Electronic Seal Administrator Guide Published:December 27, 2017

Transcription

1 Electronic Seal Administrator Guide Published:December 27, 2017

2 Copyright Version Copyright DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents refer to the DocuSign Intellectual Property page ( on the DocuSign website. All other trademarks and registered trademarks are the property of their respective holders. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of DocuSign, Inc. Under the law, reproducing includes translating into another language or format. Every effort has been made to ensure that the information in this manual is accurate. DocuSign, Inc. is not responsible for printing or clerical errors. Information in this document is subject to change without notice.

3 Table of Contents Table of Contents Overview of Electronic Seal... 6 Presentation of Electronic Seal... 6 Set Up Electronic Seal in the Administration Interface... 7 Use Electronic Seal... 8 First Steps with the Administration Interface of Electronic Seal... 8 Prerequisites... 8 Access the Administration Interface... 8 Log Out... 9 Overview of the Administration Interface... 9 Administrator Management Definition of Administrator Super Administrator, Administrator and Auditor Scope Authentication Certificate Roles Set Up Administrators Add an Administrator Modify Roles Delete an Administrator Workspace Management Overview of Workspaces Logical Name and Description Associated Service Hash Function Cryptographic System Authenticated (yes/no) Status Set Up a Workspace in Electronic Seal Search and Select a Workspace Add a Workspace Modify a Workspace Activate a Workspace Deactivate a Workspace Delete a Workspace Document Signer Management Overview of a Document Signer

4 Table of Contents Logical Name and Description Quota Counter Status Validity date Eligible DS Add a DS Search for a DS Detailed Information About a DS Advanced Search DS Modify a DS Deactivate a DS Deactivate Expired DSs Activate a DS Block a DS Signature Configuration Management Presentation of the PDF Configuration Form Signature policy Signature parameters Information about signatory Time stamping service parameters Parameters for PAdES-BASIC signature Signature Add a Signature Configuration Modify a Signature Configuration Key Management How to Obtain a Certificate Signing Request Generate a Certificate Signing Request Download a Certificate Signing Request Delete a Certificate Signing Request User Management Description of a User Logical Name and Description Certificate Status Rights Add a User Search for Users Detailed User Information Advanced Search Modify User Information

5 Table of Contents Modify User Rights Deactivate a User Activate a User Block a User Audit Electronic Seal Events and Statistics Search for Audit Events Export Audit Events Download Statistics Report Management Reports Overview Set Up a New Report Modify Reports Configuration Delete Reports Configuration Publish Reports Download Reports Settings Management Overview of the Settings Page Filters Change Settings Customize Properties Sign Data with Electronic Seal Data Signature Process Signature Request Signature Response Appendix A. Signature Formats and PDF Configuration Configure a CMS Signature Configure an XML signature Configure a XMLDSIG Signature Configure a XAdES-BES Signature Configure a XAdES-EPES Signature Configure a XAdES-T Signature Configure a XAdES-XL Signature Configure a PAdES-BASIC Signature

6 Electronic Seal Administrator Guide 6 Overview of Electronic Seal This section includes the following subsections: Presentation of Electronic Seal on page 6. Set Up Electronic Seal in the Administration Interface on page 7. Use Electronic Seal on page 8. Presentation of Electronic Seal Electronic Seal is a module of the Protect & Sign Suite. It provides digital signature for documents. With Electronic Seal, any external application can authenticate and request a CMS, PAdES Basic (PDF) or XML-DSig / XAdES signature on a document. Electronic Seal contains two interfaces : an administration interface : to add and configure signature workspaces, to manage users and administrators, to specify the external applications that are allowed to access the signature interface. a signature interface: signature requests are transmitted through this interface. Before using this interface, ensure that your workspace is properly configured and that you are allowed to issue signature requests. Figure 1.1. General Architecture of Electronic Seal Client m achine 1. Signature request 2. Response (signed data) Signature interface Adm inistration interface Elect ronic Seal Signature server Electronic Seal can be used in combination with Signature Validation, that provides a signature verification service. Depending on the selected signature format (CMS, PDF or XML-DSig /

