August 2013 EMA/264709/2013 EMA esignature capabilities: frequently asked questions relating to practical and technical aspects of the implementation This question and answer document aims to address the frequently-asked questions and provide guidance regarding technical and practical aspects of the European Medicines Agency s electronic signature capabilities. 7 Westferry Circus Canary Wharf London E14 4HB United Kingdom Telephone +44 (0)20 7418 8400 Facsimile +44 (0)20 E-mail info@ema.europa.eu Website www.ema.europa.eu An agency of the European Union European Medicines Agency, 2013. Reproduction is authorised provided the source is acknowledged.
Objectives of the EMA esignature Capabilities... 3 Registration Process... 3 Business process... 3 Technical Questions... 4 Verification and Certificates... 5 How to digitally sign an EMA PDF Form... 21 General Questions... 23 Contact us... 23 EMA/264709/2013 Page 2/23
Objectives of the EMA esignature Capabilities 1. What are the European Medicines Agency s esignature capabilities? The EMA s esignature capabilities enable the EMA to send digitally signed electronic documents (PDF) to industry. The EMA also have the capacity to verify digital signatures embedded in digitally signed electronic documents (PDF). The EMA s capabilities are in line with the EMA s strategy for a future electronic only workflow. These capabilities enable the secure archiving of legally binding digitally signed documents in a more efficient manner and they reduce the requirement to sign and archive paper documents. 2. Which types of documents can be sent with a digital signature? The EMA accept digital signatures in portable document format (PDF) electronic documents. 3. Who is the esignature solution for? Currently, the EMA s esignature capabilities are restricted to electronic documents for Scientific Advice, Orphan Medicines and Paediatric submissions between EMA and the pharmaceutical industry. 4. How do I send a digitally signed document to the EMA? You should send digitally signed documents via your usual submission channel e.g. email or Eudralink. Registration Process 5. Do companies need to register to access EMA s esignature capabilities? There is no registration requirement to send or receive digitally signed documents. Business process 6. Who should digitally sign a document on behalf of a company? The signatory of a digitally signed document should be the person authorised to fulfil this role within the company. 7. Does the EMA accept only digitally signed documents? No, only specific digital signature enabled documents are accepted. EMA/264709/2013 Page 3/23
8. How do I know my digitally signed document has been successfully received? Digitally signed documents will be dealt with in accordance to existing business processes and therefore no additional notification of receipt will be provided. 9. Will digitally signed documents submitted to the EMA go through a different process? All digitally signed documents received by the EMA will be handled in line with current processes. Technical Questions 10. When should I involve my organisation s IT colleagues in the configuration of the esignature solution? Please engage with your technical colleagues from the outset. It is advisable to obtain technical support with the configuration. 11. Are all types of PDF software supported? We have successfully tested the solution using Adobe Reader, however the EMA s esignature solution is designed to be compatible with other PDF compliant applications. 12. Do we need an external software provider in order to send or receive documents containing an electronic signature? The use of a software provider is not necessary to digitally sign and receive documents. If your organisation does not currently have the facility to embed a digital signature, you may choose to seek technical guidance to acquire the appropriate technology. 13. How do I digitally sign a PDF? The EMA will provide PDF certified electronic documents that are reader extended. You may use a PDF compliant reader application, e.g. Adobe Reader Version 9.1 plus. 14. How do I know a PDF is digitally signed? There is normally a visual representation in the electronic document; however, the actual digital signature is embedded within the PDF file. When you open the PDF file your PDF reader application should notify you that the file contains digital signatures. Please look at the image below to see an example of a digital signature. EMA/264709/2013 Page 4/23
Figure 1 15. Which PDF standards do the EMA conform to? All electronic documents to be digitally signed will conform to the portable document format file (PDF) version 1.7 ISO 32000-1:2008 standard. It should be noted that ISO/IEC 32000-2 may further clarify the use of digital signatures. This standard is currently under development. Verification and Certificates 16. Where do I obtain a Qualified Certificate? In order to obtain a Qualified Certificate you will need to select a Certificate Provider from the EC trusted list of certificate authorities https://ec.europa.eu/information_society/policy/esignature/trusted-list/ You will need to ensure you specifically look for providers of Qualified Certificates. 17. Who is the EMA s Qualified Certificate Provider? The EMA shall be using the certification services provided by the Spanish Royal Mint (Fábrica Nacional de Moneda y Timbre (FNMT) Real Casa de la Moneda) under Contract EC Framework Contract No DI/06750-0 PKI Services. 18. How do I ensure our certificates are compliant with the EMA s requirements? The Directive of the European Parliament and of the Council on a Community framework for electronic signatures (1999/93/EC) defines requirements on a specific type of certificate named `Qualified Certificates, which are given a specific relevance for the acceptance of electronic signatures and their legal effects Article 5. The Directive s ANNEX I describes the Requirements for qualified certificates and ANNEX II describes the Requirements for certification-service-providers issuing qualified certificates The link below provides specific details for those that require the profile specifications on Qualified Certificates. EMA/264709/2013 Page 5/23
