Use of A1 digital certificate installed on the server

Viewed 1,214 times

2

I work with the development of a Java web application for managing electronic medical records, in which it is necessary to sign XML documents digitally.

This application is used by more than 200 users within the hospital environment and these users use several different computers to access it.

When we started development, we chose to use A3 certificates precisely because the user uses different machines to access the system. At the time the best way we could find to do this was through Java Web Start.

However, I was recently informed that it may be possible to place A1 digital certificates directly on the Web server, which would greatly facilitate the hospital’s activities, especially in relation to costs.

Some questions similar to this one have already been answered, but I didn't quite understand whether they cover the case I'm dealing with.

So:

  1. Is it possible to import the A1 certificates of all users and store them directly on the server? (I know that it is not possible to convert an existing A3 to A1.)
  2. In this case, will users only need to enter their PIN to sign the documents?
  3. Also, at the time of signing, will the system display all 200+ stored certificates so that the user chooses theirs and enters the PIN?

2 answers

2

First, a short summary of how certificates and digital signatures work. At the end of the reply I left references; after all, it is a complex subject and the details would not fit here.

In general, we are talking about public key cryptography, in which there is a pair of keys: one public and one private (see the links at the end for more details).

The certificate only contains the public key. The private key (which is used to sign digitally) is separate from the certificate; they are two different "things" (although related, since the public key in the certificate is used to verify a signature made with its respective private key).

In the case of A3, both the certificate and the private key are stored on some physical medium (a card, a token, whatever), and access to the private key is password protected (the PIN you type when you use it).

In the case of A1, the only difference is that they are not stored on a physical medium but in a file. The most common formats are the Java keystore (JKS) and PKCS12 (.pfx files, most common on Windows).

Both work similarly: they have several different entries, each identified by a name (called an "alias"). Each alias can hold either a certificate, or the certificate plus its private key. The file is usually password protected (this is configurable depending on how you create these files); the class java.security.KeyStore, for example, allows creating and manipulating both types (JKS and PKCS12).

Now to the questions:

Can you import the A1 certificates of all users and store them directly on the server?

Yes, as long as you also store their private keys (since those are what is used to sign). You can store everything in a single keystore, using a different alias for each user, or use a separate keystore for each one. Where the files live will depend on your solution (they can be blobs in the database, files in some server folder, etc.).

Since the keystore is recommended to have a password, the user will need to type it to access their respective private key when signing the document.

Will users only need to enter their PIN to sign the documents?

If the only use they make of the private key is at the time of signing, then yes, only at that moment will it be necessary to enter the PIN.

If the private key is not used for anything else (for example, to authenticate on the site using the certificate), then signing would be the only time the password is required.

There is just one detail: as the certificate and private key are on the server, your system will have to ask the user for the password itself (through some interface, a form, etc.), because all access to the keystore and the signing itself will be done on the server, since that's where the private keys are.

It's a different situation from when the certificate is installed on the client's machine, because in that case the browser/OS acts as the intermediary and automatically asks for the password.

Also, at the time of signing, will the system display all 200+ stored certificates so that the user chooses theirs and enters the PIN?

If the certificate is on the server, then you control what the user can see. Your application could load only that user's certificate, since they probably shouldn't even see the others (that's how I imagine your system works).

References:

    Thank you. Your reply was very helpful.
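The keystore handling the answer describes, as an added example that is not part of the original answer: one PKCS12 file on the server, one alias per user, the entry protected by that user's PIN rather than by the store password. Everything here is an assumption of the example, not something the answer states: the class name ServerSideA1Store, that each user's A1 arrives as a CA-issued .pfx file, that the keys are RSA (SHA256withRSA), and that the application runs on Java 8 or newer, where a PKCS12 entry may carry a password different from the store's. The block signs raw bytes with java.security.Signature; the XML-DSig wrapping the question needs (javax.xml.crypto.dsig) would consume the same PrivateKey and X509Certificate.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example, not code from the answer: one server-side PKCS12 keystore, one alias per user.
 * Assumptions: each user's A1 is a CA-issued .pfx; the server holds a store password of its own;
 * each entry is protected with the user's PIN, which the server never stores.
 */
public final class ServerSideA1Store {

    private final File storeFile;
    private final char[] storePassword; // server-side secret (config / secret manager), never shown to users

    public ServerSideA1Store(File storeFile, char[] storePassword) {
        this.storeFile = storeFile;
        this.storePassword = storePassword;
    }

    /** One-time enrolment: copy the user's key + certificate chain out of their .pfx under their own alias. */
    public void importUserPfx(String username, File pfx, char[] pfxPassword, char[] userPin) throws Exception {
        KeyStore user = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfx)) {
            user.load(in, pfxPassword);
        }
        // A CA-issued .pfx normally holds exactly one key entry; take the first one found.
        String srcAlias = null;
        for (String alias : Collections.list(user.aliases())) {
            if (user.isKeyEntry(alias)) {
                srcAlias = alias;
                break;
            }
        }
        if (srcAlias == null) {
            throw new IllegalArgumentException("no private key found in " + pfx);
        }
        PrivateKey key = (PrivateKey) user.getKey(srcAlias, pfxPassword);
        Certificate[] chain = user.getCertificateChain(srcAlias);

        KeyStore server = loadServerStore();
        // Entry password = the user's PIN, so the store password alone does not unlock this key.
        server.setKeyEntry(username, key, userPin, chain);
        try (OutputStream out = new FileOutputStream(storeFile)) {
            server.store(out, storePassword);
        }
    }

    /** Signing time: the PIN is the only secret the user is asked for; a wrong PIN throws UnrecoverableKeyException. */
    public byte[] sign(String username, char[] userPin, byte[] document) throws Exception {
        KeyStore server = loadServerStore();
        if (!server.isKeyEntry(username)) {
            throw new IllegalArgumentException("no certificate enrolled for " + username);
        }
        PrivateKey key = (PrivateKey) server.getKey(username, userPin);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(document);
        return sig.sign();
    }

    /** Verification needs only the certificate (public key), so no PIN is involved. */
    public boolean verify(String username, byte[] document, byte[] signature) throws Exception {
        X509Certificate cert = certificateOf(username);
        if (cert == null) {
            return false;
        }
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(document);
        return sig.verify(signature);
    }

    /** Question 3: the user is shown only their own certificate, never the other 200. */
    public X509Certificate certificateOf(String username) throws Exception {
        return (X509Certificate) loadServerStore().getCertificate(username);
    }

    private KeyStore loadServerStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) {
                ks.load(in, storePassword);
            }
        } else {
            ks.load(null, null); // first import: start from an empty store
        }
        return ks;
    }
}
```

Two caveats a practitioner should weigh before adopting this layout. First, the per-entry PIN only protects the key at rest: at signing time the PIN passes through the application's form handler and the key is decrypted in the server's memory, so anyone who administers that server (or compromises it) can sign as any enrolled user; the non-repudiation argument that an A3 token gives (the key never leaves the device) does not hold for server-held A1 keys, and the audit log of who requested each signature becomes part of the evidence. Second, check that whatever else reads the store (keytool, OpenSSL, a load balancer) accepts PKCS12 entries whose password differs from the store password; if not, fall back to one store per user as the answer also suggests.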

-1

Yes, it is possible to store the permitted certificates in your permissions list (keystore) that will be read by your Apache. You configure it in the same XML that configures Apache SSL/HTTPS access and provides the server certificate; documentation below:

https://www.ibm.com/support/knowledgecenter/pt-br/SS4GSP_6.2.7/com.ibm.udeploy.install.doc/topics/ssl_config_server_bds.htm

And as far as I know, yes, the user will have a list of the certificates installed in the browser to select theirs and enter the password.