7 Electronic Seal Administrator Guide 7 XAdES), you may also use OCSP Responder to verify whether a certificate has been revoked, and Timestamping to obtain a time-stamp token. Set Up Electronic Seal in the Administration Interface To set up Electronic Seal in the administration interface: 1. Access the administration interface. To access the administration interface, you need to present a valid certificate (see also Access the Administration Interface on page 8). 2. Add administrators in charge of performing administration tasks. If you have sufficient rights, you can delegate workspace management, Document Signer management and user management to other administrators (see also Administrator Management on page 11). 3. Add auditors. You need to have sufficient rights to add auditors in Electronic Seal (see also Administrator Management on page 11). 4. Add a DOC signature workspace. Each signature operation is performed within a specific workspace. The configuration of this workspace determines the signature format. It also determines if external applications can log on anonymously on the signature interface, or if they need to authenticate. If authentication is required, authorized users and applications need to be registered in the workspace. For more information, please refer to Workspace Management on page Add one or more Document Signers in your workspace. In Electronic Seal, the Document Signer signs documents. If you do not have the certificate required to add a Document Signer, you can use the administration interface to generate a CSR (see Key Management on page 37) and transmit it to an external registration authority. 6. Configure the signature format that will be used in your workspace. To configure your workspace, fill in the PDF form that was provided with the product. For instance, to configure a XAdES-T signature, use the PDF form to indicate the parameters of the time-stamping service. Once the form is duly completed, upload it on the administration interface. For more information, please refer to Signature Configuration Management on page Add the users and applications that are allowed to submit signature requests in this workspace.

8 Electronic Seal Administrator Guide 8 If your workspace requires authentication, then only registered users and applications can access the signature interface. For more information, please refer to User Management on page If necessary, you can add another workspace. To do so, go back to Step 4. You may need to add another workspace if you want to use a different authentication mode, for instance. Use Electronic Seal To sign data with Electronic Seal, users need to send a request to the signature interface. When the request is received, the interface checks the validity of the request. If the request is valid, Electronic Seal sends back the signed data. For more information, please refer to Sign Data with Electronic Seal on page 55. First Steps with the Administration Interface of Electronic Seal To access the administration interface, you need a web browser and an authentication certificate. For more information, contact your administrator. Prerequisites Before using the administration interface, ensure that the following recommendations are followed. Firewall If you use a personal firewall, deactivate the web filter. Access the Administration Interface The administration interface is accessible through a web server that uses the HTTPS protocol. To access the interface: 1. Enter the following URL in the address bar of your web browser: where WebServerHost is the host name given to the web server during network configuration (see Installation Guide). 2. If your browser requires it, select your administrator certificate to authenticate on the administration interface. Once authenticated, you are redirected to the first available workspace. The name of the workspace is indicated in the workspace frame (see also Figure 1.2, Administration interface on page 9). If you have access to other workspaces, you can select another one from the workspace list (see Search and Select a Workspace on page 17). You can also perform the audit or administration operations that are available. ^

9 Electronic Seal Administrator Guide 9 Note: : If you are the first person to access the administration interface, you are redirected to the Administrator management menu. As no administrator has been created yet, you are invited to add a super administrator. This super administrator can then create other administrators and set up the administration interface of Electronic Seal. For more information, please refer to Administrator Management on page 11. Note: : If you fail to access the administration interface, contact your administrator. Log Out To end your session on the administration interface, click the log out link (see Figure 1.2, Administration interface on page 9). Overview of the Administration Interface The administration interface contains the following elements: Actor identification frame: contains your identification information (common name, role). Workspace frame: contains information on the current workspace. Administration menus: displays the administration menus to which you have access. Figure 1.2. Administration interface Actor identification fram e Workspace fram e Log out icon Language selection icons Adm inistration m enus The administration menus to which you have access depend on your role. You may have access to the following menus: Administrator management to add administrators and modify their rights.

10 Electronic Seal Administrator Guide 10 Workspace management to add, view or modify workspaces. DS management to add, activate, deactivate, modify or block signing entities. Document signature management to upload the signature configuration form. Key management to generate key pairs on a cryptographic device and collect the corresponding CSRs. User management to create, view, activate or deactivate users that are allowed to use Electronic Seal. Audit to view the operations performed in a workspace and download production statistics. Settings to display and edit the properties specific to the Protect & Sign Suite and to the Electronic Seal module. Note: : If some of these menus do not appear on your interface, this means that you do not have the corresponding roles. For more information, contact your administrator.

11 Electronic Seal Administrator Guide 11 Administrator Management The Administrator management menu is used to create, modify and delete administrators. It is also used to manage their roles. The following operations can be performed: Add an Administrator on page 13. Modify Roles on page 13. Delete an Administrator on page 14. For more information on administrators, please refer to Definition of Administrator on page 11. Note: : you need to have the Administrator management role to access the Administrator management menu. Definition of Administrator An administrator is a user of the administration interface. Administrators have one or more roles that determine the menus to which they have access on the administration interface. These menus allow them to perform specific operations. For instance, one administrator can be in charge of auditing operations, a second administrator can be in charge of managing workspaces and a third administrator can be in charge of both operations (audit and workspace management). Administrators are created with the Administrator management menu. Important: : people chosen to be administrators should be trustworthy, working full-time and have at least one year of experience within the company. Super Administrator, Administrator and Auditor There are three types of administrators: Super administrators: they have the Administrator management role. Only super administrators have access to the Administrator management menu to add, modify or delete administrators, super administrator or auditors. The first user that accesses the administration interface after its installation is automatically registered as super administrator. This first super administrator is then in charge of adding administrators, super administrators and auditors. Administrators: they can perform specific administration operations (key management, workspace management,etc.). They have one or more of the following roles: Workspace management, Key management, DS management, User management. Auditors: they have the Audit management role and have access to the Audit menu. Auditors are in charge of analyzing the events in one or more workspaces. In some cases, they also have access to statistics. Note: : for more information on roles, please refer to Table 2.1, Roles on page 12

