Hi,

> I've finally got my PKI infrastructure generating proper certificates
> with OpenXPKI.
>
> In the details of the certificate on Acrobat, there's a message saying
> that the time of the signature was determined from the signer's computer.
>
> I'd like to implement trusted time-stamping
> (https://en.wikipedia.org/wiki/Trusted_timestamping).

From the previous communication I am trying to put things together. Actually it is really not easy to help people on this mailing list if they don't provide context to their questions.

I understand you want to sign PDF documents in a way that the signature can be verified correctly by the relying party (e. g. a person using Acrobat Reader to read the document). You also wish to embed a timestamp in the PDF signature, so that the relying party performs the certificate validity check not based on the current (reading) time but at signature generation. This is common practice with document signing but requires a trusted timestamping service as you found out.

From a previous mail on this list I also deduce you want to achieve that the relying party will be able to verify the document signature without having to perform local modifications, such as importing your Root CA certificate as trusted.

You will need the following:

- a Digital Certificate which is capable of document signing (i. e. correct key usage/certificate profile)
- the document signing certificate must be trusted by the relying party
  - this means that the document signing certificate is issued by a public CA or by a subordinate CA which is trusted as per the commonly accepted trusted Root Certificates in people's operating systems
- an RFC 3161 time stamping server trusted by the relying party
- a software component which can compose a PDF signature based on the above components, using the document signer certificate and the timestamping service to generate a PDF signature

OpenXPKI is none of those. OpenXPKI is a trustcenter software which creates and manages Digital Certificates, it does not do document signing. OpenXPKI could act as a subordinate CA to a publicly trusted CA, or it could act as a proxy to the public API of a public CA, allowing you to request certificates from this public CA.

Best regards,

Martin

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
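
The RFC 3161 time stamping request named in the message above, as an added example that is not part of the original post and is not OpenXPKI code: it builds the DER-encoded TimeStampReq a signing component would send to a time stamping server, using only the Python standard library. The function names, the SHA-256 choice and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import secrets
from typing import Optional

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters)
SHA256_ALGID = bytes.fromhex("300d06096086480165030402010500")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value, minimal and never negative."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_timestamp_request(data: bytes, nonce: Optional[int] = None) -> bytes:
    """Build an RFC 3161 TimeStampReq (version 1, SHA-256, nonce, certReq=TRUE)."""
    digest = hashlib.sha256(data).digest()
    # MessageImprint: only the hash goes to the TSA, never the data itself.
    imprint = der(0x30, SHA256_ALGID + der(0x04, digest))
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the client match the reply to this request
    # certReq=TRUE asks the TSA to include its certificate in the token,
    # so a verifier has the TSA certificate at hand when checking the timestamp.
    body = der_uint(1) + imprint + der_uint(nonce) + der(0x01, b"\xff")
    return der(0x30, body)


if __name__ == "__main__":
    sample = b"constructed sample bytes, not a real signature or document"
    request = build_timestamp_request(sample)
    # Over HTTP this is POSTed with Content-Type: application/timestamp-query.
    print(len(request), request.hex())
```

The time stamping server answers with a signed token over that hash and its own clock value, which the signing software embeds in the PDF signature.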
