Methods for signing CEP documents with external counterparties
Today, electronic document management is an integral part in all areas of society, and its implementation at enterprises and institutions is of national importance. Ukraine has a clear course towards digitization and the transfer of most services and services to the online environment.
Perhaps, every citizen in one way or another faced with the creation, signing, sending documents in electronic form.
Most of the public sector has already been transferred to electronic document management, and the obligation to implement it is enshrined at the legislative level.
As for private business, the state also gradually accustomed it and transferred it to an electronic document management system.
First, there was the concept of "electronic digital signature", but now the technology has been updated, and replaced by a "qualified electronic signature, and ATsSK have become qualified providers of trust services.
Today, most large-scale enterprises, institutions, organizations, regardless of their form of ownership, cannot imagine their activities without electronic document management.
All processes of electronic interaction of subjects are related to electronic trust services and are regulated by the Law of Ukraine No. 2155-VIII dated 05.10.2017 "On electronic trust services".
If we have an established electronic document management system at the enterprise, then we can easily create electronic documents, sign them and send them to our external counterparties for signing on their part.
A mandatory component of electronic document management is the signing of electronic documents with a qualified electronic signature (hereinafter referred to as QES).
Qualified electronic signature - an improved electronic signature, which is created using a qualified electronic signature and is based on a qualified public key certificate (part 23, art. 1 of the Law of Ukraine "On electronic trust services").
In this case, the company or our counterparties act as users of electronic trust services, that is, subscribers, creators of electronic seals, senders and recipients of electronic data, other individuals and legal entities receiving electronic trust services from providers of such services (part 27.art1 of the Law of Ukraine "On electronic trust services").
The concept of CEP is inextricably linked with the concept of a qualified public key certificate.
Qualified public key certificate - a public key certificate issued by a qualified provider of electronic trust services, a certification authority or a central certification body and meets the requirements of the Law of Ukraine "On Electronic Trust Services".
The same certificate includes certain information that establishes and confirms that the CEP belongs to the person who uses it. The certificate also contains information about the provider of the electronic service and its compliance with the requirements in accordance with the legislation of Ukraine.
Where can you get an electronic signature?
To be able to sign electronic documents, provide electronic reporting or electronic declarations, a person must obtain a qualified electronic signature.
Its issuance, in accordance with the Law of Ukraine "On Electronic Trust Services", is carried out by qualified providers of electronic trust services, the list of which is contained in the Trust List.
Accredited Key Certification Centers (ACSK), created in accordance with the Law of Ukraine "On Electronic Digital Signature", which were going to provide qualified electronic trust services, were automatically included by the central certification body in the Trust List as qualified representatives of electronic trust services. In other words, a qualified electronic signature can also be obtained from the ATsSK.
The list of providers of electronic trust services can be viewed on the website of the Central Certifying Authority (hereinafter referred to as the CPA) at the link.
So, let's look at the existing ways of signing electronic documents with a qualified electronic signature (QES).
The easiest way to sign a CEP document is with the help of the Central Certification Authority resource, which we have already mentioned above.
This web resource was developed by the Ministry of Digital Transformation of Ukraine (Mintsifry) - the main body in the system of central executive authorities, which ensures the formation and implementation of state policy in the field of electronic trust services and performs the functions of a central certification authority.
To do this, the user must go to the "Trust Services" section and click on the inscription "Sign document", after which he will be taken to the section where he can choose with what he wants to sign the document.
The user can use the "Diya. Signature" or using an existing electronic signature.
"Diya. Signature"
If you have already activated the “Diya.Signature” function in the “Diya” application and created it, then by reading the QR code on the site you will be able to use your signature and sign the document on your smartphone.
Electronic signature
When a user chooses to sign a file with an electronic signature, they are presented with options on how to read the key. The key may be on file media, it may be a token, or a signature using cloud media.
The file media is a special file containing your private key.
This file is usually named Key-6 with *.dat extension (there are also *.pfx,*.pk8,*.zs2,*.jks extensions).
In order to use the file media, you need to:
- Select from the list the provider of electronic trust services - the entity you contacted to obtain an electronic signature.
