To complete some commands, two authority signatures are required. For these commands there are two entries in the Role Access Control Points tree, one indicating issue authority and one indicating co-sign authority. If a role contains both permissions, both signatures are collected automatically when an authority with that role is used to execute the command. If an authority with a role containing only issue authority is used to execute the command, the command is held in a pending command buffer until a signature is collected from a second authority whose role contains the co-sign permission.
When working with a single crypto module, use the Co-Sign tab in the notebook to collect the second signature for the command. When working with a domain group, a window opens asking you to co-sign the command.