Digital Signatures

Overview

A digital signature is a way to indicate that a document is authentic, has been signed by a particular person, and has not been modified since the signature was applied.

Note: The digital signatures feature will only be available if your Laserfiche Server is licensed for it.

How they work

When a document is digitally signed, a hash of the signed content (image pages, the electronic file, and other signature information) is created. The signing certificate is then used to sign the hash, and the result is stored in the database. This hash is used to verify the contents of the document during signing validation. This allows you to sign the document without modifying the document contents themselves. The signing certificate also uses a certificate chain to connect the user certificate to a certificate authority. The certificate authority is the end of the certificate chain: if the chain is intact and valid, and the certificate authority is trustworthy, then the certificate can be trusted--and, by extension, the signature can be trusted and the document's contents can be verified as consistent with the state it was in when it was signed.

In order for users to be able to sign documents, they must have personal certificates in their Windows certificate store that connect them to a valid certificate authority. You can choose whether to use a third-party certificate authority or to manage your own internal public key infrastructure as your certificate authority.

Once you have decided on a certificate authority, you will need to push out your certificates to the users who will need to sign documents. You can do this using Windows' certificate management tools.

Note: A digital signature in Laserfiche signs the document's electronic document content, page images, signature comments, and signing images. It does not sign page text, metadata, or annotations. Page text, metadata and annotations can be modified without invalidating the signature; electronic document contents, page images, and signature details cannot.

Usage examples

Digital signatures can be used in a variety of ways. For instance, a manager might use a digital signature to indicate that they have approved a document; validating the digital signature would verify that it is indeed that person who approved the document, and that the document has not been further modified since its approval. Alternately, a user might sign documents after importing them, in order to indicate that the import process is complete and all relevant information has been included, and that signature could be validated to see whether changes have been made to the document since its import. In addition, users can sign an entire briefcase during the briefcase export operation, allowing another user to validate its contents before importing it.

Managing Digital Signature Certificates

The Digital Signature Certificate Store

The Digital Signature Certificate Store contains the signing certificates used to sign documents in the repository. In the certificate store, you can review the certificates that have been used, manually add new certificates, or remove invalid certificates.

It is not necessary to manually add certificates to the store before they can be used.  The contents of the Digital Signature Certificate Store reflect the contents of Windows Certificates on the Laserfiche Server computer. When a user uses a valid signing certificate to sign a document, the certificate will automatically be copied to the repository's certificate store. For the most part, you will only need to work in the certificate store if you need to find information about a particular certificate or for troubleshooting purposes.

Note: The certificate store will only be present in your repository if your Laserfiche Server is licensed for digital signatures.

The certificate store will display the following information for each certificate:

  • Issued To: The user or organization to whom the certificate was issued.
  • Issued By: The certificate authority that issued the certificate.
  • Valid From: The start date and time for the certificate's validity.
  • Valid To: The end date and time for the certificate's validity.
  • Algorithm: The algorithm used to produce signatures with this certificate.  This will be either RSA or DSA.
  • Key Size: The size in bits of the RSA or DSA key.
  • Thumbprint: The thumbprint used by this signing certificate.

Adding a certificate

You can manually add a certificate to the certificate store. While this is not generally necessary (the Laserfiche Server will automatically copy certificates users sign documents with), you may choose to do so for advanced certificate management or troubleshooting reasons.

To add a certificate to the Digital Signatures Certificate Store

  1. Start the Laserfiche Administration Console.  
  2. In the console tree, expand the desired Laserfiche Server item.
  3. Select the desired Laserfiche repository.
  4. If security has been enabled on that repository, log in as any user who has been granted the Manage Certificates privilege for the specified repository.
  5. Expand the Metadata Management node.
  6. Select the Digital Signature Certificate Store node.

  7. From the Action menu, select New Certificate, or right-click and select New Certificate.
  8. Select your certificate in one of the following ways:
    • Select Retrieve certificate from this machine's certificate store, then click the Browse button (...) to select your certificate from the list.
    • Select Import file, then click the Browse button (...) to browse to the Certificate (.cer) file containing the certificate you want to add.
  9. Click OK to import your certificate.

Removing a certificate

If necessary for troubleshooting purposes, a user with the Manage Certificates privilege can remove certificates from the certificate store.

To remove a certificate

  1. Start the Laserfiche Administration Console.  
  2. In the console tree, expand the desired Laserfiche Server item.
  3. Select the desired Laserfiche repository.
  4. If security has been enabled on that repository, log in as any user who has been granted the Manage Certificates privilege for the specified repository.
  5. Expand the Metadata Management node.
  6. Select the Digital Signature Certificate Store node.
  7. Select the certificate to delete.
  8. From the Action menu, select Delete, or press the DELETE key.
  9. Confirm the deletion of the selected certificate.