Digital Signing

Getting Started

This page covers the admin setup needed to get digital signing live. Most steps run once during installation; signer onboarding is covered in Signers & Certificates.

Step 1 — Create your Certificate Authority

Generate a CA key pair using OpenSSL:

openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
    -subj "/CN=Your Company Signing CA/O=Your Company"

You get two files:

  • ca.crt — public certificate (share with parties verifying signatures)
  • ca.key — private key (keep secret)

The CA certificate is valid for 10 years (3650 days). Plan a rotation procedure before it expires.

Step 2 — Configure Signing Settings

Open Signing Settings in the desk:

| Field | Value | Notes |
|---|---|---|
| CA Certificate | Upload ca.crt | Public — shared with verifiers |
| CA Private Key (PEM) | Paste contents of ca.key | Encrypted in database |
| Organization Name | Your company name | Embedded in signer certificates |
| Timestamp Authority URL | http://timestamp.sectigo.com | Pre-filled, free, no registration |
| Signer Role | Signer | Role required to sign |
| Signature Level | PAdES-B-T | Recommended default |
| CRL Distribution URL | Auto-filled on save | Where verifiers check for revoked certs |

Step 3 — Register signable DocTypes

In the Signable DocTypes table on Signing Settings, add each document type you want signable:

| Field | Example | Notes |
|---|---|---|
| Document Type | Sales Order | Any submittable DocType |
| Print Format | Prescription | Optional — uses default if blank |
| Require 2FA | Yes | Recommended |
| Prompt Sign on Submit | Yes | Auto-prompts signer after submission |
| Signature Position | Bottom Right | Where the visible signature appears (if no anchor tag) |
| Signature Page | Last | Which page receives the signature |

Saving Signing Settings automatically adds signature-tracking fields (status, signed PDF, signed by, signed on) to each registered DocType.

Step 4 — Enable Two-Factor Authentication

In System Settings → Two Factor Authentication, set:

  1. Enable Two Factor Authentication = Yes
  2. OTP Method = OTP App (TOTP)
  3. Bypass Two Factor Authentication for roles = add all roles except Signer

On first login, every Signer will be required to set up an authenticator app. The same app is used for signing.

Step 5 — Share the CA certificate with verifiers

External parties need your CA certificate to validate signatures. There are two ways to share it:

  • Manual — click Download CA Certificate on Signing Settings and email the file
  • URL — share https://[your-site]/api/method/digital_signing.api.signing.download_ca_certificate

Verifiers install it once in their PDF reader's trust store. See Verifying a Signature for instructions.
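
A pre-upload check for the files from Step 1 and a fingerprint comparison for the verifiers in Step 5, as an added example that is not part of the app or its documentation. The function names are hypothetical; it assumes a POSIX shell with the openssl CLI and the file names ca.key and ca.crt used above.

```shell
#!/bin/sh
# Added example (not the app's own tooling): checks on ca.key / ca.crt from Step 1.
# Function names are hypothetical; only standard openssl subcommands are used.

# True only if the private key and the certificate carry the same public key.
ca_key_matches_cert() {            # usage: ca_key_matches_cert ca.key ca.crt
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# True only if group and others have no access to the key file (e.g. mode 600).
ca_key_is_private() {              # usage: ca_key_is_private ca.key
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate is still valid N days from now (rotation planning).
ca_valid_for_days() {              # usage: ca_valid_for_days ca.crt 365
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the SHA-256 fingerprint as lowercase hex without colons.
ca_fingerprint() {                 # usage: ca_fingerprint ca.crt
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'ABCDEF' 'abcdef'
}

# Verifier side (Step 5): compare a received file against the fingerprint the
# CA owner communicated over a separate channel, before trusting it.
ca_fingerprint_matches() {         # usage: ca_fingerprint_matches ca.crt EXPECTED
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'ABCDEF' 'abcdef')
    got=$(ca_fingerprint "$1")
    [ -n "$got" ] && [ "$got" = "$want" ]
}
```

Publish the output of `ca_fingerprint ca.crt` through a channel separate from the download link, so a verifier can run `ca_fingerprint_matches` before adding the file to a trust store.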

Last updated 2 days ago