OpenOTP Electronic Signatures and Secure Transactions Approval

1. Overview and Requirements

RCDevs now offers an easy way to submit any document for signature, at any time, to any third-party signatory. OpenOTP Signature is a solution that can be deployed on premise or in the cloud. Integrating OpenOTP Signature into your infrastructure enables electronic signatures for your company users (LDAP users). If you want to extend your signature processes to external users (users who are not part of the LDAP directory or directories configured with your WebADM), you have to integrate OpenOTP with the YumiSign platform, which requires a YumiSign API key configured in the OpenOTP settings. This YumiSign API key is covered by YumiSign licensing and must be requested from the RCDevs sales team. On-premise signature with OpenOTP is covered by OpenOTP licensing. For more information regarding OpenOTP Signature and YumiSign licensing, contact the RCDevs sales team.

The requirements to implement on premise electronic signature with RCDevs solutions are the following:

  • Have WebADM and OpenOTP v2 installed and configured in your infrastructure,
  • Communications allowed between your WebADM/OpenOTP infrastructure and https://cloud.rcdevs.com,
  • Push mechanisms configured with your WebADM/OpenOTP infrastructure,
  • OpenOTP Token mobile application. This application is used to authenticate the user and to present him with the documents/transactions that need to be signed.
  • OpenOTP license supporting signature features (CONFIRM for PSD2 and SIGN for Advanced/Qualified signature).
  • For qualified signature, a qualified signature creation device (QSCD) is required to achieve the signature.

RCDevs provides different ways to easily integrate electronic signature in your infrastructure:

  • Mail integration: RCDevs provides a mail integration with a Postfix server designed to work with the OpenOTP signature backend. This functionality allows you to send an email to anybody in your company and submit a document to them for signature. This integration is user-friendly and very simple to use.

  • Plugin integrations: Simply download, install and configure the signature plugins developed by RCDevs for systems such as Nextcloud, EDM, SharePoint and Git, with more coming soon.

  • User Self-Service Desk application: The User Self-Service Desk web application provides a new functionality that allows you to submit a document for signature to yourself, simply by dragging and dropping that document onto a dedicated SelfDesk web page.

  • Custom integrations through APIs: Integrate the OpenOTP signature APIs anywhere you need them by implementing REST API calls in your website, web banking, intranet, extranet or e-commerce website, or even create a custom signature portal dedicated to that purpose, and much more. This is the most flexible, powerful and customizable integration. To get an idea of what is possible with the OpenOTP Signature APIs, visit and test YumiSign, which is based on the OpenOTP signature backend.

2. Signatories scenarios

We have identified 3 common signing scenarios that cover the different needs:

  1. Submit a document for signature to yourself,
  2. Submit a document for signature to someone or to multiple collaborators part of your company,
  3. Submit a document for signature to someone else not part of your company (External signatures require the easy to use YumiSign platform).

Items 1 and 2 are referred to as “Corporate signatories” scenarios. In corporate scenarios, the signatories are part of the LDAP directories configured with WebADM/OpenOTP.

Item 3 is referred to as the “External signatories” scenario. It involves a signatory who is not part of the LDAP directory configured with OpenOTP. The bridge between your on-premise OpenOTP Signature integrations and external users is the YumiSign platform. YumiSign orchestrates the creation of external accounts and the signature requests, which are triggered from your OpenOTP backend. A subscription to the YumiSign platform is required when YumiSign is involved. Licensing is based on who initiated the signature request. It is always free for the signatory when the request was initiated by someone else.

These 3 scenarios are covered by RCDevs Signature solutions.

3. Signature levels

According to the European Commission and the electronic signatures regulation, there are 3 levels of electronic signature:

  • Simple electronic signatures: “An electronic signature is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. Thus, something as simple as writing your name under an e-mail might constitute an electronic signature.”

  • Advanced electronic signatures (AdES): An advanced electronic signature is an electronic signature which is additionally:

    • uniquely linked to and capable of identifying the signatory;
    • created in a way that allows the signatory to retain control;
    • linked to the document in a way that any subsequent change of the data is detectable.
  • Qualified electronic signatures (QES): A qualified electronic signature is an advanced electronic signature which is additionally:

    • created by a qualified signature creation device (QSCD);
    • is based on a qualified certificate for electronic signatures;
    • it is equivalent to a handwritten signature.

RCDevs provides Standard, Advanced and Qualified signatures which meet the criteria of the European Commission. See below how this works with RCDevs solutions.

4. RCDevs transaction and signature solutions

RCDevs provides 3 kinds of electronic transactions/signatures (Simple, Advanced and Qualified Signatures) and also extra features like document sealing and timestamping. Whether a signature appears in green in Adobe Reader depends entirely on what Adobe Reader trusts. For more information regarding trust in Adobe Reader, see section 5 of this documentation.

The difference between a Transaction and an Electronic signature with RCDevs solutions is whether a document is attached to the request or not. Both types of request use the same APIs. In both types of request, a signature is performed, but at different levels/layers. When a document is attached, the document itself is signed; this is the electronic document signing scenario. When no document is attached to the request, it becomes a transaction, and what is signed is the data attached to the transaction. Both kinds of request can be signed in Standard, Advanced or Qualified mode.

4.1 Electronic Transactions

  • Standard Transaction Signing: This integration can be deployed for corporate signatories only. The user must have previously registered a Token on his LDAP account and his mobile. An electronic transaction can be used to validate a payment or a bank transfer, to obtain hierarchical approval for a particular action… anything that needs to be securely approved before an event occurs. Below is an example of an electronic transaction built with the Transaction tester of WebADM:

Once the request is submitted, the user is prompted on his mobile. The user can review the transaction details and, optionally, the attached form. He then approves or denies the request.

Proof of the transaction generated on the backend:

Mobile Transaction Confirmation

Started: 2022-06-03 10:16:35
Stopped: 2022-06-03 10:16:42
User DN: CN=yoann traut,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com
User IP: 192.168.3.132
Client ID: OpenOTP
Client IP: 192.168.4.20

Hash Data: ff620fda9bde137f50f18173ded2b8f343f92c49 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 3275721181 (CRC32)
OTP Nonce: f3abeb492249b93f5d14c642b9ef3a359807c57b
OTP Result: 718173DE (OATH)

Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlNhbXBsZSBDb25maXJtYXRp
b248L2I+PGJyPg0KPGJyPg0KQWNjb3VudDogRXhhbXBsZTxicj4NCkFtb3VudDog
WFhYLlhYIEV1cm9zPGJyPg0KPC9odG1sPg==

This method can be used to obtain a secure confirmation of a transaction in order to meet the PSD2 regulation.

  • Advanced Transaction Signing: This integration can be deployed for corporate signatories only. Corporate signatories (users who are part of the LDAP backends connected to your OpenOTP suite) can use WebADM or corporate user certificates: SignScope=Local (WebADM can be configured as a standalone CA or as a subordinate CA of your existing enterprise CA). The user must have previously registered a Token on his LDAP account and his mobile. The transaction signing is performed with the user’s certificate. Technically, this level of Advanced confirmation is equivalent to a Qualified signature in terms of cryptographic operations. The difference is that Advanced Transaction Signing does not use a Qualified Signature/Seal Creation Device (QSCD). Instead, it uses a company user certificate (SignScope=Local) or a certificate issued by the RCDevs root CA (SignScope=Global). The user is prompted on his mobile to create a new certificate (user-friendly CSR prompt). The CSR and the key are generated on the mobile, based on information provided by the WebADM PKI service. Once generated, the CSR is sent from the mobile to your WebADM PKI service (Rsignd) and signed by the WebADM CA. The certificate is then sent back to the mobile and registered in the WebADM SQL database. The certificate is stored in the keychain of the mobile. The transaction is then signed with the freshly generated key, which never leaves the mobile, and the signed transaction is sent back to the OpenOTP/YumiSign backend. Certificates issued by WebADM for signing purposes are valid for 1 month. After 1 month, the certificate expires and needs to be renewed. This renewal is done automatically in the signature workflow. Certificates issued on mobiles can be revoked at any time through WebADM Admin GUI > Databases > Client, Server and Mobile Certificates. Below is the certificate issued for that user in the Client, Server and Mobile Certificates database:

Corporate certificates issued by the WebADM PKI are listed here (SignScope=Local). Certificates issued by the RCDevs Root CA are also under your control, as they are stored in your WebADM SQL database. You can therefore revoke a user certificate issued by the RCDevs CA at any time by clicking the Enabled button on the corresponding certificate. When a certificate has been revoked by a WebADM administrator, the user concerned can no longer sign documents.

Revocation can later be cancelled by clicking the Enabled button again on the appropriate certificate.
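The flow described above (CSR created by the signer, certificate issued by the CA, transaction signed with the signer's key) can be reproduced offline with OpenSSL to see what a relying party has to check on the returned CMS file. This is an added example, not RCDevs code: the CAs, keys, names and transaction text are throwaway values constructed here, standing in for the WebADM CA and the key generated on the mobile.

```shell
#!/usr/bin/env bash
# Added example, not RCDevs code. Every key, certificate, name and the
# transaction text below is a throwaway value constructed for this demo.
WORK=$(mktemp -d)

# Own minimal config, so the demo CAs carry CA:TRUE whatever the system openssl.cnf says.
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca NAME: self-signed CA in $WORK/NAME.{key,pem} (stand-in for the corporate CA).
make_ca() {
  openssl req -x509 -config "$WORK/demo.cnf" -subj "/CN=Demo CA $1" -newkey rsa:2048 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 2 2>/dev/null
}

# make_signed_p7m: signer key + CSR, certificate issued by CA "ca", then an
# attached, DER-encoded CMS SignedData over the transaction text (tx.p7m).
make_signed_p7m() {
  printf 'Account: Example\r\nAmount: 100.00 Euros\r\n' > "$WORK/tx.txt"
  openssl req -new -config "$WORK/demo.cnf" -subj "/CN=demo signer" -newkey rsa:2048 \
    -nodes -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/user.pem" 2>/dev/null &&
  openssl cms -sign -binary -nodetach -md sha256 -in "$WORK/tx.txt" \
    -signer "$WORK/user.pem" -inkey "$WORK/user.key" -outform DER -out "$WORK/tx.p7m"
}

# verify_p7m FILE CA_PEM: verify the CMS signature, the content digest and the
# signer's chain to CA_PEM (-no-CApath: do not also consult the default
# certificate directory). On success the signed content is written to
# FILE.content and the signer certificate to FILE.signer.pem.
verify_p7m() {
  openssl cms -verify -binary -inform DER -in "$1" -CAfile "$2" -no-CApath \
    -out "$1.content" -signer "$1.signer.pem" 2>/dev/null
}

# signer_subject FILE: subject of the certificate that verify_p7m extracted.
signer_subject() {
  openssl x509 -in "$1.signer.pem" -noout -subject
}

# tamper_p7m IN OUT: change the amount inside the embedded content without
# changing its length, so the DER structure stays parseable.
tamper_p7m() {
  LC_ALL=C sed 's/100\.00/900.00/' "$1" > "$2"
}

# structure_shows FILE TEXT: asn1parse only decodes the structure; it does not
# verify anything, so it also succeeds on a modified file.
structure_shows() {
  openssl asn1parse -inform der -in "$1" | grep -q "$2"
}

write_config && make_ca ca && make_ca other && make_signed_p7m || exit 1
tamper_p7m "$WORK/tx.p7m" "$WORK/tampered.p7m"

verify_p7m "$WORK/tx.p7m" "$WORK/ca.pem" &&
  echo "genuine file, issuing CA : verified, $(signer_subject "$WORK/tx.p7m")"
structure_shows "$WORK/tampered.p7m" '900.00' &&
  echo "tampered file            : asn1parse still decodes it"
verify_p7m "$WORK/tampered.p7m" "$WORK/ca.pem" ||
  echo "tampered file, issuing CA: rejected"
verify_p7m "$WORK/tx.p7m" "$WORK/other.pem" ||
  echo "genuine file, other CA   : rejected"
```

The check covers the signature, the content integrity and the chain to the given CA only; revocation status is not consulted.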

Below are the details of a transaction signed with a corporate-issued certificate (SignScope = Local). A P7M file is returned by the API for each transaction. That file is a Cryptographic Message Syntax (CMS) structure and can be read with the following OpenSSL command:

openssl asn1parse -in output.p7m -inform der

Which results in the following:

    0:d=0  hl=4 l=8880 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=8865 cons: cont [ 0 ]        
   19:d=2  hl=4 l=8861 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  15 cons: SET               
   28:d=4  hl=2 l=  13 cons: SEQUENCE          
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim: NULL              
   43:d=3  hl=3 l= 137 cons: SEQUENCE          
   46:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   57:d=4  hl=2 l= 124 cons: cont [ 0 ]        
   59:d=5  hl=2 l= 122 prim: OCTET STRING      :<html style="color:white">
<b>Sample Signature</b><br>
<br>
Dummy Information #1<br>
Dummy Information #2<br>
</html>
  183:d=3  hl=4 l=1819 cons: cont [ 0 ]        
  187:d=4  hl=4 l= 971 cons: SEQUENCE          
  191:d=5  hl=4 l= 691 cons: SEQUENCE          
  195:d=6  hl=2 l=   3 cons: cont [ 0 ]        
  197:d=7  hl=2 l=   1 prim: INTEGER           :02
  200:d=6  hl=2 l=   2 prim: INTEGER           :B2
  204:d=6  hl=2 l=  13 cons: SEQUENCE          
  206:d=7  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  217:d=7  hl=2 l=   0 prim: NULL              
  219:d=6  hl=2 l=  52 cons: SEQUENCE          
  221:d=7  hl=2 l=  25 cons: SET               
  223:d=8  hl=2 l=  23 cons: SEQUENCE          
  225:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  230:d=9  hl=2 l=  16 prim: UTF8STRING        :WebADM CA #20034
  248:d=7  hl=2 l=  23 cons: SET               
  250:d=8  hl=2 l=  21 cons: SEQUENCE          
  252:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
  257:d=9  hl=2 l=  14 prim: UTF8STRING        :Support RCDevs
  273:d=6  hl=2 l=  30 cons: SEQUENCE          
  275:d=7  hl=2 l=  13 prim: UTCTIME           :220602104934Z
  290:d=7  hl=2 l=  13 prim: UTCTIME           :220702104934Z
  305:d=6  hl=3 l= 139 cons: SEQUENCE          
  308:d=7  hl=2 l=  14 cons: SET               
  310:d=8  hl=2 l=  12 cons: SEQUENCE          
  312:d=9  hl=2 l=   3 prim: OBJECT            :surname
  317:d=9  hl=2 l=   5 prim: UTF8STRING        :traut
  324:d=7  hl=2 l=  14 cons: SET               
  326:d=8  hl=2 l=  12 cons: SEQUENCE          
  328:d=9  hl=2 l=   3 prim: OBJECT            :givenName
  333:d=9  hl=2 l=   5 prim: UTF8STRING        :yoann
  340:d=7  hl=2 l=  33 cons: SET               
  342:d=8  hl=2 l=  31 cons: SEQUENCE          
  344:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
  355:d=9  hl=2 l=  18 prim: UTF8STRING        :support@rcdevs.com
  375:d=7  hl=2 l=  20 cons: SET               
  377:d=8  hl=2 l=  18 cons: SEQUENCE          
  379:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  384:d=9  hl=2 l=  11 prim: UTF8STRING        :yoann traut
  397:d=7  hl=2 l=  23 cons: SET               
  399:d=8  hl=2 l=  21 cons: SEQUENCE          
  401:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
  406:d=9  hl=2 l=  14 prim: UTF8STRING        :RCDevs Support
  422:d=7  hl=2 l=  23 cons: SET               
  424:d=8  hl=2 l=  21 cons: SEQUENCE          
  426:d=9  hl=2 l=   3 prim: OBJECT            :2.5.4.97
  431:d=9  hl=2 l=  14 prim: UTF8STRING        :VATLU-00000000
  447:d=6  hl=4 l= 290 cons: SEQUENCE          
  451:d=7  hl=2 l=  13 cons: SEQUENCE          
  453:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  464:d=8  hl=2 l=   0 prim: NULL              
  466:d=7  hl=4 l= 271 prim: BIT STRING        
  741:d=6  hl=3 l= 142 cons: cont [ 3 ]        
  744:d=7  hl=3 l= 139 cons: SEQUENCE          
  747:d=8  hl=2 l=  94 cons: SEQUENCE          
  749:d=9  hl=2 l=   8 prim: OBJECT            :Authority Information Access
  759:d=9  hl=2 l=  82 prim: OCTET STRING      [HEX DUMP]:3050302506082B060105050730018619687474703A2F2F3139322E3136382E342E33312F6F6373702F302706082B06010505073002861B687474703A2F2F3139322E3136382E342E33312F6361636572742F
  843:d=8  hl=2 l=  41 cons: SEQUENCE          
  845:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points
  850:d=9  hl=2 l=  34 prim: OCTET STRING      [HEX DUMP]:3020301EA01CA01A8618687474703A2F2F3139322E3136382E342E33312F63726C2F
  886:d=5  hl=2 l=  13 cons: SEQUENCE          
  888:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  899:d=6  hl=2 l=   0 prim: NULL              
  901:d=5  hl=4 l= 257 prim: BIT STRING        
 1162:d=4  hl=4 l= 840 cons: SEQUENCE          
 1166:d=5  hl=4 l= 560 cons: SEQUENCE          
 1170:d=6  hl=2 l=   3 cons: cont [ 0 ]        
 1172:d=7  hl=2 l=   1 prim: INTEGER           :02
 1175:d=6  hl=2 l=  20 prim: INTEGER           :0AD37EE93FDBFE67F1115F96850D4495C8DA6DEF
 1197:d=6  hl=2 l=  13 cons: SEQUENCE          
 1199:d=7  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 1210:d=7  hl=2 l=   0 prim: NULL              
 1212:d=6  hl=2 l=  52 cons: SEQUENCE          
 1214:d=7  hl=2 l=  25 cons: SET               
 1216:d=8  hl=2 l=  23 cons: SEQUENCE          
 1218:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1223:d=9  hl=2 l=  16 prim: UTF8STRING        :WebADM CA #20034
 1241:d=7  hl=2 l=  23 cons: SET               
 1243:d=8  hl=2 l=  21 cons: SEQUENCE          
 1245:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 1250:d=9  hl=2 l=  14 prim: UTF8STRING        :Support RCDevs
 1266:d=6  hl=2 l=  32 cons: SEQUENCE          
 1268:d=7  hl=2 l=  13 prim: UTCTIME           :210426130149Z
 1283:d=7  hl=2 l=  15 prim: GENERALIZEDTIME   :20710414130149Z
 1300:d=6  hl=2 l=  52 cons: SEQUENCE          
 1302:d=7  hl=2 l=  25 cons: SET               
 1304:d=8  hl=2 l=  23 cons: SEQUENCE          
 1306:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1311:d=9  hl=2 l=  16 prim: UTF8STRING        :WebADM CA #20034
 1329:d=7  hl=2 l=  23 cons: SET               
 1331:d=8  hl=2 l=  21 cons: SEQUENCE          
 1333:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 1338:d=9  hl=2 l=  14 prim: UTF8STRING        :Support RCDevs
 1354:d=6  hl=4 l= 290 cons: SEQUENCE          
 1358:d=7  hl=2 l=  13 cons: SEQUENCE          
 1360:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 1371:d=8  hl=2 l=   0 prim: NULL              
 1373:d=7  hl=4 l= 271 prim: BIT STRING        
 1648:d=6  hl=2 l=  80 cons: cont [ 3 ]        
 1650:d=7  hl=2 l=  78 cons: SEQUENCE          
 1652:d=8  hl=2 l=  29 cons: SEQUENCE          
 1654:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 1659:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:041428A7DC1346E132C0CC1421BD7726117EFE230517
 1683:d=8  hl=2 l=  31 cons: SEQUENCE          
 1685:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 1690:d=9  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:3016801428A7DC1346E132C0CC1421BD7726117EFE230517
 1716:d=8  hl=2 l=  12 cons: SEQUENCE          
 1718:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 1723:d=9  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 1730:d=5  hl=2 l=  13 cons: SEQUENCE          
 1732:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 1743:d=6  hl=2 l=   0 prim: NULL              
 1745:d=5  hl=4 l= 257 prim: BIT STRING        
 2006:d=3  hl=2 l=   0 cons: cont [ 1 ]        
 2008:d=3  hl=4 l=6872 cons: SET               
 2012:d=4  hl=4 l=6868 cons: SEQUENCE          
 2016:d=5  hl=2 l=   1 prim: INTEGER           :01
 2019:d=5  hl=2 l=  58 cons: SEQUENCE          
 2021:d=6  hl=2 l=  52 cons: SEQUENCE          
 2023:d=7  hl=2 l=  25 cons: SET               
 2025:d=8  hl=2 l=  23 cons: SEQUENCE          
 2027:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 2032:d=9  hl=2 l=  16 prim: UTF8STRING        :WebADM CA #20034
 2050:d=7  hl=2 l=  23 cons: SET               
 2052:d=8  hl=2 l=  21 cons: SEQUENCE          
 2054:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 2059:d=9  hl=2 l=  14 prim: UTF8STRING        :Support RCDevs
 2075:d=6  hl=2 l=   2 prim: INTEGER           :B2
 2079:d=5  hl=2 l=  13 cons: SEQUENCE          
 2081:d=6  hl=2 l=   9 prim: OBJECT            :sha256
 2092:d=6  hl=2 l=   0 prim: NULL              
 2094:d=5  hl=3 l= 160 cons: cont [ 0 ]        
 2097:d=6  hl=2 l=  24 cons: SEQUENCE          
 2099:d=7  hl=2 l=   9 prim: OBJECT            :contentType
 2110:d=7  hl=2 l=  11 cons: SET               
 2112:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 2123:d=6  hl=2 l=  47 cons: SEQUENCE          
 2125:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 2136:d=7  hl=2 l=  34 cons: SET               
 2138:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:AB66B49FBBC6F1A3B69A52E4018D530264E6C906C49F8059D28A79D1245E325D
 2172:d=6  hl=2 l=  55 cons: SEQUENCE          
 2174:d=7  hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.2.47
 2187:d=7  hl=2 l=  40 cons: SET               
 2189:d=8  hl=2 l=  38 cons: SEQUENCE          
 2191:d=9  hl=2 l=  36 cons: SEQUENCE          
 2193:d=10 hl=2 l=  34 cons: SEQUENCE          
 2195:d=11 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:C57B3CF43DC7FDAEE473122966509829D29AA07B911D46E54682C9E0DD9BBC7F
 2229:d=6  hl=2 l=  26 cons: SEQUENCE          
 2231:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 2242:d=7  hl=2 l=  13 cons: SET               
 2244:d=8  hl=2 l=  11 prim: UTCTIME           :2206031252Z
 2257:d=5  hl=2 l=  13 cons: SEQUENCE          
 2259:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 2270:d=6  hl=2 l=   0 prim: NULL              
 2272:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:
 2532:d=5  hl=4 l=6348 cons: cont [ 1 ]        
 2536:d=6  hl=4 l=3103 cons: SEQUENCE          
 2540:d=7  hl=2 l=  11 prim: OBJECT            :id-smime-aa-timeStampToken
 2553:d=7  hl=4 l=3086 cons: SET               
 2557:d=8  hl=4 l=3082 cons: SEQUENCE          
 2561:d=9  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
 2572:d=9  hl=4 l=3067 cons: cont [ 0 ]        
 2576:d=10 hl=4 l=3063 cons: SEQUENCE          
 2580:d=11 hl=2 l=   1 prim: INTEGER           :03
 2583:d=11 hl=2 l=  13 cons: SET               
 2585:d=12 hl=2 l=  11 cons: SEQUENCE          
 2587:d=13 hl=2 l=   9 prim: OBJECT            :sha256
 2598:d=11 hl=4 l= 282 cons: SEQUENCE          
 2602:d=12 hl=2 l=  11 prim: OBJECT            :id-smime-ct-TSTInfo
 2615:d=12 hl=4 l= 265 cons: cont [ 0 ]        
 2619:d=13 hl=4 l= 261 prim: OCTET STRING      [HEX DUMP]:
 2884:d=11 hl=4 l=1700 cons: cont [ 0 ]        
 2888:d=12 hl=4 l=1696 cons: SEQUENCE          
 2892:d=13 hl=4 l=1160 cons: SEQUENCE          
 2896:d=14 hl=2 l=   3 cons: cont [ 0 ]        
 2898:d=15 hl=2 l=   1 prim: INTEGER           :02
 2901:d=14 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 2923:d=14 hl=2 l=  13 cons: SEQUENCE          
 2925:d=15 hl=2 l=   9 prim: OBJECT            :sha512WithRSAEncryption
 2936:d=15 hl=2 l=   0 prim: NULL              
 2938:d=14 hl=2 l= 111 cons: SEQUENCE          
 2940:d=15 hl=2 l=  11 cons: SET               
 2942:d=16 hl=2 l=   9 cons: SEQUENCE          
 2944:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 2949:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 2953:d=15 hl=2 l=  29 cons: SET               
 2955:d=16 hl=2 l=  27 cons: SEQUENCE          
 2957:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 2962:d=17 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 2984:d=15 hl=2 l=  38 cons: SET               
 2986:d=16 hl=2 l=  36 cons: SEQUENCE          
 2988:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 2993:d=17 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 3024:d=15 hl=2 l=  25 cons: SET               
 3026:d=16 hl=2 l=  23 cons: SEQUENCE          
 3028:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 3033:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 3051:d=14 hl=2 l=  30 cons: SEQUENCE          
 3053:d=15 hl=2 l=  13 prim: UTCTIME           :170315102318Z
 3068:d=15 hl=2 l=  13 prim: UTCTIME           :280315235959Z
 3083:d=14 hl=2 l= 102 cons: SEQUENCE          
 3085:d=15 hl=2 l=  11 cons: SET               
 3087:d=16 hl=2 l=   9 cons: SEQUENCE          
 3089:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 3094:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 3098:d=15 hl=2 l=  33 cons: SET               
 3100:d=16 hl=2 l=  31 cons: SEQUENCE          
 3102:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 3107:d=17 hl=2 l=  24 prim: UTF8STRING        :Asseco Data Systems S.A.
 3133:d=15 hl=2 l=  25 cons: SET               
 3135:d=16 hl=2 l=  23 cons: SEQUENCE          
 3137:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 3142:d=17 hl=2 l=  16 prim: UTF8STRING        :Certum QTST 2017
 3160:d=15 hl=2 l=  25 cons: SET               
 3162:d=16 hl=2 l=  23 cons: SEQUENCE          
 3164:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 3169:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5170359458
 3187:d=14 hl=4 l= 546 cons: SEQUENCE          
 3191:d=15 hl=2 l=  13 cons: SEQUENCE          
 3193:d=16 hl=2 l=   9 prim: OBJECT            :rsaEncryption
 3204:d=16 hl=2 l=   0 prim: NULL              
 3206:d=15 hl=4 l= 527 prim: BIT STRING        
 3737:d=14 hl=4 l= 315 cons: cont [ 3 ]        
 3741:d=15 hl=4 l= 311 cons: SEQUENCE          
 3745:d=16 hl=2 l=  22 cons: SEQUENCE          
 3747:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
 3752:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 3755:d=17 hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070308
 3769:d=16 hl=2 l=  12 cons: SEQUENCE          
 3771:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 3776:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 3779:d=17 hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
 3783:d=16 hl=3 l= 172 cons: SEQUENCE          
 3786:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 3791:d=17 hl=3 l= 164 prim: OCTET STRING      [HEX DUMP]:3081A1801429B3C8C4DFA387F866051258FD462AB8980D7987A173A471306F310B300906035504061302504C311D301B060355040A0C144E61726F646F77792042616E6B20506F6C736B693126302406035504030C1D4E61726F646F77652043656E7472756D20436572747966696B61636A693119301706035504610C10564154504C2D35323530303038313938821440F8F78AB0E364105691C8D9E02CF8C1C6400A46
 3958:d=16 hl=2 l=  49 cons: SEQUENCE          
 3960:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Certificate Policies
 3965:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 3968:d=17 hl=2 l=  39 prim: OCTET STRING      [HEX DUMP]:302530230604551D2000301B301906082B06010505070201160D7777772E6E63636572742E706C
 4009:d=16 hl=2 l=  14 cons: SEQUENCE          
 4011:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 4016:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 4019:d=17 hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030206C0
 4025:d=16 hl=2 l=  29 cons: SEQUENCE          
 4027:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 4032:d=17 hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414B2BD12CB0781E27BA3B0611D4A4379A887F4D076
 4056:d=13 hl=2 l=  13 cons: SEQUENCE          
 4058:d=14 hl=2 l=   9 prim: OBJECT            :sha512WithRSAEncryption
 4069:d=14 hl=2 l=   0 prim: NULL              
 4071:d=13 hl=4 l= 513 prim: BIT STRING        
 4588:d=11 hl=4 l=1051 cons: SET               
 4592:d=12 hl=4 l=1047 cons: SEQUENCE          
 4596:d=13 hl=2 l=   1 prim: INTEGER           :01
 4599:d=13 hl=3 l= 135 cons: SEQUENCE          
 4602:d=14 hl=2 l= 111 cons: SEQUENCE          
 4604:d=15 hl=2 l=  11 cons: SET               
 4606:d=16 hl=2 l=   9 cons: SEQUENCE          
 4608:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 4613:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 4617:d=15 hl=2 l=  29 cons: SET               
 4619:d=16 hl=2 l=  27 cons: SEQUENCE          
 4621:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 4626:d=17 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 4648:d=15 hl=2 l=  38 cons: SET               
 4650:d=16 hl=2 l=  36 cons: SEQUENCE          
 4652:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 4657:d=17 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 4688:d=15 hl=2 l=  25 cons: SET               
 4690:d=16 hl=2 l=  23 cons: SEQUENCE          
 4692:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 4697:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 4715:d=14 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 4737:d=13 hl=2 l=  13 cons: SEQUENCE          
 4739:d=14 hl=2 l=   9 prim: OBJECT            :sha256
 4750:d=14 hl=2 l=   0 prim: NULL              
 4752:d=13 hl=4 l= 356 cons: cont [ 0 ]        
 4756:d=14 hl=2 l=  26 cons: SEQUENCE          
 4758:d=15 hl=2 l=   9 prim: OBJECT            :contentType
 4769:d=15 hl=2 l=  13 cons: SET               
 4771:d=16 hl=2 l=  11 prim: OBJECT            :id-smime-ct-TSTInfo
 4784:d=14 hl=2 l=  28 cons: SEQUENCE          
 4786:d=15 hl=2 l=   9 prim: OBJECT            :signingTime
 4797:d=15 hl=2 l=  15 cons: SET               
 4799:d=16 hl=2 l=  13 prim: UTCTIME           :220603125228Z
 4814:d=14 hl=2 l=  47 cons: SEQUENCE          
 4816:d=15 hl=2 l=   9 prim: OBJECT            :messageDigest
 4827:d=15 hl=2 l=  34 cons: SET               
 4829:d=16 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:DE9DE66106E93BB55DECFAA09EBEC7C6C8FDC3482CF46C5070B76DEBAAFD1E1B
 4863:d=14 hl=2 l=  55 cons: SEQUENCE          
 4865:d=15 hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.2.47
 4878:d=15 hl=2 l=  40 cons: SET               
 4880:d=16 hl=2 l=  38 cons: SEQUENCE          
 4882:d=17 hl=2 l=  36 cons: SEQUENCE          
 4884:d=18 hl=2 l=  34 cons: SEQUENCE          
 4886:d=19 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:673BE8A1DA927DB63CCAB7CB3E7AC352DC3AEB6A8DA3E2A359CA158D0A440DB8
 4920:d=14 hl=3 l= 189 cons: SEQUENCE          
 4923:d=15 hl=2 l=  11 prim: OBJECT            :id-smime-aa-signingCertificate
 4936:d=15 hl=3 l= 173 cons: SET               
 4939:d=16 hl=3 l= 170 cons: SEQUENCE          
 4942:d=17 hl=3 l= 167 cons: SEQUENCE          
 4945:d=18 hl=3 l= 164 cons: SEQUENCE          
 4948:d=19 hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:6E23CDB967F06D3FDA85316C5B47361CD55542AC
 4970:d=19 hl=3 l= 139 cons: SEQUENCE          
 4973:d=20 hl=2 l= 115 cons: SEQUENCE          
 4975:d=21 hl=2 l= 113 cons: cont [ 4 ]        
 4977:d=22 hl=2 l= 111 cons: SEQUENCE          
 4979:d=23 hl=2 l=  11 cons: SET               
 4981:d=24 hl=2 l=   9 cons: SEQUENCE          
 4983:d=25 hl=2 l=   3 prim: OBJECT            :countryName
 4988:d=25 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 4992:d=23 hl=2 l=  29 cons: SET               
 4994:d=24 hl=2 l=  27 cons: SEQUENCE          
 4996:d=25 hl=2 l=   3 prim: OBJECT            :organizationName
 5001:d=25 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 5023:d=23 hl=2 l=  38 cons: SET               
 5025:d=24 hl=2 l=  36 cons: SEQUENCE          
 5027:d=25 hl=2 l=   3 prim: OBJECT            :commonName
 5032:d=25 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 5063:d=23 hl=2 l=  25 cons: SET               
 5065:d=24 hl=2 l=  23 cons: SEQUENCE          
 5067:d=25 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 5072:d=25 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 5090:d=20 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 5112:d=13 hl=2 l=  13 cons: SEQUENCE          
 5114:d=14 hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 5125:d=14 hl=2 l=   0 prim: NULL              
 5127:d=13 hl=4 l= 512 prim: OCTET STRING      [HEX DUMP]:
 5643:d=6  hl=4 l=3237 cons: SEQUENCE          
 5647:d=7  hl=2 l=   6 prim: OBJECT            :0.4.0.1733.2.4
 5655:d=7  hl=4 l=3225 cons: SET               
 5659:d=8  hl=4 l=3221 cons: SEQUENCE          
 5663:d=9  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
 5674:d=9  hl=4 l=3206 cons: cont [ 0 ]        
 5678:d=10 hl=4 l=3202 cons: SEQUENCE          
 5682:d=11 hl=2 l=   1 prim: INTEGER           :03
 5685:d=11 hl=2 l=  13 cons: SET               
 5687:d=12 hl=2 l=  11 cons: SEQUENCE          
 5689:d=13 hl=2 l=   9 prim: OBJECT            :sha256
 5700:d=11 hl=4 l= 281 cons: SEQUENCE          
 5704:d=12 hl=2 l=  11 prim: OBJECT            :id-smime-ct-TSTInfo
 5717:d=12 hl=4 l= 264 cons: cont [ 0 ]        
 5721:d=13 hl=4 l= 260 prim: OCTET STRING      [HEX DUMP]:
 5985:d=11 hl=4 l=1700 cons: cont [ 0 ]        
 5989:d=12 hl=4 l=1696 cons: SEQUENCE          
 5993:d=13 hl=4 l=1160 cons: SEQUENCE          
 5997:d=14 hl=2 l=   3 cons: cont [ 0 ]        
 5999:d=15 hl=2 l=   1 prim: INTEGER           :02
 6002:d=14 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 6024:d=14 hl=2 l=  13 cons: SEQUENCE          
 6026:d=15 hl=2 l=   9 prim: OBJECT            :sha512WithRSAEncryption
 6037:d=15 hl=2 l=   0 prim: NULL              
 6039:d=14 hl=2 l= 111 cons: SEQUENCE          
 6041:d=15 hl=2 l=  11 cons: SET               
 6043:d=16 hl=2 l=   9 cons: SEQUENCE          
 6045:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 6050:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 6054:d=15 hl=2 l=  29 cons: SET               
 6056:d=16 hl=2 l=  27 cons: SEQUENCE          
 6058:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 6063:d=17 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 6085:d=15 hl=2 l=  38 cons: SET               
 6087:d=16 hl=2 l=  36 cons: SEQUENCE          
 6089:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 6094:d=17 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 6125:d=15 hl=2 l=  25 cons: SET               
 6127:d=16 hl=2 l=  23 cons: SEQUENCE          
 6129:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 6134:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 6152:d=14 hl=2 l=  30 cons: SEQUENCE          
 6154:d=15 hl=2 l=  13 prim: UTCTIME           :170315102318Z
 6169:d=15 hl=2 l=  13 prim: UTCTIME           :280315235959Z
 6184:d=14 hl=2 l= 102 cons: SEQUENCE          
 6186:d=15 hl=2 l=  11 cons: SET               
 6188:d=16 hl=2 l=   9 cons: SEQUENCE          
 6190:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 6195:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 6199:d=15 hl=2 l=  33 cons: SET               
 6201:d=16 hl=2 l=  31 cons: SEQUENCE          
 6203:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 6208:d=17 hl=2 l=  24 prim: UTF8STRING        :Asseco Data Systems S.A.
 6234:d=15 hl=2 l=  25 cons: SET               
 6236:d=16 hl=2 l=  23 cons: SEQUENCE          
 6238:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 6243:d=17 hl=2 l=  16 prim: UTF8STRING        :Certum QTST 2017
 6261:d=15 hl=2 l=  25 cons: SET               
 6263:d=16 hl=2 l=  23 cons: SEQUENCE          
 6265:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 6270:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5170359458
 6288:d=14 hl=4 l= 546 cons: SEQUENCE          
 6292:d=15 hl=2 l=  13 cons: SEQUENCE          
 6294:d=16 hl=2 l=   9 prim: OBJECT            :rsaEncryption
 6305:d=16 hl=2 l=   0 prim: NULL              
 6307:d=15 hl=4 l= 527 prim: BIT STRING        
 6838:d=14 hl=4 l= 315 cons: cont [ 3 ]        
 6842:d=15 hl=4 l= 311 cons: SEQUENCE          
 6846:d=16 hl=2 l=  22 cons: SEQUENCE          
 6848:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
 6853:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 6856:d=17 hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070308
 6870:d=16 hl=2 l=  12 cons: SEQUENCE          
 6872:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 6877:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 6880:d=17 hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
 6884:d=16 hl=3 l= 172 cons: SEQUENCE          
 6887:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 6892:d=17 hl=3 l= 164 prim: OCTET STRING      [HEX DUMP]:3081A1801429B3C8C4DFA387F866051258FD462AB8980D7987A173A471306F310B300906035504061302504C311D301B060355040A0C144E61726F646F77792042616E6B20506F6C736B693126302406035504030C1D4E61726F646F77652043656E7472756D20436572747966696B61636A693119301706035504610C10564154504C2D35323530303038313938821440F8F78AB0E364105691C8D9E02CF8C1C6400A46
 7059:d=16 hl=2 l=  49 cons: SEQUENCE          
 7061:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Certificate Policies
 7066:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 7069:d=17 hl=2 l=  39 prim: OCTET STRING      [HEX DUMP]:302530230604551D2000301B301906082B06010505070201160D7777772E6E63636572742E706C
 7110:d=16 hl=2 l=  14 cons: SEQUENCE          
 7112:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 7117:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 7120:d=17 hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030206C0
 7126:d=16 hl=2 l=  29 cons: SEQUENCE          
 7128:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 7133:d=17 hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414B2BD12CB0781E27BA3B0611D4A4379A887F4D076
 7157:d=13 hl=2 l=  13 cons: SEQUENCE          
 7159:d=14 hl=2 l=   9 prim: OBJECT            :sha512WithRSAEncryption
 7170:d=14 hl=2 l=   0 prim: NULL              
 7172:d=13 hl=4 l= 513 prim: BIT STRING        
 7689:d=11 hl=4 l=1191 cons: SET               
 7693:d=12 hl=4 l=1187 cons: SEQUENCE          
 7697:d=13 hl=2 l=   1 prim: INTEGER           :01
 7700:d=13 hl=3 l= 135 cons: SEQUENCE          
 7703:d=14 hl=2 l= 111 cons: SEQUENCE          
 7705:d=15 hl=2 l=  11 cons: SET               
 7707:d=16 hl=2 l=   9 cons: SEQUENCE          
 7709:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 7714:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 7718:d=15 hl=2 l=  29 cons: SET               
 7720:d=16 hl=2 l=  27 cons: SEQUENCE          
 7722:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 7727:d=17 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 7749:d=15 hl=2 l=  38 cons: SET               
 7751:d=16 hl=2 l=  36 cons: SEQUENCE          
 7753:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 7758:d=17 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 7789:d=15 hl=2 l=  25 cons: SET               
 7791:d=16 hl=2 l=  23 cons: SEQUENCE          
 7793:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 7798:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 7816:d=14 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 7838:d=13 hl=2 l=  13 cons: SEQUENCE          
 7840:d=14 hl=2 l=   9 prim: OBJECT            :sha256
 7851:d=14 hl=2 l=   0 prim: NULL              
 7853:d=13 hl=4 l= 356 cons: cont [ 0 ]        
 7857:d=14 hl=2 l=  26 cons: SEQUENCE          
 7859:d=15 hl=2 l=   9 prim: OBJECT            :contentType
 7870:d=15 hl=2 l=  13 cons: SET               
 7872:d=16 hl=2 l=  11 prim: OBJECT            :id-smime-ct-TSTInfo
 7885:d=14 hl=2 l=  28 cons: SEQUENCE          
 7887:d=15 hl=2 l=   9 prim: OBJECT            :signingTime
 7898:d=15 hl=2 l=  15 cons: SET               
 7900:d=16 hl=2 l=  13 prim: UTCTIME           :220603125228Z
 7915:d=14 hl=2 l=  47 cons: SEQUENCE          
 7917:d=15 hl=2 l=   9 prim: OBJECT            :messageDigest
 7928:d=15 hl=2 l=  34 cons: SET               
 7930:d=16 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:D2F188F6D11416D409E9F4F8C16D1936D49357FEC25CFBF65C46AFE9346B28BA
 7964:d=14 hl=2 l=  55 cons: SEQUENCE          
 7966:d=15 hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.2.47
 7979:d=15 hl=2 l=  40 cons: SET               
 7981:d=16 hl=2 l=  38 cons: SEQUENCE          
 7983:d=17 hl=2 l=  36 cons: SEQUENCE          
 7985:d=18 hl=2 l=  34 cons: SEQUENCE          
 7987:d=19 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:673BE8A1DA927DB63CCAB7CB3E7AC352DC3AEB6A8DA3E2A359CA158D0A440DB8
 8021:d=14 hl=3 l= 189 cons: SEQUENCE          
 8024:d=15 hl=2 l=  11 prim: OBJECT            :id-smime-aa-signingCertificate
 8037:d=15 hl=3 l= 173 cons: SET               
 8040:d=16 hl=3 l= 170 cons: SEQUENCE          
 8043:d=17 hl=3 l= 167 cons: SEQUENCE          
 8046:d=18 hl=3 l= 164 cons: SEQUENCE          
 8049:d=19 hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:6E23CDB967F06D3FDA85316C5B47361CD55542AC
 8071:d=19 hl=3 l= 139 cons: SEQUENCE          
 8074:d=20 hl=2 l= 115 cons: SEQUENCE          
 8076:d=21 hl=2 l= 113 cons: cont [ 4 ]        
 8078:d=22 hl=2 l= 111 cons: SEQUENCE          
 8080:d=23 hl=2 l=  11 cons: SET               
 8082:d=24 hl=2 l=   9 cons: SEQUENCE          
 8084:d=25 hl=2 l=   3 prim: OBJECT            :countryName
 8089:d=25 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 8093:d=23 hl=2 l=  29 cons: SET               
 8095:d=24 hl=2 l=  27 cons: SEQUENCE          
 8097:d=25 hl=2 l=   3 prim: OBJECT            :organizationName
 8102:d=25 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 8124:d=23 hl=2 l=  38 cons: SET               
 8126:d=24 hl=2 l=  36 cons: SEQUENCE          
 8128:d=25 hl=2 l=   3 prim: OBJECT            :commonName
 8133:d=25 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 8164:d=23 hl=2 l=  25 cons: SET               
 8166:d=24 hl=2 l=  23 cons: SEQUENCE          
 8168:d=25 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 8173:d=25 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 8191:d=20 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 8213:d=13 hl=2 l=  13 cons: SEQUENCE          
 8215:d=14 hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 8226:d=14 hl=2 l=   0 prim: NULL              
 8228:d=13 hl=4 l= 512 prim: OCTET STRING      [HEX DUMP]:02E4D0B4A0B078C1254B32FC550B79E521CFF0538EC20940B2E89BAD75557B7270EB69C3A41DDCAE148E7C586F89EF638505093436F932AC1AC3D982382C8E1E9F04DC3A3ABA87E518E7DFB13A3239FADFE7FC9092BA0EB13203E758531CAB826B2FBF41AFE9CA94D33E06C46D3A5C09AE9D6E14B3F36914997C7B8D564508245E1F65EE14248A50FE868D21A4AFD0BDF64CB81BC371E6830A751D5C849AA6F7C1900DAE484C89763C8E5CD3D316FFFE225CE415B146488DC9044D967650163FE8667E53F5D2709DC351B34D9B4621D5732DB05A97967059EAB5E40FD227C953699CDE608F8CBB0A35271BEB716A389F9891B785DBC980779F4FDC83D05ED55F1552E7FE76F339D9351BFD512A177F21B04DA71F78B31C2EA6E1B2A2E249FCFA2A11C1699092F30EE0F616C156E0887FFB0F631A9516D490A6F72F94977BE49411951CB2752DCA8CBBAD5F290812754946C536575C45D4C998146CB5BAECE28AE03C2B406DB52EDFDECFF9151AD21A1C2B761A7FE353F4B6377B8C39D55AD3BAE513847DCBEF3C5CE55BD502FB1DE2B4EAF43EE061FF3BEF95BCF625227D410E366E578808AA6FB374D2461C1ED5DC130CF50A22DC4F1A6AD1FDF617A1B4E98897C393BEDC9C9C4F258A4E470CFC723A60F63437EFEADEBFEF00537DFBB5E4E8BAC431273018CA88C7E7D9509E9415F03053FC270ADE94DD7C10249C79FF53A6
 8744:d=13 hl=3 l= 137 cons: cont [ 1 ]        
 8747:d=14 hl=3 l= 134 cons: SEQUENCE          
 8750:d=15 hl=2 l=   7 prim: OBJECT            :0.4.0.19122.1.5
 8759:d=15 hl=2 l= 123 cons: SET               
 8761:d=16 hl=2 l= 121 cons: SEQUENCE          
 8763:d=17 hl=2 l=  11 cons: SEQUENCE          
 8765:d=18 hl=2 l=   9 prim: OBJECT            :sha256
 8776:d=17 hl=2 l=  68 cons: SEQUENCE          
 8778:d=18 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:C57B3CF43DC7FDAEE473122966509829D29AA07B911D46E54682C9E0DD9BBC7F
 8812:d=18 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:9D60CAD043EE1B4216B7B977946477DE997FC0F95BE422FDEABE42E51006F4DF
 8846:d=17 hl=2 l=   0 cons: SEQUENCE          
 8848:d=17 hl=2 l=  34 cons: SEQUENCE          
 8850:d=18 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:5314884A9C21F74D0D4057600D8C0425C48FD9FDE0A48DFE231C879F300C20EA

What has been signed (the transaction details) and the information related to the user certificate are contained in the CMS output. For more information regarding CMS, have a look at RFC 5652.
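asn1parse only displays the structure; it does not confirm that the transaction text in the pkcs7-data OCTET STRING is the text covered by the messageDigest signed attribute. The following is an added example, not RCDevs code: it walks a DER-encoded SignedData and checks that binding. The sample input is constructed inline with a placeholder signer identifier and signature, and all function names are hypothetical.

```python
import hashlib
import hmac

# DER-encoded OID bodies used by CMS (RFC 5652)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # pkcs7-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")            # pkcs7-data
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # contentType
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # messageDigest
OID_SHA256 = bytes.fromhex("608648016503040201")          # sha256
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")      # sha256WithRSAEncryption


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length


def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a constructed value."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        if ve > end:
            raise ValueError("child overruns its parent")
        out.append((tag, vs, ve))
        start = ve
    return out


def digest_binding(p7m):
    """Return (content, [ok per signer]): does messageDigest equal SHA-256(content)?"""
    _, s, e = read_tlv(p7m, 0)                       # ContentInfo
    ci = children(p7m, s, e)
    if p7m[ci[0][1]:ci[0][2]] != OID_SIGNED_DATA:
        raise ValueError("not a signedData ContentInfo")
    _, sd_s, sd_e = read_tlv(p7m, ci[1][1])          # SignedData inside [0]
    sd = children(p7m, sd_s, sd_e)
    encap = children(p7m, sd[2][1], sd[2][2])        # encapContentInfo
    if len(encap) < 2:
        raise ValueError("detached signature: content is not in the file")
    _, c_s, c_e = read_tlv(p7m, encap[1][1])         # OCTET STRING inside [0]
    content = p7m[c_s:c_e]
    actual = hashlib.sha256(content).digest()
    results = []
    for _, si_s, si_e in children(p7m, sd[-1][1], sd[-1][2]):   # signerInfos SET
        si = children(p7m, si_s, si_e)
        alg = children(p7m, si[2][1], si[2][2])[0]
        if p7m[alg[1]:alg[2]] != OID_SHA256:
            raise ValueError("this example only handles sha256")
        if si[3][0] != 0xA0:
            raise ValueError("signer has no signed attributes")
        claimed = None
        for _, a_s, a_e in children(p7m, si[3][1], si[3][2]):
            oid, values = children(p7m, a_s, a_e)    # Attribute: type, SET of values
            if p7m[oid[1]:oid[2]] == OID_MESSAGE_DIGEST:
                _, d_s, d_e = read_tlv(p7m, values[1])
                claimed = p7m[d_s:d_e]
        results.append(claimed is not None and hmac.compare_digest(claimed, actual))
    return content, results


def tlv(tag, *parts):
    """Encode one DER element (used only to build the constructed sample)."""
    body = b"".join(parts)
    n = len(body)
    head = bytes([n]) if n < 0x80 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + head + body


def build_sample(content, digest):
    """Constructed SignedData skeleton: placeholder issuer, serial and signature."""
    attrs = tlv(0xA0,
                tlv(0x30, tlv(0x06, OID_CONTENT_TYPE), tlv(0x31, tlv(0x06, OID_DATA))),
                tlv(0x30, tlv(0x06, OID_MESSAGE_DIGEST), tlv(0x31, tlv(0x04, digest))))
    signer = tlv(0x30, tlv(0x02, b"\x01"),
                 tlv(0x30, tlv(0x30), tlv(0x02, b"\x01")),          # issuerAndSerialNumber
                 tlv(0x30, tlv(0x06, OID_SHA256), tlv(0x05)), attrs,
                 tlv(0x30, tlv(0x06, OID_SHA256_RSA), tlv(0x05)),
                 tlv(0x04, b"\x00" * 32))                           # placeholder signature
    signed = tlv(0x30, tlv(0x02, b"\x01"),
                 tlv(0x31, tlv(0x30, tlv(0x06, OID_SHA256), tlv(0x05))),
                 tlv(0x30, tlv(0x06, OID_DATA), tlv(0xA0, tlv(0x04, content))),
                 tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA), tlv(0xA0, signed))


# Constructed sample transaction text and a copy whose text was altered after signing
SAMPLE = b"<b>Sample Signature</b><br>Dummy Information #1<br>"
ALTERED = b"<b>Sample Signature</b><br>Dummy Information #9<br>"
GOOD_P7M = build_sample(SAMPLE, hashlib.sha256(SAMPLE).digest())
BAD_P7M = build_sample(ALTERED, hashlib.sha256(SAMPLE).digest())

if __name__ == "__main__":
    print(digest_binding(GOOD_P7M)[1], digest_binding(BAD_P7M)[1])
```

This covers only the digest binding. Signature and certificate-chain validation still need a full verifier such as `openssl cms -verify -inform DER -in <file>.p7m -CAfile <trusted CA bundle>`.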

Details of the certificate used for the previous transaction on the WebADM backend:

Below are the details of a transaction signed with a certificate issued by the RCDevs CA (SignScope = Global). A P7M file is returned by the API for each transaction. That file is a Cryptographic Message Syntax (CMS) structure and can be read with the following OpenSSL command:

openssl asn1parse -in output_global.p7m -inform der
    0:d=0  hl=4 l=10376 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=10361 cons: cont [ 0 ]        
   19:d=2  hl=4 l=10357 cons: SEQUENCE          
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  15 cons: SET               
   28:d=4  hl=2 l=  13 cons: SEQUENCE          
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim: NULL              
   43:d=3  hl=3 l= 137 cons: SEQUENCE          
   46:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   57:d=4  hl=2 l= 124 cons: cont [ 0 ]        
   59:d=5  hl=2 l= 122 prim: OCTET STRING      :<html style="color:white">
<b>Sample Signature</b><br>
<br>
Dummy Information #1<br>
Dummy Information #2<br>
</html>
  183:d=3  hl=4 l=3201 cons: cont [ 0 ]        
  187:d=4  hl=4 l=1488 cons: SEQUENCE          
  191:d=5  hl=4 l= 952 cons: SEQUENCE          
  195:d=6  hl=2 l=   3 cons: cont [ 0 ]        
  197:d=7  hl=2 l=   1 prim: INTEGER           :02
  200:d=6  hl=2 l=  16 prim: INTEGER           :2931ADDC08407664F6FF6690A2514146
  218:d=6  hl=2 l=  13 cons: SEQUENCE          
  220:d=7  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  231:d=7  hl=2 l=   0 prim: NULL              
  233:d=6  hl=3 l= 149 cons: SEQUENCE          
  236:d=7  hl=2 l=  11 cons: SET               
  238:d=8  hl=2 l=   9 cons: SEQUENCE          
  240:d=9  hl=2 l=   3 prim: OBJECT            :countryName
  245:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :LU
  249:d=7  hl=2 l=  27 cons: SET               
  251:d=8  hl=2 l=  25 cons: SEQUENCE          
  253:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
  258:d=9  hl=2 l=  18 prim: UTF8STRING        :RCDevs Security SA
  278:d=7  hl=2 l=  38 cons: SET               
  280:d=8  hl=2 l=  36 cons: SEQUENCE          
  282:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  287:d=9  hl=2 l=  29 prim: UTF8STRING        :Certificate Autority Services
  318:d=7  hl=2 l=  35 cons: SET               
  320:d=8  hl=2 l=  33 cons: SEQUENCE          
  322:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  327:d=9  hl=2 l=  26 prim: UTF8STRING        :Enterprise Intermediate CA
  355:d=7  hl=2 l=  28 cons: SET               
  357:d=8  hl=2 l=  26 cons: SEQUENCE          
  359:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
  370:d=9  hl=2 l=  13 prim: IA5STRING         :ca@rcdevs.com
  385:d=6  hl=2 l=  30 cons: SEQUENCE          
  387:d=7  hl=2 l=  13 prim: UTCTIME           :220602105208Z
  402:d=7  hl=2 l=  13 prim: UTCTIME           :220702105208Z
  417:d=6  hl=3 l= 139 cons: SEQUENCE          
  420:d=7  hl=2 l=  23 cons: SET               
  422:d=8  hl=2 l=  21 cons: SEQUENCE          
  424:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
  429:d=9  hl=2 l=  14 prim: UTF8STRING        :RCDevs Support
  445:d=7  hl=2 l=  14 cons: SET               
  447:d=8  hl=2 l=  12 cons: SEQUENCE          
  449:d=9  hl=2 l=   3 prim: OBJECT            :givenName
  454:d=9  hl=2 l=   5 prim: UTF8STRING        :yoann
  461:d=7  hl=2 l=  20 cons: SET               
  463:d=8  hl=2 l=  18 cons: SEQUENCE          
  465:d=9  hl=2 l=   3 prim: OBJECT            :commonName
  470:d=9  hl=2 l=  11 prim: UTF8STRING        :yoann traut
  483:d=7  hl=2 l=  14 cons: SET               
  485:d=8  hl=2 l=  12 cons: SEQUENCE          
  487:d=9  hl=2 l=   3 prim: OBJECT            :surname
  492:d=9  hl=2 l=   5 prim: UTF8STRING        :traut
  499:d=7  hl=2 l=  33 cons: SET               
  501:d=8  hl=2 l=  31 cons: SEQUENCE          
  503:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
  514:d=9  hl=2 l=  18 prim: UTF8STRING        :support@rcdevs.com
  534:d=7  hl=2 l=  23 cons: SET               
  536:d=8  hl=2 l=  21 cons: SEQUENCE          
  538:d=9  hl=2 l=   3 prim: OBJECT            :2.5.4.97
  543:d=9  hl=2 l=  14 prim: UTF8STRING        :VATLU-00000000
  559:d=6  hl=4 l= 290 cons: SEQUENCE          
  563:d=7  hl=2 l=  13 cons: SEQUENCE          
  565:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  576:d=8  hl=2 l=   0 prim: NULL              
  578:d=7  hl=4 l= 271 prim: BIT STRING        
  853:d=6  hl=4 l= 290 cons: cont [ 3 ]        
  857:d=7  hl=4 l= 286 cons: SEQUENCE          
  861:d=8  hl=3 l= 169 cons: SEQUENCE          
  864:d=9  hl=2 l=   8 prim: OBJECT            :Authority Information Access
  874:d=9  hl=2 l=   1 prim: BOOLEAN           :255
  877:d=9  hl=3 l= 153 prim: OCTET STRING      [HEX DUMP]:308196306B06082B06010505073002865F687474703A2F2F636C6F75642E7263646576732E636F6D2F6361636572742F37643033613564343630373433646365373034306433303962633466356436373234623434656363643565353063636433383861626263633431353735666635302706082B06010505073001861B687474703A2F2F636C6F75642E7263646576732E636F6D2F63726C
 1033:d=8  hl=2 l= 112 cons: SEQUENCE          
 1035:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 CRL Distribution Points
 1040:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 1043:d=9  hl=2 l= 102 prim: OCTET STRING      [HEX DUMP]:30643062A060A05E865C687474703A2F2F636C6F75642E7263646576732E636F6D2F63726C2F37643033613564343630373433646365373034306433303962633466356436373234623434656363643565353063636433383861626263633431353735666635
 1147:d=5  hl=2 l=  13 cons: SEQUENCE          
 1149:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 1160:d=6  hl=2 l=   0 prim: NULL              
 1162:d=5  hl=4 l= 513 prim: BIT STRING        
 1679:d=4  hl=4 l=1705 cons: SEQUENCE          
 1683:d=5  hl=4 l=1169 cons: SEQUENCE          
 1687:d=6  hl=2 l=   3 cons: cont [ 0 ]        
 1689:d=7  hl=2 l=   1 prim: INTEGER           :02
 1692:d=6  hl=2 l=  16 prim: INTEGER           :481F9E54FC957C9031F993E36F41B20F
 1710:d=6  hl=2 l=  13 cons: SEQUENCE          
 1712:d=7  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 1723:d=7  hl=2 l=   0 prim: NULL              
 1725:d=6  hl=3 l= 137 cons: SEQUENCE          
 1728:d=7  hl=2 l=  11 cons: SET               
 1730:d=8  hl=2 l=   9 cons: SEQUENCE          
 1732:d=9  hl=2 l=   3 prim: OBJECT            :countryName
 1737:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :LU
 1741:d=7  hl=2 l=  27 cons: SET               
 1743:d=8  hl=2 l=  25 cons: SEQUENCE          
 1745:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 1750:d=9  hl=2 l=  18 prim: PRINTABLESTRING   :RCDevs Security SA
 1770:d=7  hl=2 l=  38 cons: SET               
 1772:d=8  hl=2 l=  36 cons: SEQUENCE          
 1774:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 1779:d=9  hl=2 l=  29 prim: PRINTABLESTRING   :Certificate Autority Services
 1810:d=7  hl=2 l=  23 cons: SET               
 1812:d=8  hl=2 l=  21 cons: SEQUENCE          
 1814:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1819:d=9  hl=2 l=  14 prim: PRINTABLESTRING   :RCDevs Root CA
 1835:d=7  hl=2 l=  28 cons: SET               
 1837:d=8  hl=2 l=  26 cons: SEQUENCE          
 1839:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
 1850:d=9  hl=2 l=  13 prim: IA5STRING         :ca@rcdevs.com
 1865:d=6  hl=2 l=  30 cons: SEQUENCE          
 1867:d=7  hl=2 l=  13 prim: UTCTIME           :220316153029Z
 1882:d=7  hl=2 l=  13 prim: UTCTIME           :320313153029Z
 1897:d=6  hl=3 l= 149 cons: SEQUENCE          
 1900:d=7  hl=2 l=  11 cons: SET               
 1902:d=8  hl=2 l=   9 cons: SEQUENCE          
 1904:d=9  hl=2 l=   3 prim: OBJECT            :countryName
 1909:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :LU
 1913:d=7  hl=2 l=  27 cons: SET               
 1915:d=8  hl=2 l=  25 cons: SEQUENCE          
 1917:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 1922:d=9  hl=2 l=  18 prim: UTF8STRING        :RCDevs Security SA
 1942:d=7  hl=2 l=  38 cons: SET               
 1944:d=8  hl=2 l=  36 cons: SEQUENCE          
 1946:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 1951:d=9  hl=2 l=  29 prim: UTF8STRING        :Certificate Autority Services
 1982:d=7  hl=2 l=  35 cons: SET               
 1984:d=8  hl=2 l=  33 cons: SEQUENCE          
 1986:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1991:d=9  hl=2 l=  26 prim: UTF8STRING        :Enterprise Intermediate CA
 2019:d=7  hl=2 l=  28 cons: SET               
 2021:d=8  hl=2 l=  26 cons: SEQUENCE          
 2023:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
 2034:d=9  hl=2 l=  13 prim: IA5STRING         :ca@rcdevs.com
 2049:d=6  hl=4 l= 546 cons: SEQUENCE          
 2053:d=7  hl=2 l=  13 cons: SEQUENCE          
 2055:d=8  hl=2 l=   9 prim: OBJECT            :rsaEncryption
 2066:d=8  hl=2 l=   0 prim: NULL              
 2068:d=7  hl=4 l= 527 prim: BIT STRING        
 2599:d=6  hl=3 l= 254 cons: cont [ 3 ]        
 2602:d=7  hl=3 l= 251 cons: SEQUENCE          
 2605:d=8  hl=2 l=  12 cons: SEQUENCE          
 2607:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 2612:d=9  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 2619:d=8  hl=2 l=  29 cons: SEQUENCE          
 2621:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 2626:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:04146A850593B549D28E6D5A6C984B6C0FCF8D572963
 2650:d=8  hl=3 l= 190 cons: SEQUENCE          
 2653:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 2658:d=9  hl=3 l= 182 prim: OCTET STRING      [HEX DUMP]:3081B380142AD61E5A3EA439A9660A485280D44948E70F453FA1818FA4818C308189310B3009060355040613024C55311B3019060355040A131252434465767320536563757269747920534131263024060355040B131D4365727469666963617465204175746F72697479205365727669636573311730150603550403130E52434465767320526F6F74204341311C301A06092A864886F70D010901160D6361407263646576732E636F6D820900A13A312587444085
 2843:d=8  hl=2 l=  11 cons: SEQUENCE          
 2845:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 2850:d=9  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
 2856:d=5  hl=2 l=  13 cons: SEQUENCE          
 2858:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 2869:d=6  hl=2 l=   0 prim: NULL              
 2871:d=5  hl=4 l= 513 prim: BIT STRING        
 3388:d=3  hl=2 l=   0 cons: cont [ 1 ]        
 3390:d=3  hl=4 l=6986 cons: SET               
 3394:d=4  hl=4 l=6982 cons: SEQUENCE          
 3398:d=5  hl=2 l=   1 prim: INTEGER           :01
 3401:d=5  hl=3 l= 170 cons: SEQUENCE          
 3404:d=6  hl=3 l= 149 cons: SEQUENCE          
 3407:d=7  hl=2 l=  11 cons: SET               
 3409:d=8  hl=2 l=   9 cons: SEQUENCE          
 3411:d=9  hl=2 l=   3 prim: OBJECT            :countryName
 3416:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :LU
 3420:d=7  hl=2 l=  27 cons: SET               
 3422:d=8  hl=2 l=  25 cons: SEQUENCE          
 3424:d=9  hl=2 l=   3 prim: OBJECT            :organizationName
 3429:d=9  hl=2 l=  18 prim: UTF8STRING        :RCDevs Security SA
 3449:d=7  hl=2 l=  38 cons: SET               
 3451:d=8  hl=2 l=  36 cons: SEQUENCE          
 3453:d=9  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
 3458:d=9  hl=2 l=  29 prim: UTF8STRING        :Certificate Autority Services
 3489:d=7  hl=2 l=  35 cons: SET               
 3491:d=8  hl=2 l=  33 cons: SEQUENCE          
 3493:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 3498:d=9  hl=2 l=  26 prim: UTF8STRING        :Enterprise Intermediate CA
 3526:d=7  hl=2 l=  28 cons: SET               
 3528:d=8  hl=2 l=  26 cons: SEQUENCE          
 3530:d=9  hl=2 l=   9 prim: OBJECT            :emailAddress
 3541:d=9  hl=2 l=  13 prim: IA5STRING         :ca@rcdevs.com
 3556:d=6  hl=2 l=  16 prim: INTEGER           :2931ADDC08407664F6FF6690A2514146
 3574:d=5  hl=2 l=  13 cons: SEQUENCE          
 3576:d=6  hl=2 l=   9 prim: OBJECT            :sha256
 3587:d=6  hl=2 l=   0 prim: NULL              
 3589:d=5  hl=3 l= 160 cons: cont [ 0 ]        
 3592:d=6  hl=2 l=  24 cons: SEQUENCE          
 3594:d=7  hl=2 l=   9 prim: OBJECT            :contentType
 3605:d=7  hl=2 l=  11 cons: SET               
 3607:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 3618:d=6  hl=2 l=  47 cons: SEQUENCE          
 3620:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 3631:d=7  hl=2 l=  34 cons: SET               
 3633:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:AB66B49FBBC6F1A3B69A52E4018D530264E6C906C49F8059D28A79D1245E325D
 3667:d=6  hl=2 l=  55 cons: SEQUENCE          
 3669:d=7  hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.2.47
 3682:d=7  hl=2 l=  40 cons: SET               
 3684:d=8  hl=2 l=  38 cons: SEQUENCE          
 3686:d=9  hl=2 l=  36 cons: SEQUENCE          
 3688:d=10 hl=2 l=  34 cons: SEQUENCE          
 3690:d=11 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:A2F1F421DED9D9786E1113345D8DA5272D8B247C6F87AB5568D3D88F5ACC9B14
 3724:d=6  hl=2 l=  26 cons: SEQUENCE          
 3726:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 3737:d=7  hl=2 l=  13 cons: SET               
 3739:d=8  hl=2 l=  11 prim: UTCTIME           :2206031328Z
 3752:d=5  hl=2 l=  13 cons: SEQUENCE          
 3754:d=6  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
 3765:d=6  hl=2 l=   0 prim: NULL              
 3767:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:2871DB1220E0A0E20D34D36560DA574D046723CFACE8613C276BA0157319508F7A9A01D4774370959BA939F20677C8098598DAA247F2B3C64417D572E082A94D784428FEEB17B045D3F204EF8BD8DAD9B994B495DB46A00565C0162A1F13A0B51BF98FBBA415F63A4887FB878653F08D0B02F837FE0FB5D1F43699ADA4C71E150512316B095A49A1395147AF862B8CCB1798587C6FE2F199DDFAE97F7616C544920AA36125CAFB33FB889A32AF0C607AFA0D34120E6900C0FA3FDAC9DC60042FA7E41E780235D328288601FAA6F3983DB45014C32F821FA56A286F7D3264A124D37DFE9B8F3329A477AFBCD82E826C61400CC2531B2D1F0496C099F0730E3232
 4027:d=5  hl=4 l=6349 cons: cont [ 1 ]        
 4031:d=6  hl=4 l=3103 cons: SEQUENCE          
 4035:d=7  hl=2 l=  11 prim: OBJECT            :id-smime-aa-timeStampToken
 4048:d=7  hl=4 l=3086 cons: SET               
 4052:d=8  hl=4 l=3082 cons: SEQUENCE          
 4056:d=9  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
 4067:d=9  hl=4 l=3067 cons: cont [ 0 ]        
 4071:d=10 hl=4 l=3063 cons: SEQUENCE          
 4075:d=11 hl=2 l=   1 prim: INTEGER           :03
 4078:d=11 hl=2 l=  13 cons: SET               
 4080:d=12 hl=2 l=  11 cons: SEQUENCE          
 4082:d=13 hl=2 l=   9 prim: OBJECT            :sha256
 4093:d=11 hl=4 l= 282 cons: SEQUENCE          
 4097:d=12 hl=2 l=  11 prim: OBJECT            :id-smime-ct-TSTInfo
 4110:d=12 hl=4 l= 265 cons: cont [ 0 ]        
 4114:d=13 hl=4 l= 261 prim: OCTET STRING      [HEX DUMP]:30820101020101060B2A84680186F6770204010E3031300D060960864801650304020105000420904D90BCBC6F70A0602F5607D013949E711D4338558F99090E7702267BFC4058020711C379A7041AAC180F32303232303630333133323833325A3003020101021100AA22F00AEAA7F79AE44959C773882C3EA06AA4683066310B300906035504061302504C3121301F060355040A0C1841737365636F20446174612053797374656D7320532E412E3119301706035504030C1043657274756D205154535420323031373119301706035504610C10564154504C2D35313730333539343538A11E301C06082B06010505070103010100040D300B30090607040081975E0101
 4379:d=11 hl=4 l=1700 cons: cont [ 0 ]        
 4383:d=12 hl=4 l=1696 cons: SEQUENCE          
 4387:d=13 hl=4 l=1160 cons: SEQUENCE          
 4391:d=14 hl=2 l=   3 cons: cont [ 0 ]        
 4393:d=15 hl=2 l=   1 prim: INTEGER           :02
 4396:d=14 hl=2 l=  20 prim: INTEGER           :1193735F17C17E144D3F928F619BBFD5027DB1E9
 4418:d=14 hl=2 l=  13 cons: SEQUENCE          
 4420:d=15 hl=2 l=   9 prim: OBJECT            :sha512WithRSAEncryption
 4431:d=15 hl=2 l=   0 prim: NULL              
 4433:d=14 hl=2 l= 111 cons: SEQUENCE          
 4435:d=15 hl=2 l=  11 cons: SET               
 4437:d=16 hl=2 l=   9 cons: SEQUENCE          
 4439:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 4444:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 4448:d=15 hl=2 l=  29 cons: SET               
 4450:d=16 hl=2 l=  27 cons: SEQUENCE          
 4452:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 4457:d=17 hl=2 l=  20 prim: UTF8STRING        :Narodowy Bank Polski
 4479:d=15 hl=2 l=  38 cons: SET               
 4481:d=16 hl=2 l=  36 cons: SEQUENCE          
 4483:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 4488:d=17 hl=2 l=  29 prim: UTF8STRING        :Narodowe Centrum Certyfikacji
 4519:d=15 hl=2 l=  25 cons: SET               
 4521:d=16 hl=2 l=  23 cons: SEQUENCE          
 4523:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 4528:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5250008198
 4546:d=14 hl=2 l=  30 cons: SEQUENCE          
 4548:d=15 hl=2 l=  13 prim: UTCTIME           :170315102318Z
 4563:d=15 hl=2 l=  13 prim: UTCTIME           :280315235959Z
 4578:d=14 hl=2 l= 102 cons: SEQUENCE          
 4580:d=15 hl=2 l=  11 cons: SET               
 4582:d=16 hl=2 l=   9 cons: SEQUENCE          
 4584:d=17 hl=2 l=   3 prim: OBJECT            :countryName
 4589:d=17 hl=2 l=   2 prim: PRINTABLESTRING   :PL
 4593:d=15 hl=2 l=  33 cons: SET               
 4595:d=16 hl=2 l=  31 cons: SEQUENCE          
 4597:d=17 hl=2 l=   3 prim: OBJECT            :organizationName
 4602:d=17 hl=2 l=  24 prim: UTF8STRING        :Asseco Data Systems S.A.
 4628:d=15 hl=2 l=  25 cons: SET               
 4630:d=16 hl=2 l=  23 cons: SEQUENCE          
 4632:d=17 hl=2 l=   3 prim: OBJECT            :commonName
 4637:d=17 hl=2 l=  16 prim: UTF8STRING        :Certum QTST 2017
 4655:d=15 hl=2 l=  25 cons: SET               
 4657:d=16 hl=2 l=  23 cons: SEQUENCE          
 4659:d=17 hl=2 l=   3 prim: OBJECT            :2.5.4.97
 4664:d=17 hl=2 l=  16 prim: UTF8STRING        :VATPL-5170359458
 4682:d=14 hl=4 l= 546 cons: SEQUENCE          
 4686:d=15 hl=2 l=  13 cons: SEQUENCE          
 4688:d=16 hl=2 l=   9 prim: OBJECT            :rsaEncryption
 4699:d=16 hl=2 l=   0 prim: NULL              
 4701:d=15 hl=4 l= 527 prim: BIT STRING        
 5232:d=14 hl=4 l= 315 cons: cont [ 3 ]        
 5236:d=15 hl=4 l= 311 cons: SEQUENCE          
 5240:d=16 hl=2 l=  22 cons: SEQUENCE          
 5242:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
 5247:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 5250:d=17 hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070308
 5264:d=16 hl=2 l=  12 cons: SEQUENCE          
 5266:d=17 hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 5271:d=17 hl=2 l=   1 prim: BOOLEAN           :255
 5274:d=17 hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
 5278:d=16 hl=3 l= 172 cons: SEQUENCE          

What has been signed (the transaction details) and the information related to the user certificate are contained in the CMS output. For more information regarding CMS, see RFC 5652.

Details of the certificate issued by RCDevs CA on the WebADM backend:



  • Qualified Transaction Signing: This integration can be deployed for corporate signatories only. It allows collaborators to submit transaction requests to anybody in the company. This kind of transaction requires a qualified signature/seal creation device (QSCD), such as electronic ID cards, passports…, from the signatories. Please refer to the European Commission website for more information about QSCDs. The transaction will then be signed by the user's QSCD. The signing and login certificates of the QSCD can be stored on the LDAP user account for login purposes in other integrations.

4.2 Electronic Signature

  • Standard Signature: This integration can be deployed for corporate signatories. The user must have registered a Token on his LDAP account and his mobile beforehand. A manual signature and paraphs can optionally be requested; in that case the user is prompted to draw his signature and paraphs on his mobile after reviewing the document. This metadata is added to the final document by RCDevs microservices. This signature method can be used to meet the Simple Electronic Signature level of the European Commission regulation (it is even much more secure than what the European Commission qualifies as “Simple Signature”).

Below is a document signed in Standard mode.

Here, you can see that the paraphs have been added at the bottom of the first page. At the top, you can find the watermark, which includes the VAT number of the company.

At the end of the document, you can find the signatory information, the date, the location of the user at the time of signature and the manual signature drawn on the mobile.

RCDevs provides the seal functionality in Signature processes in order to prevent document alteration after signature.



  • Advanced signature: This integration can be deployed for corporate and external signatories. Corporate signatories (users who are part of the LDAP backends connected to your OpenOTP suite) can use WebADM or corporate user certificates (WebADM can be configured as a standalone CA or as a subordinate CA of your existing enterprise CA). External users use a certificate issued by the RCDevs root CA through the YumiSign platform. Signatures involving users who are not part of your LDAP servers always require YumiSign as a bridge between your integrations and the signatories. Technically, this level of signature is equivalent to Qualified signature in terms of cryptographic operations. The difference is that Advanced Signature does not use a Qualified Signature/Seal Creation Device; it uses a company user certificate or a certificate issued by the RCDevs root CA. If the user does not have a signing certificate issued by the WebADM PKI or the RCDevs root CA registered on his mobile, then on the first Advanced Signature request sent to that user he is prompted on his mobile to create a new certificate (user-friendly CSR prompt). The CSR and the key are generated on the mobile based on information provided by the WebADM PKI service (Rsignd). Once generated, the CSR is sent to your WebADM PKI service (Rsignd) and signed by the WebADM CA or by the RCDevs Root CA, according to the chosen scope. The certificate is then sent back to the mobile and registered in the SQL database of WebADM. The certificate is stored on the mobile. The document is then signed with the freshly generated key, which never leaves the mobile, and sent back to the OpenOTP/YumiSign backend once the signature is completed. Certificates issued by WebADM for signing purposes are valid for 1 month. After 1 month, the certificate expires and needs to be renewed; this is done automatically. Certificates issued on mobiles can be revoked at any time through WebADM Admin GUI > Databases > Client, Server and Mobile Certificates.

Below is a document signed with a corporate-issued certificate (SignScope = Local):





Below is the certificate issued for that user in the Client, Server and Mobile Certificates database:



Below is a document signed with a certificate issued by RCDevs Root CA (SignScope = Global):







  • Qualified Signatures: This integration can be deployed for corporate and external signatories. It allows collaborators to submit signature requests for any document to anybody in the company, or to involve external signatories through the YumiSign platform. It requires a qualified signature/seal creation device (QSCD), such as electronic ID cards, passports…, from the signatories. Please refer to the European Commission website for more information about QSCDs. The certificate used for the signature can optionally be registered on the user account for login purposes in other integrations. Below is an example of a Qualified signed document.

Other options provided by RCDevs using RCDevs cloud services are:

  • Timestamping: RCDevs provides timestamping functionality. In every signature workflow that includes a document and involves RCDevs microservices, a timestamp is applied to the document that is signed and prepared by RCDevs microservices. Documents are timestamped with a Certum QTST 2017 certificate, which can be viewed in Adobe Reader. Trusted timestamping is the process of securely keeping track of the creation and modification time of a document. The owner of the document should not be able to change it once it has been recorded.



  • Seal: RCDevs provides electronic sealing functionality. A seal is a stamp linked to a legal person, such as a firm. It guarantees the identity of the issuer and the integrity of the document. Sealing by RCDevs is performed with a Seal certificate issued by the RCDevs Certificate Authority. You need to trust the RCDevs CA certificate in order to see the seal without any trust issue in Adobe Reader (green status). If you do not trust it, the seal appears in orange in Adobe Reader.



5. Issued Identities Trusts and Know Your Customer (KYC)

There are different levels of trust depending on the kind of signature you are going to implement or use, because different third parties can be involved. As you have probably understood, digital certificates can be issued by your organization CA (WebADM CA/SignScope=local), by RCDevs Root CA (SignScope=Global) and by public CAs issuing QSCD identities.

5.1 Simple signature Trust

For mobile, no user certificate is involved in the signature process. When a document is attached to the request, the signatory is asked for a handwritten signature and, optionally, paraphs (when the document contains multiple pages) when the signature request is prompted on their mobile. The paraphs and handwritten signature are then added to the document (if any) by RCDevs microservices. Once the handwritten signature and paraphs have been added, a seal is applied by RCDevs with a Seal certificate issued by RCDevs CA. In that scenario, RCDevs CA needs to be trusted.

Then, a timestamp is applied by RCDevs microservices with a Certum timestamping certificate.

5.2 Advanced signature Trust

If the SignScope is Global, then identities are issued by RCDevs Root CA. From RCDevs' point of view, an issued certificate is always linked to a company. Company information, such as the VAT number, is always attached to every certificate issued for users of that company in order to identify the user and the company. The KYC of the company is therefore done by RCDevs each time a new customer chooses RCDevs solutions. A dedicated page will be available soon to explain how new customers are onboarded by RCDevs, describing the company identity validation process carried out by RCDevs.

5.3 Qualified signature Trust

If the SignScope is eidas, then you have to trust the public CAs that issue QSCD identities. It is the highest level of trust, and this method must be used for any legal document. The KYC here is achieved by public CAs, governments and QSCD issuers.

6. Signatures and Transactions Requests Delivery methods

With RCDevs solutions, the end user's mobile is the key element in achieving an electronic signature or transaction. We moved this feature to mobiles because phones go with your users wherever they are. That way, they can sign any document at any time from anywhere with their mobile and the OpenOTP Token application, without logging in to a third-party system to review and sign a document. The user's mobile must be linked beforehand to the user account through a Token enrollment. This is the RCDevs philosophy applied to the electronic signature world. Request delivery is therefore linked to an OATH Token registered on the user account and mobile.

RCDevs provides 2 different ways to deliver a signature/transaction request that needs to be signed or approved:

  • By a push notification: With this method, the user is instantly notified that a transaction or signature request is pending by receiving a push notification on his mobile. Once the request has arrived on the mobile, the user can press the notification, and the signature workflow starts from the end user/signatory perspective. Documents attached to a signature request do not transit in the push notification. The push request received is a signature ticket that refers to a transaction on the OpenOTP backend. The OpenOTP Token application then contacts the Mobile Endpoint URL of your WebADM/OpenOTP infrastructure and fetches the document.

  • By scanning a QRCode: With this method, the signing request/transaction is fetched by scanning a transaction QRCode with OpenOTP Token. Only the user for whom the signature transaction QRCode has been generated can scan the QRCode with his mobile and fetch the signature request from the server. All exchanges between the OpenOTP backend and the OpenOTP Token applications are signed in both directions. If a signature does not match on either side, the transaction cannot be decrypted or processed.

Both methods are very secure and rely on OTP validation and asymmetric encryption/decryption in the background to process any request. On top of that, each exchange between the OpenOTP backends and the mobiles is signed. If any condition is not met, the request cannot be processed or completed.

In both scenarios, when a document is attached, the document is downloaded to the mobile from your OpenOTP backend. Documents never transit through the push notification.

These 2 delivery methods can be synchronous or asynchronous.

The difference between the two modes is that, in synchronous mode, the third-party system that triggered the signature request actively waits for the response of the signatory. In asynchronous mode, the third-party system (the initiator of the signature request) regularly polls the status of pending transactions on the backend. Once the transaction is done on the backend, the third-party system is notified and the workflow can continue from the third-party system's perspective.

In synchronous mode, the third-party system that initiated the signature request actively waits for the end of the transaction it initiated. The maximum timeout of synchronous requests is 5 minutes. This mode is more relevant for short-delay transactions such as a payment, a secure approval to access a resource, or the immediate signature of a document that has already been reviewed. Once the 5-minute timeout is exceeded, the transaction is cancelled on the backend and the initiator of the signature request is notified. If you choose this method, please configure the timeout of third-party integrations accordingly.

The asynchronous mode is the preferred one for document signing and long-running transactions. The third-party system that initiated the signature/transaction request does not actively wait for the response. Instead, a record is maintained and the third-party system regularly polls the OpenOTP signature system to be notified when a transaction has been completed by the user. When the third-party system is notified that a transaction/signature process is done, it asks the signature system to return the data related to that transaction/signature (the signed document/transaction). The maximum timeout of asynchronous requests is up to 30 days. Once the timeout is exceeded, the transaction is cancelled and the initiator of the signature request is notified.

Signature/Transaction requests are stored in the Redis database of WebADM.

If you clear the WebADM Session Data from WebADM GUI > Admin tab, all pending transaction/signature requests will be destroyed on the backend and will not be recoverable!!

7. API Methods

7.1 API Settings description

Below are descriptions of the parameters of the different methods and their possible values:

7.1.3 Requests parameters

  • username: To which user you want to send the signature request. Can be a username, UPN, email address according to your WebADM configuration.
  • domain: WebADM domain name where the user/signatory must be searched.
  • recipient: email address of an external user where YumiSign platform will be involved.
  • data: Can contain a description of the coming operation prompted to the user on the mobile:
  • file: base64-encoded content of the file to be signed.
  • mode: auto, CaDES, PaDES or XaDES (beta).
  • async: true or false -> asynchronous or synchronous request.
  • settings: e.g. CaDESMode=embedded or CaDESMode=detached.
  • issuer: Who issued the signature request.
  • client: Who triggered the signature request.
  • source: User IP, which can be retrieved and passed to the API.
  • setting: Can be used to pilot the API calls on the fly to change various settings. E.g.: CaDESMode=embedded
  • Virtual: Allows overriding a user attribute value with another. E.g.: mail=user_other_mail@mail.com.
  • qrFormat: Format of the QRCode containing the request. Can be PNG or JPEG.
  • QrSizing: Define the size of the generated QRcode. Default value is 5.
  • QrMarging: Define the size of the QRcode margin. Default value is 3.
  • addCert: 1, 2 or 3.

    1=Register the signing certificate only. When a signing certificate is used or generated through the OpenOTP Token application, it is registered on the LDAP user account in the userCertificate attribute. That certificate is flagged by the OpenOTP backend as the signing certificate in WebADM User Data and is afterwards required for subsequent signature requests. (Applicable to Advanced and Qualified Signature.)

    2=Register the login certificate. This is useful for PKI logins. For example, you can register the authentication certificate of an electronic ID card to use it for login purposes in other integrations.

    3=Register the signing and login certificates. Many signature devices, like electronic ID cards, come with 2 certificates: one for signature purposes and the other for authentication.

For signature or PKI authentication to work with the OpenOTP suite, the user certificate must be set on the user account in your LDAP backend and must be valid. We provide an easy way to achieve certificate enrollment by API piloting. By default, 1 is requested. Also note that the Certificate Authorities that issued the user signing certificate must be trusted by OpenOTP. To check or add a CA trust, log in to your WebADM Admin portal and click Admin tab > Trusted CA Certificates. Import the CA certificate(s) you need for signing, or trust the public eIDAS list fetched from RCDevs cloud services on your OpenOTP backend. That way, you limit the perimeter of certificates/countries allowed for signature purposes.


  • timeout: Defines the timeout of the confirm/signature requests. For async=true, the maximum value is 5 min. For async=false, the maximum value is 1 month.
  • scan: Triggers the user's camera to take a picture of him before he confirms/signs the request/document.
  • form: Attaches an HTML form that must be completed by the user before he can continue the confirm/signature workflow. The form responses are returned in the response.

7.1.2 Responses parameters

  • session: ID of a session started on the backend.
  • sendPush: True or False. Send a push or not.
  • code: Status code returned for a request. 0=error, 1=success, 2=session started and pending.
  • error: Details of the error, if any.
  • message: Details of the code returned.
  • comment: If the request is refused by the user, a reject message can be requested from the end user, and the response is returned in this parameter.
  • file: Returns the signed file in base64 binary.
  • jsonData: Return the jsonData of pending transactions.
  • cert: Return the certificate which has been used for signature purposes.
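
The asynchronous workflow from section 6, driven by the response fields listed above (session, code, error, message, comment, file, cert), as an added Python example that is not RCDevs code. The start and poll callables are hypothetical wrappers around your own SOAP client (the page does not name them), replies are assumed to arrive as dictionaries keyed by the response parameter names, and the replies in the demo are constructed.

```python
import base64
import binascii
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Union

# Status codes from the response parameter list: 0=error, 1=success, 2=pending.
CODE_SUCCESS, CODE_PENDING = 1, 2


class SignatureError(Exception):
    """The backend reported a failure or sent a reply that cannot be trusted."""


@dataclass
class SignatureResult:
    session: Optional[str]
    signed_file: Optional[bytes]   # decoded "file" field; None for approvals without a document
    cert: Optional[str]            # "cert" field, passed through untouched


def interpret(reply: dict, expected_session: Optional[str] = None,
              expect_file: bool = True) -> Tuple[str, Union[str, SignatureResult]]:
    """Classify one reply as ("pending", session_id) or ("done", SignatureResult)."""
    try:
        code = int(reply.get("code"))
    except (TypeError, ValueError):
        raise SignatureError("reply carries no usable status code") from None
    session = reply.get("session")
    # A reply that names another session must never complete this workflow.
    if expected_session is not None and session not in (None, expected_session):
        raise SignatureError("reply refers to a different session")
    if code == CODE_PENDING:
        if not (session or expected_session):
            raise SignatureError("pending reply without a session ID")
        return "pending", session or expected_session
    if code != CODE_SUCCESS:
        # Code 0 or anything unknown: surface error, message and the user's comment.
        parts = [str(reply[k]) for k in ("error", "message", "comment") if reply.get(k)]
        raise SignatureError("request failed: " + "; ".join(parts or ["no details"]))
    signed = None
    if reply.get("file"):
        try:
            # validate=True rejects characters outside the base64 alphabet.
            signed = base64.b64decode(reply["file"], validate=True)
        except (binascii.Error, ValueError):
            raise SignatureError("file field is not valid base64") from None
    elif expect_file:
        raise SignatureError("success reply without a signed file")
    return "done", SignatureResult(session or expected_session, signed, reply.get("cert"))


def wait_for_signature(start: Callable[[], dict], poll: Callable[[str], dict],
                       deadline_s: float, interval_s: float = 5.0,
                       expect_file: bool = True,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> SignatureResult:
    """Send the request once, then poll the session until it is done or deadline_s elapses."""
    state, value = interpret(start(), expect_file=expect_file)
    if state == "done":
        return value
    session = value
    give_up_at = clock() + deadline_s
    while clock() < give_up_at:
        sleep(interval_s)
        state, value = interpret(poll(session), expected_session=session,
                                 expect_file=expect_file)
        if state == "done":
            return value
    raise SignatureError(f"session {session} still pending after {deadline_s} seconds")


if __name__ == "__main__":
    # Constructed replies standing in for the backend: one pending, then success.
    queued = iter([
        {"code": 2, "session": "demo-session"},
        {"code": 1, "session": "demo-session",
         "file": base64.b64encode(b"signed document bytes").decode(), "cert": "demo-cert"},
    ])
    result = wait_for_signature(lambda: {"code": 2, "session": "demo-session"},
                                lambda s: next(queued), deadline_s=30, interval_s=0)
    print(result.session, len(result.signed_file), result.cert)
```

Pass expect_file=False for transaction approvals that carry no document, so a success reply without a file is not treated as a failure.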

7.2 Standard Signature/Transactions approval (PSD2)

Transactional confirmation (PSD2) and mobile signature use the same OpenOTP API methods. The difference between them is whether a document is attached to the request. If a document is attached, you enter the mobile signature scenario. If no document is attached, you enter the Transactions approval (PSD2) scenario. The different API methods and an example are found below.

7.2.1 Mobile signature methods

The mobile signature API methods are called CONFIRM. The related API methods are the following.

Build a mobile signature request with the 2 following methods:

  • openotpNormalConfirmRequest (Internal user signatory) :
<message name="openotpNormalConfirmRequest">
    <part name="username" type="xsd:string"/>
    <part name="domain" type="xsd:string"/>
    <part name="data" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="form" type="xsd:base64Binary"/>
    <part name="scan" type="xsd:boolean"/>
    <part name="async" type="xsd:boolean"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="issuer" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
    <part name="virtual" type="xsd:string"/>
</message>
  • openotpExternConfirmRequest (External user signatory). This request requires YumiSign platform. Communications between OpenOTP and YumiSign require a YumiSign API key that must be configured under OpenOTP configuration.
<message name="openotpExternConfirmRequest">
    <part name="recipient" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="scan" type="xsd:boolean"/>
    <part name="async" type="xsd:boolean"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="issuer" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
</message>

Method used for the response to the 2 previous methods:

  • openotpConfirmResponse (response to the previous request; that kind of request is made by the mobile to OpenOTP):
<message name="openotpConfirmResponse">
    <part name="code" type="xsd:integer"/>
    <part name="error" type="xsd:string"/>
    <part name="message" type="xsd:string"/>
    <part name="session" type="xsd:string"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="comment" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="form" type="xsd:base64Binary"/>
</message>
  • openotpCheckConfirmRequest

In order to check the status of a confirmation request, a Check method is available. You can check the status of any transaction by providing the session ID that was returned in the API response for that transaction.

<message name="openotpCheckConfirmRequest">
    <part name="session" type="xsd:string"/>
</message>
  • openotpOfflineConfirmRequest

This method generates a QRCode for an associated transaction and is only available for corporate usage. It is not available for external signatories because for the external signatory, the signature workflow will be initiated on YumiSign and the signatory will have the choice to receive the transaction/signature request by Push notification or by QRCode through YumiSign.

<message name="openotpConfirmQRCodeRequest">
    <part name="username" type="xsd:string"/>
    <part name="domain" type="xsd:string"/>
    <part name="data" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="form" type="xsd:base64Binary"/>
    <part name="scan" type="xsd:boolean"/>
    <part name="async" type="xsd:boolean"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="issuer" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
    <part name="qrFormat" type="xsd:string"/>
    <part name="qrSizing" type="xsd:integer"/>
    <part name="qrMargin" type="xsd:integer"/>
    <part name="virtual" type="xsd:string"/>
</message>
  • openotpConfirmQRCodeResponse

Returns information related to the previous request. The response is the following:

<message name="openotpConfirmQRCodeResponse">
   <part name="code" type="xsd:integer"/>
   <part name="error" type="xsd:string"/>
   <part name="message" type="xsd:string"/>
   <part name="session" type="xsd:string"/>
   <part name="timeout" type="xsd:integer"/>
   <part name="qrImage" type="xsd:base64Binary"/>
</message>
  • openotpTouchConfirmRequest

This method can be used to re-send or convert (Push to QRCode or QRCode to Push) a request, based on the session number:

  • openotpTouchConfirmResponse

This provides the response to the previous request.

7.2.2 Transaction Confirmation/Mobile Signature example

7.2.2.1 Request

OpenOTP will build a transaction request based on information provided to the API.

The hash of this transaction will be calculated. A random nonce is generated per transaction and then added to the previous hash. We then have a “Hash Data” containing hashed Nonce and Data.

The next sections show an example of a transaction and the report generated by the system once the transaction has been completed by the end user.

Transaction request built through OpenOTP signature tester:

7.2.2.2 Request prompted on the mobile

Below are the details and mobile view of the transaction previously built and started:



Request approved by the user:

Response has been successfully submitted to the signature backend.

7.2.2.4 Cryptographic report of the transaction

Once the transaction has been completed successfully, a report of that transaction is generated by OpenOTP signature system. Below, the report details:

Secure Transaction

Started: 2022-02-10 16:51:55
Stopped: 2022-02-10 16:52:04
User DN: CN=John Doe,CN=Users,DC=support,DC=rcdevs,DC=com
User IP: 84.12.76.106
Client ID: RCBank
Client IP: 192.168.4.20

Hash Data: d5ec3a4660de1ebc429ed8f7f4e946e706b76cd3 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 1015170774 (CRC32)
OTP Nonce: 46a4feffcad38af3c972521c4c3d0d61995e7d7a
OTP Result: 4660DE1E (OATH)

Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+

Details of data report:

Date of transaction start:

Started: 2022-02-10 16:51:55

Date of transaction stop:

Stopped: 2022-02-10 16:52:04

Who performed the transaction:

User DN: CN=John Doe,CN=Users,DC=support,DC=rcdevs,DC=com

User IP Address retrieved by a third party system:

User IP: 84.12.76.106

Client system identifier. Allows the WebADM administrator to identify which client system performed the signature request.

Client ID: RCBank

Client system IP which performed the confirmation request.

Client IP: 192.168.4.20

Concatenation of Nonce and data hashes.

Hash Data: d5ec3a4660de1ebc429ed8f7f4e946e706b76cd3 (Nonce + Data)

Token ID and type of OATH token used for that transaction.

OTP Token: Token #1 (TOTP)

OTP algorithm used for that transaction:

OTP Algo: SHA1

OTP key (CRC32) used for the transaction (hash of the real key):

OTP Key: 1015170774 (CRC32)

Nonce generated and used in Hash Data. Mandatory to make any transaction unique. Even if the “same” transaction is replayed on the server, the nonce will change.

OTP Nonce: 46a4feffcad38af3c972521c4c3d0d61995e7d7a

Important to verify the transaction afterward.

OTP Result: 4660DE1E (OATH)

Base64 encoding of the content sent by the API client in the data parameter, as retrieved by OpenOTP.

Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+

7.2.2.5 Report validation

The following PHP algorithm allows you to verify the cryptographic report generated by the signature system. To check a report, you need to provide 3 input data:

  • the base64_decode value: it refers to the Transaction Details.
  • the nonce value: it refers to the OTP Nonce value.
  • the key value: it refers to the user TokenKey value available in the WebADM user’s data on the user account:

If the input data is correct and has not been altered, the algorithm should return the OTP Result available in the transaction details. If it returns the same value, then everything is correct.

<?php

$data = base64_decode("PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+");
$nonce = hex2bin("46a4feffcad38af3c972521c4c3d0d61995e7d7a");
$key = hex2bin("3b552d82189668c37621eb5ae7dd7db28e4a21a6");

echo push_check_otp($nonce.$data, $key);


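// Recompute the OTP Result of a report. $message is the nonce followed by the
// data, $key is the binary token key. Returns 8 hexadecimal digits, or -1 on
// invalid input.
function push_check_otp ($message, $key) {
    if (strlen($message) < 20 || $key == NULL) return -1;

    // the HMAC algorithm is selected from the key length in bytes
    switch (strlen($key)) {
     case 32:
        $algo = 'SHA256';
        break;
     case 64:
        $algo = 'SHA512';
        break;
     default:
        $algo = 'SHA1';
        break;
    }

    // HMAC of the message under the token key (hexadecimal string)
    if (!$hash = hash_hmac($algo, $message, $key)) return -1;

    // convert each hexadecimal byte to its decimal value
    $hmac_result = array();
    foreach (str_split($hash, 2) as $hex) $hmac_result[] = hexdec($hex);

    // find offset: low 4 bits of the last byte of the HMAC
    if ($algo == 'SHA1') $offset = $hmac_result[19] & 0xf;
    elseif ($algo == 'SHA256') $offset = $hmac_result[31] & 0xf;
    elseif ($algo == 'SHA512') $offset = $hmac_result[63] & 0xf;
    else return -1;

    // dynamic truncation from RFC 4226: 31 bits starting at the offset
    $otp = ((($hmac_result[$offset] & 0x7f) << 24) |
            (($hmac_result[$offset+1] & 0xff) << 16) |
            (($hmac_result[$offset+2] & 0xff) << 8) |
            ($hmac_result[$offset+3] & 0xff));

    // format as 8 lowercase hexadecimal digits
    $otp = strval(base_convert($otp, 10, 16));
    $otp = str_pad($otp, 8, '0', STR_PAD_LEFT);
    return $otp;
}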

Result returned:

[root@webadm1 ~]# php confirmation_validator.php 
4660de1e
[root@webadm1 ~]# 

It is a match.
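The same validation can be run directly on a report's text. The following Python is an added example, not RCDevs code: it parses the report fields, recomputes the OTP Result with the key-length rule of the PHP above, compares in constant time, and also checks that the report's Hash Data truncates to its OTP Result (which holds for the sample report on this page; treating it as a general rule is an assumption). The function names and the assumption that the Base64 block ends at the next blank line are the example's own.

```python
import base64
import hmac
import re

# Report fields and TokenKey copied from this page's sample transaction.
PAGE_REPORT = """\
Hash Data: d5ec3a4660de1ebc429ed8f7f4e946e706b76cd3 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 1015170774 (CRC32)
OTP Nonce: 46a4feffcad38af3c972521c4c3d0d61995e7d7a
OTP Result: 4660DE1E (OATH)

Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+
"""
PAGE_TOKEN_KEY = "3b552d82189668c37621eb5ae7dd7db28e4a21a6"

MARKER = "Transaction Details (Base64)"


def parse_report(text):
    """Pull the fields needed for validation out of a report's text."""
    text = text.replace("\r\n", "\n")
    fields = {}
    for name in ("Hash Data", "OTP Algo", "OTP Nonce", "OTP Result"):
        match = re.search(rf"^{re.escape(name)}:\s*(\S+)", text, re.MULTILINE)
        if match is None:
            raise ValueError(f"report has no '{name}' line")
        fields[name] = match.group(1)
    if MARKER not in text:
        raise ValueError("report has no transaction details")
    # Assumption: the Base64 block runs from the marker to the next blank line.
    block = text.split(MARKER, 1)[1].strip().split("\n\n")[0]
    fields["data"] = base64.b64decode("".join(block.split()), validate=True)
    return fields


def truncate(digest):
    """RFC 4226 dynamic truncation, as 8 hex digits like the report."""
    if len(digest) < 20:
        raise ValueError("digest too short for dynamic truncation")
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value:08x}"


def algo_for_key(key):
    """Same rule as the page's PHP: the key length selects the HMAC hash."""
    return {32: "SHA256", 64: "SHA512"}.get(len(key), "SHA1")


def expected_otp(nonce, data, key):
    """OTP Result recomputed from nonce + data under the user's token key."""
    message = nonce + data
    if len(message) < 20 or not key:
        raise ValueError("message shorter than 20 bytes or empty key")
    digest = hmac.new(key, message, algo_for_key(key).lower()).digest()
    return truncate(digest)


def verify_report(text, token_key_hex):
    """Check a report against a token key; every value must be True to pass."""
    fields = parse_report(text)
    key = bytes.fromhex(token_key_hex)
    reported = fields["OTP Result"].lower().encode()
    nonce = bytes.fromhex(fields["OTP Nonce"])
    recomputed = expected_otp(nonce, fields["data"], key)
    from_hash = truncate(bytes.fromhex(fields["Hash Data"]))
    return {
        # Data, nonce and key reproduce the reported OTP Result.
        "matches_key": hmac.compare_digest(recomputed.encode(), reported),
        # Hash Data and OTP Result in the report agree with each other.
        "consistent": hmac.compare_digest(from_hash.encode(), reported),
        # The algorithm implied by the key length is the one the report names.
        "algo_agrees": algo_for_key(key) == fields["OTP Algo"].upper(),
    }


if __name__ == "__main__":
    print(verify_report(PAGE_REPORT, PAGE_TOKEN_KEY))
```

A report passes only when all three values are True; a changed byte in the transaction details or the nonce turns matches_key to False.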

If a document is attached to the request, then the document will be displayed on the user's mobile. The final document can optionally be prepared by RCDevs micro-services in order to add handwritten signature, paraphs, timestamp and document sealing.

7.3 Advanced and Qualified Signatures

Advanced and Qualified signatures use the same API methods, described below. Whether an Advanced or a Qualified signature is requested depends on an OpenOTP SOAP setting named “Signature Validity scope (SignScope)”. That setting can be controlled by the client system sending the signature request to the OpenOTP SOAP API or by client policy, and can have 3 values:

  • Local: Advanced signature with user certificates issued by internal WebADM CA. This should be used for internal signatories.
  • Global: Advanced signature with user certificates issued by RCDevs Root CA. This should be used when external users are involved in a signature workflow with Yumisign.
  • eIDAS: Qualified signature with external eIDAS signing devices (ex. eID Cards).

The SignScope must be passed in the settings parameter of the SOAP request, as in the example below:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:openotp">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:openotpNormalSign>
         <username>John</username>
         <domain>support</domain>
         <data>Payement approval requested for 9999,99€
         Please, sign the following contract with your electronic ID card.
         </data>
         <file>XXXXXXXXXXXXXX</file>
         <mode>cades</mode>
         <async>true</async>
         <timeout>2000000</timeout>
         <issuer>Bank XXXX</issuer>
         <client>RCDevs online store</client>
         <source>x.x.x.x</source>
         <settings>SignScope=eIDAS</settings>
         <virtual></virtual>
         <addCert>1</addCert>
      </urn:openotpNormalSign>
   </soapenv:Body>
</soapenv:Envelope>

This will result in the following logs on the backend:

[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] New openotpNormalSign SOAP request
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Username: john
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Domain: support
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Client ID: RCDevs online store
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Source IP: x.x.x.x

[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Settings: SignScope=eIDAS

[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Data: 127 Bytes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > File: 1130303 Bytes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Add Cert: Yes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Async Mode: Yes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Mode: CADES
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Timeout: 2000000
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Issuer: Bank XXXX
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Enforcing client policy: RCDevs online store (matched client ID)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Registered openotpNormalSign request
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Resolved LDAP user: CN=yoann traut,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com (cached)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Resolved LDAP groups: otp,wifi_users (cached)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Resolved source location: US
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found user language: EN
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 1 user mobiles: +33 658506140
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 1 user emails: john@xxx.com
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 26 user settings: MaxTries=3,BlockNotify=MAIL,ExpireNotify=MAIL,GeoFence=Yes,MobileTimeout=30,EnableConfirm=Yes,ChallengeTimeout=90,SelfRegister=Yes,PasswordReset=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,RejectComment=Yes,FileUpload=Yes,ConfirmOffline=Yes,SignVerify=No,SignScope=Local,CaDESMode=Embedded
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 5 user data: TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 1 registered OTP token (TOTP)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Signature session required
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Sent push notification for token #1 (session e0AwDDtHqGcFLEn9)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Started Push signature session of ID e0AwDDtHqGcFLEn9 valid for 2000000 seconds
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Sent pending session response
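Added example (not RCDevs code): a small audit over backend log lines in the format shown above. It groups lines by request ID and reports where the Settings sent by the client name a value different from the one in the "Found N user settings" line, as SignScope does in the log above. The comma separator for multiple request settings, the function names and the second request (ID TESTREQ1) are assumptions made for the example.

```python
import re

# First request: lines copied from the log on this page (settings line shortened).
# Second request (ID TESTREQ1): constructed for the example.
SAMPLE_LOG = """\
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] New openotpNormalSign SOAP request
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Username: john
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Client ID: RCDevs online store

[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Settings: SignScope=eIDAS

[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Timeout: 2000000
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 26 user settings: MaxTries=3,SignVerify=No,SignScope=Local,CaDESMode=Embedded
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Started Push signature session of ID e0AwDDtHqGcFLEn9 valid for 2000000 seconds
[2022-05-30 18:43:02] [10.2.3.3:62200] [OpenOTP:TESTREQ1] New openotpNormalSign SOAP request
[2022-05-30 18:43:02] [10.2.3.3:62200] [OpenOTP:TESTREQ1] > Username: alice
[2022-05-30 18:43:02] [10.2.3.3:62200] [OpenOTP:TESTREQ1] > Timeout: 120
[2022-05-30 18:43:02] [10.2.3.3:62200] [OpenOTP:TESTREQ1] Found 2 user settings: SignScope=Local,CaDESMode=Embedded
"""

LINE = re.compile(r"^\[([^\]]+)\] \[([^\]]+)\] \[OpenOTP:(\w+)\] (.*)$")
NEW = re.compile(r"^New (\w+) SOAP request$")
FIELD = re.compile(r"^> ([^:]+): (.*)$")
USER = re.compile(r"^Found \d+ user settings: (.*)$")
SESSION = re.compile(r"^Started .* session of ID (\S+) valid for (\d+) seconds$")


def parse_settings(text):
    """Split 'Key=Value,Key=Value' (assumed comma-separated) into a dict."""
    pairs = (item.partition("=") for item in text.split(",") if "=" in item)
    return {key.strip(): value.strip() for key, _, value in pairs}


def summarise(log_text):
    """Group log lines by request ID and return one record per request."""
    requests = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if line is None:
            continue  # blank line or a line from another component
        timestamp, peer, rid, msg = line.groups()
        rec = requests.setdefault(rid, {
            "first_seen": timestamp, "peer": peer, "method": None,
            "fields": {}, "user_settings": {},
            "session": None, "valid_for": None,
        })
        new, field = NEW.match(msg), FIELD.match(msg)
        user, session = USER.match(msg), SESSION.match(msg)
        if new:
            rec["method"] = new.group(1)
        elif field:
            rec["fields"][field.group(1)] = field.group(2)
        elif user:
            rec["user_settings"] = parse_settings(user.group(1))
        elif session:
            rec["session"] = session.group(1)
            rec["valid_for"] = int(session.group(2))
    for rec in requests.values():
        asked = parse_settings(rec["fields"].get("Settings", ""))
        listed = rec["user_settings"]
        # (value in the user settings line, value sent in the request)
        rec["overrides"] = {
            key: (listed[key], value)
            for key, value in asked.items()
            if key in listed and listed[key] != value
        }
    return requests


def overridden(requests):
    """Request IDs whose client-sent Settings differ from the user settings line."""
    return [rid for rid, rec in requests.items() if rec["overrides"]]


if __name__ == "__main__":
    for rid, rec in summarise(SAMPLE_LOG).items():
        print(rid, rec["method"], rec["session"], rec["valid_for"], rec["overrides"])
```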

7.3.1 Corporate Signatories requests

7.3.1.1 Push Delivery

Allows you to submit a signature request through Push notification.

<message name="openotpNormalSignRequest">
    <part name="username" type="xsd:string"/>
    <part name="domain" type="xsd:string"/>
    <part name="data" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="mode" type="xsd:string"/>
    <part name="async" type="xsd:boolean"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="issuer" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
    <part name="virtual" type="xsd:string"/>
    <part name="addCert" type="xsd:integer"/>
</message>

7.3.1.2 QRCode delivery

Allows you to submit a signature request through QRCode.

<message name="openotpSignQRCodeRequest">
    <part name="username" type="xsd:string"/>
    <part name="domain" type="xsd:string"/>
    <part name="data" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="mode" type="xsd:string"/>
    <part name="async" type="xsd:boolean"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="issuer" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
    <part name="qrFormat" type="xsd:string"/>
    <part name="qrSizing" type="xsd:integer"/>
    <part name="qrMargin" type="xsd:integer"/>
    <part name="virtual" type="xsd:string"/>
    <part name="addCert" type="xsd:boolean"/>
</message>

7.3.2 External Signatories request

Allows you to involve an external signatory through YumiSign.

<message name="openotpExternSignRequest">
    <part name="recipient" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="mode" type="xsd:string"/>
    <part name="async" type="xsd:boolean"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="issuer" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
</message>

7.3.3 Signature Response

<message name="openotpSignResponse">
    <part name="code" type="xsd:integer"/>
    <part name="error" type="xsd:string"/>
    <part name="message" type="xsd:string"/>
    <part name="session" type="xsd:string"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="comment" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
    <part name="cert" type="xsd:base64Binary"/>
</message>

7.4 Relaunch transaction/signature invitation

For asynchronous transactions, it is possible to relaunch a transaction/signing request based on the transaction session’s ID. If you perform this call to resend a push, a new push notification is sent to the user’s phone. It also allows you to generate the QRCode related to a specific transaction if you want to fall back to the QRCode method once the transaction flow is already started. The QRCode can afterward be provided to the concerned user.

7.4.1 Request

<message name="openotpTouchConfirmRequest">
    <part name="session" type="xsd:string"/>
    <part name="sendPush" type="xsd:boolean"/>
    <part name="qrFormat" type="xsd:string"/>
    <part name="qrSizing" type="xsd:integer"/>
    <part name="qrMargin" type="xsd:integer"/>
</message>

7.4.2 Response

<message name="openotpTouchConfirmResponse">
    <part name="code" type="xsd:integer"/>
    <part name="error" type="xsd:string"/>
    <part name="message" type="xsd:string"/>
    <part name="timeout" type="xsd:integer"/>
    <part name="qrImage" type="xsd:base64Binary"/>
</message>

7.5 Sealing

Allows you to seal a document.

7.5.1 Request

<message name="openotpSealRequest">
    <part name="file" type="xsd:base64Binary"/>
    <part name="mode" type="xsd:string"/>
    <part name="client" type="xsd:string"/>
    <part name="source" type="xsd:string"/>
    <part name="settings" type="xsd:string"/>
</message>

7.5.2 Response

<message name="openotpSealResponse">
    <part name="code" type="xsd:integer"/>
    <part name="error" type="xsd:string"/>
    <part name="message" type="xsd:string"/>
    <part name="file" type="xsd:base64Binary"/>
</message>

7.6 List requests

Allows you to list all pending (confirmation and sign) requests.

7.6.1 Request

<message name="openotpListRequest" />

7.6.2 Response

<message name="openotpListResponse">
    <part name="code" type="xsd:string"/>
    <part name="error" type="xsd:string"/>
    <part name="message" type="xsd:string"/>
    <part name="jsonData" type="tns:string"/>
</message>

8. OpenOTP Signature server configuration

There are only a few settings under the OpenOTP configuration which allow you to customize your signature and confirmation workflow. The settings and their explanations are below:

  • Offline confirmation: Only usable for Advanced signatures.

  • Reject comment: Ask the signatory to provide a comment if he rejects the signature request. The reject comment prompt appears on the mobile after clicking the Reject button when the signature request is received on the mobile.

  • Upload Signed Files: The signed file is uploaded afterwards to its original location (share, redis, Couchbase…).

  • Qualified Signature check: The device used to sign must be issued by an eIDAS/EUTL trusted identity provider. If not, then the signature is rejected.

  • Require Trusted Certificate: If enabled, the certificate used for signature purposes must be registered on the user account. Enrollment of the user certificate can be requested from the user through the API and, if requested, the certificate is automatically enrolled on the user account. Registered signing certificates are stored on the user account in the attribute used for WebADM data storage.

  • Qualified CaDES mode: Embedded or Detached. Please refer to the European regulation for more information regarding CaDES modes.

  • YumiSign API Key: Required to involve external signatories.

That is all for the OpenOTP Signature settings; most settings are controlled by the requests performed to the API.

9. End-users enrollments needed to achieve a signature

In every scenario, a Push Token needs to be registered on the user’s account and mobile with the OpenOTP Token application.

9.1 Mobile signatures

For mobile signatures, only a Push Token needs to be registered on the user’s account and mobile.

9.2 Advanced Signatures

For Advanced Signatures, a Push Token and a user certificate are involved in the signature process. If the user does not have any certificate registered on his LDAP account and mobile which can be used for this purpose, then during the first Advanced Signature request he will be prompted on his mobile to create one (user-friendly CSR prompt). The CSR will be sent to your WebADM Rsignd service (PKI service) and signed by the WebADM CA. That certificate will then be sent back to the mobile and registered on the user LDAP account. The document will then be signed with the freshly generated key, which never left the mobile, and sent back to the OpenOTP/YumiSign backend once the signature is completed. Below are a few screenshots of the automatic certificate enrollment when no certificate is registered in the OpenOTP Token application:

Signature request prompted on the mobile:

Document attached to the request prompted on the mobile:

No certificate is registered on the mobile, so the user is prompted to generate one:

The user must click the Generate button; the CSR is then submitted to your WebADM-RSignd service.

Then, the certificate is used to sign the previous document after a biometric verification:

Document signed and submitted to the backend.

The certificate is generated for a short period. When the certificate expires, it is automatically renewed. The mobile certificates are stored in the SQL database. You can access the certificates database through WebADM Admin portal > Databases tab > Client, Server and Mobile Certificates menu.

9.3 Qualified Signatures

When a qualified signature is requested, the user must use a QSCD device to perform the signature. The user will be invited on his mobile to plug in a card reader in order to insert his eID card. RCDevs also provides the possibility to use NFC, which does not require any external reader. In that case, the user will be prompted to put his eID card close to the NFC reader of his phone.

See below, screenshots from the mobile application for a qualified signature:

Signature request prompted on the mobile:

User must click Next.

Document attached to the request prompted on the mobile:

User must click Sign.

User is prompted to plug his eID reader on the phone:

The reader is detected and the user is invited to insert his electronic ID card in the reader:

Once the card is inserted, it is read by the OpenOTP Token application and the user is prompted to provide the PIN code protecting the electronic ID card:

The eID card is unlocked and the signing certificate is used to sign the document attached to the request. Once the document is signed on the mobile, it is sent to the OpenOTP backend for certificate revocation checks. The QSCD validity is checked by the OpenOTP backend with the revocation methods provided in the certificate used for the signature (OCSP/CRL checks). Once the validity checks have passed, the document is finalized and ready to be repatriated to the third party system. If the OCSP/CRL checks fail, the signed document is rejected and dropped and the transaction is terminated on the backend.

Signature submitted to the backend :

The WebADM administrators have the control on which QSCD is allowed. This is done by trusting the CA certificate of the QSCD certificate issuer. From WebADM admin GUI, click Admin tab, then Trusted CA certificates:

If the CA that issued the QSCD certificate is not in the trusted list, then the signature process will fail. RCDevs micro-services maintain the public CA certificates list, from which each CA certificate can be installed manually or fetched automatically when a CA certificate has expired and needs to be renewed.

10. Integration examples

10.1 Postfix Milter

With this mail integration, RCDevs covers the corporate scenarios described in part 2 of this documentation. External signatories cannot be involved through this integration for security reasons.

User accounts must be activated in WebADM and must have a push token registered.
If your mail domain is company.com, then the postfix server that will run the RCDevs scripts to trigger the signature workflow can be configured with an MX domain such as sign.company.com.

The postfix milter parses the email addresses and the subject of emails received on the sign.company.com MX domain. Based on the information configured on the postfix server, the milter detects the pattern added to the email address (sign in our example), which indicates that the email is a signature request; the actual user email address is the address without the pattern configured in the milter configuration. The milter then sends the signature request and the document to the OpenOTP servers.

The workflow of that integration is the following:

Consider rcdevs.com as the main MX domain. The postfix server is configured with the RCDevs Milter and a 2nd MX domain: sign.rcdevs.com

  • Send an email to user@sign.rcdevs.com containing the document that needs to be signed,

  • Email arrives on the postfix server,

  • Email parsed by RCDevs postfix milter in order to :

    • Identify the sender;
    • Identify the recipient;
    • Identify the level of signature requested (advanced or qualified);
  • Signature request built (according to information retrieved in the email) by RCDevs postfix scripts and submitted to OpenOTP server.

  • OpenOTP server notifies the user by mail that a signature request is pending and the push request is submitted to the user’s phone. A QRcode of the transaction is attached to the mail sent in order to fetch the pending transaction in case the notification has not been received or is not available anymore on the mobile.

  • The user has now to press the push notification received or scan the QRCode attached to the email with OpenOTP Token application.

  • The signature request is now prompted on the user’s phone through OpenOTP Token.

  • User reviews the document he is going to sign from his mobile and once the document is reviewed, he can sign it.

  • Once the signature is done, the document is prepared by RCDevs micro-services. Timestamping and Seals are applied to the document once signature has been done.

  • Once the document is signed, timestamped and sealed, it is sent to the original sender.

10.1.1 Submit a document for signature to yourself

Submitting a document for signature to yourself is very simple once this integration is configured. The process is the same as explained before, but instead of sending a signature request to someone else, you just send the request to self@sign.rcdevs.com. The postfix milter then parses the mail request, identifies the sender of that mail and submits the request to the sender (you).

10.1.2 Submit a document for signature to an internal collaborator

Submitting a document for signature to a collaborator is very simple once this integration is configured.

The process is the same as explained before, but instead of sending a signature request to yourself, you send the request to that user's email address using the configured sign MX domain. For example, to send a signature request to the user john.doe@rcdevs.com, you just have to attach the document to your email and send the email to john.doe@sign.rcdevs.com. The email is relayed to the postfix milter servers and parsed. The postfix milter prepares the signature request and submits it to OpenOTP. The signature workflow is started and the sender and recipient(s) are notified. Once the signature process is completed by the recipient, the signed document is sent back to the different signatories.

10.1.3 Level of signature requested

The level of the signature requested must be put in the email subject field. You have the choice between:

  • Standard,
  • Advanced,
  • Qualified

In advanced mode, local scope or global scope is under the control of the WebADM Administrator.

10.2 RCDevs Plugins

RCDevs is developing and providing multiple integration plugins for signature purposes for different products. We started with Nextcloud and Sharepoint. We will continue with Git, CRMs and more… Do not hesitate to share with us the signature plugins you would need in order to make developments move forward and prioritize the ones needed first.

10.2.1 Nextcloud

The Nextcloud signature integration is covered by a plugin installable on Nextcloud servers. All Nextcloud servers that are part of the same cluster must have the plugin installed and configured. Have a look at the Nextcloud Integration documentation.

10.2.2 Sharepoint

Plugin under development.

10.2.3 Signature portal

RCDevs is also developing an easy-to-use end-user web application portal, like the other web applications provided by RCDevs and hosted on the WebADM backend (selfdesk, selfreg…), but dedicated to electronic signatures for your end-users. From that portal, corporate users will be able to send signature requests to anybody who is part of the company, and also to external users by involving YumiSign. That portal is not downloadable at the moment as it is under development.

10.3 Custom integrations

Custom integrations offer a very high flexibility in signature workflow and treatments. It is achieved through API calls and API piloting. Integration and configuration can be complex, do not hesitate to contact RCDevs Service team for that kind of integration.

10.4 SelfDesk Integration (Self Signature only)

The Self-Service Desk application allows you to submit a document for signature to yourself. Have a look at the Self-Service Desk documentation for more information.