Configuring digital signature keys and certificates

1. Introduction

A .dat digital signature key and a CA certificate are two different components of the data signing method.

A .dat digital signature key is a file that contains a private key used to sign files, drivers, and other software. A .dat system signature key is usually securely stored on the software developer’s computer and not shared with other users.

A CA (Certificate Authority) certificate is an electronic document containing information about the public key and the certificate owner, such as their company name, date of issue, and expiration date. CA certificates are used to verify the authenticity of software signers.

1.1. Signing data with a public key

Public key data signing is a cryptographic method used to ensure data integrity, authenticity, confidentiality, and veracity. This method uses a pair of keys: a private key and a public key. Keys are generated by certificate authorities licensed by the state (for example, Accredited Key Certification Centers in Ukraine). Keys may also be issued by banks, state registrars, and other authorized organizations that go through mandatory audits and certifications. This approach ensures a high level of trust in the keys and their use.

Here is how signing data with a public key works:
  • A message that needs to be signed is created.

  • The hash value of the data is calculated using a hash function.

  • The resulting hash value is encrypted using a private key.

  • A digital signature is added to the message.

The digitally signed message can then be verified using the public key.

Here is how the signature is verified:
  • The digital signature is decrypted using the public key to obtain the hash value.

  • The hash value of the original data is calculated.

  • The calculated hash values are compared. If they match, the signature is valid, and data has not been modified after signing.
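The signing and verification steps above, carried through in Go as an added example that is not part of the Platform's own code: the Platform uses the IIT library with its own key format, while this example uses RSA with SHA-256 from the Go standard library, and the key pair, the message and the SignedMessage type are constructed here for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage pairs the data with its signature (the "signature is added
// to the message" step). Constructed for this example.
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// Sign follows the signing steps: hash the data, sign the hash with the
// private key, and attach the signature to the message.
func Sign(priv *rsa.PrivateKey, data []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Data: data, Signature: sig}, nil
}

// Verify follows the verification steps: recompute the hash of the received
// data and compare it with the hash recovered from the signature using the
// public key. Any change to the data after signing makes this return false.
func Verify(pub *rsa.PublicKey, msg *SignedMessage) bool {
	digest := sha256.Sum256(msg.Data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], msg.Signature) == nil
}

func main() {
	// Constructed key pair: on the Platform the private key is the .dat key
	// and the public key is distributed in the CA-issued certificate.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg, err := Sign(priv, []byte("excerpt: registry record 42"))
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(&priv.PublicKey, msg))
	tampered := &SignedMessage{Data: []byte("excerpt: registry record 43"), Signature: msg.Signature}
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered))
}
```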

1.2. How the Platform works with digital signatures

All operations with keys on the Platform are handled by the digital signature subsystem, namely the digital signature service (digital-signature-ops). This service performs a set of operations for applying and verifying digital seals, as well as verifying digital signatures to ensure data immutability during cross-service interactions using specialized crypto modules. In Ukraine, the service is based on the IIT Java digital signature cryptographic library provided by the Institute of Information Technologies (IIT).

The digital signature service enables the following:
  • Receive information about the owner of a digital signature.

  • Check the Qualified Electronic Signature (QES) used to sign the document by an officer and service recipient.

  • Check whether the applied digital signature belongs to the user.

  • Apply a system digital signature, or registry digital seal, to data or an electronic document.

  • Check whether the applied digital seal belongs to the registry.

2. Digital key types used on the Platform

There are three types of digital keys used on the Platform. Depending on the level at which they are used, digital signature keys are divided into these groups:

  • Platform digital signature keys (Platform keys)

  • registry digital signature keys (registry keys)

  • user data signature keys (QES)

2.1. Platform digital signature keys

Platform digital signature keys are used in these operations:
  • Starting the digital-signature-ops cryptoservice pod for the Keycloak user identification and authentication service.

  • Authenticating through external providers — for example, to encrypt data when signing in via id.gov.ua.

You can configure the keys in the Control Plane admin console.

To learn more about configuring Platform keys, see Updating the Platform digital signature keys and certificates.

2.2. Registry digital signature keys

Registry digital signature keys are used in these operations:
  • Starting the digital-signature-ops cryptoservice pod for the registry.

  • (Digital seal) Signing the data that needs to be saved from the business process management system (BPMS) to the registry’s data factory.

  • (Digital seal) Signing the documents that the system generated for registry users, such as excerpts.

You can configure the keys in the Control Plane admin console when deploying or editing a registry.

To learn more about configuring registry keys, see Updating registry digital signature keys and certificates.

2.3. User data signature keys (QES)

User data signature keys (QES) are used in these operations:
  • Signing data with QES to sign in to the user portal through the IIT digital signature widget.

  • Signing UI form data in business processes using the IIT digital signature widget.