Document Signing Certificate Getting Started Guide

Certificate Services
Document Signing Certificate
Getting Started Guide
Using the SafeNet Authentication Client: 8.3
Document issue: 1.0
Date of issue: March 2017
For software release 12.1
Report any errors or omissions
Copyright © 2017 Entrust. All rights reserved.
Entrust is a trademark or a registered trademark of Entrust,
Inc. in certain countries. All Entrust product names and logos
are trademarks or registered trademarks of Entrust, Inc. in
certain countries. All other company and product names and
logos are trademarks or registered trademarks of their
respective owners in certain countries.
Obtaining technical support
For support assistance, you can email Customer Support
at [email protected] or visit our Web site
at https://www.entrust.com.
This information is subject to change as Entrust reserves the
right to, without notice, make changes to its products as
progress in engineering or manufacturing methods or
circumstances may warrant.
Export and/or import of cryptographic products may be
restricted by various regulations in various countries. Export
and/or import permits may be required.
About this guide
  Supported platforms and software
    Supported operating systems
    Supported versions of Adobe Acrobat
    Supported Microsoft products
  Documentation conventions
    Note and Attention text
  Obtaining technical assistance
    Technical support
    Telephone numbers
    Email address
  Related documentation
  Documentation feedback
Installing your Entrust certificate on a token
  Before you start
  Downloading and installing the token software
  Initializing your token
  Picking up your Entrust certificate
  Changing the password for your token
  Recovering a certificate
Signing a document
  Signing a PDF document
  Signing a Microsoft Word document
About this guide
This guide describes how to store an Entrust certificate on an iKey 5100 token. This
includes:
• installing your token (drivers and software)
• initializing your token
• accessing the Entrust Certificate Retrieval Web pages to store the certificate on
  your token
This guide also provides examples of how to sign and/or certify a document or form.
For more advanced features, see the documentation accompanying the software
product.
Note:
To navigate through this PDF, you can use the arrow buttons in the menu bar of Adobe
Reader.
Supported platforms and software
The software and token provided by Entrust were tested with the following operating
systems. They may also work with other operating systems; however, they have not been
tested on them. Similarly, Entrust document signing certificates were tested with the
Adobe and Microsoft products listed below.
Supported operating systems
The following operating systems are supported:
• Microsoft Windows Server 2012 (64-bit), 2012 R2 (64-bit)
• Microsoft Windows Server 2008 R2 SP1 (64-bit)
• Microsoft Windows Server 2008 SP2 (32-bit)
• Microsoft Windows 7 (32-bit and 64-bit)
• Microsoft Windows 8.0
• Microsoft Windows 8.1
• Microsoft Windows 10
Supported versions of Adobe Acrobat
The following versions of Adobe Acrobat are supported:
• Adobe Acrobat XI Standard
• Adobe Acrobat XI Pro
• Adobe Acrobat X Standard
• Adobe Acrobat X Pro
• Adobe Acrobat 9 Standard
• Adobe Acrobat 9 Pro
• Adobe Acrobat DC
Supported Microsoft products
Microsoft Office 2013
Documentation conventions
The following documentation conventions are used in Entrust guides:
Table 1: Typographic conventions

| Convention | Purpose | Example |
|---|---|---|
| Bold text (other than headings) | Indicates graphical user interface elements and wizards. | Click Next. |
| Italicized text | Used for book or document titles. | Entrust Certificate Services Enrollment Guide |
| Blue text | Used for hyperlinks to other sections in the document. | Entrust TruePass supports the use of many types of digital ID. |
| Underlined blue text | Used for Web links. | For more information, visit our Web site at www.entrust.net. |
| Courier type | Indicates installation paths, file names, Windows registry keys, commands, and text you must enter. | Use the entrust-configuration.xml file to change certain options for Verification Server. |
| Angle brackets <> | Indicates variables (text you must replace with your organization’s correct values). | By default, the entrust.ini file is located in <install_path>/conf/security/entrust.ini. |
Note and Attention text
Throughout this guide, paragraphs are set off by ruled lines above and below. They
provide key information with two levels of importance, as shown below.
Note:
Information to help you maximize the benefits of your Entrust product.
Attention:
Issues that, if ignored, may seriously affect performance, security, or the operation of
your Entrust product.
Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support
resources. The following subsections provide details about the technical support and
information available to you.
Technical support
For Entrust technical support services, visit our Web site at:
http://www.entrust.net/ssl-technical/index.htm
For technical resources, including a comprehensive Knowledge Base, visit:
http://www.entrust.net/knowledge-base/index.cfm
Telephone numbers
For support assistance by telephone, call one of the numbers below:
• 1 (866) 267-9297 (toll free within North America)
• 1 (613) 270-2680 (outside North America)
Email address
The email address for Customer Support is:
[email protected]
Related documentation
This section describes related documents that may be used in conjunction with this
guide.
• Token software information (http://www.safenet-inc.com)
Documentation feedback
You can rate and provide feedback about Entrust product documentation by completing
the online feedback form. Any information that you provide goes directly to the
documentation team and is used to improve and correct the information in our guides.
You can access this form by:
• clicking the Report any errors or omissions link located in the header of Entrust’s
  PDF documents (see top of this page).
• following this link: http://go.entrust.com/documentation-feedback
Installing your Entrust certificate on a token
This chapter describes how to enroll your token and install your Entrust certificate on
your token. This guide assumes that you have already purchased a document signing
certificate.
This chapter includes the following sections:
• “Before you start”
• “Downloading and installing the token software”
• “Initializing your token”
• “Picking up your Entrust certificate”
• “Changing the password for your token”
• “Recovering a certificate”
Before you start
To install and use your Entrust certificate you require:
• a supported browser with Internet access
• a supported operating system (see “Supported operating systems”)
• an iKey 5100 token (provided by Entrust)
• the email message from Entrust you received after purchasing the certificate; this
  message contains a link to a Web page where you can download the required
  software and certificate
• a supported Adobe or Microsoft product (see “Supported platforms and software”)
Downloading and installing the token software
In order to manage your token, including tasks such as logging in, initializing, and
resetting your password, you must download and install the token software provided
by Entrust.
Complete the following procedure to obtain and install the token software.
Attention:
Do not plug your token into your computer until you have completed this procedure.
To obtain and install the token software
1 In the notification email sent to you by Entrust, click the link to the Entrust Certificate
  Retrieval Web pages.
  The Entrust Certificate Retrieval login page appears.
2 In the text field, enter the passphrase issued to you by Entrust.
3 Click Submit to log in.
4 Download the appropriate 32-bit or 64-bit software package, depending on your
  operating system (see “Supported operating systems”).
  Optionally, use the MD5 Checksum hash to ensure that the file is correct and was not
  corrupted during the download. (Using the MD5 Checksum hash requires the Microsoft
  Checksum Integrity Verifier or a similar utility.)
5 Save the software to your computer.
6 Double-click the installer file (EntrustSACInstaller_<number>.msi) to begin
  installing your software.
  The Entrust SafeNet Authentication Client Installation Wizard appears.
7 Click Next.
  The Interface language page appears.
8 Select the language to use for the installation.
9 Click Next to continue.
  The License Agreement page appears.
10 Accept the license agreement by clicking I accept the license agreement. You must
  accept the license agreement to proceed with the installation.
11 Click Next to continue.
  The Installation Type page appears.
12 Select Standard.
13 Click Next to continue.
  The Destination Folder page appears.
14 Either keep the default installation folder, or click Browse to select a new installation
  folder.
15 Click Next to continue.
16 You may be asked to allow the installer to make changes to the hard drive of the
  computer.
  Click Yes to proceed.
17 The Updating System page appears. The page displays the progress of the
  installation. When the installation is complete, a success message appears.
18 Click Finish.
You have successfully installed the token software. You must enroll the token before
picking up your certificate.
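The optional checksum check in step 4, shown as an added example that is not part of the Entrust guide: the built-in PowerShell Get-FileHash cmdlet stands in for the "similar utility" the guide mentions. The function name Test-InstallerChecksum and the three-byte sample file are constructed for illustration.

```powershell
# Added example, not Entrust code. Compares a file's MD5 hash with a published
# value using the built-in Get-FileHash cmdlet.
function Test-InstallerChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PublishedMd5
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Published hashes are often pasted with spaces, colons or dashes and in
    # either case. Normalise first, then reject anything that is not exactly
    # 32 hexadecimal digits (the length of an MD5 digest).
    $expected = ($PublishedMd5 -replace '[\s:-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{32}$') {
        throw 'Published value is not a 32-digit hexadecimal MD5 hash.'
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    [pscustomobject]@{
        File     = (Resolve-Path -LiteralPath $Path).Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Constructed sample input: a three-byte file containing "abc", whose MD5
# digest is the standard test vector 900150983cd24fb0d6963f7d28e17f72.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63))
$intact = Test-InstallerChecksum -Path $sample `
    -PublishedMd5 '9001 5098 3cd2 4fb0 d696 3f7d 28e1 7f72'

# Simulate a corrupted download by rewriting the file with one extra byte.
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63, 0x00))
$corrupt = Test-InstallerChecksum -Path $sample `
    -PublishedMd5 '900150983cd24fb0d6963f7d28e17f72'

$intact, $corrupt | Format-List
Remove-Item -LiteralPath $sample

# For the real installer, pass the downloaded .msi and the hash shown on the
# download page, and continue to step 6 only when Match is True:
#   $r = Test-InstallerChecksum -Path .\EntrustSACInstaller_<number>.msi `
#            -PublishedMd5 '<MD5 value from the download page>'
#   if (-not $r.Match) { throw 'Checksum mismatch: download the file again.' }
```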
Initializing your token
You must initialize the new token before it can store your Adobe signing certificate.
Attention:
If this is not a new token, be aware that initializing the token deletes any information
already stored on it.
Note:
When you plug a new token into the USB port you will be asked to enter the default
password and change it. The default password is 1234567890.
Complete the following procedure to enroll your token.
To enroll your token
1 Insert your token into a USB slot on your computer.
  If the token is not recognized by the computer, the SafeNet icon in the system tray is
  grayed-out.
  When the token has been recognized by the computer and the drivers have been
  installed, the SafeNet icon in the system tray switches from grayed-out to active.
2 When the SafeNet icon has become active, right-click the icon and then select Tools.
  If you do not see the icon in the system tray:
  • On Microsoft Windows Server 2008 or Windows 7, select Start > All Programs
    > SafeNet > SafeNet Authentication Client > SafeNet Authentication
    Client Tools.
  • On Microsoft Windows Server 2012 R2 or Windows 8.1, select Start, then click the
    down arrow to access Apps, then click SafeNet Authentication Client Tools.
    (When listed by name or category, SafeNet Authentication Client Tools is
    listed under SafeNet.)
  The SafeNet Authentication Client Tools dialog box appears.
3 If you are using a new token, select View Token Info. If you are reinitializing a
  previously-used token, select the Advanced view icon.
  Information about the token appears.
4 In the tree view, expand SafeNet Authentication Client Tools > Tokens.
5 Under Tokens:
  • If you are using a new token, right-click the blank entry and select Initialize
    Token.
  • If you are reinitializing a previously-used token, right-click the name of the token
    you want to reinitialize and select Initialize Token.
  The Initialize Token dialog box appears.
6 In the Token Name field, enter a name for the token.
7 In the New Token Password and Confirm fields, enter and confirm a new
  password.
  Note:
  You will be asked for this password when you use the certificate.
8 Click Start.
  The Initialize Token Notification dialog box appears, warning you that initializing
  the token will delete all content on the token.
9 Click OK.
10 A status bar appears, indicating the progress of the initialization. When the initialization
  is complete, a success message appears.
11 Click OK.
Picking up your Entrust certificate
When your certificate is ready, Entrust sends you an email containing a link to the
Certificate Retrieval Web pages. You are also provided with a passphrase that allows
you to log into the Entrust Certificate Retrieval Web pages and obtain the Entrust
certificate.
When you pick up the certificate, the page is able to store it directly on your token.
Note:
If you are picking up a Document Signing certificate for the first time, be sure that you
have already completed the following procedures:
- downloaded and installed the token software as described in “Downloading and
  installing the token software”
- initialized the token as described in “Initializing your token”
Complete the following procedure to obtain your Entrust certificate.
To obtain your Entrust certificate
1 Insert your token into a USB port.
2 In the notification email sent to you by Entrust, click the link to the Entrust Certificate
  Retrieval Web pages.
  The Entrust Certificate Retrieval login page appears.
3 In the text field, enter the passphrase issued to you by Entrust.
4 Click Submit to log in.
5 Read the software subscription agreement.
6 If you agree to all terms and conditions of the subscription agreement, click Accept.
  You must accept the subscription agreement to retrieve the certificate and install it on
  the token.
  You are prompted to select a CSP (Cryptographic Service Provider) and create the
  certificate.
7 From the Select CSP drop-down list, select a Cryptographic Service Provider (in this
  case, the eToken Base Cryptographic Provider CSP).
8 Click Create Certificate.
  The Token Logon dialog box appears.
9 In the Token Password field, enter the password that you created for your token.
  This is the password you created specifically for the token during SafeNet token
  initialization. This is not the passphrase you used to log in to the Entrust Web site.
  A Web Access Confirmation dialog box appears.
10 Click Yes to proceed.
  The Web site generates the certificate on your token. This process will take a few
  moments. When the certificate has been created, a success message is displayed.
Your certificate is now ready for use.
The certificate is also added to the Windows Certificate Store. This allows Adobe
Acrobat to recognize the signature so you can use the certificate. This is not the same
as validating another user’s signature.
Changing the password for your token
Complete the following procedure when you need to change the password for your
token.
Attention:
If you forget your password, you must initialize your token. Initializing your token
deletes its contents including certificates and keys. For more information, see
“Recovering a certificate”.
To change your token password
1 Insert your token into a USB slot on your computer.
2 From the desktop system tray, right-click the SafeNet icon and then select Tools.
  If you do not see the icon in the system tray:
  • On Microsoft Windows Server 2008 or Windows 7, select Start > All Programs
    > SafeNet > SafeNet Authentication Client > SafeNet Authentication
    Client Tools.
  • On Microsoft Windows Server 2012 R2 or Windows 8.1, select Start, then click the
    down arrow to access Apps, then click SafeNet Authentication Client Tools.
    (When listed by name or category, SafeNet Authentication Client Tools is
    listed under SafeNet.)
  The SafeNet Authentication Client Tools dialog box appears.
3 Click the Advanced View icon.
  Information about the token appears.
4 In the tree view, expand SafeNet Authentication Client Tools > Tokens.
5 Under Tokens, right-click on the entry for your token and select Change Password.
  A Change Password dialog box appears.
6 In the Current Token Password field, enter the current token password.
7 In the New Token Password and Confirm Password fields, enter and confirm a
  new token password.
  The new password must comply with the password settings defined on the token.
  Strong passwords contain at least eight characters, and include at least one uppercase
  character, one lowercase character, one number, and one non-alphanumeric character.
  Easily-guessed passwords are not secure.
8 Click OK.
  If the password was changed successfully, a success message appears.
You have successfully changed the token password.
Recovering a certificate
If you need to recover your certificate—for example, because you forgot the
password—you have the following options:
• If you need to recover your certificate within 30 days of purchasing it, Entrust
  Certificate Services will reissue it once for free. After the 30 day period, or if you
  need to recover the certificate more than once, you must purchase a new
  certificate.
• If the certificate is from a single certificate order and you forget the password
  before the certificate is generated, Entrust Certificate Services support will reset
  the password for you.
• If your certificates are managed using Entrust Certificate Services, your Certificate
  Services Administrator can reset your password without intervention by Entrust
  support.
The Token Utility cannot recover the certificate. Use one of the methods listed above if
you need to recover your certificate.
Signing a document
This chapter provides basic information about how to sign an Adobe PDF or Microsoft
Word file, and how to set signature preferences.
Documents can also be certified to ensure that they are not altered after the signature
is applied. For more advanced configuration options, see the Adobe or Microsoft
documentation. A digital signature enables recipients to verify that the document came
from you or passed through your possession, providing accountability.
Signing a PDF document
You can add one or more digital signatures to a PDF file or form using Adobe Acrobat
or Adobe Acrobat Reader.
One or more signature fields can be created directly on the PDF for easy viewing. The
field contains details about the certificate and the signature name. This example
explains how to sign a PDF using Adobe Reader and a document signing certificate on
a token.
Note:
Procedures in this chapter are based on Adobe Acrobat Reader DC version 2015.010.
The instructions may differ for other versions of Adobe Reader and Adobe Acrobat.
Complete the following procedures to sign a document:
• “Select your certificate in Adobe Reader”
• “To sign the PDF document”
Select your certificate in Adobe Reader
1 Insert your token in a USB port on your computer.
2 Open the PDF document in Adobe Reader.
3 From the main toolbar, click Edit > Preferences.
4 In the Preferences page, select Signatures.
5 In the Identities and Trusted Certificates panel, click More.
6 In the Digital ID and Trusted Certificate Settings page select Windows Digital IDs and
  choose your document signing certificate from the list.
7 From the pencil icon (edit) menu select Use for Signing.
8 Close the Digital ID and Trusted Certificate Settings page and click OK in the
  Preferences page.
To sign the PDF document
1 Be sure that your token is plugged in to a USB port on your computer.
2 In the Adobe Reader ribbon, select the Tools tab.
3 Scroll down to the Certificates tool and click Open.
  a Select Digitally Sign in the ribbon.
4 Read the information dialog and click OK.
5 In your PDF, click and drag your mouse to create a signature field.
6 In the Sign Document dialog, edit the appearance of the signature if required. Help is
  provided for this dialog.
7 Click Sign.
8 Adobe Reader automatically asks you to select a file name and location for the signed
  PDF. When you are finished click Save.
9 When asked, enter the password for your token to allow Reader to use the certificate.
10 You may be asked for permission to connect to the Entrust timestamp server if this
  option is enabled in Adobe Acrobat Reader. Click Yes to continue.
11 The signature appears in the selected area of the document.
Signing a Microsoft Word document
Microsoft Word provides the ability to add signatures from one or more individuals to
provide accountability and assure authenticity. This example explains how to sign a
Word document using a document signing certificate on a token.
Note:
This procedure is based on Microsoft Office 2013. The procedure may differ for
other Microsoft Office versions.
To sign a Word document
1 Plug the token with your Entrust Document Signing certificate into a USB port on your
  computer.
2 In your Word document, select the File tab.
3 Be sure that Info is selected in the left menu.
4 Select Protect Document > Add a Digital Signature.
5 In the Sign dialog:
  a Select the Commitment Type (creator, approver, or creator and approver).
  b Enter a purpose for signing the document.
  c Click Details to enter information about who you are (title and location). This
    information will become part of your signature.
  d Click Change to select your Entrust document signing certificate, if it does not
    appear in the bottom panel.
  e Click Sign.
6 Provide your token password, if requested.
7 If the Request Permission to use a Key dialog appears, select Grant permission to
  continue.
8 Word signs the document and displays a success message.
9 To view the signatures, select the File tab > Info > View Signatures.