Keystores & Digital Signatures
Cryptographic keys and certificates are entities used in various security solutions. They consist of some secret and some public information. A key can be used for signing documents or data before it is sent. Certificates can hold metadata used both for signatures and validation of data integrity.
In the platform we provide a framework for storing and administering keys and certificates securely in the database. Each keystore is a PFX file stored in a table as a BLOB. It is encrypted with a long generated password to keep it safe even if someone gets their hands on the database or database files.
The administration of these keystores is handled from a form in Solution Manager. Here you can add keystores by importing various files like .pfx, .cer and .key.
A keystore is normally connected to a user. This allows for personal signing of documents, but you can also store keys used for signing on a global/public level, for instance when signing communication over web services or HTTPS.
For testing purposes you can generate a self-signed certificate and store it in the keystore.
Keys can (for security reasons) only be stored, not exported. So please keep them safe, somewhere else, as well.
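A test certificate can also be prepared outside the platform and imported as a .pfx file. The script below is an added example, not IFS code: it uses the OpenSSL command line to create a throwaway self-signed certificate and wrap it in a PFX protected by a long generated password, which is the kind of at-rest protection described above. The file names, subject name and alias are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the IFS platform. Requires the openssl CLI.
set -eu

# Create a self-signed test certificate and package it as a PFX.
# $1 = output directory. Prints the generated PFX password on stdout.
make_test_pfx() {
  dir=$1
  # Throwaway 2048-bit RSA key and self-signed certificate, valid 30 days.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Signer (constructed)" \
    -keyout "$dir/test.key" -out "$dir/test.cer" 2>/dev/null
  # Long generated password: 32 random bytes, base64-encoded (44 characters).
  pw=$(openssl rand -base64 32)
  # Pass the password through the environment so it never appears in argv.
  PFX_PW=$pw openssl pkcs12 -export -name "test-signer" \
    -inkey "$dir/test.key" -in "$dir/test.cer" \
    -out "$dir/test.pfx" -passout env:PFX_PW
  # The plaintext key was only needed to build the PFX; do not leave it behind.
  rm -f "$dir/test.key"
  printf '%s' "$pw"
}

# Return 0 only if the PFX integrity check passes with the given password.
# $1 = PFX file, $2 = password.
pfx_opens_with() {
  PFX_PW=$2 openssl pkcs12 -in "$1" -passin env:PFX_PW -noout 2>/dev/null
}

# Demonstration on a private temporary directory (mktemp -d creates it 0700).
work=$(mktemp -d)
generated=$(make_test_pfx "$work")
if pfx_opens_with "$work/test.pfx" "$generated"; then
  echo "PFX opens with the generated password"
fi
if ! pfx_opens_with "$work/test.pfx" "a-guessed-password"; then
  echo "PFX rejects a wrong password"
fi
rm -rf "$work"
```

The PFX is unreadable without the generated password, so a copy of the file alone (or of a database BLOB holding it) does not expose the private key.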
IFS has support for digitally signing PDF documents. This is available in the IFS Connect Framework Java API called "Document Signer". A Java object of this class can sign your documents either as the currently authenticated user or with a keystore id.
When signing PDF files, you can optionally "certify" the PDF file, using a certain flag in the signature. This is technically more or less the same thing as adding a signature, with the difference that the file can no longer be modified, so no additional signatures can be added. On a high level, this means that first you add one or more user signatures to the PDF file and, as a last optional step, you certify it, to prevent further changes.
Multiple signatures can be added to the PDF file before it is certified. This means that multiple users can sign the content before it is certified. All signatures will be listed in the PDF file.
The signature functionality requires the keys to be stored in the keystores in the database and can be used either from a Java transformation or a BizApi. "Out of the box" solutions for PDF signatures are available in Document Management and via the Report Rule Engine when printing documents.
It is possible to add a visual representation of a digital signature, also known as a "signature appearance", to a PDF. The Document Signer API has a method for setting the visual signature properties. These include things like the page number and location (x,y in cm) where the signature appearance will be added.
A signature appearance is constructed using up to three components: an image or generated visual signature, a text containing details of the signature certificate, and a watermark image in the background. It is by default quite large (21x7cm), so typically it is resized to about 30% before being added to the PDF.