Version: 4.33

How to sign documents with the unattended agent using AutoFirma

Overview

This guide explains how to sign documents using the unattended agent and AutoFirma. It is useful to admins and developers looking for a way to enhance signature operations.

Background

Unattended or massive signing refers to automated signature operations performed without user interaction. In this mode, documents are signed by services that access the necessary signing keys securely and automatically. This approach is used to sign PDF documents, XML files (such as electronic invoices), or other binary files, when signatures must be applied on a server.

Unattended signing requires the Redtrust Linux agent to be installed.

note

Redtrust is only compatible with AutoFirma 1.8.4 or higher.

Before you start

Before proceeding with this guide, you must have:

info

When installing AutoFirma, you also need to install Java and the libnss3-tools package using these commands:

apt-cache search java | more
sudo apt install openjdk-11-jre
sudo apt install libnss3-tools

Be aware that the sudo apt --fix-broken install command documented in the AutoFirma link above may not work.

Steps

  1. Access your Linux machine where the unattended agent is installed.

  2. Check that the agent is running.

    systemctl status KeyfactorService.service

  3. Configure the agent with the credentials of the service user that will sign the documents.

    keyfactor-setup hostname=IP_OR_HOSTNAME clientid=CLIENT_ID username=USERNAME password=PASSWORD loglevel=LOGLEVEL

    For example, the command for a user cris@local.users in agent01.example.com is:

    keyfactor-setup hostname=agent01.example.com clientid=T4N3r2WBbvKfyYe8/z+SVW5N= username=cris@local.users password=ChangeMe123 loglevel=LOW

    note

    loglevel represents the amount of detail to include in logs. Valid values: NONE, LOW, HIGH.

  4. Sign the documents with the following command. This command calls AutoFirma and instructs it to use the Redtrust PKCS#11 module as the certificate store.

    autofirma sign -store pkcs11://usr/lib/libkeyfactorpkcs11.so -i ORIGINAL_FILE_NAME_WITH_EXTENSION -o NAME_OF_THE_SIGNED_FILE -filter subject.contains:USER_DNI

tip

If you don't know the DNI associated with the certificate, run the following command to see the subject of the certificate, then use any part of it that is unique to that certificate as the filter value.

pkcs11-tool --module /usr/lib/libkeyfactorpkcs11.so --list-objects --type cert

Alternatively, use the GUI to select the certificate you need.

autofirma sign -store pkcs11://usr/lib/libkeyfactorpkcs11.so -i ORIGINAL_FILE_NAME_WITH_EXTENSION -o NAME_OF_THE_SIGNED_FILE -certgui
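
For a batch run, the agent check from step 2, the certificate listing from the tip and the signing command from step 4 can be combined so that nothing is signed unless the filter selects exactly one certificate. This is an added example, not code from Redtrust or AutoFirma; the function names, the directory arguments and the sample DNI are hypothetical, and it assumes pkcs11-tool prints one "subject:" line per certificate.

```bash
#!/usr/bin/env bash
# Added example: batch signing around the commands from steps 2 and 4.
MODULE=/usr/lib/libkeyfactorpkcs11.so
STORE="pkcs11://usr/lib/libkeyfactorpkcs11.so"   # store string as written in step 4

# Count certificates whose subject contains $1. Reads the output of
# `pkcs11-tool --list-objects --type cert` on stdin; assumes each certificate
# is reported with one "subject:" line (assumption, see lead-in).
count_matching_certs() {
  grep -E '^[[:space:]]*subject:' | grep -cF -- "$1" || true
}

# Stop unless the agent is running and the filter selects exactly one certificate.
preflight() {
  local filter="$1" n
  systemctl is-active --quiet KeyfactorService.service ||
    { echo "agent service is not active" >&2; return 1; }
  n=$(pkcs11-tool --module "$MODULE" --list-objects --type cert |
      count_matching_certs "$filter")
  [ "$n" = 1 ] || { echo "filter matches $n certificates, expected 1" >&2; return 1; }
}

# Sign every regular file in IN_DIR into OUT_DIR under the same name.
# Returns non-zero if any file failed; outputs of failed runs are removed.
sign_batch() {
  local in_dir="$1" out_dir="$2" filter="$3" f out failed=0
  mkdir -p "$out_dir"
  for f in "$in_dir"/*; do
    [ -f "$f" ] || continue
    out="$out_dir/$(basename "$f")"
    if ! autofirma sign -store "$STORE" -i "$f" -o "$out" \
           -filter "subject.contains:$filter" || [ ! -s "$out" ]; then
      echo "FAILED: $f" >&2
      rm -f "$out"
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}

# Usage (hypothetical paths and DNI):
#   preflight 00000000T && sign_batch ./in ./signed 00000000T
```

The non-zero return from sign_batch lets a scheduler or CI job flag a partial batch instead of treating it as complete.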