
Certifications

CRLCheck

The 'CRLCheck' setting checks certificate chain trust and revocation. It has five possible values. The check is only done for client-side signed data, not for the server certificate itself, which is assumed to be trusted.

  • 0 No trust or CRL checking is done at all (not recommended).
  • 1 Check trust and revocation on the client certificate only. If no revocation pointer is in the certificate, then treat the cert as not revoked.
  • 2 Check trust and revocation on the client certificate only. Revocation info must be available locally or must be retrievable online from information in the certificate.
  • 3 Same as '1' but checks all certs in the chain up through the root cert.
  • 4 Same as '3' but checks all certs in the chain up through the root. WARNING: all certs below the root must have local or retrievable revocation info or the check will fail.
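The difference between the lenient levels (1, 3) and the strict levels (2, 4) can be tried against a client certificate before changing the setting. The following is an added example, not AlphaTrust code: it approximates the levels with .NET's X509Chain, and the mapping from each level to a chain policy, the function name and the file path are assumptions.

```powershell
# Added example: approximates the CRLCheck levels with .NET's X509Chain.
# The level-to-policy mapping is an assumption, not AlphaTrust's implementation.
function Test-ClientCertAtCrlLevel {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$CrlCheck
    )

    if ($CrlCheck -eq 0) {
        # Level 0: nothing is verified, so any certificate is accepted.
        return [pscustomobject]@{ Level = 0; Accepted = $true; Status = @('NotChecked') }
    }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        $policy = $chain.ChainPolicy
        $policy.RevocationMode = 'Online'   # cached data or the locations named in the certificate
        # Levels 1-2: client certificate only. Levels 3-4: every certificate below the root.
        $policy.RevocationFlag = if ($CrlCheck -le 2) { 'EndCertificateOnly' } else { 'ExcludeRoot' }
        if ($CrlCheck -in 1, 3) {
            # Lenient levels: unknown revocation status is not an error. This is broader
            # than "no revocation pointer": an unreachable CRL server is tolerated too.
            $policy.VerificationFlags = 'IgnoreEndRevocationUnknown, IgnoreCertificateAuthorityRevocationUnknown'
        }

        $accepted = $chain.Build($Certificate)   # trust is evaluated at every non-zero level
        [pscustomobject]@{
            Level    = $CrlCheck
            Accepted = $accepted
            Status   = @($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
    finally {
        $chain.Dispose()
    }
}

# Usage (the path is a placeholder for an exported client signing certificate):
# $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\client.cer')
# 1..4 | ForEach-Object { Test-ClientCertAtCrlLevel -Certificate $cert -CrlCheck $_ }
```

Under this mapping, a certificate whose chain has no retrievable revocation information is accepted at 1 and 3 and rejected at 2 and 4 with a RevocationStatusUnknown status, which is the failure the warning on level 4 describes.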

Store

  • "PFX" The AlphaTrust® e-Sign Signing Key/Cert is in the 'pronto.pfx' file in the /pronto/programs/ directory. (Default setting if missing or set to an incorrect value).
  • "CU" The AlphaTrust® e-Sign Signing Key/Cert is in the CurrentUser "MY" Store in the Windows CryptoAPI system. CurrentUser is the account that the AlphaTrust® e-Sign Service and the IIS app pools are running under (see setup documentation for details).
  • "LM" The AlphaTrust® e-Sign Signing Key/Cert is in the LocalMachine "MY" Store in the Windows CryptoAPI system. LocalMachine is the SYSTEM account. The AlphaTrust® e-Sign Service and IIS app pools must be set to run under the SYSTEM Service account for this to work (see setup documentation for details).

StorePW

Password for the PFX file to be used by AlphaTrust® e-Sign. This value is not the true PFX password. You cannot install the pronto.pfx file using this password.

Subject

If present, this string must be present in the X.509 Subject field of the signing certificate (from whatever STORE location) or signing will fail. Case-insensitive. The data for this setting may be blank (default).

Issuer

If present, this string must be present in the X.509 Issuer field of the signing certificate (from whatever STORE location) or signing will fail. Case-insensitive. The data for this setting may be blank (default).
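To see which certificates in a Windows "MY" store would satisfy a given pair of Subject and Issuer strings, the store can be listed with the same case-insensitive substring rule. This is an added example, not part of the product; the function name is hypothetical and the filter values in the usage line are constructed.

```powershell
# Added example: lists certificates in the "MY" store that satisfy the
# Subject and Issuer settings (case-insensitive substring, blank = no filter).
function Find-SigningCertCandidate {
    param(
        [ValidateSet('CU', 'LM')][string]$Store = 'LM',
        [string]$Subject = '',
        [string]$Issuer = ''
    )

    # "CU" resolves to the store of the account running this command.
    $path = if ($Store -eq 'LM') { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
    $now = Get-Date
    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    Get-ChildItem -Path $path |
        Where-Object {
            ($Subject -eq '' -or $_.Subject.IndexOf($Subject, $cmp) -ge 0) -and
            ($Issuer -eq '' -or $_.Issuer.IndexOf($Issuer, $cmp) -ge 0)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                HasPrivateKey = $_.HasPrivateKey   # a signing certificate needs its private key
                InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
            }
        }
}

# Usage (constructed filter values):
# Find-SigningCertCandidate -Store LM -Subject 'example corp' -Issuer 'example ca' | Format-List
```

For "CU", run it as the account the service and app pools run under, since CurrentUser means that account. More than one row returned means the filter strings do not single out one certificate.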

CustomRevocationCheckingCAs

A comma-separated list of Certification Authorities (CAs) that have custom revocation checking requirements supported by AlphaTrust® e-Sign. The client signing certificate's Issuer record is checked for a match or partial match to this list. If a match is found AND the CA has a supported custom revocation checker, then that checking mechanism is used rather than a standard CRL check.

NOTE

CRLCheck must be a valid non-zero value in order for custom revocation checking to be used.




Settings for AlphaTrust Document Signing Service (below)

These apply only if you are participating in this program. Contact AlphaTrust Support for more information and see the documentation for more details.

CertificationCertificateName

The string or sub-string that matches the digital certificate common name field for the digital certificate that is installed to be used for applying PDF certifying digital signatures to completed documents.

CertificationCertificateStore

See "Store" above. "LM" is preferred.

  • "LM"
  • "CU"

CertificationReasonText

This text is visible in the signature information field for the certifying digital signature within the PDF, and expresses the reason for the digital signature.

CertificationLocationText

This text is visible in the signature information field for the certifying digital signature within the PDF, and expresses the geographic location related to the digital signature. This is usually the certificate owner's legal City, State/Province and Country and not the server location.

For example: "Dallas, Texas USA"

CertificationTimestampURL

The timestamp URL assigned to you by the Adobe CDS certification authority - the issuer of the CDS certificate (usually GlobalSign). This URL will be used to obtain a secured, signed, trusted timestamp for the certification digital signature. If nothing is set here, then no secure timestamp will be included in the digital signature. A local timestamp (not trusted) will be used instead. A secure timestamp is recommended.

CertificationCryptoProvider

A valid crypto provider string (consult the documentation). If blank, the Microsoft CryptoAPI provider associated with the certificate will be used.

EnforceAddDigitalSignaturesForAllPDFDocumentsType

Force the addition of embedded PDF digital signatures per ESRA Standards to all PDF documents. The type of digital signature(s) to force is controlled by this setting. This system-wide setting can be overridden by an account level setting (per account). The account level setting can be overridden on a per document basis by the "DocService" type requested.

  • 0 Do not force embedded PDF digital signatures
  • 1 Enforce embedded PDF "certification" - MDP signature [DEPRECATED]
  • 2 Enforce embedded PDF "seal" - standard invisible digital signature from the system.
  • 3 Enforce CryptoSignatures for all end user signatures and initials. This embeds a standard PDF digital signature (visible in the document) for each signature or initial. Special restrictions apply to the use of this type and it is not recommended at the system-wide level.