
Windows signature

This cryptographic provider uses the Windows cryptographic infrastructure (the Windows certificate store and the Windows cryptographic APIs) to access signing certificates and their private keys and to perform the cryptographic operations.

Supported signature standards

The Windows cryptographic provider can produce the following digital signature types:

  • PAdES-B-B: Basic digital signature that requires neither a time-stamp from a time-stamp authority (TSA) nor revocation information (CRL, OCSP).
  • PAdES-B-T: Digital signature with a signature time-stamp token obtained from a TSA.
  • PAdES-B-LT/LTA: Digital signature with a time-stamp token and the validation data (certificates and revocation information) embedded in the document, so that it can still be validated after the certificates have expired. LTA additionally protects that validation data with a document time-stamp.
info

The signing certificate must be installed in the certificate store of the Windows user account under which the service runs, so that it is visible in that account's session. A certificate installed only in the store of another account (for example, the administrator who configures the service) is not found by the service.

Configure Windows signature

The following sections provide configuration examples and detailed descriptions of each configuration option in the Identity settings section.

Configuration examples

This section includes screenshots from the Conversion Service Configurator with configuration details of each signature type provided by the Windows cryptographic provider.

  • PAdES-B-B: Basic digital signature that requires neither a TSA time-stamp nor revocation information (CRL, OCSP).

    [Screenshot: Windows signature configuration of PAdES-B-B]
  • PAdES-B-T: Digital signature with a time-stamp token.

    [Screenshot: Windows signature configuration of PAdES-B-T]
  • PAdES-B-LT/LTA: Digital signature with a time-stamp token and signature validation data.

    [Screenshot: Windows signature configuration of PAdES-B-LT/LTA]

Identity settings

The following sections describe specific configuration options in the identity section of the digital signature configuration.

Common Name

The name of the signing certificate, that is, the common name (CN) of the certificate subject, with limited support for placeholders.

Thumbprint

The SHA-1 thumbprint (also called fingerprint) of the signing certificate, with limited support for placeholders. The thumbprint is required for certificate selection: it identifies exactly one certificate in the store. Because a renewed certificate has a different thumbprint, this value must be updated whenever the signing certificate is replaced.

note

If this value is incorrect, the error message in the service log is:

"Certificate not found in store.".

The thumbprint value must be a string of hexadecimal digits (0-9, a-f, A-F), optionally separated by spaces. You can directly use the Thumbprint value displayed in the Windows certificate dialog. Older versions of that dialog are known to prepend an invisible character to the copied value; if the service reports "Certificate not found in store." although the thumbprint looks correct, retype the value or paste it through a plain-text editor first.

Examples:

  • 005572a2d0242a0121c8dee341463a63ae9cabdf
  • 00 55 72 A2 D0 24 2A 01 21 C8 DE E3 41 46 3A 63 AE 9C AB DF

Supported placeholders:

  • [custom:<OPTION-NAME>] - A custom placeholder.
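The following PowerShell script is an added example and is not part of the Conversion Service or its documentation. It normalizes a thumbprint given in either of the forms above, looks it up in the personal stores of the current user and of the local machine, and reports whether the certificate carries a private key and which revocation URLs (CRL distribution points, OCSP responders) its extensions name. Because the service only sees the store of its own account, run the script as that account. The store paths are the standard Windows locations; the thumbprint passed on the command line is a placeholder.

```powershell
# Added example (not from the Conversion Service documentation): check that the
# thumbprint you are about to configure selects exactly one usable certificate in
# the store of the account the service runs under. Run as that account, because
# Cert:\CurrentUser is per user.
param(
    # Either form from the documentation is accepted, including the spaced form
    # shown by the Windows certificate dialog. Placeholder value, replace it.
    [string]$Thumbprint = "00 55 72 A2 D0 24 2A 01 21 C8 DE E3 41 46 3A 63 AE 9C AB DF",
    [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
)

# Reduce the value to the 40 upper-case hex digits the store compares against:
# drop spaces and any invisible characters (older certificate dialogs prepend
# U+200E when the value is copied), then validate the length.
function ConvertTo-NormalizedThumbprint {
    param([string]$Value)
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint must be 40 hex digits (SHA-1); got $($clean.Length) after cleanup: '$Value'"
    }
    return $clean
}

# Return every certificate in the given stores whose thumbprint matches.
function Find-SigningCertificate {
    param([string]$Thumbprint, [string[]]$Stores)
    $wanted = ConvertTo-NormalizedThumbprint $Thumbprint
    $found = @(foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $wanted } |
            ForEach-Object { [pscustomobject]@{ Store = $store; Certificate = $_ } }
    })
    return ,$found
}

# Extract http(s) URLs from the CRL Distribution Points (2.5.29.31) and
# Authority Information Access (1.3.6.1.5.5.7.1.1) extensions. These are the
# endpoints the service must reach when revocation information is added.
function Get-RevocationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $urls = foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
            [regex]::Matches($ext.Format($false), 'https?://[^\s,)]+') | ForEach-Object { $_.Value }
        }
    }
    return ,@($urls | Sort-Object -Unique)
}

"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
$hits = Find-SigningCertificate -Thumbprint $Thumbprint -Stores $Stores
if ($hits.Count -eq 0) {
    # Same condition the service reports in its log.
    Write-Error "Certificate not found in store (checked: $($Stores -join ', '))."
    exit 1
}
foreach ($hit in $hits) {
    $cert = $hit.Certificate
    [pscustomobject]@{
        Store          = $hit.Store
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        Expired        = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey  = $cert.HasPrivateKey      # without it the provider cannot sign
        RevocationUrls = (Get-RevocationUrls -Certificate $cert) -join ' '
    }
}
```

`HasPrivateKey` is the check that matters most: a certificate imported from a .cer file matches the thumbprint but has no key to sign with. If the certificate appears only under `Cert:\CurrentUser\My` of a different account, import it into the store of the service account rather than copying the thumbprint.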

TSA

The URL of the trusted time-stamp authority (TSA) from which the time-stamp token is requested.

note

Applying a time-stamp requires an online connection from the service to the TSA; configure the firewall accordingly.

If a web proxy is used, ensure that it passes requests and responses with the following MIME types, which RFC 3161 defines for time-stamping over HTTP:

  • application/timestamp-query
  • application/timestamp-reply
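To verify the firewall and proxy path before enabling time-stamping, the following added PowerShell script (not part of the Conversion Service) sends a minimal RFC 3161 time-stamp request for a SHA-256 hash to a TSA with the MIME types above and checks that a reply with the expected MIME type and a "granted" status comes back. The TSA URL and proxy address are placeholders to be replaced with your own; only a hash of a constructed message is sent, never a document.

```powershell
# Added example (not from the Conversion Service documentation): probe a TSA
# through the firewall/proxy with a real RFC 3161 exchange.
param(
    [string]$TsaUrl = "https://tsa.example.com/tsr",   # placeholder, use your TSA
    [string]$Proxy  = ""                                # e.g. "http://proxy.corp:8080"
)

# Build a DER-encoded TimeStampReq (RFC 3161, 2.4.1):
#   SEQUENCE { version INTEGER 1, messageImprint MessageImprint, certReq BOOLEAN TRUE }
# All lengths stay below 128 bytes, so short-form DER lengths suffice.
function New-TimeStampRequest {
    param([byte[]]$Data)
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Data)   # 32 bytes
    # AlgorithmIdentifier for sha256 (OID 2.16.840.1.101.3.4.2.1) with NULL parameters
    $algId   = [byte[]](0x30,0x0D, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00)
    $imprint = [byte[]]([byte[]](0x30, ($algId.Length + 2 + $digest.Length)) + $algId +
                        [byte[]](0x04, $digest.Length) + $digest)
    $body    = [byte[]]([byte[]](0x02,0x01,0x01) + $imprint + [byte[]](0x01,0x01,0xFF))
    return ,([byte[]]([byte[]](0x30, $body.Length) + $body))
}

# POST the request with the RFC 3161 content types; the reply is written to a
# temporary file so the raw DER bytes are available on every PowerShell version.
function Invoke-TimeStampRequest {
    param([string]$Url, [byte[]]$Request, [string]$ProxyUrl)
    $tmp = [System.IO.Path]::GetTempFileName()
    $params = @{
        Uri = $Url; Method = 'Post'; Body = $Request
        ContentType = 'application/timestamp-query'
        Headers = @{ Accept = 'application/timestamp-reply' }
        OutFile = $tmp; PassThru = $true; UseBasicParsing = $true
    }
    if ($ProxyUrl) { $params.Proxy = $ProxyUrl; $params.ProxyUseDefaultCredentials = $true }
    $resp = Invoke-WebRequest @params
    $bytes = [System.IO.File]::ReadAllBytes($tmp)
    Remove-Item $tmp
    return [pscustomobject]@{ ContentType = [string]$resp.Headers['Content-Type']; Bytes = $bytes }
}

# Decode one DER tag/length header at $Offset; returns where the content starts and its length.
function Read-DerHeader {
    param([byte[]]$Bytes, [int]$Offset)
    $len = [int]$Bytes[$Offset + 1]
    $pos = $Offset + 2
    if ($len -band 0x80) {                      # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$pos + $i] }
        $pos += $n
    }
    return @{ Content = $pos; Length = $len }
}

# TimeStampResp ::= SEQUENCE { status PKIStatusInfo, timeStampToken OPTIONAL }
# PKIStatusInfo ::= SEQUENCE { status INTEGER, ... }   0 = granted, 1 = grantedWithMods, 2+ = failure
function Get-PkiStatus {
    param([byte[]]$Reply)
    $outer  = Read-DerHeader -Bytes $Reply -Offset 0
    $status = Read-DerHeader -Bytes $Reply -Offset $outer.Content
    if ($Reply[$status.Content] -ne 0x02) { throw "Reply is not a TimeStampResp (bad PKIStatusInfo)" }
    $int = Read-DerHeader -Bytes $Reply -Offset $status.Content
    return [int]$Reply[$int.Content]            # status values are single-byte INTEGERs
}

$request  = New-TimeStampRequest -Data ([System.Text.Encoding]::UTF8.GetBytes("constructed connectivity check"))
$reply    = Invoke-TimeStampRequest -Url $TsaUrl -Request $request -ProxyUrl $Proxy
if ($reply.ContentType -notlike 'application/timestamp-reply*') {
    throw "TSA or proxy returned Content-Type '$($reply.ContentType)' instead of application/timestamp-reply"
}
$names  = @('granted','grantedWithMods','rejection','waiting','revocationWarning','revocationNotification')
$status = Get-PkiStatus -Reply $reply.Bytes
"TSA $TsaUrl answered with PKIStatus $status ($($names[$status])) through the configured path"
```

A wrong Content-Type in the reply (typically `text/html`) means the proxy or a captive portal answered instead of the TSA; an HTTP error from `Invoke-WebRequest` points at the firewall or proxy rules rather than at the service configuration.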

Add Revocation Information

Whether to add revocation information (OCSP responses, CRLs) to the document time-stamp signature, for example to produce a signature with Long Term Validation (LTV) enabled. Collecting this information requires online access from the service to the OCSP responders and CRL distribution points of the certificate chain.

Signature-level

The signature level is a general setting for every signature provider. Review Signature level for more information.