12 Electronic Seal Administrator Guide 12 Scope Roles apply on all workspaces and all modules of the Protect & Sign Suite. Authentication Certificate Administrators use their certificates to authenticate to the administration interface. The certificate must be valid and the issuing CA must be declared as trusted on the web server. Only the distinguished name (DN) and the common name (CN) of the certificate are stored in the database. When a certificate is renewed, if the new certificate has the same DN as the old certificate, then the new certificate does not need to be uploaded on the Protect & Sign Suite. Roles Roles define the menus that each administrator can access and the operations they may perform. Administrators may be granted one or several roles. These roles can be modified by a super administrator at any moment. Table 2.1. Roles Administrator management Workspace management Role Menu(s) that can be accessed Operations that can be performed Administrator management Workspace management Create, modify and delete administrators, super administrators and auditors (see also Super Administrator, Administrator and Auditor on page 11). Create, modify and delete workspaces (see also Workspace Management on page 15). Key management Key management. Generate key pairs on the cryptographic device and collect the associated CSRs in PKCS#10 format (see also Key Management on page 37). DS management DS management Document signature management Register, modify and delete signing entities in the Protect & Sign Suite (see also Document Signer Management on page 21). The DS management role also grants access to the Document signature management menu to configure signature parameters. User management User management Register, modify and delete users that are allowed to issue requests (see also ). Audit management Audit Monitor audit events and download statistics (see Audit Electronic Seal on page 48). Set Up Administrators Before adding administrators, it may be useful to make a list of people that should be administrators and to define the roles of each administrator (see Table 2.1,

13 Electronic Seal Administrator Guide 13 Roles on page 12). You should also ensure that each administrator has the appropriate certificate to access the administration interface. 1. Make a list of the people that will be administrators and define the roles of each administrator. Roles are described in Table 2.1, Roles on page If necessary, generate the certificates associated with your administrators. These certificates are required to save the administrators in the database. 3. Log on the administration interface and add your administrators (see Add an Administrator on page 13). If you are accessing the administration interface for the first time, you are redirected to the Administrator creation page. The first administrator to be added in the database must be a super administrator with the Administrator management role. 4. Once you have registered your administrators, you may proceed to the creation of workspaces (see Workspace Management on page 15). Add an Administrator To add an : 1. Click Administrator management Administrator creation to display the Administrator creation page. 2. Click Browse and select the certificate of the. 3. Specify the roles that will be granted to this. Roles apply on all workspaces and all modules of the Protect & Sign Suite. 4. Click Create. The following message is displayed: Do you really want to create the administrator? 5. Click OK. The Administrator creation page is displayed with the following message: The administrator was inserted successfully. Modify Roles To modify the roles of an administrator: 1. Click Administrator management Administrator list. 2. Select the administrator from the list. The Administrator edition page displays information about the selected administrator.

14 Electronic Seal Administrator Guide Modify the roles (see also Table 2.1, Roles on page 12). There must be at least one super administrator on the Protect & Sign Suite. This means that, if there is only one super administrator remaining, you cannot remove their Administrator management role. 4. Click Edit. A confirmation message is displayed: Do you really want to modify this administrator? 5. Click OK. The following message is displayed on the information page of the administrator: The administrator has been modified successfully. Delete an Administrator Important: : there must be at least one super administrator on the Protect & Sign Suite. This means that, if there is only one super administrator remaining, you cannot delete him. To delete an administrator: 1. Click Administrator management Administrator list. 2. Select the administrator from the list and click. The following message is displayed: Do you really want to delete the administrator? 3. Click OK. The administrator has been deleted. The following message is displayed on top of the Administrator list page: The administrator has been deleted sucessfully.

15 Electronic Seal Administrator Guide 15 Workspace Management When you log on Electronic Seal, you are redirected to the workspace list of the Workspace management menu. This menu allows you to: Add a Workspace on page 17. Modify a Workspace on page 19. Activate a Workspace on page 19. Deactivate a Workspace on page 20. Delete a Workspace on page 20. For more information on workspace properties, please refer to Overview of Workspaces on page 15. Note: : you need to have the Workspace management role to access the Workspace management menu. Overview of Workspaces A workspace is a logical domain where signature requests can be separated by authentication mode (or by URL) and by signature policy. A signature policy defines a set of rules that must be followed when generating a signature. This policy is configured with a PDF file that must be uploaded on Electronic Seal in the Configuration submenu of Document signature management. Each workspace has the following properties: a logical name and a description; an associated service; a hash function; a cryptographic system; a URL address; a status. Logical Name and Description The logical name is the name of the workspace that is displayed in the administration interface. To set a logical name, you can use up to 64 alphanumeric lowercase/uppercase characters ([a-z] [A-Z] [0-9]) including - * or =. Accented characters are forbidden. A workspace can also have a description. The description of a workspace can be used to give additional information on the workspace. The description is displayed in the workspace list. This field can contain a maximum of 1,024 characters.

