I have my own webpage www.kasperikoski.fi that is, the way I see it, trusted, and I would like to have the ability to digitally sign PDF-documents by using some kind of sertificate that is put into my webpage so that people really know that it is me signing all these documents.
At first I thought that maybe I could share "public key" at the bottom of my webpage, but then I heard something about OpenSSL. Could that be used in my needs?
How would you carry out this one so that I could use the PDF's integrated "sign digitally"-option?
Assuming that I read your question right, you want to let your web site visitors a way to download some documents, which are created or maintained by your web site, and you want those documents to be digitally signed.
If the document is pre-created, it's possible to sign it during creation (either with the tool that generates them, or create a separate piece of code for signing). If the documents are generated on-the-fly, then your web site should include signing capabilities.
To perform signing you need a certificate with a private key. But not every certificate would work. The certificate you need should be suitable for data signing, rather than just for SSL/TLS. You can try to obtain the certificate for your site from some CA and then use it for signing the documents. Whether the users' software would accept such certificates depends on how Key Usage and Extended Key Usage properties (extensions) of the certificate are put by the CA. Another option would be to create a self-signed certificate.
In case of a self-signed certificate you would want to place the certificate itself (without a private key) to your web site for the users to download and install. This is needed for validation of the signature in your signed documents. No need to say, that you don't put the private key to download, neither you provide it to your users by any other means. It's kept only on the server (and preferably secured to make stealing it harder for the possible attacker).
The technologies / components / tools to use in these scenarios depend on which of the above options you need.
Related
For my IT Security class I have to create a vulnerable web application.
When logging in the user should upload a certificate (e.g. a PFX file, I chose a use case where this makes sense). However I want to make it so an attacker can recreate the certificate with some basic information.
I did some research and it seems like I need to generate a reproducable SSL key and CSR if I want to use PFX. Can I do this on my own? If so, how? If not, what other options do I have?
Within Apple's certificates page, if I select a payment processing certificate and then download the .cer file, can this .cer file be safely distributed to third parties without any security concerns? I am unsure of the specific purpose of this certificate file - but if this .cer file is all the information a third party has, can they do anything malicious with it?
The certificate is effectively a signed public key. It's used validate signatures from your private key, the fact the certificate is also signed by Apple attests to your status within their ecosystem.
You can distribute it without concern, in fact, it will be distributed to anyone wishing to verify you in this context.
.cer files can contain private key material, but shouldn't in this example.
We are generating document PDF's as part of our server application workflow. We need to be able to sign these documents to prove they are from us and have not been tampered with. We currently do this using a self-signed cert and using syncfusion's PDF module (excellent sw btw!). The problem is (of course) that the self-signed cert is not in the CA trust chain so although the document is secured, it doesnt automatically validate that its from us.
I have been researching where to purchase AATL certified certificates from and have found several vendors (Identrust being one of the more affordable options). However, they all share the same delivery method which is they ship it to you on a secure USB or similar token. What I dont understand then is how to use this token with our hosted VM. Does anyone have any experience in using these types of token ie. are we simply able to export the private key from the token onto the server?
Thanks
You cannot use the tokens in this scenario.
The certificate issuer should provide you with a web-based API that you integrate in your signing process. Usually you send the document hash and get back the signature, but the actual flow and ins/outs depends on the certificate provider.
Then the PDF library you use should let you embed in the PDF file the externally computed signature.
Our website generates PDFs and signs them digitally with iTextSharp and BouncyCastle.
We've been told however that we cannot use the website's SSL certificate to sign the PDF, we need a special PDF signing certificate (because Adobe only trusts certain roots). And that the only way to get a certificate like that for use by a website (i.e. automated programmatic signature of generated documents) is to get a physical hardware device that gives access to the certificate's private key. Apparently this hardware device costs a lot of money.
Do we really need to spend thousands of dollars to sign a PDF to be trusted by Adobe?
From technical point of view you can use any X.509 certificate with the private key and properly set Key usage extensions to sign the document. However, the validating side (most often it's Adobe Reader) will trust only certain certificates. Adobe demands is that certificates, accepted by Adobe Reader, are issued in compliance with their requirements, one of which is that the private key is protected by putting it to hardware.
It is possible to tune up Adobe Reader to accept other certificates by telling Reader to validate certificates using Windows certificate storage, adding custom roots as trusted roots etc., but this requires extra actions on client (reader) side.
Also you have yet to find the certificate authority that will sell you a certificate suitable for data signing without requiring you to pay a fortune for hardware device. Why is it so? "Monopoly" is the answer. Adobe have created a kind of monopoly with PDF and reader and now lets partners (and itself) abuse it.
The cost of the USB token is about $50 (and much less when purchased in bulk) yet you have to pay 10 times more to the CA for delivering this token to you. And this cost is not for validating you but solely a monopolistic charge.
No, there is no need to have hardware to sign PDFs. Looks like someone is trying to wring you out for a little money :)
http://www.pdflib.com/products/plop-ds/ is an example of a commercial product you can use to sign PDFs with Software.
TCPDF (http://www.tcpdf.org/) which is a common library for PHP to write PDFs dynamically has PDF signing built in. It's open source =) There is example code there for how they sign PDFs.
I am developing an html application where an user has to first login using his digital certificate. After login he has to perform encryption and decryption of data using his digital certificate.
Now in case when the certificate is available in the form of .pfx file then we can just install it and the certificate appears in the container and we can use it during login and during encryption and decryption.
This works fine in case if we have .pfx for our digital certificate.
But now i want to enhance it for etoken's(security token). I dont know much about etoken's. The problem is that how can i use the digital certificate stored in it while login?
Also how should i use the private key stored in it while decryption?
Can anyone please tell me about any tutorials (if any) which will explain the usage of etoken and the CryptoAPI's.
As I mentioned in the answer to your previous question, Windows CSPs map the certificate from hardware to Windows certificate storage, so this is transparent to you. If you can access the certificate via Windows certificate storage API, then you don't need to care where the certificate is actually located.
Note that you can't transfer a private key to the server, i.e. you would have to use a client-side module (either ActiveX or Java applet) that will perform operations locally. This is not specific to certificates on hardware, but also to certificates which have non-exportable private keys.