Onboard Users
This guide explains how to onboard users to become signers. This requires onboarding them as approvers and creating an SKA-protected signing key.
Create an Approver
Every user who wants to create Qualified Electronic Signatures or Seals must onboard as an approver. This involves creating an approver key pair. The corresponding approver certificate can then be attached to the SKA policy of the signing key, where it is used to authorize use of the signing key.
- Create an approver with an approver key pair.
  - When using the TSB, you can use the TSB's approver management. This will onboard the approver to the Securosys Authorization App.
  - When using JCE or PKCS#11, you need to manually create the approver key pair in an application that the user controls. Here, we call this the "Authorization App". How these key pairs are created is up to you.
- Create a Certificate Signing Request (CSR) for the approver public key.
- Send the CSR to the Certificate Authority (CA) and have it issue an approver certificate.
Instead of the Securosys Authorization App, you can develop a custom app for your users. The user flows are the same. The user simply needs a secure application to hold their approver key pair.
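The following is an added example, not Securosys code, of the manual path above: it creates an approver key pair and CSR, then runs the proof-of-possession check worth doing before the CSR is sent to the CA. Assumptions: the OpenSSL CLI, a P-256 key, a key file on disk standing in for the Authorization App's keystore, and the hypothetical function names `make_approver_csr` and `csr_matches_key`.

```shell
#!/bin/sh
# Added example: approver key pair + CSR for the manual (JCE / PKCS#11) path.
# Assumptions: OpenSSL CLI, P-256 key, caller-supplied subject name.
# In production the private key is generated and kept inside the user's
# Authorization App keystore, not in a plain file.

# make_approver_csr DIR SUBJECT
# Writes DIR/approver.key (private, owner-only) and DIR/approver.csr.
make_approver_csr() {
    dir=$1; subject=$2
    # umask in a subshell so the private key is never group/world readable.
    ( umask 077
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
          -out "$dir/approver.key" 2>/dev/null ) || return 1
    # The CSR carries the public key and is self-signed with the private key.
    openssl req -new -key "$dir/approver.key" -subj "$subject" \
        -out "$dir/approver.csr" || return 1
}

# csr_matches_key CSR KEY
# Succeeds only if the CSR's self-signature verifies (proof of possession)
# and the public key inside the CSR is the one derived from KEY.
csr_matches_key() {
    csr=$1; key=$2
    # Match on the message, since older OpenSSL exits 0 on a failed verify.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Stand-alone use: sh approver_csr.sh <existing-dir> "/CN=<approver name>"
if [ "$#" -eq 2 ]; then
    make_approver_csr "$1" "$2" &&
    csr_matches_key "$1/approver.csr" "$1/approver.key" &&
    echo "CSR ready for the CA: $1/approver.csr"
fi
```

Only the CSR leaves the user's device; the private key stays with the approver.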
Create an SKA key
Create an SKA key via the REST API, the JCE API, or the PKCS#11 API. Attach the previously issued approver certificate to the SKA policy. For organization seals, attach multiple approver certificates and define an m-of-n SKA policy.
This SKA key is the key that users will use to create Qualified Electronic Signatures and Seals. The SKA policy enforces that users have sole control over their signing key. This enforcement happens in the SAM module inside the tamper-protected Primus HSM.
Next Steps
Use the created SKA key to create a Qualified Electronic Signature.