eZīmogs+ mākonī (qualified electronic seal in cloud) integration guidelines

The organization's electronic seal attached to a document confirms that the document's content has not been altered and that the document originates from the organization (origin), and it also shows the exact time at which the eZīmogs (electronic seal) was created.

📗

eZīmogs+ mākonī (eZīmogs+ cloud) - provides a qualified electronic seal level for the document created with it.

eZīmogs+ cloud certificates are stored in the LVRTC infrastructure, and access to them is granted through the identity verification tools (eParaksts mobile or eID card) of a natural person to whom the company has granted the right to use the electronic seal on its behalf. Read more about obtaining and managing eZīmogs+ cloud here (link will be provided along with production availability).

📗

To seal documents with eZīmogs+ cloud, you need to integrate this solution into your information system. For this purpose, use the e-Identity and Signing platform.

Test environment credentials

To try eZīmogs+ cloud in the test environment, you need access to the eParaksts test environment and a test version of eParaksts mobile or an eID card.
To create an eZīmogs+ cloud test user, you will need to provide us with the following data: the identity information of your test user (name, surname, personal code) and the phone number of the developer who will use that specific user.
For detailed information on obtaining test environment credentials, please contact the eParaksts customer support service at [email protected].


What is necessary to integrate eZīmogs+ cloud into your system?

  1. For integration of eZīmogs+ cloud functionality, please use the e-Identity and Signing Platform (Sign API).
    💡 Important – please keep in mind that the SignAPI eSealCreate method is not applicable to eZīmogs+ cloud.
  2. To seal with eZīmogs+ cloud you need access to the end user's (the natural person authorized to seal documents on behalf of the company) authentication certificate and signing certificate (in this case the qualified electronic seal (qseal) certificate). To get the end user's eParaksts mobile authentication certificate, use the integration platform (eidas.eparaksts.lv); for the eID authentication certificate, use the browser plugin (used to read certificates from the smart card reader).
  3. After obtaining the end user certificates, use the integration platform with your own credentials to make a backend request for a server-to-server access (introspect) token, which is used to authenticate against the SignAPI service.
  4. Authenticate to the SignAPI service with the introspect token, start a SignAPI session, upload the file and calculate the signable data with the qseal certificate retrieved in step 2.
  5. Create the digital seal using the integration platform (eidas.eparaksts.lv) method /trustedx-resources/esigp/v1/signatures/server/raw (or .../batch).
  6. Finalize document signing using the end user's authentication certificate (eID or eParaksts mobile) and the signature value from the previous step.
  7. Download and validate the sealed document.
  8. Full documentation of the SignAPI service is available here.

Useful hints

Obtain Signing Identity Information

There are four types of signing identity: mobile identities for advanced electronic signing and for authentication, and server identities for qualified electronic signing (serverid) and for the qualified electronic seal (qseal). One user may also hold multiple qseal identities.

Server based legal person sign identities

Identities with a legal person's qualified e-seal certificate. There are zero to N of them per user token, and all CN labels are unique. Each such identity must contain all of the following mandatory labels:
a. eparaksts
b. esealc
c. CN:
d. x509:keyUsage:contentCommitment

To let the user select the required sign identity, integrators can enumerate the values of the mandatory CN: label and present them as a list of available sign identities.


User password input dialog

In the password input window, the Common Name (CN) value of the certificate is additionally shown, so that the user can tell which password request is being made. For example, for a password request for an individual's signature certificate the indication will be “MĀRA PARAUDZIŅA”, while for the eZīmogs+ cloud case it will be “SIA PARAUDZIŅŠ (ACCOUNTING): eZīmogs”.


Signing identity labels

The available signing identities for the user are currently labeled with the tags "eparaksts", "serverid", "serveridVersion1" and "x509:keyUsage:contentCommitment". For eSeal+ purposes the tag "qsealc" (eIDAS Qualified Certificate for Electronic Seals, QSealC) is used, together with an additional dynamic tag made up of the corresponding certificate's Common Name (CN) value and the static suffix “: eZīmogs". For example: "eparaksts", "qsealc", "qsealcVersion1", "x509:keyUsage:contentCommitment", "SIA PARAUDZIŅŠ (RAŽOŠANA) : eZīmogs". The value of the dynamic tag is what lets the signing process distinguish legal-person identities from natural-person certificates and from the other eZīmogs+ cloud certificates available to the same person (one person can have several eZīmogs+ cloud certificates).


User token sample

{ 
  …, 
  "sign_identities": [ 
    { 
      "access": [ 
        { 
          "user_id": "efc651efcdec32f1e6cab9dc0f0cdf60" 
        } 
      ], 
      "domain": "citizen", 
      "self": "https://eparaksts/trustedx-resources/esigp/v1/sign_identities/sqnd2nvpkr0siar572hi8a9t1h", 
      "description": "eparaksts:qsealc:sign", 
      "links": { 
        "Signatures.create.server.raw": { 
          "auth": { 
            "oauth2": { 
              "scopes": [ 
                "urn:safelayer:eidas:sign:identity:use:server" 
              ] 
            } 
          } 
        } 
      }, 
      "id": "sqnd2nvpkr0siar572hi8a9t1h", 
      "type": "pki:x509", 
      "labels": [ 
        "qsealc", 
        "qsealcVersion1", 
        "CN:SIA DEMO QSEALC (Testēšana) : eZīmogs", 
        "x509:keyUsage:contentCommitment", 
        "eparaksts", 
        "tknid:nRI7j+e/FlfLFmFB/3L15cmhdmA\u003d" 
      ], 
      "status": { 
        "value": "enabled" 
      } 
    }, 
    { 
      "access": [ 
        { 
          "user_id": "efc651efcdec32f1e6cab9dc0f0cdf60" 
        } 
      ], 
      "domain": "citizen", 
      "self": "https://eparaksts/trustedx-resources/esigp/v1/sign_identities/fmc8755q6fgqg341jlo7pkucm5", 
      "description": "eparaksts:qsealc:sign", 
      "links": { 
        "Signatures.create.server.raw": { 
          "auth": { 
            "oauth2": { 
              "scopes": [ 
                "urn:safelayer:eidas:sign:identity:use:server" 
              ] 
            } 
          } 
        } 
      }, 
      "id": "fmc8755q6fgqg341jlo7pkucm5", 
      "type": "pki:x509", 
      "labels": [ 
        "qsealc", 
        "qsealcVersion1", 
        "CN:SIA DEMO QSEALC : eZīmogs", 
        "x509:keyUsage:contentCommitment", 
        "tknid:nwUFDyZk5kTrLa9gJijd5bS+PPM\u003d", 
        "eparaksts" 
      ], 
      "status": { 
        "value": "enabled" 
      } 
    }, 
    { 
      "access": [ 
        { 
          "user_id": "efc651efcdec32f1e6cab9dc0f0cdf60" 
        } 
      ], 
      "device_id": "3ae81f567fbe23cbb672a7b1e9b30d5db2793b4d", 
      "domain": "citizen", 
      "self": "https://eparaksts/trustedx-resources/esigp/v1/sign_identities/v05nvkmq3lgjh4f6n2naoe7aee", 
      "description": "eparaksts:mobileid:auth", 
      "id": "v05nvkmq3lgjh4f6n2naoe7aee", 
      "type": "pki:x509", 
      "labels": [ 
        "mobileidVersion2", 
        "mobileid", 
        "x509:keyUsage:digitalSignature", 
        "eparaksts" 
      ], 
      "status": { 
        "value": "enabled" 
      } 
    }, 
    { 
      "access": [ 
        { 
          "user_id": "efc651efcdec32f1e6cab9dc0f0cdf60" 
        } 
      ], 
      "device_id": "3ae81f567fbe23cbb672a7b1e9b30d5db2793b4d", 
      "domain": "citizen", 
      "self": "https://eparaksts/trustedx-resources/esigp/v1/sign_identities/7rifb8vo8msc54f3nbfu9hv96h", 
      "description": "eparaksts:mobileid:sign", 
      "id": "7rifb8vo8msc54f3nbfu9hv96h", 
      "type": "pki:x509", 
      "labels": [ 
        "mobileidVersion2", 
        "mobileid", 
        "x509:keyUsage:contentCommitment", 
        "eparaksts" 
      ], 
      "status": { 
        "value": "enabled" 
      } 
    }, 
    { 
      "access": [ 
        { 
          "user_id": "efc651efcdec32f1e6cab9dc0f0cdf60" 
        } 
      ], 
      "domain": "citizen", 
      "self": "https://eparaksts/trustedx-resources/esigp/v1/sign_identities/7mmprhva8url12kk1vauj2ikuj", 
      "description": "eparaksts:serverid:sign", 
      "links": { 
        "Signatures.create.server.raw": { 
          "auth": { 
            "oauth2": { 
              "scopes": [ 
                "urn:safelayer:eidas:sign:identity:use:server" 
              ] 
            } 
          } 
        } 
      }, 
      "id": "7mmprhva8url12kk1vauj2ikuj", 
      "type": "pki:x509", 
      "labels": [ 
        "tknid:GqiMOC71ahoIeMNJUsDWicFANAw\u003d", 
        "serveridVersion1", 
        "x509:keyUsage:contentCommitment", 
        "CN:ANDRIS PARAUDZIŅŠ", 
        "eparaksts", 
        "serverid" 
      ], 
      "status": { 
        "value": "enabled" 
      } 
    } 
  ], 
  … 
}
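An added example (not code from the guidelines or from LVRTC) showing how an integrator can filter a user token like the one above to the eZīmogs+ identities that carry all the mandatory labels (eparaksts, qsealc, CN:, x509:keyUsage:contentCommitment) and the Signatures.create.server.raw link, and build the CN-based selection list described under "Server based legal person sign identities" and "Signing identity labels". The sample token is constructed by reducing the page's example; the function and variable names are my own.

```python
# Mandatory labels of a server-based legal-person (qseal) sign identity, as listed in
# the guidelines; "CN:" is a prefix whose value is the seal's dynamic display name.
QSEAL_REQUIRED = {"eparaksts", "qsealc", "x509:keyUsage:contentCommitment"}
CN_PREFIX = "CN:"
SERVER_RAW = "Signatures.create.server.raw"

def is_qseal_identity(identity: dict) -> bool:
    """True if the identity carries every mandatory eZīmogs+ label and is enabled."""
    labels = set(identity.get("labels", []))
    has_cn = any(label.startswith(CN_PREFIX) for label in labels)
    enabled = identity.get("status", {}).get("value") == "enabled"
    return QSEAL_REQUIRED <= labels and has_cn and enabled

def server_raw_scopes(identity: dict) -> list:
    """OAuth2 scopes the access token needs to seal with this identity via /signatures/server/raw."""
    link = identity.get("links", {}).get(SERVER_RAW, {})
    return link.get("auth", {}).get("oauth2", {}).get("scopes", [])

def qseal_choices(user_token: dict) -> list:
    """(identity id, CN value) pairs to offer the user as selectable eZīmogs+ seals.
    serverid and mobileid identities share the "eparaksts" and contentCommitment labels
    but lack "qsealc", so they are excluded; so are identities without the server-raw link."""
    choices = []
    for ident in user_token.get("sign_identities", []):
        if not is_qseal_identity(ident) or not server_raw_scopes(ident):
            continue
        cn = next(l[len(CN_PREFIX):] for l in ident["labels"] if l.startswith(CN_PREFIX))
        choices.append((ident["id"], cn))
    return choices

# Constructed token, reduced from the page's sample (ids and labels copied from it).
_LINK = {SERVER_RAW: {"auth": {"oauth2": {"scopes": ["urn:safelayer:eidas:sign:identity:use:server"]}}}}

def _ident(id_, desc, labels, links=None):
    return {"id": id_, "description": desc, "type": "pki:x509", "labels": labels,
            "links": links or {}, "status": {"value": "enabled"}}

SAMPLE_TOKEN = {"sign_identities": [
    _ident("sqnd2nvpkr0siar572hi8a9t1h", "eparaksts:qsealc:sign", ["qsealc", "qsealcVersion1",
           "CN:SIA DEMO QSEALC (Testēšana) : eZīmogs", "x509:keyUsage:contentCommitment", "eparaksts"], _LINK),
    _ident("fmc8755q6fgqg341jlo7pkucm5", "eparaksts:qsealc:sign", ["qsealc", "qsealcVersion1",
           "CN:SIA DEMO QSEALC : eZīmogs", "x509:keyUsage:contentCommitment", "eparaksts"], _LINK),
    _ident("7rifb8vo8msc54f3nbfu9hv96h", "eparaksts:mobileid:sign",
           ["mobileidVersion2", "mobileid", "x509:keyUsage:contentCommitment", "eparaksts"]),
    _ident("7mmprhva8url12kk1vauj2ikuj", "eparaksts:serverid:sign", ["serveridVersion1",
           "x509:keyUsage:contentCommitment", "CN:ANDRIS PARAUDZIŅŠ", "eparaksts", "serverid"], _LINK),
]}
```

Running `qseal_choices(SAMPLE_TOKEN)` yields only the two qseal identities with their CN values; the natural person's serverid identity is dropped despite having a CN: label, and the scopes returned by `server_raw_scopes` are the ones the introspect token must carry for step 5.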