Article : Digitally signing PDF files from the Linux command line

Digitally signing PDF files from the Linux command line

PDF documents that have been digitally signed are legally enforceable in many countries, and in the medical legal field it’s very important to ensure that a patients medical documentation has not been altered since the doctor or consultant signed them.

In ALMA version 2, I am introducing a new work flow allowing consultants to digitally sign clinic letters being sent back to the GP. As the final letter is rendered as a PDF using LaTeX, I needed to find a Linux command line utility which could sign each PDF with a unique certificate identifying the person who checked and signed the content.

I settled on using PortableSigner which is a Java application distributed under a free European Union Public Licence (EUPL). What I like about PortableSigner, is that you can embed a comment (-c), reason (-r) and location (-l) during the PDF signing process. The location field could store the computers host name or IP address, confirming which terminal the signer was sat at while signing the letter.

Below is a sample command line showing how to sign a PDF called input.pdf


java -jar PortableSigner.jar -n -t input.pdf -o output.pdf -s certificate.pfx -p secret -b en -c "Signed after 4 alterations" -r "Approved for publication" -l "Department of Dermatology"
Now when the PDF is opened in Adobe Reader, the signing toolbar appears and the PDF is protected for edits, allowing us to prove to clinical audit that the PDF has not been altered since it was signed.
Automating the self signed certificate creation

With several hundred doctors and health professionals who could potentially sign documents, I needed to find a way automate the creation of unique certificates for each member of staff storing each certificate under the users unique employee number.

In the example code below I am creating a certificate which is valid for one year for a Dr Khan, employee number 357. You can see that I am embedding the consultants name, job title and hospital name in the organisation field of the certificate.


openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout 357.key -out 357.pem
-subj "/C=GB/ST=Cumbria/O=Dr Z Khan Consultant Dermatologist (Holby City Hospital)/CN=pdf.alma.io"
From the first example above, you can see that PortableSigner expects a pfx (Personal Information Exchange) file as the certificate input. We can generate one of those from the pem file just created, using the following openssl command.


openssl pkcs12 -export -out 357.pfx -in 357.pem
However, when you run this command you are prompted to enter an export password, and then verify it. This password is required when signing the PDF with your pfx file. I wanted the ALMA application to automatically create these files when a new employee is added to the system. I also wanted the system to issue and maintain a unique certificate password for each employee.

My solution to this problem, was to have ALMA write an expect script. Expect is a tool for automating interactive applications such as telnet and ftp - and worked well for automating the insertion of the export password. Below is an example of the expect script that ALMA writes, calls from the command line and then deletes the script to remove traces of the password.


#!/usr/bin/expect -f
spawn openssl pkcs12 -export -out 357.pfx -in 357.pem
expect "Enter Export Password:"
send "$secret_strong_password\r"
expect "Verifying - Enter Export Password:"
send "$secret_strong_password\r"
interact
It’s worth pointing out that the password is not stored in the ALMA database. It's generated from a number of elements within the database, including the unique employee ID number, to ensure each staff member has a unique strong password, which can be re-generated when required to sign a new PDF.

Need help signing PDF files for your business?

If you need help with signing your PDF documents digitally, then please get in touch as I will be able to help you on a consultancy basis. I will advise on which certificate authorities are explicitly trusted by the Adobe Reader software so that you get the pale blue notification bar verifying your signature when opening a signed document. I can install the necessary software and certificates on your company website, or if needed provide you with a server dedicated for signing documents. Staff can then upload PDF versions of invoices and letters which need signing with your company signature. I can also help build a work flow system if you need to capture multiple signatories on a document such as a contract. Once all signatories have approved the document, a locked down digitally signed copy would be emailed to all signatories.

About the author

Paul BradleyPaul Bradley is an experienced software developer who has deployed many large IT projects in his career – if you would like to contact him, then please use one of the methods highlighted on the home page.

This article was first published on September 20, 2013.
See the archives for more Linux articles.