0

I'm building a web application that builds a XML document based on the user input. After the doc is created, it needs to follow an approval path, e.g. a workflow, where several users "sign" the document. The signature from the user point of view is just checking a field and clickin "accept", but what I need is for the document to be digitally signed in each step, to finally store it signed in a database.

What kind of devices/tools do I need to use? X.509 certificates on the client browser? Public/Private keys generated by the app? Any link to documentation will be appreciated.

dariopy
  • 568
  • 1
  • 7
  • 18
  • In modern parlance, where Browsers are no more supporting Java Applets and ActiveX, using Browser Extensions would be more appropriate. [This](https://signer.digital/SignerDigitalBrowserExtensions) page has few links to Stacks Overflow answers for achieving various signing from browsers. – Bharat Vasant Jun 01 '19 at 00:32

1 Answers1

1

Certificates are not normally generated by the application (since PKI is about trust, which is hierarchical in case of certificates). Users acquire certificates with private keys (let's say so for simplicity) and store them in the safe place or on hardware devices (smartcards, USB tokens).

Then those certificates are used to sign information. In case of web application you can either transfer the data itself to the client or send a hash of the data there, but in any case signing takes place on the client side (except rare cases where certificates are stored on central server and access to them is authorized by the client each time the certificate is used).

We offer components for distributed signing of data. This answer contains detailed description of how such signing works. You can use our solution or create your own, that will do the same.

Community
  • 1
  • 1
Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • Yeah this would be kind of what I need. I need the CLIENT to sign the document, so some kind of component (Applet maybe) should access the certificate (or PK? that part is not clear to me) and sign the document with it. For simplicity, I still plan to generate the keys/certificate by the server side application on user sign-up, but just to know, what would the alternative be? – dariopy Sep 11 '12 at 15:19
  • Yes, Java applet would access the certificate *with* a private key on the client side and use it to sign the document or document's hash. Certificates are useless if they are not trusted. If you generate them on the server, then only your server would trust them. This can be ok for you, but can be not - it depends on where those documents go then. Also you'll need to implement certificate management - revocation, storing expired certificates etc. . This is a sophisticated topic. – Eugene Mayevski 'Callback Sep 12 '12 at 06:00