Digital signatures
Starting with FileHold 15.2, Microsoft Word documents undergoing workflow can be converted to PDF format. Along with this conversion, it is possible to add a digital signature envelope protected by a certificate with a private key from the Windows certificate store on the FileHold application server.
The following article describes how to create a self-signed certificate, add it to the Windows certificate store, and prepare it for use in a workflow template. This example was created on Windows Server 2016, but the same process applies to all supported versions. You should consult with your certificate management and legal experts to ensure you are creating a digital signature that meets the requirements of your application. The remainder of this article is intended for readers with Windows administration skills.
Windows includes a PowerShell cmdlet for creating self-signed certificates. The following command will create an example certificate with a 2048-bit public key and a 5-year validity. The friendly name is important as this is what is displayed when creating the FileHold workflow template. If you will use multiple certificates with workflow templates, make sure the friendly names are sufficiently descriptive to allow the template designers to choose the correct certificate.
New-SelfSignedCertificate -subject "CN=FileHold Systems Inc.,O=FileHold Systems Inc.,L=Burnaby,ST=British Columbia,C=CA" -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "FileHold Digital Signature" -NotAfter $([datetime]::now.AddYears(5)) -CertStoreLocation "Cert:\LocalMachine\My"
The certificate store location should match the setting in the library manager web config file. The following example is the default value of the C2PDFCertificateStore key in the web config. See the knowledge base for all possible values for this key.
<add key="C2PDFCertificateStore" value="\LocalMachine\My" />
When the certificate has been correctly created, you should be able to view it with the certificate add-in for MMC (Microsoft Management Console). Since we have installed the certificate in the local machine store, ensure you choose the local machine settings for the certificate add-in.
You should be able to see the key symbol on the certificate icon to indicate the private key is present. You will need to give full control to the FileHold service user in order to allow signing inside FileHold. Select the option to “Manage private keys…” and add the permission. If you do not do this, you may be able to add the certificate to the template, but you will not be able to complete the workflow without getting an access error.
In order to use your new certificate, follow the knowledge base instructions for creating a workflow template and choose the convert to PDF feature in the workflow activity. Check the box to incorporate a digital signature and select your friendly name from the list. If you do not see your certificate, confirm it was installed with a private key and in a certificate store location that matches your web config file.
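The two conditions described above (the certificate is in the configured store with its private key, and the FileHold service user has full control on that key) can be confirmed from PowerShell before building the template. This is an added example, not FileHold's own code; the account name EXAMPLE\svc-filehold is a placeholder, and the script assumes an RSA key held in a software key provider on the application server.

```powershell
# Added example: verify the signing certificate before using it in a workflow template.
# $ServiceAccount is a placeholder; substitute the account your FileHold services run as.
param(
    [string]$FriendlyName   = 'FileHold Digital Signature',
    [string]$StorePath      = 'Cert:\LocalMachine\My',
    [string]$ServiceAccount = 'EXAMPLE\svc-filehold'   # hypothetical account name
)

$certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate named '$FriendlyName' in $StorePath, found $($certs.Count)."
}
$cert = $certs[0]
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Resolve the on-disk key container name for either a CNG or a legacy CSP key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live in one of these directories depending on the provider.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found in the software key directories." }

# List who can use the key, then look for an Allow entry granting the account Full Control.
$acl = Get-Acl -LiteralPath $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$granted = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if ($granted) {
    "OK: $ServiceAccount has Full Control on the private key of $($cert.Thumbprint)."
} else {
    Write-Warning "$ServiceAccount lacks Full Control on the private key; the workflow will fail with an access error."
}
```

Run it in an elevated PowerShell session on the application server. The final check only matches an entry naming the account directly, so access granted through a group appears in the table but not in the result line.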
Now you are ready to create a signed PDF document from your Word document. Simply initiate the workflow and when it completes you will have a new version of the Word document in PDF form. Open the document in Adobe Reader or similar PDF viewer and you will be able to inspect the certificate details and determine the validity of the certificate.
If your certificate is self-signed, as in this example, Adobe Reader will show that it is not trusted unless the workstation where your document is being viewed has your certificate loaded to its trusted certificate store.
Russ Beinder is the Chief Technology Officer at FileHold. He is an entrepreneur, a seasoned business analyst, computer technologist and a certified Project Management Professional (PMP). For over 35 years he has used computer technology to help organizations solve business problems.