Qualified Signature Creation Devices (QSCD) under eIDAS and Signature Activation Module (SAM)

Published: 16 November 2021


The significant increase in remote business is opening the way for digital signatures in lieu of wet-ink signatures: no more face-to-face required, no more “print, sign, scan and email”, shorter execution times and reduced operational costs. However, the implementation of a scalable and compliant signing service requires specific expertise and purpose-built engines.
For that reason, we present the product “Entrust Signature Activation Module” (SAM). SAM is a Qualified Remote Signature/Seal Creation Device (QSCD) that provides users with remote signing or sealing functionality.


A QSCD is a Secure Signature Generation Device that is certified and approved for use in generating Qualified Electronic Signatures (QES).

It uses technical and procedural means to ensure:
• Signing keys are kept secret
• Signing keys are created using established cryptographic techniques
• Signing keys can only be used by the right owner
• Compliance with the stringent standards for QES

eIDAS (electronic identification and trust services) requires a Qualified Signature (or Seal) Creation Device (QSCD) for issuing and using qualified certificates for the generation of electronic signatures and seals.

To ensure the signer has sole control of his signing keys, the signature operation needs to be authorized. This is carried out by a Signature Activation Module (SAM), which can handle one endpoint of the Signature Activation Protocol (SAP), verify the Signature Activation Data (SAD) and activate the signing key within a Cryptographic Module. Both the Cryptographic Module and the SAM are to be located within a tamper-protected environment.

The Signature Activation Module ensures sole control of the signatory over the use of his electronic signature creation data and/or electronic seal creation data. The connected Hardware Security Module is used exclusively for generating signing or sealing keys and for generating qualified electronic signatures or qualified electronic seals.
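
The activation step described above can be sketched as follows. This is an added example, not Entrust's code or a standardized wire format: the SAD fields, the class and function names and the sample secrets are assumptions, and HMAC stands in both for the signer's two-factor proof and for the HSM's real signature algorithm.

```python
import hashlib, hmac, json, os, time

def sad_tag(secret, sad):
    # MAC over the canonical SAD; stand-in for the signer's two-factor proof.
    return hmac.new(secret, json.dumps(sad, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def make_sad(secret, signer, key_id, dtbsr, nonce, expires):
    # Signer-side endpoint: bind signer, key and data-to-be-signed together.
    sad = {"signer": signer, "key_id": key_id, "nonce": nonce, "expires": expires,
           "dtbsr_hash": hashlib.sha256(dtbsr).hexdigest()}
    return sad, sad_tag(secret, sad)

class CryptoModule:
    """Stand-in for the HSM: key material stays inside this object."""
    def __init__(self):
        self.keys = {}
    def generate_key(self, key_id, owner):
        self.keys[key_id] = (owner, os.urandom(32))
    def owner_of(self, key_id):
        return self.keys.get(key_id, (None, None))[0]
    def sign(self, key_id, dtbsr):
        # HMAC stands in for a real asymmetric signature.
        return hmac.new(self.keys[key_id][1], dtbsr, hashlib.sha256).hexdigest()

class SignatureActivationModule:
    def __init__(self, hsm, signer_secrets):
        self.hsm, self.secrets, self.seen = hsm, signer_secrets, set()
    def activate_and_sign(self, sad, tag, dtbsr, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(sad.get("signer"))
        if secret is None or not hmac.compare_digest(tag, sad_tag(secret, sad)):
            raise PermissionError("SAD not authenticated")
        if sad["expires"] < now or sad["nonce"] in self.seen:
            raise PermissionError("SAD expired or replayed")
        if self.hsm.owner_of(sad["key_id"]) != sad["signer"]:
            raise PermissionError("key is not owned by this signer")
        if sad["dtbsr_hash"] != hashlib.sha256(dtbsr).hexdigest():
            raise PermissionError("SAD authorizes different data")
        self.seen.add(sad["nonce"])   # one SAD activates the key exactly once
        return self.hsm.sign(sad["key_id"], dtbsr)

if __name__ == "__main__":
    hsm = CryptoModule(); hsm.generate_key("key-alice", "alice")   # constructed sample data
    sam = SignatureActivationModule(hsm, {"alice": b"alice-2fa-secret"})
    doc = b"contract v1"
    sad, tag = make_sad(b"alice-2fa-secret", "alice", "key-alice", doc, "n1", time.time() + 60)
    print("signature:", sam.activate_and_sign(sad, tag, doc))
```

Every rejection path leaves the key untouched: the HSM stand-in is only called after the SAD has been authenticated and matched against the signer, the key and the exact data presented for signing.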

Entrust Signature Activation Module (SAM) uses HSM devices as cryptographic modules for the generation and protection of the signature or seal creation data (SCD). Only the nShield Solo XC and nShield Connect XC HSM devices can be used for the QSCD. HSMs are operated according to their Common Criteria EAL4+ certification in conjunction with the corresponding security target.

Furthermore, the QSCD uses a Signature Activation Module (SAM) as the single component that communicates with the HSM in order to authorize and initiate the signature or seal creation process. These two components, the HSM and the SAM, together form the QSCD, which is intended to be operated by a qualified trust service provider in a secure operational environment as part of a remote electronic signature and seal service.


For the signing process, the customer needs to use his/her qualified certificate, which – if not yet available – can be created directly during the signing process within the same front-end interface. The customer then needs to perform two-factor authentication to proceed with the signing.

For organizations that want to offer their clients, employees, partners and users convenient Remote Signature services without compromising on their security, this is the leanest solution with the best price for acquisition and ownership.

Ask us for more details about SAM!