16 Electronic Seal Administrator Guide 16 Associated Service The service associated to a workspace determines the features that are available in this workspace. Electronic Seal uses the DOC signature service. Hash Function When you create a workspace, you need to select a hash function for signatures. By default, the selected hash function is SHA-1. Cryptographic System The cryptographic system of a workspace determines the encryption method used for signatures. By default, the selected cryptographic system is RSA Authenticated (yes/no) Each workspace has an URL address. This property indicates if the URL of the workspace is accessed in secure mode (HTTPS, authenticated) or not (HTTP). In an authenticated workspace, users must be declared on the User management page. In an unauthenticated workspace, any user can use the module. Status When you create a workspace, you can decide if it is immediately operational (active) or if it is first inactive. Set Up a Workspace in Electronic Seal To set up a workspace in Electronic Seal: 1. Add a DOC signature workspace (see also Add a Workspace on page 17). Each signature operation is performed within a specific workspace. The configuration of this workspace determines the signature format. It also determines if external applications can log on anonymously on the signature interface, or if they need to authenticate. 2. Add one or more Document Signers in the workspace (see also Document Signer Management on page 21). In Electronic Seal, the Document Signer signs documents. If you do not have the certificate required to add a Document Signer, you can use the administration interface to generate a CSR (see Key Management on page 37) and transmit it to an external registration authority. 3. Configure the signature format of the workspace. The signature format and parameters are configured with a PDF form. For instance, to configure a XAdES-T signature, use the PDF form to indicate the parameters

17 Electronic Seal Administrator Guide 17 of the time stamping service. Once the form is duly completed, upload it on the administration interface. For more information, please refer to Signature Configuration Management on page Add the users that are allowed to issue signature requests in this workspace. If your workspace requires authentication, then only registered users can access the signature interface (see also User Management on page 40). 5. If necessary, you can add another workspace. To do so, go back to Step 1. Search and Select a Workspace To select a workspace: 1. Click Workspace management Workspace list. 2. On the Workspace list page, select the workspace you want to use. You can also search a workspace depending on: its logic name; its associated service; its associated customer. The selected workspace displays in the Actual Workspace frame, it appears next to the Service label. 3. Click Back or any other menu to leave the Workspace edition page and continue in this workspace. Add a Workspace To add a workspace: 1. Click Workspace management Workspace creation to display the Workspace creation page. 2. Fill in the properties of your workspace. Table 3.1. Workspace properties Logic name Property Description The logical name is the name of the workspace that is displayed in the administration interface. To set a logical name, you can use up to 64 alphanumeric lowercase/uppercase characters

18 Electronic Seal Administrator Guide 18 Description Service name Property Hash to use for signatures Cryptographic system to use for signatures Authenticated (yes/no) Status Description ([a-z] [A-Z] [0-9]) including - * or =. Accented characters are forbidden. The description of a workspace can be used to give additional information on the workspace. The description is displayed in the workspace list. This field can contain a maximum of 1,024 characters. The service associated to a workspace determines the features that are available in this workspace. When you create a workspace, you need to select a hash function for signatures. By default, the selected hash function is SHA-1. The cryptographic system of a workspace determines the encryption method used for signatures. By default, the selected cryptographic system is RSA Each workspace has an URL address. This property indicates if the URL of the workspace is accessed in secure mode (HTTPS, authenticated) or not (HTTP). When you create a workspace, you can decide if it is immediately operational (active) or if it is first inactive. Company name (mandatory) Name of the organization. Cannot exceed 128 characters. Registration Number Company Identifier (mandatory) Registration number of the organization (SIREN or SIRET French number for example). Organization identifier. It is used to name the record that contains the signature operations (see also Developer Guide). Billing Address Contact person's last name Contact person's first name Contact person's title Contact person's Contact person's phone number Contact person's address Organization identifiers support alphanumeric characters, hyphens, underscores and periods. They cannot exceed 24 characters. Accented characters are not supported.. Address to which the invoices are sent Last name of the contact person in the organization. Cannot exceed 64 characters First name of the contact person in the organization. Cannot exceed 64 characters Role of the contact person in the organization. Cannot exceed 64 characters address of the contact person Phone number of the contact person Address of the contact person

