\certifio-manager API documentation version \1.1.0

https://certifio.notariuslocal.com

Introduction

CertifiO Manager is your one-stop shop access to your digital signature, providing a near-zero footprint client side signature experience. Traditionnaly, client-side signature through a web page was based on Java Applets, but these are being phased out by all major browser vendors. As of today, Internet Explorer and Safari are the only browsers supporting them.

Installation

CertifiO Manager is a simple desktop application which acts as an access point to a digital signature. It executes a local web server which processes requests coming from a web site.

Installation details

  • Installation path: %APPDATA%\Notarius\certifio-manager
  • Logs: %APPDATA%\Notarius\log\certifio-manager
  • Local listening port: 24250
  • Startup exe: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\certifio-manager.exe

Requirements

Operating Systems

  • Windows 8 or 10, version 64-bits
  • OSX 10.10 or later

CPU/RAM

  • Modern CPU
  • 128MB RAM

Browsers

  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer 11
  • Safari

User Mode

By default, the installation/update process gets triggered at the moment a function is called on CertifiO Manager. The user will be invited to download and execute the installation/update package. The package does not require administrative privileges.

Enterprise Mode

Some organizations have specific requirements regarding software installation/execution. For example, restrictions regarding executing software packages downloaded from the web, or restrictions regarding external accesses to remote systems. In these cases, CertifiO Manager can be deployed throughout the organization by following the procedure described below:

Silent install

CertifiO Manager can be installed silently by running the following command:

certifio-manager.exe /S

Configuration

CertifiO Manager addresses a lot of potential organization-specific restrictions by allowing the default behavior to be altered using environment variables:

Environment variableDescription
NTS_PROXY_HOSTInternal proxy host name / IP address. For example, *proxy.mybiz.com*
NTS_PROXY_PORTProxy port. For example: 80
NTS_NON_PROXY_HOSTSExclusion list, separated by pipes. For example, \*.noproxy.notarius.com|127.0.0.\*
CFM_LICENSEUse a specific license. Allows use of a test license with test domain authorizations.
CFM_AUTOUPDATEDefault to true. If false, the update process will be disabled. Used by organisations which disallow execution of EXE from the web.

Integration

The web site which will use a CertifiO Manager instance needs to be authorized by Notarius.

Integrating CertifiO Manager into an existing web application is as simple as sourcing the following javascript file:

The functions documented in Javascript API section will afterward be available to the application. CertifiO Manager also have the following dependencies:

An example integration is available here: https://notarius.com/cf-test/

Javascript API

The Javascript API provides the most simple way to integrate CertifiO Manager to a web application. It hides the low-level details and handles installation and updates.

CertifioManager Class
ConstructorDescription
CertifioManager(lang:string)Creates a new CertifioManager instance using the specified language (en or fr). Will try to communicate with a running instance of CertifiO Manager and triggers the installation/update process if needed.
MethodsDescription
getCertificates(success:func, failure:func)Return value: Array of available certificates (Certificate class) in the success callback.
sign(req:SignRequest, success:func, failure:func)Return value: Signature result in success callback. Result is a Base64-encoded string whose value depends on SignRequest.type specified.
Certificate Class. /certs Response
PropertiesDescription
deviceIdType: string. Unique reference to this certificate.
cnType: string. The Common Name (CN part of DN).
dnType: string. The Distinguished Name.
orgType: string. The Organization Name (The O part of DN).
displayNameType: string. A human friendly name. Format is: CN (ORG). For example, John Doe (OIQ).
encodedFormType: string. A base-64 encoded representation of the X.509 Certificate. To create a .cer file to be used in conjonction with ConsignO Server, you should add to the resulting string:
1.- At the beginning, this text: -----BEGIN CERTIFICATE-----
2.- To the end, this text: -----END CERTIFICATE-----
SignRequest Class. /signatures Request
PropertiesDescription
deviceIdType: string. Unique reference to the signing certificate.
typeType: string. The signature type. One of:
  • ENVELOPED: Result will be the original data with signature in a single data structure (P7M format)
  • DETACHED: Result will be the signature only (P7S format)
  • PKCS1.5: Result will be the signature only (PKCS1.5 format)
dataType: string. Data To Be Signed.

Examples

Listing the available certificates

var mgr = new CertifioManager("en");
mgr.getCertificates(
  function(certs){
    $.each(certs, function (i, cert) {
        //fill select box with certificate display name
        $('#certificates').append($('<option>', {
            value: cert.deviceId,
            text : cert.displayName)
        }));
    });
  },

  function(resp) {
    console.error(resp);
  }
);

Authentication

Authentication based on a digital signature is essentially a signature over a random value known only by the server. The signature result is sent back to the server, which will verify the signature and log in the digital signature owner.

var req = {
  //seleted certificate device id
  deviceId: $('#certificates').val(),
  type: "ENVELOPED",
  data: "myrandomvalueonlyknownbyserver"
}

mgr.sign(req,
  function(data){
    //submit data to server
  },
  function(resp){
    console.error(resp);
  }
);

Signing the web page content

var req = {
  //seleted certificate device id
  deviceId: $('#certificates').val(),
  type: "ENVELOPED",
  data: $('html').html();
}

mgr.sign(req,
  function(data){
    //submit data to server
  },
  function(resp){
    console.error(resp);
  }
);

Signing a PDF file

In order to sign a PDF with a local digital signature without sending the full PDF file client-side, ConsignO Server Automation (CSA) is needed on the server side to prepare and finalize the PDF signature.

