Applying digital signatures (x.509 certificates) to attachments (PDF; DOCX)


applies to version: 8.2.x; author: Paweł Jawień

With the introduction of WEBCON BPS 8.2, it is possible for workflow users to apply x.509 digital signatures to common workflow attachments, like PDF and DOCX documents

Some reasons for applying qualified and non-qualified digital signatures to documents include:

  • Authentication – Digital signatures can be used to irrefutably authenticate the source of a message.
  • Integrity – There is no way for a 3rd party to modify the document. Any attempt to tamper with the file, even without decrypting it, will invalidate the signature
  • Non-repudiation – Once the author has signed the document, they cannot at a later time deny having signed it.

There Is also the option to add a Time Stamp, which provides information on the time and date of the document’s signing.

To enable applying digital signatures to attachments, version 8.2 of WEBCON BPS introduces a new Action kind: “Sign an attachment”, in the group “Digital signatures and certificates”.

WARNING! Sign an attachment Action is only possible for ‘Attachments menu’ type Actions. It is impossible to define this action for „On Exit” or „On Path” type Actions.

To supplement this Action, a way to verify (via BPS Action) digital signatures has also been implemented (described further down).

Configuring a “Sign an attachment” Action

As stated above, the Action “Sign an attachment” is only possible to configure for “Attachment menu” type actions.

Select the desired Step, go to the „Actions” tab, create a new action and set the following parameters:

  • Action name: The name that will be displayed in the attachments menu in SharePoint.
  • Action type: Attachments menu
  • Action kind: Sign an attachment


After filling in those fields, go to the configuration screen by clicking the “Configuration” button in the bottom right corner.


In the configuration options, select “Signature performed by user” (the other option, “Signature executed by server” will be described in a separate article).

In the section titled “Configuration of signed attachments”, the system allows you to define how the attachment titles will be handled once the digital signature is applied. In practice, when a digital signature is applied to a document, a new version of that document is created containing the digital signature. The newly created document may have an updated file name, changed description, or even may be assigned to a different category of attachments.


A simple workflow was created to register PDF and/or DOCX documents. To register a document the Workflow user must first apply a digital signature (an action which will verify the signature has been added to the “Register…” path).

The user adds the document to the Workflow in the form of an attachment (in this example: manual CI_WEBCON.pdf).

In the attachments menu (click the dropdown menu next to an attachment) the newly defined actions should appear, including the “Sign an attachment” Action mentioned above.


Activating this action should bring up a certificate selection screen.


After choosing the right certificate, the document will be signed digitally (as long as the certificate’s Issuer is compatible with the Certificate issuer filter).

If the digital signature is valid, a system message should inform you that the “Sign an attachment” Action has been completed successfully.


Additionally you can check the digital signature in the PDF file itself. For documents that have a digital signature applied, your chosen PDF reader should inform you of any signatures and a “Signature panel” tab will allow you to view and verify details about the document’s digital signatures.


„Verify attachment’s signature” BPS action

In order to supplement the “Sign an attachment” action, an additional “Verify attachment’s signature” action has also been created. Verification allows you to view not only the certificate’s source and issuer, but also all its parameters (expiration date, whether the issuer is trusted or not, references etc.)

In contrast to „Signing an attachment”, which can only be defined for an „Attachment menu” Action type, verification can be defined for other Action types, like “On exit” or “On path”.

In the above example, we used „On exit”. This makes it necessary for the user to apply a valid digital signature to the attachment before he is able to complete his current Workflow Step.


Select „Verify attachment’s signature” as the Action kind, then go to the configuration screen using the Configuration button in the bottom right.


The first section: „Attachments to be processed” we can specify how source files are selected for the validation process, either by defining a category, regular expression or an SQL query.

The “Verification parameters” section is used to define:

  1. Validation level
    1. Valid signature – the validity of the signature is verified, but not the validity of the issuer.
    2. Valid signature and trusted certificate – both the validity of the signature and the issuer are checked.
  2. Certificate issuer filter – Similarly to the “Sign an attachment” Action, you can filter by the “Issuer” field found in the certificate’s properties. The system will check this field against whatever it finds in “Issuer” certificate property.
  3. Behavior
    1. Information – Regardless of whether the verification is successful or not, the system will allow the Workflow to progress down the Path. The verification outcome is logged in the system.
    2. Block transition – If the verification fails, the system will block the Path and deny entry to the next Step. The outcome is logged in the system.

The final “Verification results” section is used for specifying Form fields, in which information about the outcome of the verification process is contained (the information logged in these Form fields can then be used further in the Workflow)

Examples of the verification process


In the event of a successful  verification, the system will allow the Workflow to proceed down the Path and enter the next Step. Simultaneously, it will fill out the “Details attribute” and “Log attribute” with information regarding the verification process.

Below is an example of validation details:

Validating file manual CI_WEBCON – signed.pdf (3108)
Signature name: Grzegorz Straś; signature validation result: Valid
Chain validation status: Valid
Filter verification of issuer passed
File validation result: Valid

If the signature validation fails, and the “Block transition” option was chosen, the system will display an error message and deny passage.



Actions involving digital signatures can only be performed in Internet Explorer 8.0 or higher (They require Active-X to be installed).

Leave a Reply

Your email address will not be published. Required fields are marked *