Digital Signature Settings

Digital signature is a document property that contains information encrypted by means of public-key cryptography. It authenticates the signer and verifies that the document has not been altered since the moment it was signed. A digital signature, authenticating the signatory, can be used instead of a handwritten signature in cases recognized by law.

You can sign document versions in ELMA, only if you have the ECM+ application activated, and settings configured.

The following settings are required for using digital signatures in ELMA:

To configure digital signature settings, go to Administration – System – System Settings, Digital Signature Settings unit. This unit contains two sub-units: General Settings and Encryption Provider Settings (fig. 1).

Fig. 1. Administration – System – System Settings. Digital Signature Settings

General Settings unit

To edit these settings, click

. In the opened dialog box (fig. 2) make the necessary changes and click Save.

Fig. 2. Dialog box for editing settings

Default Encryption Provider – select an encryption provider, which will be set by default in the user profile, and used for signing document versions. If you select internal encryption provider you need to set up a certification authority, and obtain user certificates.

Digital signature type – select a digital signature type from the drop-down list. The list of types depends on the selected encryption provider:

Internal encryption provider:
Default CMS;
CSP CryptoPro encryption provider:
CAdES-X Long Type 1;
CAdES-BES;
CAdES-T.

Require a digital signature when approving:
Yes – the Sign attributes with digital signature box will be checked in the dialog box for approving a document..
No – the Sign attributes with digital signature box will be unchecked in the dialog box for approving a document. You can check it and use digital signature, if necessary.

Require a digital signature when getting acquainted:
Yes – the Sign attributes with digital signature box will be checked in the dialog box for getting acquainted with a document.
No – the Sign attributes with digital signature box will be unchecked in the dialog box for getting acquainted with a document. You can check it and use digital signature, if necessary.

Require a digital signature when signing:
Yes – the Sign attributes with digital signature box will be checked in the dialog box for signing a document.
No – the Sign attributes with digital signature box will be unchecked in the dialog box for signing a document. You can check it and use digital signature, if necessary.

Forbid requiring Digital Signature in approval subtasks:

Yes – the Require Digital Signature option will not be displayed in the dialog box for creating an approval subtask.
No – the Require Digital Signature option will be displayed in the dialog box for creating an approval subtask.

Forbid requiring Digital Signature in acquaintance subtasks:

Yes – the Require Digital Signature option will not be displayed in the dialog box for creating an acquaintance subtask.
No – the Require Digital Signature option will be displayed in the dialog box for creating an acquaintance subtask.

Select a certificate when approving multiple documents:

Select a certificate once when signing – this option is similar to the Select a certificate when signing multiple documents option. However, if you set Select a certificate once when signing, you will be able to sign the task decision.

A task decision contains the document signature text (including attributes and decisions on all the documents). To view the decision, click Task Decision in the Create Digital Signature dialog box (fig. 4); the Task Decision dialog box will open (fig. 3).

Fig. 3. Task Decision dialog box

After approving or reviewing a document package the task decision will be displayed in the Signature Information dialog box, Signed Text field.

Note, that signing a decision is available only when approving or reviewing a document package. If you use an internal encryption provider, you can sign only document attributes; if you use an external encryption provider you can sign document attributes and file versions.

Let's take a look at signing a document package while using different encryption providers.

1. Signing a document package using an internal encryption provider (fig. 4).

In the dialog box (fig. 4) select a certificate in the Certificate* field, check the Task Decision box and click Sign. If you uncheck the Task Decision box, the document attributes will not be signed and a digital signature will not be generated.

Fig. 4. Create Digital Signature dialog box

2. Signing a document package using CryptoPro CSP (fig. 5).

In the dialog box (fig. 5) select a certificate in the Certificate* field, check the boxes of the required files and if necessary, check the Task Decision box. Next, click Sign.

Fig. 5. Create Digital Signature dialog box

If you select this encryption provider, the user will be able to sign version files without a task decision, and sign a task decision without file versions.

Select a certificate every time when signing – this option is similar to Select a certificate when signing multiple documents.

