Electronic signature, digital signature, public-key signature: they all refer to authenticating digitally stored data. It's like your handwritten signature on a letter or cheque. We trust the signed document (or cheque) to be authentic. A copy of the document should not be considered authentic, or would you cash a copy of a cheque? For the same reason, a fax of a signed document may or may not be an authentic representation of the original. We can however make copies of the original document and have the copies certified as true representations of the original. In this case, we have a 3rd party that confirms the copy.
In a digital world, a handwritten signature has no meaning. That's where the electronic signature comes into play. One system is supported by about all manufacturers: the public key infrastructure (PKI) using an x.509 certificate, the digital certificate. The x.509 certificate is supported by all manufacturers, but each has its own implementation. This makes the setup a challenge at times. Before we review the implementation, a few basics about electronic signatures and digital certificates.
Electronic signatures are used for:
Authenticity
The sender's (originator's) private key is used to add a signature to the data. This signature uniquely authenticates the sender. The recipient can be confident that the data was composed by the sender.
Integrity
The electronic signature is unique to the data. Any alteration invalidates the signature. Both parties can be sure that the information is unchanged.
Non-repudiation
Once signed, I cannot revoke the validity or claim that I didn't sign the data.
The x.509 digital certificate contains:
Private key
The private key is a digital crypto key which has to be protected at all times. Anyone having access to your private key could claim your identity.
Public key
This is the counterpart to the private key. Data that is protected with the private key must be validated with the public key, and vice versa. The public key can be freely distributed.
Certificate Authority
These are the guys that issue the private/public keys and sign them with their own certificate. These are usually well-established institutions such as Entrust, Verisign and Thawte. You can purchase certificates from these institutions. The Certificate Authority can be anyone, even your own organization. There is no technical reason why you need to purchase the certificates.
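The three properties above (authenticity, integrity, non-repudiation) and the roles of the private key, the public key and the Certificate Authority can be seen end to end in the following added example. It is not code from the original article: it implements textbook RSA signing with fixed Mersenne primes so that it runs offline with nothing but the Python standard library, and the names "Example CA", "alice@example.com" and the sample document are constructed for the walk-through. The primes are chosen for reproducibility, not security, and real signing uses the CA-issued x.509 certificates the article goes on to set up.

```python
import hashlib
from dataclasses import dataclass

# Fixed primes for reproducibility: 2^127-1, 2^521-1, 2^89-1, 2^607-1, 2^107-1
# and 2^1279-1 are all Mersenne primes.  Predictable primes are useless for a
# real key; they only make this walk-through run offline with no extra library.
CA_PRIMES = ((1 << 127) - 1, (1 << 521) - 1)
ALICE_PRIMES = ((1 << 89) - 1, (1 << 607) - 1)
OTHER_PRIMES = ((1 << 107) - 1, (1 << 1279) - 1)
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(primes):
    """Textbook RSA key pair: n = p*q, d = e^-1 mod phi(n)."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return PrivateKey(n, d), PublicKey(n, E)


def _digest(data: bytes) -> int:
    """SHA-256 of the data as an integer (smaller than every n used here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv: PrivateKey, data: bytes) -> int:
    """Signing = applying the private key to the hash of the data.
    Only the holder of the private key can produce this value, which is
    what gives the signature its non-repudiation property."""
    return pow(_digest(data), priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """Verification = applying the public key and comparing with a fresh hash."""
    return sig < pub.n and pow(sig, pub.e, pub.n) == _digest(data)


@dataclass(frozen=True)
class Certificate:
    """Simplified certificate: the CA vouches for the (subject, public key) pair."""
    subject: str
    key: PublicKey
    issuer: str
    signature: int


def _to_be_signed(subject: str, key: PublicKey) -> bytes:
    # Fixed encoding of the fields the CA signs (hypothetical, not x.509 DER).
    return f"{subject}|{key.n}|{key.e}".encode()


def issue_certificate(issuer, ca_priv, subject, subject_pub):
    return Certificate(subject, subject_pub, issuer,
                       sign(ca_priv, _to_be_signed(subject, subject_pub)))


def verify_certificate(cert, trusted_ca_pub):
    return verify(trusted_ca_pub, _to_be_signed(cert.subject, cert.key), cert.signature)


def verify_signed_document(doc, sig, cert, trusted_ca_pub):
    """Recipient's full check: the certificate chains to a CA we trust,
    and the document signature matches the key named in that certificate."""
    return verify_certificate(cert, trusted_ca_pub) and verify(cert.key, doc, sig)


def demo() -> dict:
    ca_priv, ca_pub = make_keypair(CA_PRIMES)
    alice_priv, alice_pub = make_keypair(ALICE_PRIMES)
    other_priv, _other_pub = make_keypair(OTHER_PRIMES)

    cert = issue_certificate("Example CA", ca_priv, "alice@example.com", alice_pub)
    doc = b"Pay to the order of Bob: 100.00"  # constructed sample document
    sig = sign(alice_priv, doc)

    return {
        # Authenticity: Alice's public key accepts what her private key signed.
        "authentic": verify(alice_pub, doc, sig),
        # Integrity: one changed byte and the same signature no longer verifies.
        "tampered": verify(alice_pub, b"Pay to the order of Bob: 900.00", sig),
        # A signature made with some other private key is rejected under Alice's key.
        "other_key": verify(alice_pub, doc, sign(other_priv, doc)),
        # Full chain: trusted CA -> Alice's certificate -> document.
        "chain_ok": verify_signed_document(doc, sig, cert, ca_pub),
        # A certificate for Alice's key issued by a CA the recipient does not trust fails.
        "untrusted_issuer": verify_signed_document(
            doc, sig,
            issue_certificate("Unknown CA", other_priv, "alice@example.com", alice_pub),
            ca_pub),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} {ok}")
```

The recipient only ever holds public keys: the CA's (which it trusts a priori, the equivalent of the certificate store's trusted roots) and Alice's, which it learns from the certificate the CA signed. That is why the article insists on protecting the private key while the public key can be handed out freely.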
With these explanations out of the way, we first have to get our own certificate. Let's get a free certificate from Thawte. Go to http://www.thawte.com and select > Products > Free personal E-Mail Certificates. Then follow the prompts.
Note: When you see these options or checkboxes, select them.
> Allow private key export
> Include all certificates
Feel free to get your certificate from any other Certificate Authority. I have been using the Thawte Free E-Mail certificate since August 2004. It makes no difference if you pay $10,000 or nothing at all. It is important that you take care of your certificate and protect the information with a good password, keep the private key secure and commit to using this certificate for the assigned duration.
By now we have a certificate in the Microsoft Certificate Store. I mentioned at the beginning that we have to load this certificate separately into each product. We will go through the following steps:
- Export the certificate to a file
- Import the certificate into Adobe Acrobat
- Import the certificate into Lotus Notes
There are no additional steps when you use Outlook or Internet Explorer. Both products use the Microsoft Certificate Store.
1. Export the certificate to a file
To review all your certificates, you need to configure the Microsoft Management Console. Launch the console from the Start Menu (bottom left), then select Run. Type mmc and press OK. First you need to configure the console. Click > File > Add/Remove Snap-in, then click Add. Select Certificates, click Add and select My user account. Close the window and OK the Add/Remove Snap-in window.

You should see something like above. Highlight your personal certificate (Thawte Freemail Member in my case), right-click and select Export. Follow the prompts and select Yes, export the private key and also check Include all certificates in the certification path if possible. Enter a strong password: the file that is being created is your identity.
Now we have a Personal Information Exchange file. This file contains the private and public key. Save a copy of this file in a secure location.
2. Import the certificate into Adobe Acrobat
I'm using Adobe Acrobat 6 in my examples. Select > Advanced > Manage Digital IDs > My Digital ID...
Select the Digital ID and click Add...
Note: This option reads the Microsoft Certificate Store. You could also use the file from before.
Click on Settings...
Select Always use this Digital ID and Use this Digital ID for: Signing documents.
Don't use the Encryption option.
Click OK and you will notice a pen on the ID. This indicates that this certificate will be used for signing.
All that is left is to sign the documents we create with Adobe Acrobat. Click on > Sign > Sign this document and follow the prompts. You have several options to add valuable information to the signature.
Review my sample document here and verify the signature.
There is an option to hide the signature.
3. Import the certificate into Lotus Notes
Lotus Notes stores all certificates in the ID file. Since the first release of Lotus Notes, security has been based on a private/public key pair. While the implementation is proprietary, Lotus Notes authentication works the same way as x.509 authentication. In Notes, we have to distinguish between the Notes certificates and the Internet certificates. To import our Internet certificate, click on > File > Security > User Security ...

Navigate to Your Certificates, click on Get Certificates and select Import Internet Certificates... Then follow the prompts.
Then highlight the imported certificate (under Internet Certificates) and click on Advanced. Select the certificate as the default signing certificate.
Don't forget to check Sign mail that you send in the User Preferences. The default is now that all mail you send is signed.
If you send mail within your own domain (Notes to Notes mail), the message will be signed using the Notes certificate. When you send mail outside the domain to an Internet recipient, the mail will be signed with the Internet certificate. You don't need to worry about any of these details; the system takes care of them.
First published on March 13, 2006