Refer to CSA documentation, functions prepareExtSignPDF and finalizeExtSignPDF.

//the method below should submit selected certificate to server for external signature preparation by CSA
var dataToBeSigned = prepareSig(selectedCert.encodedForm);

//do the actual signing using type PKCS1.5
var req = {
  //seleted certificate device id. Must match the certificate selected during signature preparation
  deviceId: selectedCert.deviceId,
  type: "PKCS1.5",
  data: dataToBeSigned;
}

mgr.signatures(req,
  function(data){
    //the method below should submit data to server for signature finalization by CSA
    finalizeSig(data);
  },
  function(resp){
    console.error(resp);
  }
);

API resources

Examples: Click on the green POST button for each resource.

In the current version, the following resources are available:

/certs

In case of a success callback, it will list an array of available certificates (Certificate class) available in the localhost.

post

post

HTTP status code 200

Body

Media type: application/json

Type: object

Properties
  • data: required(object)

    Listing of all the certificates available.

    • type: required(string)

      It will be set to MSCAPI

    • url: required(string)

      Unique URL to this certificate within MSCAPI.

    • cn: required(string)

      The Common Name (CN part of DN).

    • deviceId: required(string)
    • org: required(string)

      The Organization Name (The O part of DN).

    • dn: required(string)
    • encodedForm: required(string)

      A base-64 encoded representation of the X.509 Certificate. To create a .cer file to be used in conjonction with ConsignO Server, you should add to the resulting string, At the beginning, this text; -----BEGIN CERTIFICATE-----. To the end, this text; -----END CERTIFICATE-----

    • displayName: required(string)

      A human friendly name. Format is

    • notBefore: required(number)

      The start date of the certificate

    Example:

