How to sign documents with an advanced electronic signature after KYC - pdf

In order to onboard users, we have to identify them and they need to sign a contract (through our web application). The signed contract must be compliant with eIDAS AdES, so a PAdES.
The users are identified either through SPID or onfido (but it could be any other KYC service).
What do we need to do in order to produce a valid PAdES? Can we produce one on our own, without a third party?
From what I understood, we can't create a signed PDF because we don't have the private key of the user. If we create a self-signed certificate, the signature would not be valid and we would be able to prove nothing.

Document signing in a KYC-compliant process usually requires a qualified signature.
A "qualified signature" in all cases is created on a QSCD device listed in the EU QSCD list.
I work for a company that has a component that enables signing of PDF or XML files according to the PAdES and XAdES signature standards using a user X.509 certificate (stored on a card, a USB token or in the local certificate store of the OS), which enables web applications to get a signed document or just a CAdES signature with a few lines of code. Most importantly, it works on most modern browsers on both Windows and MacOS operating systems. If you are interested please check our PDF Signing Extension developer portal https://developers.nextsense.com for more details.

Related

How to implement AATL/EUTL signing certs delivered on secure USB token in a hosted VM environment

We are generating document PDFs as part of our server application workflow. We need to be able to sign these documents to prove they are from us and have not been tampered with. We currently do this using a self-signed cert and using syncfusion's PDF module (excellent sw btw!). The problem is (of course) that the self-signed cert is not in the CA trust chain, so although the document is secured, it doesn't automatically validate that it's from us.
I have been researching where to purchase AATL certified certificates from and have found several vendors (Identrust being one of the more affordable options). However, they all share the same delivery method, which is that they ship it to you on a secure USB or similar token. What I don't understand then is how to use this token with our hosted VM. Does anyone have any experience in using these types of token, i.e. are we simply able to export the private key from the token onto the server?
Thanks
You cannot use the tokens in this scenario.
The certificate issuer should provide you with a web-based API that you integrate in your signing process. Usually you send the document hash and get back the signature, but the actual flow and ins/outs depend on the certificate provider.
Then the PDF library you use should let you embed in the PDF file the externally computed signature.
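The hash-out, signature-back split this answer describes, as an added example in Go (not code from the answer, and not any CA's actual API); it also shows the Key Usage check that later answers on this page mention. `remoteSignDigest` is a hypothetical stand-in for the provider's API or the token, `newSignerCert` builds a throwaway self-signed certificate purely for the demonstration, and the raw signature returned is what a PDF library would wrap into the signature field.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// newSignerCert: throwaway key + self-signed cert (constructed) marked for document signing.
func newSignerCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}
// remoteSignDigest stands in for the CA's signing API or HSM token (the only place
// the private key exists): it receives a 32-byte digest, never the document.
func remoteSignDigest(key *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
}
// signDocument is the web server: it holds no key, only the remote call.
func signDocument(remote func([]byte) ([]byte, error), pdf []byte) ([]byte, error) {
	digest := sha256.Sum256(pdf)
	return remote(digest[:])
}
// verifyDocument mirrors a reader: key usage must allow signing, digest must match.
func verifyDocument(cert *x509.Certificate, pdf, sig []byte) bool {
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return false
	}
	digest := sha256.Sum256(pdf)
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}
```

A real PAdES signature wraps this raw signature and the certificate chain in a CMS object over the PDF's byte range, which is the part the PDF library handles.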

Where do we purchase certificate for digital signature PDF

This is an existing question only. But I don't get exact clear details on this question.
We are using TCPDF to generate PDF with signatures. And for testing purpose we have generated self signed certificate to generate signature fields and make it work.
But we want to move it to live server. So we have to suggest our client to purchase trusted certificate for this purpose.
So my question is,
What type of certificate does our client have to purchase?
Whether we can use the SSL certificate for this purpose?
If not, where can we purchase it and what details do we need to know before purchase?
Please, anyone, provide me a detailed explanation of the above.
In layman's terms, this depends on the country you are in. There are Signature Issuing authorities, also called Certifying Authorities (CA). A CA may offer various types of signatures after various types of authentication methods for Individuals and Corporations or Institutions.
You may search for Certifying Authority (CA) in your country and follow their procedure to get legally (binding) valid Digital Signature.
Certificates for digital signatures are available from CAs (Certificate Authorities). Unfortunately, the CAs often charge a lot of money for such certificates.
"Code-signing" certificates won't work for digitally signing documents.
You can also get certificates for digital signatures from a couple of countries:
Estonia's e-residency program provides a digital signing certificate on a smart card to anyone after paying €100. The cert is good for 5 years. (You don't need to open a business in Estonia, that's just what they hope you do with the card.)
The card will be given to you at your local Estonia embassy or consulate after they verify your identity via your passport.
SuisseID -- from Switzerland, also available to anyone. Valid for 3 years, CHF 146.60 ($148)

Digitally signing PDF's using certificate in my webpage

I have my own webpage www.kasperikoski.fi that is, the way I see it, trusted, and I would like to have the ability to digitally sign PDF documents by using some kind of certificate that is put into my webpage so that people really know that it is me signing all these documents.
At first I thought that maybe I could share "public key" at the bottom of my webpage, but then I heard something about OpenSSL. Could that be used in my needs?
How would you carry out this one so that I could use the PDF's integrated "sign digitally"-option?
Assuming that I read your question right, you want to give your web site visitors a way to download some documents, which are created or maintained by your web site, and you want those documents to be digitally signed.
If the document is pre-created, it's possible to sign it during creation (either with the tool that generates them, or create a separate piece of code for signing). If the documents are generated on-the-fly, then your web site should include signing capabilities.
To perform signing you need a certificate with a private key. But not every certificate would work. The certificate you need should be suitable for data signing, rather than just for SSL/TLS. You can try to obtain the certificate for your site from some CA and then use it for signing the documents. Whether the users' software would accept such certificates depends on how the Key Usage and Extended Key Usage properties (extensions) of the certificate are set by the CA. Another option would be to create a self-signed certificate.
In case of a self-signed certificate you would want to place the certificate itself (without a private key) on your web site for the users to download and install. This is needed for validation of the signature in your signed documents. Needless to say, you don't make the private key available for download, nor do you provide it to your users by any other means. It's kept only on the server (and preferably secured to make stealing it harder for a possible attacker).
The technologies / components / tools to use in these scenarios depend on which of the above options you need.

Signing pdf signature field with hashed cert in itextsharp

I have a hash of a certificate using the example at http://techblog.bozho.net/?p=37 and wish to use this to fill in a signature field in a pdf form with iTextSharp. Does anyone have any examples or know how? This is a web app and the only method I can find for capturing the signature from a smart card local to the client.
Ken
You can't use a hash of the certificate for signing. Signing is performed using the private key (and not its hash either).
For a web application you have two options - either transfer the whole document to the client, or use some distributed signing mechanism which involves a client-side module (either a browser plugin / Java applet or a standalone application).
Our company developed a distributed cryptography add-on to SecureBlackbox, which is described in detail in this SO answer and which does what you need. The scheme in the answer explains how distributed signing would work.

Do we really need a hardware device to digitally sign PDFs generated by our website?

Our website generates PDFs and signs them digitally with iTextSharp and BouncyCastle.
We've been told however that we cannot use the website's SSL certificate to sign the PDF, we need a special PDF signing certificate (because Adobe only trusts certain roots). And that the only way to get a certificate like that for use by a website (i.e. automated programmatic signature of generated documents) is to get a physical hardware device that gives access to the certificate's private key. Apparently this hardware device costs a lot of money.
Do we really need to spend thousands of dollars to sign a PDF to be trusted by Adobe?
From a technical point of view you can use any X.509 certificate with the private key and properly set Key Usage extensions to sign the document. However, the validating side (most often it's Adobe Reader) will trust only certain certificates. Adobe demands that certificates accepted by Adobe Reader are issued in compliance with their requirements, one of which is that the private key is protected by putting it in hardware.
It is possible to tune up Adobe Reader to accept other certificates by telling Reader to validate certificates using Windows certificate storage, adding custom roots as trusted roots etc., but this requires extra actions on client (reader) side.
Also you have yet to find the certificate authority that will sell you a certificate suitable for data signing without requiring you to pay a fortune for hardware device. Why is it so? "Monopoly" is the answer. Adobe have created a kind of monopoly with PDF and reader and now lets partners (and itself) abuse it.
The cost of the USB token is about $50 (and much less when purchased in bulk) yet you have to pay 10 times more to the CA for delivering this token to you. And this cost is not for validating you but solely a monopolistic charge.
No, there is no need to have hardware to sign PDFs. Looks like someone is trying to wring you out for a little money :)
http://www.pdflib.com/products/plop-ds/ is an example of a commercial product you can use to sign PDFs with Software.
TCPDF (http://www.tcpdf.org/) which is a common library for PHP to write PDFs dynamically has PDF signing built in. It's open source =) There is example code there for how they sign PDFs.