What do we need a signature for? What idea does a signature on a document convey?
A signature is simply a way of authenticating a document. Whenever we need to substantiate a document, paper or file, a signature at the bottom does the job.
But we live in an internet world where documents are created and exchanged online. Personal, legal, official and even confidential information is now communicated online. This surge in online documentation and sharing calls for a method of authenticating an online document.
A digital signature is a way to warrant online data or a document. In other words, it is used to authenticate digital information, such as documents, e-mail messages and macros, using cryptography. Moreover, a digital signature helps us affirm that the document has not been tampered with after it was signed by the legitimate authority, by converting the file into a ‘Read Only’ format immediately after signing.
A Digital Certificate is, in a way, an ‘identity proof’ of the digital signature. There are two methods of getting a certificate.
NOTE – In this case if you share your digitally signed document with other people, they cannot verify the authenticity of the document without manually trusting the source.
There are two ways to authenticate Office documents with digital signatures. You can either –
Both these methods are illustrated below.
Add visible signature to a document –
After you have finished editing your document, the final step that remains to make it authentic is adding a digital signature. The steps to add a digital signature to your Word document are –
Here you can either get a certificate from a Microsoft partner or create your own digital ID. I would suggest, for the time being, going with the second option: click OK and then fill in your details.
Once you are done filling, click Create and your digital ID is made.
Fill in this data, select one or both of the checkboxes (optional) given below, and click OK.
Now, to add a printed version of your signature, type your name in the box next to the X. Alternatively, upload an image or logo by clicking the ‘Select Image’ option and choosing the image you want.
Now click the ‘Sign’ button.
Your visible signature is now inserted into your document, making it a ‘read only’ file. You can remove or inspect this signature by right-clicking the signature block and selecting ‘Remove Signature’ or ‘Signature Setup’ respectively.
Add invisible signature to a document –
If you do not need to insert visible signature lines into a document, but you still want to provide assurance as to the authenticity, integrity, and origin of a document, you can add an invisible digital signature to it.
For this, after your document is complete, go to ‘File’ (top left corner). In the menu, go to ‘Info’ and then click ‘Protect Document’.
Another drop-down menu will appear. In it, click the ‘Add a Digital Signature’ button. A small window will pop up on your screen like the one shown.
In this window, fill in the relevant details (optional) and then click ‘Sign’. A dialog box will appear again, as illustrated in point 5 above. Click OK.
And you are done! Your document now carries an invisible signature and has been converted into a non-editable file. An icon in the bottom bar indicates that the document is protected. It looks like –
This is how you can easily authenticate your Word documents by adding visible or invisible digital signatures to them.
If you couldn’t follow something from our article, please do tell us. We would be delighted to help you.
This HOWTO walks through one way to get smart card login functionality working on Windows 7/8 clients that are joined to an Active Directory domain hosted by a Samba 4 AD domain controller.
Some of the many related topics this HOWTO doesn't cover:
Although this HOWTO does not cover the ins-and-outs of working with smartcards -- as I said, there are a lot of different varieties out there, each fitting different types of users and needs -- here's the card and reader I used for those interested. This equipment met my needs. YMMV.
This is an ExpressCard/54 form-factor smart card reader. Apparently, Gemalto now sells this reader under the name 'IDBridge CT510.' Windows 7 and 8 drivers are available on Gemalto's website, and through the Microsoft Update Catalog website.
This card has been replaced by the 'IDPrime .NET' family of cards. The one I used appears to be closest to the 'ID Prime .NET 510' in functionality.
Windows 7 and 8 drivers can be downloaded from Gemalto's website. For Windows you will, at a minimum, need to have the card minidriver installed. The minidriver provides access to the smartcard for Windows, and is all you'll need to have installed in order to use this particular card for Windows client logins once the card has the necessary certificates installed on it.
Gemalto also provides a PKCS#11 library for this card that allows applications to communicate with it via the standard PKCS#11 interface. Examples of such applications include Mozilla Firefox and Truecrypt. Using the PKCS#11 library, you can add and delete certificates from the smartcard within Firefox, and you can also set the smartcard's PIN. However, as far as I know, you can't use Firefox to change the card's admin/unblock key, which, on the Gemalto cards at least, is set to a default of all zeros. If you want to use these cards outside a casual setting, make sure you change the admin/unblock key. Gemalto distributes the PKCS#11 libraries as pre-compiled libraries, so they are OS-family specific. Currently, there's one for Windows and one for MacOS X 10.7-10.8 available on the relevant Gemalto download page. The Gemalto website states elsewhere that there is a Linux version of the library available by special request.
I generally followed the Main Samba HOWTO, up until the point where the Windows client successfully joined the domain. I deviated in a few ways, listed here.
I used Windows 7 as my client instead of Windows XP.
The directions in this HOWTO currently do not result in successful smart card logins on Windows XP clients. The Samba log will show a successful Kerberos authentication, but the logon will fail on the Windows XP client with an error message in the event log about an 'Invalid algorithm specified.'
I suspect the problem is that I (sanely) used SHA256 as my signing hash. Windows XP did not support the SHA2 suite of hashes at all until Service Pack 3, and even then, there are still issues. One possible fix (that I have not tried) would be to replace 'sha256' with 'sha1' in the OpenSSL configuration file provided, and in the command used to generate the Root CA certificate, and then see if the resulting set-up successfully works on Windows XP. But even if it does, is it really worth it, given the reasons why you'd use a smart card for login?
In addition to the packages listed in the Samba HOWTO, I also installed the following packages on the Ubuntu server that was running Samba:
Samba 4.0.1 was configured as follows:
The Active Directory domain was provisioned as follows:
For this HOWTO, I have created two users: Tina Admin, with the username tina and password 1123Eureka5; and Jerry User, with the user name jerry and password pa$$w0rd. The single client Windows workstation is named Buffalo. The directory is organized as follows:
For the purposes of this HOWTO, the CDP location will be http://crl.greatlakes.example.com/greatlakes.crl, and will be hosted on a webserver on the domain controller. In general, one should not host other externally accessible services on the directory server, but this shouldn't be an issue for the purposes of this limited setup. As mitigation, the CDP server name will be an alias set up as a DNS CNAME record, so that the CDP server can be moved to another server later. As an alternative, I believe that one could set up an LDAP CDP within the directory, which the MS support document shows is acceptable for the purpose of revocation checking during logon. I am not sure how to set this up, however.
A base OpenSSL configuration file is shown below. You will need to customize it for your location.
Follow these steps to set up the basic CA structure:
From the CA Base Directory, execute the following command:
You will be prompted for a password for the CA private key. You will need it to issue any certificates signed by the CA. You will then be asked to provide other information that will be incorporated into the certificate.
If all goes well, a public CA root certificate will be created in the CA Base Directory with the name cacert.pem. The private key will be created in the directory 'private', with the name cakey.pem. Remember that anyone with the CA key (and the password for it) can issue certificates from the CA -- and create valid login credentials for your domain.
Using the following command, output the CA root certificate in text form and examine the resulting file.
In particular, ensure that the CRL distribution point is correct. Technically, the value listed in the CA cert might be ignored, but it will matter in issued certificates, and it's much easier to fix errors now -- just delete the root certificate and private key, change the relevant values in the configuration file, and create a new root certificate and key.
Windows doesn't understand PEM-formatted certificates, so we'll create a DER-formatted copy of the CA root certificate, and give it a Windows-friendly .cer extension.
Before you can issue certificates, you will need to obtain the 'User Principal Name' of each user that will be logging in via smart card, as well as the GUID of your domain controller.
I assume you have installed the Remote Server Administration Tools on a domain-joined Windows client machine - you'll need the included Active Directory Tools. If not, please go ahead and do so now. Then launch the Active Directory Services Interfaces Editor (listed as ADSI Edit in the Administrative Tools menu), while logged in as a domain Administrator.
Right-click on 'ADSI Edit' in the upper left-hand corner of the screen and select 'Connect To..'
The Connection Settings dialog box should appear. You should be able to just click OK.
Once a connection has been established, you can browse down the tree.
When you expand the 'Default naming context' and its child 'DC=greatlakes,DC=example,DC=com', you'll see a list of child nodes of items in Active Directory.
Select the child node called 'OU=Domain Controllers'. There should be one child: 'CN=NIAGRA'. Right click on that child and select 'Properties' from the pop-up menu.
The Attribute Editor appears. Scroll down until you find the entry for the attribute 'objectGUID', then click the 'View' button.
Make sure that the 'Value format' is set to Hexadecimal, then copy the value listed and save it somewhere.
Click OK to close the Attribute Editor dialog, then close the Attribute Editor window for the Niagra domain controller object.
A userPrincipalName (UPN) is a user's identifying name within the underlying Kerberos authentication. You will need a user's UPN so you can make it part of their login certificate, which will allow the Kerberos authentication logic on the Samba domain controller to map the certificate to an Active Directory user account.
A UPN is an attribute of a user object. In this test setup, all users are located in the 'People' Organizational Unit, so expand that node in ADSI Edit.
The user Tina Admin is in the 'ITAdmins' Organizational Unit, so expand that node, then right-click on the 'CN=Tina Admin' node, and select 'Properties' from the popup menu.
Repeat the procedure to obtain the UPN of Jerry User, who is located in the 'FieldReps' Organizational Unit.
Add the following section to the CA's OpenSSL configuration file (openssl.cnf), editing as indicated.
The 'extendedKeyUsage' line consists of previously-defined aliases for object identifiers (OIDs). The serverAuth and clientAuth aliases are built-in to OpenSSL, while the 'msKDC' alias is defined in the 'new_oids' section at the top of the OpenSSL configuration file.
The 'subjectAltName' line is a list of alternative identifiers for the subject of the certificate. The contents are determined by the requirements that Microsoft has specified for Domain Controller certificates. In particular, Microsoft has required that a DC's certificate contain:
Afterwards, replace the commented-out line in the OpenSSL configuration file
with this line, which tells OpenSSL to add the extensions listed in the 'usr_cert_mskdc' section to certificates it issues from the CA.
Save the configuration file and then use the following commands to create a request for, and then issue a signed certificate for the domain controller.
You will then be asked for some information about the certified entity. When it asks for the Common Name (CN) enter the DNS name of the server. You can leave the email address blank.
Now have the CA issue the certificate:
Enter the password for the CA root key, verify the information for the requested certificate. If it's correct, type 'y' to issue the certificate, and 'y' to commit it to the CA's internal database.
Your domain controller certificate is dc-cert.pem, with a private key stored in the private directory as dc-key.pem.
If you convert your domain controller certificate to DER format and open it on a Windows machine, you can verify that the subject alternative name contains an entry of type 'DS Object Guid', and a value of '04 10 [Domain Controller GUID]'. According to Microsoft's documentation, the 04 is the tag byte for an octet string, while the 10 is the length of the string (16 bytes).
Append the following to the OpenSSL configuration file of your CA, and edit the 'subjectAltName' line to include the UPN of one of your users.
For Tina Admin, the resulting line will be:
The 'msUPN' is another OID, this time indicating that the following value is a userPrincipalName.
The extendedKeyUsage 'scardLogin' is an alias for the OID 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon). By default, when Windows looks at all the certificates on a smart card, it only recognizes certificates with that EKU value as potential certificates for logging in. (You can, however, change that by enabling the group policy setting 'Allow certificates with no extended key usage certificate attribute'.)
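The two extension sections described above (the domain controller section with the msKDC EKU and the DS Object GUID alternative name, and the user section with the msUPN alternative name and the scardLogin EKU) can be exercised end to end with a throwaway CA. The script below is an added example, not the HOWTO's own configuration or commands: it writes a minimal openssl.cnf containing both sections, issues a DC certificate and a smart-card logon certificate from a self-signed demo root, and provides check functions that confirm the EKUs, the DNS name, the UPN and the '04 10 [GUID]' octet-string encoding in the issued certificates. The objectGUID value, the CDP URL and the demo root are constructed. It refers to the OIDs numerically because newer OpenSSL releases already ship short names for some of them (msUPN, msSmartcardLogin), and a new_oids alias that reuses a built-in name is rejected.

```shell
#!/bin/sh
# Added example, not the HOWTO's own configuration: build a throwaway root CA,
# a domain-controller certificate and a smart-card logon certificate carrying
# the extensions described in the text, then check the issued certificates.
# Assumed (not from the text): the objectGUID value, the CDP URL and the
# self-signed demo CA. Needs only the openssl command-line tool.
set -eu

# The OIDs behind the HOWTO's msKDC, msUPN and scardLogin aliases, written
# numerically so that no new_oids alias collides with a built-in OpenSSL name.
OID_MS_KDC=1.3.6.1.5.2.3.5              # EKU: KDC authentication
OID_MS_UPN=1.3.6.1.4.1.311.20.2.3       # otherName: userPrincipalName
OID_SCARD_LOGON=1.3.6.1.4.1.311.20.2.2  # EKU: Smart Card Logon
OID_DS_OBJECT_GUID=1.3.6.1.4.1.311.25.1 # otherName: DS object GUID

DC_NAME=niagra.greatlakes.example.com
USER_UPN=tina@greatlakes.example.com
CDP_URL=http://crl.greatlakes.example.com/greatlakes.crl
# objectGUID as ADSI Edit shows it in hexadecimal value format (constructed).
DC_GUID_HEX_ADSI='5A 1F 3C 8E 42 D7 4B 0A 9E 6C 11 22 33 44 55 66'

# ADSI Edit separates bytes with spaces; OpenSSL wants one run of hex digits.
guid_to_hex() { printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]'; }
# DER of the GUID otherName value: OCTET STRING tag 04, length 10 (16 bytes).
dc_guid_der_hex() { printf '0410%s' "$(guid_to_hex "$DC_GUID_HEX_ADSI")"; }

# Minimal openssl.cnf holding the two extension sections the HOWTO adds.
# The GUID otherName goes in a named section because its ASN.1 spec contains
# a comma, which a one-line subjectAltName would be split on.
write_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ usr_cert_mskdc ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, $OID_MS_KDC
subjectAltName = @dc_alt_names
crlDistributionPoints = URI:$CDP_URL
[ dc_alt_names ]
DNS = $DC_NAME
otherName = $OID_DS_OBJECT_GUID;FORMAT:HEX,OCT:$(guid_to_hex "$DC_GUID_HEX_ADSI")
[ usr_cert_scard ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, $OID_SCARD_LOGON
subjectAltName = otherName:$OID_MS_UPN;UTF8:$USER_UPN
crlDistributionPoints = URI:$CDP_URL
EOF
}

# Issue one certificate from the demo CA using a named extension section.
issue() {   # $1 = dir, $2 = name stem, $3 = subject, $4 = extension section
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" -config "$1/openssl.cnf" \
    -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null
  openssl x509 -req -sha256 -days 7 -in "$1/$2-req.pem" -CA "$1/cacert.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -extfile "$1/openssl.cnf" \
    -extensions "$4" -out "$1/$2-cert.pem" 2>/dev/null
}

build_demo_pki() {
  write_config "$1/openssl.cnf"
  # Demo root CA with an unencrypted key; the HOWTO's real CA key is encrypted.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 -config "$1/openssl.cnf" \
    -subj '/CN=Great Lakes Demo Root CA' -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  issue "$1" dc "/CN=$DC_NAME" usr_cert_mskdc
  issue "$1" tina '/CN=Tina Admin' usr_cert_scard
}

# Does the human-readable dump match a regex (case-insensitive)? EKU names vary
# between OpenSSL versions, so callers pass both a name fragment and the OID.
cert_text_has() { openssl x509 -in "$1" -noout -text | grep -Eiq "$2"; }
# Is a printable string present in the DER encoding? Used for the UPN, which
# older OpenSSL prints only as 'othername:<unsupported>'.
cert_der_has() { openssl x509 -in "$1" -outform DER | tr -c '[:print:]' '\n' | grep -q "$2"; }
# Is a hex byte pattern present in the DER encoding?
cert_der_hex_has() { openssl x509 -in "$1" -outform DER | od -An -tx1 | tr -d ' \n' | grep -q "$2"; }

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
```

Running it leaves dc-cert.pem and tina-cert.pem in a temporary directory for inspection with `openssl x509 -text`; the check functions are what the Windows-side verification in the text does by hand (the 'DS Object Guid' entry with its '04 10' prefix, and Smart Card Logon among the enhanced key usages).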
Finally, replace the line in the configuration file
and save the configuration file.
Execute the following command from the CA Base Directory to create a certificate request for Tina Admin:
Then provide the requested information. The key piece of information is the Common Name.
Then enter the following command to verify the certificate information, and have the CA sign the request and issue the certificate:
Convert the resulting certificate to DER format. On Windows, you can open the DER-formatted certificate and verify that the UPN attribute is correct, and that the certificate has Smart Card Logon as an enhanced key usage:
Edit the OpenSSL configuration file for Jerry User, and then create his certificate.
In the CA Base Directory, create a CRL using the following command:
In the CA Base Directory, create a DH parameters file for the domain controller by executing the following command. The parameter size must match the key size of the domain controller certificate. Feel free to add some random files to the mix.
This will probably take a while, so go out and get some fresh air. (If you decided that you had to have a 4096-bit certificate for your domain controller, good luck!)
While this isn't strictly necessary, it will make it possible to move the CDP location at a later date, without having to change the information in any of the certificates. Obviously, you can only do this if you didn't pick a name that is already being used for other services. On the Samba domain controller, enter the command (substituting your domain information):
To verify that the record is working correctly, ping the new alias (e.g., crl.greatlakes.example.com) from both your Samba server and your Windows client.
In my sample domain, I installed the lighttpd web server on the domain controller. By default, its document root directory is /var/www. I've copied the CRL generated earlier to the document root directory, and given it the name 'greatlakes.crl' to match the name listed in each certificate as the CRL Distribution Point.
Verify that Windows machines in your domain can access the CRL at the correct location by entering the CRL distribution location listed in your certificates into Internet Explorer on a domain-joined Windows client. If successful, IE should ask whether to open or save the file, and if you click open, you should see a window containing information about the CRL.
In the tls subdirectory, there will already exist a ca certificate named ca.pem, and a domain controller certificate/private key pair named cert.pem and key.pem, respectively. Delete all three files (after backing them up somewhere).
You'll need to have the following files on your DC. In this example, they will have the following names:
Put each of these files, except the Domain Controller's private key, in the now-empty 'tls' sub-directory of your Samba domain controller's provision. Then, create a directory named 'secure' in the tls directory, and put the Domain Controller's private key in this newly-created 'secure' directory. Make sure that both the 'secure' folder and the Domain Controller's private key are only accessible to root (and the user that Samba is running as, if it is different).
The resulting directory/file structure is as follows:
Samba can't read encrypted private key files, so you'll need to decrypt the domain controller's private key file and store it somewhere. For simplicity, I stored it in the same directory as the encrypted key, and named it dc-privkey.pem. You'll need to run this command as a user that can access the private key.
Again, make sure that only root (and the user account Samba is running as, if it is different) can access the private key file (whether encrypted or decrypted).
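The tls directory layout, the decrypted key copy and the permission requirements from the preceding steps, as an added example that is not a command sequence from the HOWTO. A scratch directory stands in for /usr/local/samba/private, the encrypted DC key and its certificate are constructed on the spot (the real ones come from the CA), and the passphrase is a placeholder. The check functions confirm that the decrypted key loads without a passphrase and still matches the certificate, and that nothing under tls/secure is accessible to group or others.

```shell
#!/bin/sh
# Added example, not from the HOWTO: populate tls/ and tls/secure/ as
# described in the text, make the decrypted copy of the DC key that Samba
# needs, and verify the result. Assumed: a scratch provision directory, a
# constructed DC key/certificate pair, and a placeholder passphrase.
set -eu

stage_dc_tls() {   # $1 = provision dir, $2 = passphrase of the encrypted DC key
  umask 077   # every file below is created owner-only from the start
  mkdir -p "$1/tls/secure"
  # Minimal req config so this also runs where no system openssl.cnf exists.
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$1/tls/req.cnf"
  # Stand-ins for the CA's output: an encrypted DC key and a self-signed certificate.
  openssl genrsa -aes256 -passout "pass:$2" -out "$1/tls/secure/dc-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/tls/secure/dc-key.pem" -passin "pass:$2" -sha256 -days 7 \
    -subj /CN=niagra.greatlakes.example.com -config "$1/tls/req.cnf" -out "$1/tls/dc-cert.pem" 2>/dev/null
  # Samba cannot read an encrypted key, so store a decrypted copy beside it.
  openssl rsa -in "$1/tls/secure/dc-key.pem" -passin "pass:$2" -out "$1/tls/secure/dc-privkey.pem" 2>/dev/null
  chmod 700 "$1/tls/secure"
  chmod 600 "$1/tls/secure/dc-key.pem" "$1/tls/secure/dc-privkey.pem"
  rm -f "$1/tls/req.cnf"
}

# Octal permission bits of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Does the decrypted key load without a passphrase and match the certificate?
decrypted_key_matches_cert() {
  k=$(openssl rsa -in "$1/tls/secure/dc-privkey.pem" -noout -modulus 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1/tls/dc-cert.pem" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Lists anything under tls/secure that group or others could access (GNU find).
secure_dir_leaks() { find "$1/tls/secure" -perm /077; }

PROV=$(mktemp -d)
trap 'rm -rf "$PROV"' EXIT
stage_dc_tls "$PROV" 'constructed-passphrase'
```

The umask is set before anything is written so that the key never exists world-readable, even briefly; the explicit chmod calls afterwards are belt and braces. The modulus comparison is the quick way to confirm that the file you decrypted really is the key for the certificate Samba will present.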
Add the following lines to the global section of your smb.conf (adjust for your provision location):
Verify using the logs that there were no errors loading the certificate and associated files.
Open the Kerberos configuration file in your Samba provision, /usr/local/samba/private/krb5.conf, and edit it to look like the following (adjusted for your domain, of course). The first four lines should be identical to the contents of the existing contents of the krb5.conf file. (You can find out more regarding these settings here.)
Note: the dash in 'enable-pkinit' is not a typo.
Save the configuration file and close it.
Archive your existing system-wide Kerberos configuration file (typically /etc/krb5.conf) file and then replace it with a symlink to Samba's internal Kerberos configuration file.
Start the Samba DC again and ensure that it starts up cleanly.
Logon to a domain-joined Windows client as a domain administrator, and copy a DER-format copy of the CA root certificate to the Desktop. Give it the file name cacert.cer, then, open the Group Policy Management tool.
Expand the tree node labeled 'Forest: greatlakes.example.com,' then expand the child node labeled 'Domains,' and finally, expand the child node labeled 'greatlakes.example.com.'
Right click on the node labeled 'Default Domain Policy,' and select the top menu option, 'Edit..'
In the Group Policy Management Editor window that opens, expand the 'Policies' node under 'Computer Configuration', then expand the 'Windows Settings' node, then 'Security Settings', and then expand the node labeled 'Public Key Policies.'
Right click on the child node labeled 'Trusted Root Certification Authorities' and select 'Import..' from the popup menu. The 'Certificate Import Wizard' appears.
Click 'Next,' then enter the location of the root certificate file that you copied over earlier.
Click Next. The next page of the dialog box should present you with a non-choice - the certificate will be placed in the 'Trusted Root Certification Authorities' certificate store -- which is exactly what you want.
Click Next. The summary page should appear.
Click Finish, and if the certificate was successfully imported into the Default Domain Group Policy, you will see the message 'The import was successful.' Click OK. The root certificate should now appear under Trusted Root Certification Authorities in the Group Policy Management Editor.
Close the Group Policy Management Editor and the Group Policy Management window. Once domain clients update their group policy, they will trust your CA as a legitimate certificate authority.
One way to update group policy is to reboot. The other way is to open a command prompt with administrator privileges and execute the following command:
Windows should tell you that it has updated both Computer policy and User policy.
In a command prompt with administrative privileges, execute the following command to open the Microsoft Management Console (MMC):
In the window that opens, go to the File menu and select 'Add/Remove Snap-in..'
Select the 'Certificates' snap-in from the list on the left hand side of the dialog box and click 'Add', then choose 'Computer account' in the dialog box that appears, and click 'Next.' Select 'Local computer' in the next window, and click 'Finish.'
The right hand side of the 'Add or Remove Snap-ins' window should now have an entry 'Certificates (Local Computer)'. If so, click 'OK'.
In the middle pane, double click on the item labeled 'Certificates (Local Computer),' and then double-click on the 'Trusted Root Certification Authorities' item that appears in the middle pane.
Double click on the lone 'Certificates' item that now appears in the middle pane.
A list of certificates is displayed. Verify that your root certificate is among them.
Close the MMC window. You can safely select No when it asks you if you want to save.
We also need to add the root CA certificate to the domain's Enterprise NTAuth store, by following Method 2 listed here. Specifically, at a command prompt with administrative privileges, execute the following command:
If all goes well, you should see the following output:
Unfortunately, how one does this largely depends on the smart card hardware you're using and the infrastructure you're setting up. The myriad permutations and considerations go far beyond the scope of this document.
One way is to use Firefox's Certificates panel (located in the Options Window under Advanced-Encryption). Firefox can use a PKCS#11 library/driver for your particular smart card as a Security Device; when the module is loaded in the Security Device panel and you've logged into the smart card, you can use the Certificates panel to add or remove the certificates installed on the smart card. You'll need to have a PKCS#11 library/driver for your card, and you'll need to have your user certificates/private keys packaged into PKCS#12 files in order to have Firefox import them onto the smart card.
Whatever the method, you will likely need a PKCS#12 file containing both the user's certificate and private key in order to import them onto the smart card. You can create one with OpenSSL. The following command will create a PKCS#12 file for the Tina Admin user's certificate:
You will be prompted for a password three times. The first one decrypts the existing private key file. The second one is the password used to encrypt the private key when it is stored in the PKCS#12 file. The third one verifies that you typed the second one correctly.
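The PKCS#12 packaging step above, as an added example rather than the HOWTO's command: it supplies the three passwords the text describes non-interactively (-passin for the key's own passphrase, -passout for the bundle password, which covers the second and third prompts), then reads the bundle back to confirm it carries the expected certificate and that a wrong bundle password yields nothing. The user certificate is a constructed self-signed stand-in for the one issued by the CA, and both passwords are placeholders.

```shell
#!/bin/sh
# Added example, not from the HOWTO: bundle a user's certificate and private
# key into a PKCS#12 file for import onto a smart card, and verify the bundle.
# Assumed: a self-signed stand-in for Tina Admin's certificate and placeholder
# passwords; the real inputs are tina-cert.pem and tina-key.pem from the CA.
set -eu

# Minimal req config so this also runs where no system openssl.cnf exists.
write_req_cnf() { printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$1"; }

make_stand_in_user_cert() {   # $1 = dir, $2 = private key passphrase
  write_req_cnf "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 7 -subj '/CN=Tina Admin' -passout "pass:$2" \
    -keyout "$1/tina-key.pem" -out "$1/tina-cert.pem" -config "$1/req.cnf" 2>/dev/null
}

# Prompt 1 (decrypt the key) becomes -passin; prompts 2 and 3 (bundle
# password and its confirmation) become -passout.
export_p12() {   # $1 = dir, $2 = key passphrase, $3 = bundle password
  openssl pkcs12 -export -inkey "$1/tina-key.pem" -passin "pass:$2" -in "$1/tina-cert.pem" \
    -name 'Tina Admin smart card logon' -passout "pass:$3" -out "$1/tina.p12"
}

# Subject CN of the client certificate inside the bundle; empty if the bundle
# password is wrong, since nothing can be decrypted.
p12_subject_cn() {   # $1 = dir, $2 = bundle password
  openssl pkcs12 -in "$1/tina.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | sed -n 's/.*CN *= *//p'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_stand_in_user_cert "$WORK" 'constructed-key-passphrase'
export_p12 "$WORK" 'constructed-key-passphrase' 'constructed-bundle-password'
```

OpenSSL 3 encrypts PKCS#12 bundles with AES-256 and PBKDF2 by default; if the smart card middleware or the PKCS#11 import path refuses the file, OpenSSL 3's `-legacy` option to `openssl pkcs12 -export` produces the older RC2/3DES encoding that such tools expect.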
At this point, if you log out from the domain-joined Windows client, and then insert the smart card with the user logon certificate installed on it, you should see a smart card icon on the Windows welcome screen. (You may have to press Escape and/or CTRL+ALT+DELETE a few times.)
Click on it, then enter the smartcard's PIN in the provided box.
Provided you entered the correct PIN, you should be logged in to the Windows client.
After this procedure has been completed for the first time, other Windows clients in the same domain should work once they update group policy -- assuming they have the necessary smart card and smart card reader drivers installed. Clients joined to the domain at a later date will update group policy when they join the domain.
To give another user the ability to log in with a smart card, add the user to the directory, create a certificate for them (using their UPN), and put it on a smart card. The user will then be able to log in to the domain with that smart card at properly set up workstations.