Certificates
When a signature is processed, the captured biometric data are encrypted, and once the signature has been inserted into the document, the document is digitally signed. Encryption needs only a public-key certificate, that is, the public key. Signing needs a complete key pair: a public-key certificate, its certificate chain and the private key that matches the public key in the certificate.
A certificate can be used globally for all users, generated automatically per user, or managed flexibly via the REST API. The certificates and keys must be made available to signoSign/Universal for the operations named above, and signoSign/Universal stores them. signoSign/Universal is not a tool for managing certificates and keys, however: it provides only limited access to the stored data, if any.
To encrypt biometric data, signoSign/Universal is supplied as standard with a certificate that is created and managed by a notary. This provides the greatest possible security when dealing with sensitive signature data without you having to deal with key management: the notary holds the private key, so in the case of a dispute the notary can be instructed to decrypt the biometric data. If you would prefer to manage the certificates yourself, adjust the configuration accordingly before using the system in production. More information is available directly from the signotec sales team.
By default, the document is digitally signed with a demo certificate, which must be replaced by a trusted certificate for production use. See also the Global certificates section.
Java Cryptography Architecture
The certificates and keys are loaded via the Java Cryptography Architecture (JCA). All formats that can be loaded with the class java.security.KeyStore can also be processed by signoSign/Universal. Loading a certificate generally requires the following settings:
A keystore type that defines the format of the keystore
A keystore file matching the type
The name/alias of the certificate in the store
The passwords needed to load the store and its elements.
The required settings may vary depending on the keystore type. For example, no password is required to load the Microsoft Windows keystore (type WINDOWS_MY), and it has no keystore file. Java KeyStores (type JKS) can be managed with the Java KeyTool; note that the JDK's built-in default keystore type is JKS only up to Java 8, while Java 9 and later default to PKCS12 unless the keystore.type security property is changed, so it is safest to state the type explicitly in the settings.
Global certificates
To use one encryption certificate and one signature certificate for all users globally, the useCertificateDataProperties key must be enabled in the server settings, and the sources of both certificates (keystore type, file, alias and passwords) must be defined there.
Configuration example
The following settings load the encryptionCert and signingCert certificates from the Java KeyStore /var/ssu/global-store.jks. The password to open the keystore is storePassword, and the password to load the private signature key is keyPassword. See Configuration > Certificates for the list containing all configuration keys.
persistence.useCertificateDataProperties = true
persistence.keystoreSigning = /var/ssu/global-store.jks
persistence.signingAlias = signingCert
persistence.signingKeyStoreType = JKS
persistence.signingKeyStorePassword = storePassword
persistence.signingprivatekeypassword = keyPassword
persistence.keystoreBiometric = /var/ssu/global-store.jks
persistence.biometricAlias = encryptionCert
persistence.biometricKeyStoreType = JKS
persistence.biometricKeyStorePassword = storePassword
Standard certificates
The global keystores that signoSign/Universal uses by default are located next to the Properties file for the server settings. They contain a key pair with a self-signed demo certificate for the digital signature, and the notary-managed certificate for encrypting the biometric data. See also the section Certificates.
The certificate with the alias biometricalias in the keystore keystoreBiometric.jks is used for encryption. The key pair with the alias signingalias in the keystore keystoreSigning.jks is used for signing. The password for both keystores is password.
The demo certificate and its keys are preset only for evaluating signoSign/Universal and must be replaced by trusted data before live use! The keystore password is published in this documentation, so it protects nothing; a keystore you create yourself should use its own store and key passwords.
[WEB-APP-ROOT]/WEB-INF/classes/keystoreBiometric.jks
[WEB-APP-ROOT]/WEB-INF/classes/keystoreSigning.jks
[WEB-APP-ROOT]/ssu_web-x.x.x.x.war/WEB-INF/classes/keystoreBiometric.jks
[WEB-APP-ROOT]/ssu_web-x.x.x.x.war/WEB-INF/classes/keystoreSigning.jks
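The following is an added example, not code from signotec or from signoSign/Universal. It ties together the JCA settings described above (keystore type, file, alias, passwords), the global configuration keys from the example, and the warning about the standard keystores: it reads the persistence.* keys from a server-settings file, opens both keystores the way JCA requires, checks that the signing alias really is a complete key pair whose private key matches its certificate, checks both certificates' validity periods, and warns if the signing certificate is self-signed, as the shipped demo certificate is. The path of the settings file on the command line is an assumption; an empty password value is translated to null, which is what JCA expects for stores that need no password, and a missing file is treated as a provider-backed store such as WINDOWS_MY.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Properties;

/** Checks the global keystores referenced by a signoSign/Universal server-settings file.
 *  Added example, not signotec code; only the persistence.* keys shown on this page are read.
 *  Usage: java CheckGlobalStores /var/ssu/server.properties  (the settings path is an assumption) */
public class CheckGlobalStores {

    /** An empty password value (as in the HSM example) means "no password": JCA expects null. */
    static char[] pw(String value) {
        return (value == null || value.isEmpty()) ? null : value.toCharArray();
    }

    /** Opens a keystore from the settings type / file / store password. Provider-backed stores
     *  such as WINDOWS_MY have no file and are loaded with a null stream. */
    static KeyStore open(String type, String file, char[] storePw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (file == null || file.isEmpty()) {
            ks.load(null, storePw);
        } else {
            try (InputStream in = new FileInputStream(file)) { ks.load(in, storePw); }
        }
        return ks;
    }

    /** Self-signed: subject equals issuer and the signature verifies with the certificate's own key.
     *  The signing store shipped for evaluation holds exactly such a demo certificate. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    /** Proves the private key belongs to the certificate: sign a test message with the key and
     *  verify with the certificate's public key. Works for HSM keys, which never leave the store. */
    static boolean keyMatchesCert(PrivateKey key, X509Certificate cert) throws Exception {
        String k = key.getAlgorithm();
        String alg = "RSA".equals(k) ? "SHA256withRSA" : "EC".equals(k) ? "SHA256withECDSA" : k; // k e.g. Ed25519
        byte[] msg = "signoSign/Universal key pair check".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(msg);
        byte[] sig = s.sign();
        Signature v = Signature.getInstance(alg);
        v.initVerify(cert.getPublicKey());
        v.update(msg);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { p.load(in); }
        if (!"true".equalsIgnoreCase(p.getProperty("persistence.useCertificateDataProperties", ""))) {
            System.out.println("WARN: useCertificateDataProperties is not true; per-user keystores are generated instead");
        }

        // Signing: a complete key pair is required (private key + certificate chain).
        KeyStore signing = open(p.getProperty("persistence.signingKeyStoreType", KeyStore.getDefaultType()),
                p.getProperty("persistence.keystoreSigning"), pw(p.getProperty("persistence.signingKeyStorePassword")));
        String sAlias = p.getProperty("persistence.signingAlias");
        Certificate[] chain = signing.getCertificateChain(sAlias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("alias " + sAlias + " is not a key pair entry with a certificate chain");
        }
        PrivateKey key = (PrivateKey) signing.getKey(sAlias, pw(p.getProperty("persistence.signingprivatekeypassword")));
        X509Certificate sCert = (X509Certificate) chain[0];
        sCert.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
        if (!keyMatchesCert(key, sCert)) {
            throw new IllegalStateException("private key under alias " + sAlias + " does not match its certificate");
        }
        if (isSelfSigned(sCert)) {
            System.out.println("WARN: signing certificate is self-signed (demo certificate?); replace it before live use");
        }
        System.out.println("signing OK: " + sCert.getSubjectX500Principal() + ", chain length " + chain.length);

        // Biometric encryption: only the certificate (public key) is needed on this side.
        KeyStore bio = open(p.getProperty("persistence.biometricKeyStoreType", KeyStore.getDefaultType()),
                p.getProperty("persistence.keystoreBiometric"), pw(p.getProperty("persistence.biometricKeyStorePassword")));
        String bAlias = p.getProperty("persistence.biometricAlias");
        X509Certificate bCert = (X509Certificate) bio.getCertificate(bAlias);
        if (bCert == null) throw new IllegalStateException("no certificate under alias " + bAlias);
        bCert.checkValidity();
        boolean[] ku = bCert.getKeyUsage();   // index 2 = keyEncipherment, index 3 = dataEncipherment
        if (ku != null && !ku[2] && !ku[3]) {
            System.out.println("WARN: biometric certificate's keyUsage allows neither keyEncipherment nor dataEncipherment");
        }
        System.out.println("biometric OK: " + bCert.getSubjectX500Principal()
                + (bio.isKeyEntry(bAlias) ? " (private key present in this store)"
                                          : " (certificate only; private key held elsewhere, e.g. by the notary)"));
    }
}
```

Run it against the settings file before going live. The self-signed warning fires for the shipped signingalias demo key pair; the key-pair check fails with an UnrecoverableKeyException when persistence.signingprivatekeypassword is wrong, and with the IllegalStateException above when the alias points at a certificate-only entry, which is the mistake the "complete key pair" requirement in the Certificates section is warning about.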
User-specific certificates
If neither global certificates nor certificates configured via the REST API are used, signoSign/Universal will generate a keystore with encryption and signature certificates for each user.
Keystore attributes
Keystore type | The default Java type (JKS, or the type set with the keystore.type security property in the java.security file) |
Keystore password protected? | Yes |
Contains a key pair? | Yes, password protected |
Alias for key pair and certificate |
Configuration
User-specific certificates are generated automatically if the useCertificateDataProperties key is disabled in the server settings and no valid keys have been stored in the database for the respective user (for example via the REST API).
Hardware security module
A JCA/JCE provider from the manufacturer is required to use a hardware security module (HSM). The provider is normally shipped as a JAR library, and signoSign/Universal must be given access to it. signoSign/Universal uses the provider automatically when the keystore type name registered by that provider is used as the keystore type in the settings.
Configuration example
An example of the server settings if
the manufacturer specifies the keystore type "custom.store"
the keystore file is stored in /var/ssu/customStore
the name/alias of the encryption certificate is "encryptionCert"
the name/alias of the signature certificate is "signingCert"
no password is required (the password keys are left empty)
persistence.useCertificateDataProperties = true
persistence.keystoreSigning = /var/ssu/customStore
persistence.signingAlias = signingCert
persistence.signingKeyStoreType = custom.store
persistence.signingKeyStorePassword =
persistence.keystoreBiometric = /var/ssu/customStore
persistence.biometricAlias = encryptionCert
persistence.biometricKeyStoreType = custom.store
persistence.biometricKeyStorePassword =
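Before wiring an HSM into the settings above, it is worth confirming which keystore type name the vendor's provider actually registers, since that exact string has to go into persistence.signingKeyStoreType and persistence.biometricKeyStoreType. The following is an added example, not signotec code: it optionally loads a provider class from a JAR at runtime and registers it, lists every KeyStore type the JVM then knows together with the provider supplying it, and checks that a given type name resolves. The JAR path, the provider class name com.example.VendorProvider and the type name custom.store are assumptions for a fictitious vendor.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

/** Lists the keystore types the running JVM knows and checks that the type name chosen for
 *  persistence.*KeyStoreType resolves to a provider. Added example, not signotec code.
 *  Usage:  java ListKeyStoreTypes [provider.jar com.example.VendorProvider] custom.store
 *  The JAR path, provider class name and type name are assumptions for a fictitious vendor. */
public class ListKeyStoreTypes {

    /** Loads the vendor's Provider class from its JAR and registers it at the end of the
     *  provider list (the same effect as listing it in the java.security file). */
    static Provider register(String jarPath, String className) throws Exception {
        URL[] urls = { new File(jarPath).toURI().toURL() };
        ClassLoader loader = new URLClassLoader(urls, ListKeyStoreTypes.class.getClassLoader());
        Provider p = (Provider) Class.forName(className, true, loader).getDeclaredConstructor().newInstance();
        if (Security.getProvider(p.getName()) == null) Security.addProvider(p);
        return p;
    }

    /** Every KeyStore service of every installed provider; the "algorithm" of a KeyStore
     *  service is the type name accepted by KeyStore.getInstance(type). */
    static void listKeyStoreTypes() {
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) System.out.println(p.getName() + " : " + s.getAlgorithm());
            }
        }
    }

    /** Throws KeyStoreException if no installed provider supplies the type. */
    static String providerFor(String keyStoreType) throws Exception {
        return KeyStore.getInstance(keyStoreType).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 3) {
            Provider p = register(args[0], args[1]);
            System.out.println("registered provider " + p.getName() + " (" + p.getInfo() + ")");
        }
        listKeyStoreTypes();
        String type = args.length > 0 ? args[args.length - 1] : KeyStore.getDefaultType();
        System.out.println(type + " -> " + providerFor(type));
    }
}
```

Without arguments the program just prints the JDK's own types (JKS, PKCS12, and on Windows WINDOWS_MY, among others). Loading the provider reflectively is enough for this check; in the server itself the JAR must be on the class path or the provider must be listed in the java.security file so that it is present when the keystores are loaded. If the HSM speaks PKCS#11, the JDK's built-in SunPKCS11 provider with a vendor-specific configuration file is an alternative to a vendor JAR; the resulting type name is then PKCS11 and no keystore file is needed, so the persistence.keystoreSigning and persistence.keystoreBiometric paths in the example above would be left empty and the PIN supplied as the store password.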