- GMO Sign Digital Signatures are powered by GlobalSign’s Digital Signing Service (DSS).
- You will request API credentials to access your Digital Signing Service (DSS) Account and then link them to your GMO Sign Account.
- Follow this guide to request DSS API Credentials manually:
Part 1 - Generate a Key Pair
You will need to generate an RSA key pair (a public and a private key) and share the public key with GlobalSign. GlobalSign uses the public key to encrypt your Digital Signing Service API credentials before sending them to you. You will then use your private key to decrypt your API Credentials.
There are various methods for generating public/private keys. For the purposes of this example, we used OpenSSL.
Note: You are required to use OpenSSL version 1.1.1.
- To generate the private key, run the following command:
openssl genrsa -des3 -out /PATH/TO/privatekey.pem 2048
- To generate the public key from the private key, run the following command:
openssl rsa -in /PATH/TO/privatekey.pem -outform PEM -pubout -out /PATH/TO/publickey.pem
This method will generate the private key in an encrypted file using a user-supplied passcode, which is recommended for most purposes.
You will need to supply the contents of the publickey.pem file to GlobalSign during the onboarding process. It has the format of:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Part 2 - Decrypt the API Credentials
GlobalSign will provide you with your DSS API Credentials in an encrypted file, which you must decrypt to obtain the API Key and Secret. If using OpenSSL, you are required to use OpenSSL version 1.1.1 and follow these steps:
- GlobalSign will email a file named something like:
- Save the file on your computer.
- Run the following command. Note that privatekey.pem is the private key generated in Part 1. If you protected your private key with a passcode, you will be prompted for it during this step.
openssl pkeyutl -inkey </PATH/TO/PRIVATE_KEY.PEM> -in </PATH/TO/ENCRYPTEDFILE.ENC> -out </PATH/TO/FILETOCREATE.txt> -decrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
- The FILETOCREATE.txt file will contain your Key and Secret; the API key also forms part of the encrypted file name after the word ‘cred-’.
For example: account-09A9A9A9A9A954FT1T1T1T10-cred-000b1c3e71ad7z5-globalsign.enc
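Added example, not GlobalSign or GMO Sign code: a pre-flight check that encrypts a constructed sample to your public key and decrypts it with the Part 2 command, so a mismatched key pair or an OpenSSL build without OAEP/SHA-256 support shows up before onboarding. The function names, the script name and the sample content are assumptions, as is the API key containing no hyphen.

```shell
#!/bin/sh
# Added example (not GlobalSign or GMO Sign code). Pre-flight check for Part 1 and Part 2.

# dss_roundtrip_check PRIVATE_KEY PUBLIC_KEY
# Encrypts a constructed sample to the public key, decrypts it with the Part 2
# command, and returns 0 only if the plaintext survives the round trip.
# If the private key is passcode-protected, openssl prompts for the passcode.
dss_roundtrip_check() {
    _dss_rc=1
    _dss_tmp=$(mktemp -d) || return 1
    # Constructed sample; the layout of the real credentials file is not documented here.
    printf 'sample-key\nsample-secret\n' > "$_dss_tmp/plain.txt"
    if openssl pkeyutl -encrypt -pubin -inkey "$2" \
            -in "$_dss_tmp/plain.txt" -out "$_dss_tmp/sample.enc" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 &&
       openssl pkeyutl -inkey "$1" -in "$_dss_tmp/sample.enc" \
            -out "$_dss_tmp/decrypted.txt" -decrypt \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 &&
       cmp -s "$_dss_tmp/plain.txt" "$_dss_tmp/decrypted.txt"; then
        _dss_rc=0
    fi
    rm -rf "$_dss_tmp"
    return "$_dss_rc"
}

# dss_api_key_from_filename FILE
# Prints the token that follows 'cred-' in the delivered file name.
# Assumption: the API key itself contains no hyphen.
dss_api_key_from_filename() {
    _dss_name=${1##*/}                  # strip any directory part
    _dss_rest=${_dss_name#*-cred-}      # drop everything up to and including '-cred-'
    [ "$_dss_rest" != "$_dss_name" ] || return 1   # no 'cred-' marker in the name
    printf '%s\n' "${_dss_rest%%-*}"
}

# Stand-alone use (hypothetical script name): ./dss_preflight.sh privatekey.pem publickey.pem
if [ "$#" -eq 2 ]; then
    if dss_roundtrip_check "$1" "$2"; then
        echo "OK: key pair decrypts OAEP/SHA-256 data"
    else
        echo "FAIL: key pair or OpenSSL build cannot complete the round trip" >&2
        exit 1
    fi
fi
```

Comparing the output of dss_api_key_from_filename with the Key in the decrypted file is a quick way to confirm you decrypted the file that belongs to the account you expect.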
Follow this guide to link your DSS API credentials in GMO Sign: https://gmo-agree.zendesk.com/hc/en-us/articles/900004853686