19 Electronic Seal Administrator Guide Click Create. The following message is displayed: Do you really want to create the workspace? 4. Click OK. Your workspace has been created. The following message is displayed on top of the Workspace edition page: The client space was inserted successfully. Modify a Workspace To modify a workspace: 1. Click Workspace management Workspace list. 2. Select the workspace you want to modify. 3. On the Workspace edition page, modify the information of your workspace (see Table 3.1, Workspace properties ). 4. Click Edit. The following message is displayed: Do you really want to modify this workspace? 5. Click OK. Your workspace has been updated. The following message is displayed on top of the Workspace edition page: The workspace has been modified successfully. Activate a Workspace To activate a workspace: 1. Click Workspace management Workspace list. 2. Select the workspace you want to activate. 3. On the Workspace edition page, click Activate. The following message is displayed: Do you really want to enable this workspace? 4. Click OK. Your workspace has been activated. The following message is displayed on top of the Workspace edition page: The workspace has been enabled successfully.

20 Electronic Seal Administrator Guide 20 Deactivate a Workspace To deactivate a workspace: 1. Click Workspace management Workspace list. 2. Select the workspace you want to deactivate. 3. On the Workspace edition page, click Deactivate. The following message is displayed: Do you really want to disable this workspace? 4. Click OK. Your workspace has been deactivated. The following message is displayed on top of the Workspace edition page: The workspace has been disabled successfully. Delete a Workspace Important: : when you delete a workspace, all the elements created in this workspace (users, keys, etc.) are deleted. To delete a workspace: 1. Click Workspace management Workspace list. 2. In the workspace list, locate the workspace you want to delete and click on. 3. On the Workspace deletion page, click Delete. The following message is displayed : Do you really want to delete the workspace? 4. Click OK. Your workspace has been deleted. The following message is displayed on top of the Workspace list page: The workspace has been deleted sucessfully.

21 Electronic Seal Administrator Guide 21 Document Signer Management Electronic Seal uses Document Signers to sign data. The DS management menu allows you to: Add a DS on page 23. Search for a DS on page 24. Modify a DS on page 26. Deactivate a DS on page 27. Deactivate Expired DSs on page 28. Activate a DS on page 28. Block a DS on page 29. For more information on DSs, refer to Overview of a Document Signer on page 21. Note: : you need to have the DS management role to access the DS management menu. Overview of a Document Signer A DS (Document Signer) is associated to a certificate. It signs documents. A DS has the following properties: a logical name and a description; a quota ; a counter ; a status ; a period of validity. To be functional, a DS must be eligible. The selected eligible DS corresponds to DSs whose remaining validity period is the biggest. For more information on eligibility, refer to Eligible DS on page 23. Logical Name and Description The logical name of a DS is the name that appears in the user interface. To set a logical name, you can use up to 64 alphanumeric lowercase/uppercase characters ([a-z] [A-Z] [0-9]) including - * or =. Accented characters are forbidden. When you add a new DS, you can give additional information on the DS in the Description field. This field can contain a maximum of 1,024 characters.

22 Electronic Seal Administrator Guide 22 Quota The Quota field determines the maximum number of signatures the DS is allowed to produce. Every newly created DS has a fixed quota of To modify your quota, you must edit your DS. Counter The counter of a DS counts the number of signatures produced by the DS. Status The status of a DS is determined by a pair of values: the status of the certificate and the functional status of the DS. It appears as: [DS certificate status]; [functional status of theds] For instance, the status valid; activated indicates that the DS certificate is valid and that the DS is functional. Note: : in the document signing process, the revocation status of certificates is not verified. Therefore, a certificate indicated as valid is valid in time (not expired) but it may have been revoked. Table 4.1. DS certificate status valid expired Status Description Indicates that the DS certificate is valid. Indicates that the DS certificate is expired. Table 4.2. Functional status of a DS activated deactivated blocked Status Description When a DS is activated, it is fully functional and can produce signatures. When a DS is deactivated, it cannot produce any signature but it can be reactivated at any time (see Activate a DS on page 28). When a DS is blocked, it can no longer be used. A blocked DS is permanently deactivated. Blocking a DS does not revoke the associated certificate but prevents the DS from signing documents. Validity date Each DS is associated with a certificate that has a specific period of validity.