Select a certificate when reviewing multiple documents – this option is similar to Select a certificate when approving multiple documents.

Select a certificate when signing multiple documents:

Select a certificate once when signing – if you select this option, you will need to select a certificate once in the the Signature Certificate field and click Sign when signing a document package (fig. 6).

Fig. 6. Create Digital Signature dialog box

If you use an internal encryption provider, the documents will be signed with a digital signature.

If you use an external encryption provider, a dialog box will open (fig. 7), where you need to enter a password for the container that stores the certificate. This password is set when obtaining the certificate from the Certification Authority.

Fig. 7. CryptoPro CSP dialog box

You can check the Remember Password box, so that it was automatically filled in when signing documents in the future.

Select a certificate every time when signing – if you select this option, you will need to sign each document in a document package separately, by selecting a certificate. This option is similar to signing a document package without digital signature. The only difference is the additional dialog box for selecting a certificate (fig. 8).

Fig. 8. Create Digital Signature dialog box

If you click Sign (fig. 8) the documents will be signed according to the encryption provider settings (see above).

Forbid users to edit signature settings in their profiles:

Yes – forbid users to work with the Signature block and the Trusted certificates for signing unit in the user profile.
No – allow users to work with the Signature block and the Trusted certificates for signing unit in the user profile.

Allow signing only with the default certificate:

Yes – selecting a default certificate for signing documents will be available in the user profile. To learn more, see the respective Help page.
No – default certificate settings will be unavailable.

Encryption Providers Settings unit

In this unit, you can set up encryption providers for signing documents with Digital Signature. By default, you can configure the following units: Internal and CSP CryptoPro. Note that these units have different settings.

To edit the settings, click

next to the required encryption provider.

Internal Encryption Provider Settings unit

In the opened dialog box (fig. 9), specify the required parameters and click Save.

Fig. 9. Configuring internal encryption provider

Check signature algorithm compatibility:

Yes – take into account the certificate generation algorithm when checking it, and compare the selected encryption provider with the encryption provider of the current certificate.
No – do not check the certificate generation algorithm and do not compare the selected encryption provider with the encryption provider of the current certificate.

Do not check certificate for existing signatures:

Yes – each time a document page is opened, the validity of digital signature certificate is checked. If the certificate is not valid, for example, is has been revoked, the window with information about the digital signature will feature a warning (fig. 10).

Fig. 10. Information about digital signature

No – when a document page is opened, the validity of digital signature certificate is not checked.

Certification authority root certificates:

To add a root certificate thumbprint, click Add. A dialog box will open (fig. 11).

Fig. 11. Dialog box for adding a new certificate

Thumbprint* (Authority Key Identifier, SHA-1 hash of a DER-encoded open key) is used for validating user certificates. If the Server Address is specified correctly and available, you can get the Thumbprint automatically, by clicking Get from Certification Center.

The certification authority issues and validates open key certificates, provided by the system users. An open key certificate can be used to sign in to ELMA with a certificate and to sign documents with a digital signature.

Attention!

If you select a certification authority that checks the open key, then only the certificates verified by this center are considered correct. If you intend to use commercial certificates, then root certificates of third-party certification authorities must be added to the trusted certificates container of the specified certification authority.

If a certification authority is not selected, the user certificate is checked in chain order until the certification authority root certificate, added to the trusted certificates container on the user's computer. The user certificate is verified, if the root certificate of the certification authority that issued the user certificate is added to the trusted certificates container on the user's computer.

first part - name or IP address of the computer on which the certification authority is installed (fig. 11: "127.0.0.1");
second part - certification authority name (fig. 11: "CertAuth2003").

To edit existing thumbprints of the root certificate, click

, to delete –

CryptoPro Settings unit

In the opened dialog box (fig. 12), configure the required parameters and click Save.

Fig. 12. CryptoPro settings

Time Stamp Service Address – the address of the time stamp service, used for adding a time stamp to the signed document, which will be used to validate the signature integrity.