    {
  "type": "mscapi",
  "url": "mscapi://CURRENT_USER/UID=9999 + CN= CompanyName - TEST, OU=Company Name, O=CertifiO - Org., O=Test Interne, C=CA",
  "cn": "CompanyName - TEST",
  "deviceId": "de2712",
  "org": "Company Name",
  "dn": "CN= CompanyName - TEST + UID=9999, OU=Company Name, O=CertifiO - Org., O=Test Interne, C=CA",
  "encodedForm": "MIIHHzCCBQegAwIBAgINAKIk308AAAAAVWcf6zANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJDQTEVMBMGA1UEChMMTm90YXJpdXMgSW5jMSkwJwYDVQQDEyBOb3Rhcml1cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAeFw0xOTA5MTMxNzAxMjJaFw0yMTA5MTMxNzMxMjJaMIHMMQswCQYDVQQGEwJDQTEVMBMGA1UEChMMVGVzdCBJbnRlcm5lMRUwEwYDVQQKEwxDZXJ0aWZpTyBQcm8xLTArBgNVBAsUJE9JUSAtIE9yZHJlIGRlcyBpbmfpbmlldXJzIGR1IFF16WJlYzFgMBMGCgmSJomT8ixkAQETBXJjaXFhMEkGA1UEAxRCTWF0aGlldSBGb3J0aW4gLS0gSW5n6W5pZXVyIC0gT0lRIC0gT3JkcmUgZGVzIGluZ+luaWV1cnMgZHUgUXXpYmVjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwQw/aRQSHDraPwmVfdkdkVPWK/Gl6o0jy6UFNnTldYXhMxfGm6mTrn+HgPHSpFycMshTVlRNUrbWY/i/35j4jrekN5s+3Of+nus9hCHasRVFfr4O8z6P7J1iXl5+jJomW3FRLBia2cT3RAnCrfKm3ndpKtLaulO/MXjAroIgyG3/TZI7Z25JFhoWQyxv0ForRviYmRtDUQItxOKlc/LhvX/KF6AsmYCaASEXzoi4X/I0t2WXN94YhUkygJ+7BW1CtU55ORhjuLKCqqatS+6cGhfXjotlFUpyUt3uoLt74sN1oDkiLIjPHdkq9xs4JomK9dX+yGhsTuhdKla1UVMAwIDAQABo4ICejCCAnYwCwYDVR0PBAQDAgeAMD8GCiqGSIb3LwEBCQEEMTAvAgEBhipodHRwOi8vdHNhMS5ub3Rhcml1cy5jb20vdHNhMS1jYTEvYTE3YzJjNTQwbAYDVR0gBGUwYzA6BgZgfIb3DgIwMDAuBggrBgEFBQcCARYiaHR0cHM6Ly9ub3Rhcml1cy5jb20vY2VydGlmaWNhdGlvbjALBglgfIb3DgIDAwEwCwYJYHyG9w4CAwIBMAsGCWB8hvcOAgMBATA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwMS5ub3Rhcml1cy5jb20vb2NzcDEtY2EyMCAGA1UdEQQZMBeBFXJjaUB0ZXN0LnRlc3QtbnRzLmNvbTAbBgNVHQkEFDASMBAGCSqGSIb2fQdEHTEDAgEXMIHKBgNVHR8EgcIwgb8wgbyggbmggbaGUmh0dHA6Ly9jcmwxLm5vdGFyaXVzLmNvbS9jcmwxLWNhMi9jcmwvbm90YXJpdXNfY2VydGlmaWNhdGVfYXV0aG9yaXR5XzJfY3JsZnVsbC5jcmykYDBeMQswCQYDVQQGEwJDQTEVMBMGA1UEChMMTm90YXJpdXMgSW5jMSkwJwYDVQQDEyBOb3Rhcml1cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjENMAsGA1UEAxMEQ1JMNTArBgNVHRAEJDAigA8yMDE5MDkxMzE3MDEyMlqBDzIwMjEwNzA5MjIzMzQ2WjAfBgNVHSMEGDAWgBTv9yWJQ7+st6QTVbPusXS2Amo4SzAdBgNVHQ4EFgQUpE9k33cLSaggG2btv3dJvfekXAcwDQYJKoZIhvcNAQELBQADggIBAJNWAODh/DHsNhb3eJ4wOLbQ5OGAfaea0Xkpytgx8mZZPQFeaAM0ZVnlmWsG4qxP6p4rb7JpaoLQYUvY2GVgZfNdseYy30RcTOcXjyswsgYRcW6ZVHNrxlEWQBYBMv25cK6LYqPJBN3OMIW4oTF1FkqBPZb8NNcLoclf8KuRqi/ZMkNGVaO3AhHnjfzpnLjO5IUKrlA6imlu1GWzMkdVxkOlI9ELLGsfRv0u3j0GVvBzEz4o+dV+kLZKwGqCUCotXAaSbvwZqMeRpdg2WG6InGh98FOHG7ljOidE25vZ9bv9TpP0jqj1jv/Ib7qk+5OVFAXa0baZ66dTd19rRTwQbtOeRE1VoRSlf/PDbRnvSr53JX0M/nbiv4pZZpDxu/J3WRY8i6hz4nbQZvsir0NjBjBcOsosF66W8wcJrpyOfltK+EEqgp5HWAm/AKPBKVSIJTEOC8CpFOw3ayo1yDE56m2nL9JPxF66zbBvUlhSyPI7QojT0xoCLzStq1I6y3RlqnwBNWf10sPUk1ZcYlIuO4XXZJoHKKBirmm8N2qdifd6+kyW+Y3r1D2G0swjLeesXC4wXQVeUw4sAxCmVF9AGzcD6F1RKSXjerOcBVANBlTzEoTlS3inFHOLCIOcu1QghITxM4saQytlhidXY8JnC2tx/4A7E5jImsaxI9b2eYlq",
  "displayName": "CompanyName - TEST",
  "notBefore": 1453924476000
}

/signatures

Signature result in success callback. Result is a Base64-encoded string whose value depends on SignRequest.type specified.

post

post

Body

Media type: multipart/form-data

Type: object

Properties
  • json: required(object)
    • deviceId: required(string)

      Unique reference to the signing certificate.

    • Type: required(string)

      The signature type. One of:

      • ENVELOPED: Result will be the original data with signature in a single data structure (P7M format)
      • DETACHED: Result will be the signature only (P7S format)
      • PKCS1.5: Result will be the signature only (PKCS1.5 format)
    • data: required(string)
    • password: (string)

      Leaving this argument empty will prompt Entrust login window to pop-up, so that the user can enter its password.

    Example:

    {
  "deviceId": "93399a",
  "Type": "PKCS1.5",
  "data": "MDEwDQYJYIZIAWUDBAIBBQAEIIqLd6WVtsMrEDWpKolCaKey9BYAeq1MH0G5/vguRgmF",
  "password": ""
}

HTTP status code 200

Body

Media type: application/json

Type: object

Properties
  • data: required(string)

Example:

{
  "data": "qCx43cfwU/vo1n0aeqgoUQNqHwnmCw+ERS2I/mj5gstKqr82Y4X2R2X7qInOgRNI21o/2uhmLCydP7dhpyUkV5U5Z3lGNMmhbBJ/aCMBZa2RRd72WsqQ4GUvf4ywj6tR6k74TL5+Cmhc8debvjgpH0S/DhwlSpw6ZwnCTLG+U0HLdapWM9IgvfVRcQAVa26M/mkeBR3LBB+fskg0n5qmHjcMt/tOeMPi4fISxnzNf7aLKzDhDR5COgAZJ0MCAnytYEZQeLGrzunp4U6jF9xW55/9bkX78E32LNnrM3uUhBBNU397YIYa68JvfT5g5ZWaXAJ1t+yOVMYcPjFQhxT/FQ=="
}