When using a previously successfuly working P12 certificate with the latest versions of the Kofax SignDoc product family an error appears when signing a signature field:
- SignDoc SDK: SIGNDOC_DOCUMENT_RETURNCODE_INVALID_ARGUMENT Couldn't add the signature! cannot use certificate: certificate does not have required key usage
- SignDoc Standard: GUI Error - The current signing session was modified concurrently in another browser or tab. / SignDoc Web log file error as below
- SignDoc Web: java.lang.IllegalStateException: cannot use certificate: certificate does not have required key usage
- SignDoc Desktop: SDVSignDocPlugin::addSignature signdoc error_code(16) addSignature(Cannot use PKCS#12 certificate (No usable certificate found))
The issues is related to the usage of a certificate that includes the key usage extension but does not carry the KeyUsage extension Bit (https://tools.ietf.org/html/rfc5280#section-22.214.171.124) digitalSignature OR nonRepudiation OR both.
To check whether your certificate carries one or the other KeyUsage you can use the Java based certificate tool Portecle (http://portecle.sourceforge.net/) (here an example with the SignDoc Web cert_store.p12 Demo Certificate carrying the "Digital signature" Extension Value):
For a Certificate to be valid for Kofax SignDoc in general it has to either
omit the KeyUsage extension completely OR needs to carry the KeyUsage extension Bit (https://tools.ietf.org/html/rfc5280#section-126.96.36.199) digitalSignature OR nonRepudiation OR both.
Known issue in relation to the KeyUsage extension Bit:
The error text "cannot build certificate chain: invalid purpose" is caused by another issue related to the dissimilar usage of the ExtendedKeyUsage extension in addition to the KeyUsage extension.
According to RFC 3280 (X.509) (https://www.ietf.org/rfc/rfc3280.txt) both extensions (KeyUsage and ExtendedKeyUsage) must have the same usage.
This issue can be resolved by one of the below two options:
- Have the correct coresponding usage, i.e. "digitalSignature" or "nonRepudation" or both in the ExtendedKeyUsage extension
- Remove the ExtendedKeyUsage extension completely if it is not required
In addition to the above the key length of the RSA keys must be a multiple of 8 bits and between 1024 bits and 4096 bits (inclusive).
Keys for ECDSA (https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) must use one of these curves: prime192v1, prime256v1, secp224r1, secp384r1, secp521r1.
Create valid certificate without KeyUsage Extension
To produce a self-signed certificate without the KeyUsage extension the Java based certificate tool Portecle (http://portecle.sourceforge.net/) can be used (not to be used for production):
File -> New Keystore (Ctrl + N) / Type of new Keystore: PKCS #12 Tools -> Generate Key Pair... (Ctrl + G) / Key Algorithm: RSA, Key Size: 2048 / CN: Demo User, OU: ESign, O: Kofax, L:Irvine, ST: California, Eemail@example.com (rest as per default) / Alias: Demo File -> Save Keystore (Ctrl + S) -> Enter preferred password -> Choose location and enter name: cert_store.p12
Create valid certificate with digitalSignature KeyUsage Extension
To produce a valid self-signed certificate with the digitalSignature KeyUsage Extension the Java Key Tool can be leveraged (not to be used for production):
From the Java bin folder (e.g. C:\Program Files\Java\jre1.8.0_131\bin) execute the below command (adapt file path, password and other parameters accordingly):
keytool -genkey -alias DEMO -keyalg RSA -ext KU=digitalSignature -storetype pkcs12 -keystore c:\users\Administrator\Desktop\cert_store.p12 -dname "CN=Demo User, OU=ESign, O=Kofax, L=Irvine, S=California, C=US" -storepass password -keypass password
Level of Complexity
Kofax Signdoc SDK
Kofax Signdoc Web
Kofax Signdoc Desktop