Questions and answers

Electronic signature (ES) is electronic data that is added by the signer to other electronic data or is logically connected with them and is used by the signer as a signature.

Electronic signatures can be simple, advanced (AdES) and qualified (QES).

In contrast to simple signatures, advanced and qualified electronic signatures make it possible to certify the signer's agreement with the content of the electronic document and to identify the signer. Besides, AdES and QES are the basis for the emergence of legal facts and are reliable evidence in court.

In addition, advanced and qualified electronic signatures are used to ensure the integrity of the electronic document.

The difference between them is that a qualified electronic signature provides a higher level of protection, has a high level of trust as a means of electronic identification, and is equivalent to a handwritten signature. An advanced electronic signature has a medium level of trust. In the future, a qualified e-signature will be required for the recognition of Ukrainian electronic signatures in EU countries. One of its main features is that it is stored on a secure private key (SPK) token.

Since the qualified electronic signature has a high level of trust as a means of e-identification, it is mandatory for use in state and local self-government bodies, enterprises, state-owned institutions, as well as by state registrars and notaries.

Electronic seals are used to ensure the authenticity of the origin and integrity of the electronic document.

Electronic seals are reliable evidence in court. As with electronic signatures, there are advanced and qualified electronic seals that provide additional security guarantees compared to simple electronic seals.

A file medium is a special file that contains your private key. This file is usually called Key-6 with the extension *.dat (the extensions *.pfx, *.pk8, *.zs2, *.jks are also found). In order to use the file medium, you need to:

  1. Choose your provider of electronic trust services from the list - the entity to which you applied for obtaining an electronic signature.
  2. Load the file with your personal key from an external medium or your own computer.
  3. Specify the password for access to the personal key in the corresponding field.

A secure private key token (Qualified Signature Creation Device) is a device for safe storage of QES. It can be in the form of a token, "cloud storage", Mobile ID or a smart card.

A secure private key token, or Qualified Signature Creation Device, is a device for a qualified electronic signature or seal that is designed to store a personal key and has built-in hardware and software tools that protect the data recorded on it against unauthorized access, direct reading of the value of private key parameters, and copying. The compliance of the qualified electronic signature or seal with the requirements of the Law of Ukraine "On Electronic Identification and Electronic Trust Services" is confirmed by compliance documents or positive expert opinions based on the results of their state expertise in the field of cryptographic information protection.

A secure private key token is a tool designed for safe storage of QES, which is stored in a device and is under the sole control of the signer. SPKT is protected by an access password, and entering the wrong password a specified number of times in a row blocks the medium.

Secure private key tokens (Qualified Signature Creation Devices) are devices for a qualified electronic signature or seal; the list of them can be found at the link.

However, please note that not all means of cryptographic protection of information in the above list are QES means, but only those mentioned in the expert report.

A token is a special hardware and software device that protects private keys from being copied or changed by perpetrators. The token can be in the form of a USB device or in the form of a smart card (a card with a chip). Examples of tokens produced in Ukraine are the Almaz-1K and Crystal-1 devices, among others.
To use the token, you need to read the key by selecting the "Token" section:

  1. Connect your token via a USB port (if you have a token in the form of a USB device) or use a special information reader (if you have a token in the form of a smart card).
  2. Choose your trust services provider from the list - the entity you contacted to obtain an electronic signature.
  3. From the list of tokens, select the type of device you want to use.
  4. Specify the access password to the private key in the corresponding field.

A cloud storage, or simply a cloud, is one or more remote servers that securely store the user's data.
If your personal key is stored using a third-party service (preservation in a secure cloud storage), then to read the key you have to select the "Cloud" section and your provider from the list at https://www.czo.gov.ua/sign and go through authorization in its system.

The electronic time stamp shows that the electronic signature or seal was applied exactly at the specified time.

  1. Choose the type of e-signature for signing the file from those proposed: "Electronic signature", Diia.Signature - UA (for work within Ukraine) or Diia.Signature - EU (signature for cross-border recognition).
  2. If you chose one of the Diia.Signature options, follow the step-by-step instructions that appear on your screen.
  3. If you chose "Electronic signature", select your key medium: file medium, token or cloud.
  4. Select a provider from the list that appears.
  5. Read the private key.
  6. Enter the password.
  7. Choose how you want to save the data and signature: the recommended option is an archive in the ASiC-S format, or choose another format from the list that appears on your screen.
  8. Drag and drop the file you want to sign into the browser or select it on your medium. Click the "Continue" button.
  9. Check the file name and click the "Sign file" button.
    Everything is ready! You see a signed file, an unsigned file, and a protocol that contains signature information. By default, the file is saved in the "Downloads" directory. If this did not happen, click the "Save file" button and save it to the medium you need.

The signed document can be downloaded in p7s format (CAdES data storage and signature format) or as a ZIP archive (ASiC-S or ASiC-E data storage and signature format). These files contain the original document and the signature.

When validating an e-signature, it is necessary to distinguish signatures contained together with the data in one file (one file with the extension .p7s or .zip) from signatures contained in separate files (one is the original file, the other is the QES with the extension .p7s). In the latter case, the service will also ask for the original file for verification.

  1. The case of validation of a signature contained together with the data in one file in CAdES format (one file with the .p7s extension):
    a. Press the "Select" key.
    b. A file selection window from the computer's file system will appear, in which you need to select the necessary file for signature verification (one file with the extension p7s).
    c. The service will provide the signature validation results.
    d. Press the "Save" key, after which the viewer downloads the original file on which a qualified electronic signature was created. The principle of saving occurs in the same way as in the usual case of downloading a file by a viewer.

  2. The case of validation of a signature contained in a separate file in CAdES format (the original file is separate from the signature file with the .p7s extension):
    a. Press the "Select" key.
    b. A file selection window from the computer's file system will appear, in which you need to select the necessary file for signature verification (one file with the extension p7s).
    c. In the next step, the system informs the user about the need to add the file for which the signature was created.
    d. Click the "Choose" button and in the file selection window from the computer's file system, select the required file for signature verification (one file for which a signature was created).
    e. Press the "Save" key.
    f. The viewer downloads the original file on which the signature was created. The principle of saving occurs in the same way as in the usual case of downloading a file by a viewer.
    Adding both files at the same time also works (the detached signature file with the .p7s extension and the file on which the signature was created).
  3. The case of validation of a signature contained in one data file in ASiC-S or ASiC-E format (one qualified electronic signature container with the .zip extension):
    a. Press the "Select" key.
    b. A window for selecting a file from the computer's file system will appear. In it, select the file for signature verification (one qualified electronic signature container with the .zip extension).
    c. The service then provides the signature validation result.

A qualified electronic signature container with a .zip extension has a "META-INF" folder that directly contains the electronic document signature.

An electronic copy of a document with mandatory details, including an electronic signature of the author or a signature equivalent to a handwritten signature, is considered the original of an electronic document. In the case of sending an electronic document to several recipients or storing it on several electronic media, each of the electronic copies is considered the original of the electronic document. An electronic document can be created, transferred, stored and transformed by electronic means into a visual form. The visual form of presentation of an electronic document is the display of the data it contains by electronic means or on paper in a form suitable for the acceptance of its content by a person.

To become the owner of an e-signature, contact any qualified trust service provider:
• fill out the registration form;
• provide passport data;
• provide the registration number of the taxpayer's account card;
• you will also need additional documents that are established by the provider in accordance with its certification practices/regulations.
The list of providers is at the link.

It is necessary to register a legal entity or register as an individual entrepreneur. Next, you need to submit documents to the Central Certification Authority or a certification center for inclusion in the trusted list in accordance with Article 30 of the Law of Ukraine "On Electronic Identification and Electronic Trust Services". For more details, see the link.

How to provide services through a separate registration point
The trust services provider must:
• issue an appropriate order or enter into an agreement with a legal entity or individual — the SRP;
• submit to the Central Certification Authority or a certification center information about the separate registration points and their employees whose duties will be directly related to the provision of qualified electronic trust services, in accordance with part three of Article 30 of the Law of Ukraine "On Electronic Identification and Electronic Trust Services".

Use the online service for creating a qualified electronic signature or seal at the link czo.gov.ua/sign. At "Step 4 of 4", select "Detached files. CAdES format".

Note: This method allows you to sign files larger than 25 MB, but it has its inconveniences. You need to keep 2 files (the signature file and the signed file). Any change to the signed file, even a single byte, will make it impossible to validate the signature.

Usually, a barcode or QR code is displayed on the document itself if the document is signed as a document of an electronic document management system (for example, SED ASKOD).

An electronic signature, barcode or QR code is not displayed on a document that is not signed in the SED. If the document is signed correctly, you can verify the electronic signature by using the signature verification service on the websites of the Central Certification Authority or the provider "Diia" at the following links: czo.gov.ua/verify or ca.diia.gov.ua/verify. As a result of the file verification, you will receive three files: a document with a signature, a document without a signature and a "protocol of creation and verification of a qualified electronic signature" in a PDF file. On the screen you will also immediately see the result of the signature check with all the data of the signatory.

The file "protocol of creation and validation of a qualified electronic signature" will display: information confirming the integrity of the signed data, the name of the signatory, data on the legal entity of the signatory (if available), the registration number of the qualified key certificate, the name of the trust services provider that issued this certificate, and the date of creation of the qualified signature.

To save the protocol file to your device, just click the "Save" button.

The answer is yes. Proceed as follows:

  1. Sign the file (for example, 1.pdf) with the first key according to the instructions given in the question "How to sign a file on the CZO site". Download the signed document (it will be 1.pdf.p7s).
  2. Sign this file 1.pdf.p7s with the second key. Download the signed document (it will be 1.pdf.p7s.p7s).
  3. Sign this file 1.pdf.p7s.p7s with the third key. Download the signed document (it will be 1.pdf.p7s.p7s.p7s).
    Thus, we have 1.pdf.p7s.p7s.p7s — a file signed with three signatures, each wrapping the previous one.

What function does the QES fulfill?

  1. To identify the author of the signature (name, natural or legal person, TIN or EDRPOU).
  2. To determine whether the document was changed after it was signed.
  3. To protect the document from forgery.
  4. To record the time stamp, which is a very important parameter for an electronic document, because it allows you to confirm the authenticity of the signature even after the validity period of the certificate has expired or it has been canceled or revoked (only for QES) with a complete set of data for long-term verification (Signature with Long-Term Validation Data).

The password for a qualified electronic signature or seal cannot be recovered, as it is known only to the user. In case of loss or damage of the personal key, or loss of the password for it, it is necessary to contact the provider where you received the QES, submitting at the same time an application for changing the status of the qualified certificate and a new package of documents for receiving the service of QES issuing anew.

Revoking a qualified key certificate is an early termination of its validity. Revoked key certificates cannot be renewed.

Temporary suspension of public key certificate validity.

After a certificate has been put on hold (blocked), its renewal is possible within thirty calendar days. At the end of this period, the qualified certificate will be automatically revoked by the provider.

Renewal of the validity period of a qualified certificate is possible only for blocked qualified certificates, the blocking period of which has not expired.

To renew the term of validity of a qualified certificate, the applicant submits a written application of the prescribed format to the provider.

In accordance with part 2 of Article 22 of the Law of Ukraine dated October 5, 2017 No. 2155-VIII "On Electronic Identification and Electronic Trust Services",
the identification of the person who applied for the service of creation of a qualified public key certificate is carried out in one of the following ways:
1) in the personal presence of a natural person, a natural person - entrepreneur or an authorized representative of a legal entity - based on the results of checking the information (data) about the person obtained in accordance with the procedure established by law from the Unified State Demographic Register, according to the passport of a citizen of Ukraine or other documents issued in accordance with the legislation on the Unified State Demographic Register and on documents certifying a person, confirming the citizenship of Ukraine or the special status of a person;
2) remotely (without the person's personal presence), with the simultaneous use of a means of electronic identification with a high or medium level of trust, previously issued in person to an individual, an individual entrepreneur or an authorized representative of a legal entity, and multi-factor authentication;
3) according to the identification data of the person contained in a qualified certificate of electronic signature or seal previously formed and issued in accordance with clause 1 or 2 of this part, provided that such certificate is valid;
4) using other methods of identification defined by law, the reliability of which is equivalent to personal presence and confirmed by the conformity assessment body.
Thus, it is not possible to obtain services for the creation of qualified public key certificates by power of attorney (including a notarized one).

If you apply for an electronic signature for the first time, in this case, personal presence is required to identify your person in accordance with Article 22 of the Law of Ukraine "On Electronic Trust Services".

No, changes to the certificate are not allowed. To change the data, you need to contact the provider for a new key (KEP).

A qualified public key certificate is a public key certificate that is issued by a qualified provider of electronic trust services, a certification center or a central certification body and meets the requirements of the Law of Ukraine "On Electronic Trust Services".

Such a certificate is used to identify the signer of an electronic document. It is worth noting that a qualified certificate is not a private key and can be transferred between subjects of electronic document circulation. It is not possible to create a qualified electronic signature using only a qualified public key certificate.

One person can have several KEP — for personal needs and professional activities. The electronic signature issued to the employee by the company contains his name and the organization's EDRPOU code. In the personal KEP, instead of the organization code, the person's individual tax number is written. You cannot use your personal KEP to sign documents on behalf of the company.

A certificate is a means of confirming that a public key belongs to its owner.
A certificate is issued by a qualified trust services provider and is used to verify that the public key belongs to the owner whose data is specified in it. The certificate file has the extension ".cer"; usually such files can be opened by the built-in tools of the operating system.
A certificate file contains identification data that uniquely identify the qualified provider and the user of electronic trust services, the validity period of the certificate, etc.

If your personal key is stored using a third-party service (storage in a secure cloud storage), then in order to read the key, you must select your provider from the list and carry out authorization in their system.

Diia.Signature is an electronic identification service for users who received a personal key remotely using the Diia mobile application.
Diia.Signature consists of two parts. One part is stored in your smartphone and the other in a special protected module of the Diia portal.
Citizens of Ukraine who hold an ID card or a biometric international passport can receive a personal key remotely using the Diia mobile application.
To be authorized on the site with the help of Diia, you should:

  1. Choose the section "Diia.Signature".
  2. Scan the QR code.
  3. Read the personal key by scanning your face (photo check) and entering the personal key password.
  4. In case of successful authentication in the mobile application, the system transmits your personal data, which allows you to be identified.

ASiC is a structured container that allows you to store a set of file objects with associated e-signatures and/or e-timestamps that conform to the ZIP specification.

ASiC-E allows you to store one or more file objects with associated e-signatures and subsequently add file objects, e-signature files and e-timestamps.

ASiC-S allows you to save one file object with an associated e-signature and add new ones later. It also allows you to add files to protect e-timestamps.
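The ASiC container described above (and the META-INF folder mentioned under the .zip validation case) can be inspected with plain ZIP tools. The following is an added example, not code from the CZO service: it builds a constructed ASiC-S container with a placeholder signature entry and reports the container kind, the data objects, the META-INF signature and time-stamp entries, and the structural problems a validator would reject (the entry names and media types are those of the ASiC specification, ETSI EN 319 162-1).

```python
import io
import zipfile

# Media types and META-INF entry names follow the ASiC specification (ETSI EN 319 162-1).
ASIC_S_MIME = b"application/vnd.etsi.asic-s+zip"
ASIC_E_MIME = b"application/vnd.etsi.asic-e+zip"


def inspect_asic(container: bytes) -> dict:
    """Describe an ASiC container: its kind, the signed data objects, the
    signature, time-stamp and manifest entries under META-INF, and any
    structural problems a validator would reject."""
    zf = zipfile.ZipFile(io.BytesIO(container))
    names = zf.namelist()
    info = {"kind": "unknown", "data_files": [], "signatures": [],
            "timestamps": [], "manifests": [], "problems": []}
    if "mimetype" not in names:
        info["problems"].append("missing mimetype entry")
    else:
        mime = zf.read("mimetype").strip()
        info["kind"] = {ASIC_S_MIME: "ASiC-S", ASIC_E_MIME: "ASiC-E"}.get(mime, "unknown")
        # The spec requires mimetype to be the first entry, stored uncompressed,
        # so tools can identify the container without inflating anything.
        if names[0] != "mimetype" or zf.getinfo("mimetype").compress_type != zipfile.ZIP_STORED:
            info["problems"].append("mimetype must be the first, uncompressed entry")
    for name in names:
        if name == "mimetype" or name.endswith("/"):
            continue
        if not name.startswith("META-INF/"):
            info["data_files"].append(name)       # the signed document(s)
            continue
        base = name[len("META-INF/"):].lower()
        if base.startswith("signature") and base.endswith((".p7s", ".xml")):
            info["signatures"].append(name)       # CAdES (.p7s) or XAdES (.xml)
        elif base.endswith(".tst"):
            info["timestamps"].append(name)       # time-stamp token
        elif "manifest" in base:
            info["manifests"].append(name)        # ASiCManifest / manifest.xml
        else:
            info["problems"].append(f"unexpected META-INF entry: {name}")
    if info["kind"] == "ASiC-S" and len(info["data_files"]) != 1:
        info["problems"].append("ASiC-S must hold exactly one data object")
    if not info["signatures"] and not info["timestamps"]:
        info["problems"].append("no signature or time-stamp under META-INF")
    return info


def build_sample_asic_s(document: bytes, signature: bytes, stored_mimetype: bool = True) -> bytes:
    """Constructed ASiC-S container for demonstration: META-INF/signature.p7s
    holds a placeholder blob, not a real CAdES signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        mt = zipfile.ZIP_STORED if stored_mimetype else zipfile.ZIP_DEFLATED
        zf.writestr(zipfile.ZipInfo("mimetype"), ASIC_S_MIME, compress_type=mt)
        zf.writestr("document.pdf", document, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/signature.p7s", signature, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_asic_s(b"%PDF-1.4 constructed document", b"\x30\x03\x02\x01\x01")
    print(inspect_asic(sample))
```

Run it against a real container downloaded from czo.gov.ua/sign to see which signature entries the service placed under META-INF.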

XAdES is a unified e-signature that allows e-data of any format to be signed. Also stores e-signature in XML format, separately from or together with e-data. Supports parallel and sequential signing of one or more e-documents.

PAdES is a unified e-signature that allows you to sign e-data in PDF format thanks to the security program for PDF files. Does not support parallel signing of e-data.

CAdES is a unified e-signature that allows you to sign e-data in any format, as well as save the e-data and the e-signature in separate files. For further verification of a detached CAdES e-signature, two files will be needed: the original file (without signature) and the signature file.