are already available in the web shop.

Icon Plus Icon Minus

Please send sales inquiries to

Icon Plus Icon Minus

Yes. You can find a free update of your middleware in the partner area.

Icon Plus Icon Minus

No, because our online certificates are only contractually valid for 5 years and only work in connection with the signature service, which is also valid for 5 years. Our new, faster signature service can only be operated with valid certificates.
Here we recommend the RK Online Carefree Package, which allows you to continue using the existing certificate with the same username/password and without re-registering with Finanzonline.

What does the RK Online carefree package include?

Icon Plus Icon Minus

You can see the period of validity of your online certificates in your partner area. Please visit our Webshop.

For offline certificates please click here

Would you like us to offline certificates including their validity ? Send us your request, including the email address under which the certificates are issued, using our ticket tool. We will then send you an Excel sheet.

Icon Plus Icon Minus
  • In order to make the switch as easy as possible, we offer an RK Online carefree package, which enables the old certificate to continue to be used. This means that you do not need to register again via FinanzOnline and you can continue to use your password and username.
  • The issue of a new certificate is also optionally included. This is necessary because FinanzOnline requires a valid certificate.
Icon Plus Icon Minus

The costs of the RK online carefree package are identical to the prices of the required RK HSM Basic/Advanced/Premium package.

Icon Plus Icon Minus

Please ask your questions (as agreed on in the partner contract) via our ticket tool!

Icon Plus Icon Minus

With the online carefree package, you extend your RK signature service (of your online certificates) to another 5 years.

Icon Plus Icon Minus
  • RK Online (Caution: Only available for already purchased credits - no new ones will be sold)
  • HSM Basic
  • HSM Advanced
  • HSM Premium
Icon Plus Icon Minus

The package can be booked through the partner area. However, the online carefree package can only be purchased if your certificate expires within the next month.

Icon Plus Icon Minus
  • You no longer need to register with FinanzOnline (a new registration is only necessary if a new certificate is issued)
  • If necessary, you can also issue new certificates during the 5-year term