23 Electronic Seal Administrator Guide 23 Eligible DS A DS is eligible if: its functional status is activated; its quota has not been exceeded; its certificate status is valid. If at least one of those conditions is not met, the DS is not eligible and cannot produce any signature. If a DS becomes ineligible while in use, the application switches automatically to the next eligible DS. Add a DS Important: : To add a new DS in your workspace, you need to upload its certificate. You also need to ensure that the key pair of the certificate is on the cryptographic device (see also Key Management on page 37). To add a DS: 1. Click DS management Manual upload to display the Register DS page. 2. Click Browse and select the certificate associated with the DS. The certificate must comply with the X.509 standard and must be a binary or Base64 file.. 3. Click Next. An information page displays the DN, period of validity and status of the certificate. 4. Click Next. 5. Give a name and a description to your DS. To set a logical name, you can use up to 64 alphanumeric lowercase/uppercase characters ([a-z] [A-Z] [0-9]) including - * or =. Accented characters are forbidden. The description field is optional. This field can contain a maximum of 1,024 characters. 6. Select the status of your DS. Check Yes to activate it or No to deactivate it. 7. Choose whether you want to check that the key associated to your DS certificate is stored in the cryptograhic server. Note that the time required for the verification process depends on the performance of your cryptographic system. 8. Click Create. The following message is displayed: Do you really want to register the DS?

24 Electronic Seal Administrator Guide Click OK. The View DS page is displayed with the following message: The DS was inserted successfully. Search for a DS The DS management menu allows you to search for a DS by keyword. You can search for any DS registered in the current workspace. To search for a DS: 1. Select one of the following menus: Table 4.3. Search for a DS Menu Displayed Document Signers Possible actions DS management Eligible DS DS management View DS management Deactivated DS DS management Modification Eligible DSs Eligible DSs Deactivated DSs Deactivated DSs Deactivate, block None (viewing only) Activate, block Edit Note: : for more information on eligible DSs, please refer to Eligible DS on page Enter a keyword in the Logic name field (see also Table 4.5, Search options on page 26). 3. Click Search. DSs whose logical name matches the keyword you entered are displayed with the following information: Logic name of the DS; Quota of the DS; Number of signatures generated by the DS (Counter); Remaining number of signatures that can be generated (Margin);

25 Electronic Seal Administrator Guide 25 Period of validity of the certificate (start and end dates); Status of the DS. Click on the logical name of a DS to see detailed information about this DS (see Detailed Information About a DS on page 25). Note: : the number of search results is limited to 200. If you reach that limit, please narrow your search to reduce the number of results. Detailed Information About a DS You can access a DS's detailed information page from the search results page (see Search for a DS on page 24). Some of the fields can be modified if you did your search from the Modification menu. If you did your search from the View menu, then you cannot modify the information that is displayed. Table 4.4, Detailed Information About a DS on page 25, summarizes the information available and indicates if it can be modified from the Modification menu. Table 4.4. Detailed Information About a DS Logic name Information Description Can be modified from the Modification menu? The logical name of a DS is the name that appears in the user interface. SKI (Subject Key Identifier) SKI of the certificate No DN (Distinguished Name) DN of the certificate No Serial number Serial number of the certificate No Counter Quota Validity date Status The counter of a DS counts the number of signatures produced by the DS The Quota field determines the maximum number of signatures the DS is allowed to produce Each DS is associated with a certificate that has a specific period of validity The status of a DS is determined by a pair of values: the status of the certificate and the functional status of the DS. Certificate status: valid / expired. Yes No Yes No No

26 Electronic Seal Administrator Guide 26 Information Description Can be modified from the Modification menu? Functional status of the DS: activated / deactivated / blocked For instance, the status valid; activated indicates that the DS certificate is valid and that the DS is functional. For more information, please refer to Status on page 22. Certificate download Download link of the certificate No Description When you add a new DS, you can give additional information on the DS in the Description field. Yes Advanced Search DS The Logic name field allows you to enter a keyword in your DS search. If the keyword is the exact logical name of a DS, then it appears in the results list. Table 4.5, Search options on page 26, indicates different ways to enter keywords. Table 4.5. Search options Keyword Matching results DS names that do not appear in the results list certificate certificate certificates, Certificate, Certificates *tificate certificate, Certificate certificates, Certificates certifi* certificate, certificates Certificate, Certificates cer*te certificate Certificate, certificates, Certificates * All Document Signers of the selected menu Modify a DS To modify a DS: Note: : only deactivated DSs can be modified. To deactivate a DS, refer to. 1. Click DS management Modification. 2. Search for the DS you want to modify and select it.

27 Electronic Seal Administrator Guide 27 The information page of the DS is displayed. 3. Modify the information about the Document Signer. The table below summarizes the information that can be modified from the Modification menu. Table 4.6. Information that can be modified Logic name Quota Description 4. Click Edit. Information Description The logical name of a DS is the name that appears in the user interface. To set a logical name, you can use up to 64 alphanumeric lowercase/uppercase characters ([a-z] [A-Z] [0-9]) including - * or =. Accented characters are forbidden. The Quota field determines the maximum number of signatures the DS is allowed to produce. If you change the quota of an existing DS, the new value must be greater than the previous one. When you add a new DS, you can give additional information on the DS in the Description field. This field can contain a maximum of 1,024 characters. A confirmation message is displayed: Do you really want to modify the DS? 5. Click OK. The following message is displayed on the information page of the DS: Modifications have been successfully made. Deactivate a DS To deactivate an eligible DS: 1. Click DS management Eligible DS. 2. Search for the DS you want to deactivate and select it (see also Search for a DS on page 24). The information page of the DS is displayed. 3. Click Deactivate. A confirmation message is displayed: Do you really want to deactivate the DS? 4. Click OK.

