The Digital Signature addon introduces PDF signing capabilities to the Nuxeo Platform. This addon also provides generation of user certificates, which are required for document signing.
The Nuxeo Platform Digital Signature addon allows you to:
- download the PDF for previewing,
- download the root certificate to install inside your PDF viewer for verifying any future certificates,
- navigate to certificate generation,
- sign the PDF,
- view existing certificates without opening the signed PDF.
Digital Signature Concepts
Principles
- Documents are signed to protect them from modification, especially at critical stages in their life cycle.
- Document- and user-certification in the Nuxeo Platform follow principles of asymmetric cryptography, PKI & the X.509 standards.
- To sign a document, a user needs a personal certificate.
- Each user can create her own certificate.
- Certificates are issued by Certificate Authorities (CAs).
What Is a Digital Signature?
... or why sign your documents digitally?
Digital signatures uniquely identify the document signer. They provide a similar functionality to handwritten signatures on paper, and are a convenient alternative to signing and scanning documents when a digital version of a document is required. Digital signatures are meant to assure authenticity and integrity of documents, that is to verify that the document originator - or signer - is who they claim to be, and to ascertain that a document has not been tampered with between the moment of signing and the subsequent viewing.
What Is a Digital Certificate?
Before you sign a document you need a digital certificate. Certificates are attached to documents to verify the identity of the signer, that is to check that the person signing the message is who they claim to be. Certificates are issued by Certificate Authorities (CA, also known as Issuer). To verify that a certificate has not been tampered with, it has to be validated against the CA's public key. If this verification is passed it means that the CA certifies the authenticity of the signer. Digital certificates are formatted using PKI standards, the most common of them is X.509, which is also used in this addon.
Local and Root Certificate Authorities
Root Certificate Authority
The highest level certificates are created by root Certificate Authorities (CA) which are supposed to be trusted publicly. No higher authority can certify the root certificates: those are the top-level certificates. You can see examples of those in your browser, under the certificate authorities / CA section.
Here are some of the more popular ones:
- Equifax Secure CA,
- VeriSign Class 3 Public Primary Certification Authority,
- Visa eCommerce Root,
- Deutsche Telekom Root CA 2.
Local Certificate Authority
Your Local Certificate Authority (CA) will be used to sign user certificates. The local CA certificate can either be signed by a higher-level certificate authority, or be self-signed. The local CA certificate will be created inside the system hosting your Nuxeo Platform instance.
The default Local CA that comes with our plugin is just an example certificate to be used for initial setup testing, and it should not be used for signing production documents.
Certification Chains
Now let's consider the following relationships:
- The document signature includes => the signer's certificate (user certificate).
- The user certificate was signed with => your local CA certificate.
- Your local CA certificate was signed by => a higher level CA certificate.
- The higher level CA certificate was signed by => a still higher CA certificate (… and so on… …and then, finally).
- A very high level CA certificate was signed by => the root CA certificate.
The root CA certificate closes the chain that leads down to the user's certificate.
Now, instead of verifying all the intermediary certificates, it is enough for your PDF viewer to have the root Certificate Authority verify it for you, via the sequence of intermediary CAs.
Root certificates are usually already present in popular PDF viewers and browsers, and if not, they can be updated automatically provided your software has been set up properly.
CA-Signing vs Self-Signing
… as applied to your local CA certificate.
If your local CA certificate was signed by a certificate authority, the users usually don't have to install your company's certificate in their browsers to verify the signed documents.
On the other hand, if your local CA was self-signed, the CA certificate has to be manually installed in the PDF viewer prior to verifying signatures. This has to be done only once per PDF viewing program and an example of certificate installation in a PDF viewer has been presented in our documentation.
Using the Digital Signature Addon
When the Digital Signature addon is installed on your Nuxeo Platform, you get some new tabs in your Nuxeo interface:
- Users have a new Certificates tab in their Home, from which they can generate their certificate to be able to sign documents.
- Files documents have a new Signature tab, from which they can either see the signatures or sign the document if they have the permission to.
Top-Level View
From a high-level functional point of view, here is what users need to be able to do using the digital signature addon:
- User A creates a certificate.
- User A signs a document.
- User B installs the root certificate in a PDF viewer.
- User B opens a document, previews the document with a visible signature and can check its authenticity against the root certificate.
Generating a Certificate
To be able to sign documents, users need to have a certificate. Every user of the application can have a certificate. However, this not automatic: users have to generate it. When users generate their certificate, they are asked to choose a password, that will be required to sign the document.
Make sure you remember your password (or store it secured) as there is currently no mechanism for resetting lost passwords.
The certificate generation relies on two sets of information:
- User's information: user's first name, last name and email address. The email address is used to check the user's unicity.
- Global company information entries configured by the system administrator.
To generate your certificate:
- Click on the Home main tab.
Click on the Certificates tab, where you can generate your certificate.
If you have no certificate yet, a link to the Certificates tab is displayed directly from the documents Signature tab.
A form to generate your certificate is displayed. If you already generated your certificate, it is displayed instead of the generation form.
Type and confirm the password that you will be asked when you sign documents.
- Click on the Generate Certificate button.
You certificate is generated and displayed.
Signing a Document
Only users with "Edit" permission can sign documents.
To sign a document:
Click on the Signature tab of the document. The signing form is displayed.
If you haven't generated your certificate yet, you are displayed a link to the certificate management instead of the signing form.
Type a comment in the "Signing Reason" text area.
- Type your password in the "Certificate Password" field.
- Click on the Sign now button.
Your signature is displayed on the Signature tab instead of the signing form. It is composed of your certificate, your organization's certificate, and the expiration date of your certificate.
Verifying the Signature of the PDF File
To verify the signature of the PDF, you need to:
- Install the public root certificate available from the Root Certificate section of the Signature tab:
- Click on the Download the public root certificate for your PDF viewer link to download the certificate.
- Follow your operating system's usual certificate installation steps.
- Download the signed PDF file by clicking on the file name from the Summary tab or the Signature tab, and open it.
References
- http://download.oracle.com/javase/1.5.0/docs/guide/security/cert3.html
- http://en.wikipedia.org/wiki/Digital_signature
- http://www.nuxeo.com/blog/digital-signatures-within-nuxeo-document-management/