Certificate requirements - Signature sessions

In order to restrict the certificates that the user will be able to choose during a signature session, specify a list of certificate requirements when creating the session. The user will only be able to select certificates that meet all of the specified requirements.

Each requirement is composed of a type and, depending on the type, an argument. For instance, let's say you need to restrict users to only sign documents using certificates whose private key is protected by a cryptographic device, which is what the CryptoDevice requirement does. This specific requirement does not take an argument, so we only have to specify its type.

On .NET:

var response = await restPkiService.CreateSignatureSessionAsync(new CreateSignatureSessionRequest() {
    ...,
    CertificateRequirements = new List<CertificateRequirement> {
        new CertificateRequirement { Type = CertificateRequirementTypes.CryptoDevice }
    }
});
return Redirect(response.RedirectUrl);

Direct API integration:

POST {endpoint}/api/signature-sessions
{
    ...,
    "certificateRequirements": [
        {
            "type": "CryptoDevice"
        }
    ]
}

See the requirement types available in the next section.

Supported requirements

The following requirement types are currently available:

  • CryptoDevice: requires certificates to have a private key protected by a cryptographic device
  • Cpf: requires certificates to have a certain Brazilian CPF number

Note

If you need a different requirement, contact us.

CryptoDevice

Use the CryptoDevice requirement to restrict users to certificates whose private key is protected by a cryptographic device (typically a cryptographic token). This requirement does not take an argument.

Note

For ICP-Brasil certificates, this means A3 or A4 certificates only.

Cpf

Use the Cpf requirement to restrict users to certificates having a certain Brazilian CPF number. Pass the CPF in the argument, with or without punctuation (but with leading zeroes).

Note

This requirement has the side effect of improving user experience when using cloud certificates, since the user is not required to type in their CPF to check the available cloud certificates (the CPF is inferred from the requirement).
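
An added example, not part of the Rest PKI documentation: a Python helper that builds the certificateRequirements array for the direct API call, combining CryptoDevice with Cpf and restoring leading zeroes that are lost when a CPF is stored as a number. The "argument" property name and the function names are assumptions, since the page does not show how the argument is passed; the CPF values are constructed test data.

```python
import json
import re


def normalize_cpf(cpf):
    """Return the CPF as 11 digits with leading zeroes; raise ValueError if invalid."""
    if isinstance(cpf, int):
        # A CPF kept in a numeric column has lost its leading zeroes; restore them.
        cpf = f"{cpf:011d}"
    digits = re.sub(r"[.\-\s]", "", cpf)
    if not re.fullmatch(r"\d{11}", digits):
        raise ValueError("CPF must have exactly 11 digits")
    if digits == digits[0] * 11:
        raise ValueError("CPF with all digits equal is not valid")
    # Two mod-11 check digits: weights 10..2 over 9 digits, then 11..2 over 10 digits.
    for n in (9, 10):
        total = sum(int(d) * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        if (total * 10) % 11 % 10 != int(digits[n]):
            raise ValueError("CPF check digit mismatch")
    return digits


def build_certificate_requirements(cpf=None, require_crypto_device=False):
    """Build the requirement list; the user must satisfy every entry."""
    requirements = []
    if require_crypto_device:
        requirements.append({"type": "CryptoDevice"})
    if cpf is not None:
        # ASSUMPTION: the argument is sent in a property named "argument".
        requirements.append({"type": "Cpf", "argument": normalize_cpf(cpf)})
    return requirements


if __name__ == "__main__":
    # Constructed sample: CPF read from a numeric field, leading zero missing.
    body = {
        "certificateRequirements": build_certificate_requirements(
            cpf=1234567890, require_crypto_device=True
        )
    }
    print(json.dumps(body, indent=4))
```

Rejecting a malformed CPF before the session is created avoids sending the user into a session whose Cpf requirement none of their certificates can meet.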

Copyright © 2015-2020 Lacuna Software