28 Electronic Seal Administrator Guide 28 The following message is displayed on the information page of the DS: The DS has been successfully deactivated. When deactivated, a DS is unable to sign documents. To reactivate a DS, refer to Activate a DS on page 28. Deactivate Expired DSs The Expired DS menu gathers all the DSs whose certificate is expired. This menu allows you to deactivate the expired DS of your choice. To deactivate expired DSs: 1. Click DS management Expired DS. 2. In the list of expired DSs, click the name of the expired DS to deactivate. 3. Click Deactivate on the Certificate Management page. The folloing message displays: Do you really want to deactivate the DS? 4. Click OK. The following message displays: The DS has been successfully deactivated. Activate a DS Note: : DocuSign recommends that you activate only one DS per workspace in order to avoid confusion about which DS provided the signature. To activate a deactivated DS: 1. Click DS management Deactivated DS. 2. Search for the DS you want to activate and select it (see also Search for a DS on page 24). The information page of the DS is displayed. 3. Click Activate. A confirmation message is displayed: Do you really want to activate the DS? 4. Click OK. The following message is displayed on the information page of the DS: The DS has been successfully activated.

29 Electronic Seal Administrator Guide 29 Block a DS It is sometimes useful to block a DS. For instance, if the certificate of a DS has been revoked, it is recommended that you block this DS. Otherwise, the DS will still be able to sign documents. Important: : a blocked DS is permanently deactivated. Blocking a Document Signer does not revoke the associated certificate but prevents the DS from signing documents. To block a DS: 1. Click on DS management and select one of the following sub-menus: Eligible DS to block an eligible DS; Deactivated DS to block a deactivated DS. 2. Search for the DS you want to block and select it (see also Search for a DS on page 24). The information page of the DS is displayed. 3. Click Block. A confirmation message is displayed: Do you really want to block the DS? 4. Click OK. The DS is now permanently blocked. It can no longer sign documents.

30 Electronic Seal Administrator Guide 30 Signature Configuration Management Signature configurations vary according to the signature format. While CMS signatures only require a few parameters, PDF signatures require more configuration parameters, such as a time-stamping service. Electronic Seal uses a PDF form to collect the configuration parameters of a workspace. Use the Configuration menu to upload the form on the signature interface. The Configuration menu allows you to perform the following operations: Add a Signature Configuration on page 35. Modify a Signature Configuration on page 36. For more information on the configuration form, please refer to Presentation of the PDF Configuration Form on page 30. Note: : you need to have the DS management role to access the Configuration menu. Presentation of the PDF Configuration Form A digital signature has a specific format and can contain a number of parameters, such as a signature policy. These parameters are specified in the PDF configuration form provided with Electronic Seal. If you do not know where you can find this form, contact an administrator. To add a signature configuration in a workspace, fill in the PDF form with the appropriate parameters. Then, navigate to the Configuration menu to upload the PDF form on Electronic Seal. The PDF form contains the following sections: Signature policy on page 30. Signature parameters on page 31. Information about signatory on page 32. Time stamping service parameters on page 32. Parameters for PAdES-BASIC signature on page 33. Signature on page 35. Fill in the parameters that are relevant to your signature format: CMS, PAdES-BASIC, XMLDSIG, XAdES-BES, XAdES-EPES, XAdES-T or XAdES-XL. This section describes all the configuration parameters. To find out which fields are mandatory for your signature format, please refer to Signature Formats and PDF Configuration on page 60. Signature policy A signature policy contains the rules that determine whether a digital signature is valid. This policy specifies: who is allowed to sign, under which conditions, and what information is contained in the signature. The properties of a signature policy are:

31 Electronic Seal Administrator Guide 31 OID OID on page 31 Description on page 31 URI on page 31 Object identifier of the signature policy. Example: Description Description of the signature policy. URI Uniform resource identifier of the signature policy. Example: Signature parameters The Signature parameters section includes the signature format and the trust chain of the signing certificate. This section contains the following properties: Format on page 31 Trust chain certificates on page 31 Trust chain ARLs on page 32 OCSP Responder URI on page 32 Format The available signature formats are: CMS PAdES-BASIC XMLDSIG XAdES-BES XAdES-EPES XAdES-T XAdES-XL Trust chain certificates List of the CA certificates (in PEM format) that constitute the trust chain of the signature certificate. Example:

