Certificate Management¶
Digital certificates are essential for creating legally binding, cryptographically signed PDFs.
Why Certificates Are Needed¶
Digital signatures require a certificate to:
- Create legally binding signatures - Cryptographic proof of signing
- Verify document integrity - Detect any tampering
- Provide non-repudiation - Prove who signed
- Enable long-term validation - Signatures remain valid over time
Certificate Types¶
Self-Signed Certificates¶
- Generated by GxPSign
- Good for testing and development
- Free to create
- Not trusted by external PDF readers by default
CA-Issued Certificates¶
- Issued by a trusted Certificate Authority (CA)
- Automatically trusted by PDF readers
- Required for external document sharing
- Has associated costs
Recommendation
For production use, especially if sharing documents externally, use a CA-issued certificate.
Managing Certificates¶
Viewing Certificates¶
Certificates are managed through Django Admin:
- Access Django Admin (
/admin/) - Go to Signature Certificates
- View all organization certificates
Certificate Information¶
Each certificate displays:
| Field | Description |
|---|---|
| Name | Friendly name for the certificate |
| Subject | Certificate subject (organization info) |
| Issuer | Who issued the certificate |
| Valid From | Start of validity period |
| Valid Until | Expiration date |
| Serial Number | Unique certificate identifier |
| Is Default | Whether this is the default for signing |
Generating Self-Signed Certificates¶
Using Django Admin¶
- Go to Django Admin > Signature Certificates
- Select certificates to generate for
- Choose Generate self-signed certificate from Actions
- Click Go
Using Management Command¶
# Generate for all organizations without certificates
uv run python manage.py generate_default_certificates --all
# Generate for a specific organization
uv run python manage.py generate_default_certificates --org-id <id>
Certificate Details¶
Self-signed certificates are generated with:
- 2048-bit RSA key
- 365-day validity
- SHA-256 signature algorithm
- Organization name as subject
Importing External Certificates¶
Prerequisites¶
Before importing, you'll need:
- PEM-encoded certificate file
- PEM-encoded private key file
- Private key password (if encrypted)
Import Process¶
- Go to Django Admin > Signature Certificates
- Click Add Signature Certificate
- Enter:
- Name: Descriptive name
- Certificate PEM: Paste certificate content
- Private Key PEM: Paste private key content
- Key Password: If key is encrypted
- Is Default: Check if this should be the default
- Click Save
Security Warning
Never share private key data. Keep private keys secure and limit access to certificate management.
Certificate Validation¶
When you save, the system validates:
- Certificate format is valid
- Private key matches certificate
- Certificate is not expired
- Key password is correct (if encrypted)
Default Certificate¶
Setting a Default¶
Each organization should have one default certificate:
- Go to Django Admin > Signature Certificates
- Click on the certificate
- Check Is Default
- Click Save
How Default Is Used¶
- All new signatures use the default certificate
- If no default, the first valid certificate is used
- Documents can override with a specific certificate
Certificate Expiration¶
Monitoring Expiration¶
The admin interface shows expiration warnings:
- Red: Expired
- Yellow: Expiring within 30 days
- Green: Valid for more than 30 days
Renewal Process¶
- Obtain a new certificate from your CA
- Import the new certificate
- Set it as the new default
- Test with a new signature
- Optionally remove the old certificate
Plan Ahead
Start renewal at least 30 days before expiration to avoid signing interruptions.
Hardware Security Modules (HSM)¶
For highest security environments, consider using an HSM:
- Private keys never leave the HSM
- Tamper-resistant hardware
- Required for some compliance standards
- Contact support for HSM integration
Timestamping¶
Trusted Timestamps¶
GxPSign can add trusted timestamps to signatures:
- Proves when the signature was made
- Independent verification of time
- Required for long-term validation
TSA Configuration¶
- Obtain TSA credentials from a provider
- Configure in organization settings:
- TSA URL
- Authentication credentials
- Enable timestamping for signatures
TSA Providers¶
Common trusted timestamp providers:
- DigiCert
- Sectigo (formerly Comodo)
- GlobalSign
- FreeTSA (for testing)
Long-Term Validation (LTV)¶
What is LTV?¶
LTV embeds all necessary validation data in the signed PDF:
- Certificate chain
- Revocation information (CRL/OCSP)
- Timestamp certificates
Why LTV Matters¶
Without LTV, signatures may become unverifiable when:
- Certificates expire
- CRL/OCSP servers are unavailable
- CA goes out of business
With LTV, signatures remain verifiable indefinitely.
Enabling LTV¶
LTV is automatically enabled when:
- A trusted timestamp is added
- Certificate chain is available
- Revocation data can be obtained
Troubleshooting¶
Certificate Not Recognized¶
- Ensure the certificate chain is complete
- Check that the certificate is not expired
- Verify the private key matches
Signatures Show as Invalid¶
- Certificate may have expired
- Document may have been modified
- LTV data may be missing
Cannot Generate Certificate¶
- Check database connectivity
- Verify organization exists
- Review error messages in logs
Best Practices¶
- Use CA-issued certificates for production
- Monitor expiration dates proactively
- Enable LTV for long-term validation
- Use trusted timestamps for legal compliance
- Secure private keys with strong access controls
- Regular backups of certificate data