- Upload a file with a private key from external media or a computer.
- Specify the password for accessing the private key in the field.
This password is known only to the user, and in no case should he tell it to anyone else. As soon as the CSO receives the correct password, it will immediately transfer the user to the document signing section.
Token (secure carrier) - a compact device in the form of a USB flash drive, designed to ensure the user's information security, remote access to information and is used to identify its owner. Simply put, the key information about the owner of the electronic signature and keys is stored on the token. To use the token, you need to install special software on your computer.
Cloud storage means storing your private key with the help of a third-party service (storage in a secure cloud storage). In this case, to read the key, you must select your transmitter from the list and go through authorization in its system. After that you can use your key.
Signing technology
As for the software signing technology itself, the user has a choice here.
The first way: he can impose a CEP on the document as a result of its introduction into the document itself. This is when the data and signature are in one file (CAdES format) (according to international terminology - CAdES, enveloped).
As a result of the operation, the user receives one file containing an electronic document and a signature created for it. In this case, the document will have the extension ".p7s.". To check the CEP, you will need to open the document in the CPO and use the check.
The second way is when the user creates two documents, one of which is the original document, and the second is the CEP. That is, the data and the signature will be separate files (CAdES format) (according to international terminology - CAdES, detached). As a result, the user receives one file containing directly the signature created for the electronic document.
In this variant, it is the second document that will receive the “.p7s.” extension, but in order to check the presence of a QEP on the first document, both documents must be uploaded to the CPA. If only one document is uploaded, the CSO will answer: “Verification of a qualified electronic signature, which is formed as a separate file with the .p7s extension, is performed if there is a file with data that has a qualified electronic signature. The name of such a file is usually identical to the name of a file with a .p7s extension. Select this file and add it to the file with a qualified electronic signature."
The difference between the first and second methods is that in the first case, the signature is attached to the original file and forms a single whole, that is, the *.ps7 extension. When signing into a document, the signature is attached to the hash and is integral with it.
In this case, the original file is stored in one package with the signed hash in the archive file.
In the first case, the original file is not needed for verification, and in the second case, it is needed, but most electronic document management systems store it in their user accounts.
The third way: data and signature in the archive (ASiC-S format) (according to international terminology - ASIC-S) is a data container containing a group of file objects and their associated qualified electronic signature and/or qualified timestamp using the ZIP format.
Signature formats:
After the user selects the type of electronic signature, he must decide on the format of the signature. There are the following formats:
• CAdES-X Long is intended for archiving long-term signatures, providing the ability to establish the validity of the signature in the long term (after the expiration of the qualified certificate);
• CAdES-C (Complete) — qualified electronic signature format with a full set of verification data (everything necessary for verifying qualified certificates is already included in the signature);
• CAdES-T (Timestamp) — Qualified electronic signature format with a qualified timestamp. It makes it possible to control the invariance of the signature, as well as to clearly recognize the timestamp received from a trusted server;
• CAdES-BES (Basic Electronic Signature) provides basic data authentication and data integrity protection. It does not allow to establish the authenticity of the signature if the signature is verified after the expiration of the certificate or if the certificate is canceled after the formation of a qualified electronic signature.
The last thing the user has to do is upload the document on which he wants to apply the CEP and click the "Sign" button. After that, the CSO will show on the screen the results of the creation of the CEP. The user clicks Save and receives an electronic document from the CEP.
How to sign a document for your counterparty?
Signing a document to your counterparty is very simple. After you have signed and saved the electronic document on the service, you need to send the document in *p7s format to the counterparty. After reviewing the document, the counterparty also signs it using his electronic key on any service.
To check if a document is signed, you need to upload it to the system on the DSO service and you will see all the information about the signers of your document.
With the help of our service https://instaco.com.ua/ you can easily introduce electronic document management at your enterprise. You can use the services of receiving and sending electronic documents through our service, as well as use the extended functionality of the system in terms of maintaining the register of counterparties, generate a document filled with data, and sign it with a qualified digital signature.
Date of publication: 07.08.2022