32 Electronic Seal Administrator Guide BEGIN CERTIFICATE----- Certificat1 EBLiMzIJrcHF -----END CERTIFICATE BEGIN CERTIFICATE----- Certificat2 EBLiMzIJrcHF -----END CERTIFICATE----- Trust chain ARLs Lists of revoked CAs, used to verify that the CAs in the trust chain have not been revoked. Example: -----BEGIN X509 CRL----- ARL1 XbDj1YlrrKI2lZFx -----END X509 CRL BEGIN X509 CRL----- ARL2 XbDj1YlrrKI2lZFx -----END X509 CRL----- OCSP Responder URI Address of the OCSP responder used to obtain the revocation status of signature certificates. Example: Information about signatory The Information about signatory section contains the following properties: Role (optional): indicates the function of the signer. Example: manager. Place of signature (optional): indicates the place of signature. Example: Paris. Time stamping service parameters For PAdES-BASIC, XAdES-T and XAdES-XL signatures, you need to configure a time-stamping service. The properties of a time-stamping service are: Time stamping service URI on page 33 Time stamping policy OID on page 33 Time stamping authority trust chain certificates on page 33 Time stamping authority trust chain ARLs on page 33

33 Electronic Seal Administrator Guide 33 OCSP Responder URI on page 33 Time stamping service URI Address of the time-stamping service. Example: Time stamping policy OID Object identifier of the time-stamping policy. Time stamping authority trust chain certificates List of the CA certificates (in PEM format) that constitute the trust chain of the time-stamping authority certificate. Example: -----BEGIN CERTIFICATE----- Certificat1 EBLiMzIJrcHF -----END CERTIFICATE BEGIN CERTIFICATE----- Certificat2 EBLiMzIJrcHF -----END CERTIFICATE----- Time stamping authority trust chain ARLs Lists of revoked CAs, used to verify that the CAs in the time-stamping authority trust chain have not been revoked. Example: -----BEGIN X509 CRL----- ARL1 XbDj1YlrrKI2lZFx -----END X509 CRL BEGIN X509 CRL----- ARL2 XbDj1YlrrKI2lZFx -----END X509 CRL----- OCSP Responder URI Address of the OCSP responder used to obtain the revocation status of time-stamping certificates. Example: Parameters for PAdES-BASIC signature For PAdES-BASIC signatures, you need to configure additional parameters that are specific to PDF signature:

34 Electronic Seal Administrator Guide 34 Type of signature on page 34 Optional properties on page 34 Visibility of signature on page 34 Visible properties of signature field on page 34 Type of signature Fill in this parameter to choose between a certification signature and an approval signature. For certification signatures, several options are available (see Table 5.1, Types of certification signatures on page 34). Table 5.1. Types of certification signatures Type of signature Description Certification (no modification allowed after signature) Any modification made to the document after its certification deletes the certification signature. Certification (forms input and signatures allowed) Certification (forms input, signatures and notes allowed) After certification, any user can fill in the form and sign it. The document remains certified. After certification, any user can fill in the form, sign it and add comments. The document remains certified. Optional properties The optional properties are: Place of signature Place where the signature is issued. Example: Paris. Note: : the location specified in the Optional properties section overrides the one specified in the Information about signatory section. Reason of signature Reason for signing. Example: I validate this document.. Signatory information address of the signer. Example: contact@opentrust.net. Visibility of signature Indicates whether the signature field is visible in the document. Note: : if you want a visible signature field, you need to specify the name of the signature field. You can also define the elements that are displayed in the signature field (see Visible properties of signature field on page 34). Visible properties of signature field Fill in the Visible properties of signature field section to select the information that is displayed in the visible signature field (see also Visibility of signature on page 34) and to specify the label

35 Electronic Seal Administrator Guide 35 that precedes this information. The Name of signature field field contains the name of the PDF field where the signature should be added. Additional properties are listed in Table 5.2, Optional properties of the visible signature field on page 35. To add a visible piece of information in the signature field, check the corresponding box and choose a label. Table 5.2. Optional properties of the visible signature field Open text CN Property Description Text to be displayed in the signature. Common Name (CN) contained in the signing certificate. If you check this property, the CN of the signer will be inserted in the signature field, preceded by the text contained in the Label field. Example: Digitally signed by: John Doe. Place Place specified in Optional properties on page 34 Reason Date Logo Back image Reason specified in Optional properties on page 34 Date when the document is signed. Inserts a logo (JPG, GIF, PNG or TIF) in the left half of the signature field. Can be used to insert a company logo. If you check this property, the image loaded in the form will be added in the signature field. Inserts a background image (JPG, GIF, PNG or TIF) in the signature field. If you check this property, the image loaded in the form will be added as background of the signature field. Signature This field can be used to sign the configuration form. Add a Signature Configuration To add a signature configuration, you need a duly completed PDF configuration form. To add a signature configuration: 1. Click Document signature management Configuration to display the document signature configuration management page. 2. In the Configuration file field, click Browse to select the PDF configuration form. 3. Click Next.