19. Who is the EMA s PDF Certify Certificate Provider? The EMA is using a certificate from GlobalSign as part of the Adobe Certified Document Services Scheme for Certifying EMA documents. 20. How do I verify an EMA digital signature? In order to verify an EMA digital signature you must make sure your system is configured to trust the root certification authority certificates used by EMA, see question "Who is the EMA's Qualified Certificate Provider?" Please refer to your organisation's security policies. 21. How do I ensure that Certification Authority Root certificates, associated with EMA digital signatures, are available to my PDF application? You need to ensure that Certification Authority Root certificates, associated with EMA digital signatures, are available to your PDF application. The points below describe the steps to follow in order to import those certificates to your local Windows environment and Adobe Reader as an example. A. This capability is achieved by downloading the three certificates from the EMA esignatures web pages, as shown in Figure 2. Figure 2 B. Download each certificate and use the open option and the install option, as shown in Figure 3, to import the FNMT Root CA Certificates, using the certificate import wizard. EMA/264709/2013 Page 6/23
Figure 3 C. When you have installed all three FNMT certificates click on the file to open the EMA PDF Form in your PDF application. D. You now need to accept these installed certificates into your PDF applications trusted certificate store. An example of this task is shown in Figure 3, using PDF reader application. This task is required to be complete once only for all EMA digitally signed EMA PDFs. Click on the signature tab, with the green tick in the side bar. Then click on signature details to expand the attributes to show certificate details. Then highlight FNMT-RCM and then click on the trust tab. Then click on the add to Trusted Identities button, as shown in Figure 4. Figure 4 In the next dialogue box, as shown in Figure 5, click OK to accept these FNMT Root CA certificates. EMA/264709/2013 Page 7/23
Figure 5 In the next pop-up dialogue box, as shown in Figure 6, ensure that the accept root certificate box is checked and then press OK. Figure 6 E. Now verify all the digital signatures by clicking the Validate All button. Figure 7 shows the result of verifying the digital signatures in an EMA PDF. EMA/264709/2013 Page 8/23
Figure 7 22. How do I confirm if I have the required certificates in the trust store? If you are using Adobe software you can start by Checking the Adobe Certificate Authority Root Certificate Trust Configuration in Adobe Reader / Adobe Acrobat: 1. Open the PDF in Adobe Reader or Acrobat. 2. Open the signature tab. 3. Right click on the Certification signature named Certified by EMA Certify. 4. Select Show signature properties EMA/264709/2013 Page 9/23
Figure 8 5. Click Show Signer s Certificate Figure 9 6. From the List on the left select the top most certificate called Adobe Root CA. 7. Select the Trust tab. 8. You should now see that this certificate is trusted for Signing documents or data and Certifying documents. The Add to Trusted Certificates button should be greyed out and disabled. EMA/264709/2013 Page 10/23
Figure 10 9. Without changing the Tab click on the second certificate name from the top in the left panel called GlobalSign Primary SHA256 CA for Adobe. 10. You should see in the trust tab that the permissions are inherited from the parent certificate granting Sign documents or data and Certify documents. This time however the Add to Trusted Certificates button is not disabled. You don t need to do anything here. EMA/264709/2013 Page 11/23
Figure 11 11. Without changing the Tab click on the third certificate name from the top in the left panel called EMA Certify <i-op-dcsecurity@ema.europa.eu>. 12. You should see in the trust tab that the permissions are inherited from the parent certificate granting Sign documents or data and Certify documents. Again the Add to Trusted Certificates button is not disabled. You don t need to do anything here. EMA/264709/2013 Page 12/23
Figure 12 13. Click OK. 14. Click Validate Signature. 15. You should then see the following: EMA/264709/2013 Page 13/23
Figure 13 16. Please Repeat steps 3 15 for the second signature field, In Step 8 you should see the following: EMA/264709/2013 Page 14/23
Figure 14 17. In this case the permissions on each certificate should be Sign documents or data only. If the first certificate in the certificate list does not have any permissions set or the Add to Trusted Certificates button is not disabled please email ITServiceDesk@ema.europa.eu. 23. How do I change certificate permissions? 1. Open Adobe Reader or Acrobat. 2. Select Edit -> Preferences EMA/264709/2013 Page 15/23
Figure 15 3. Scroll down the list in the left hand panel and select Signatures. 4. Under the section Identities & Trusted Certificates click More. EMA/264709/2013 Page 16/23
Figure 16 5. Click Trusted Certificates. 6. Sort by Certificate Issuer. 7. Look down the list for Adobe Root CA. Select it. EMA/264709/2013 Page 17/23
Figure 17 8. Confirm that the details in the bottom panel match the following: Adobe Root CA Adobe Systems Incorporated Issued by: Adobe Root CA Adobe Systems Incorporated Valid from: 2003.01.08 23:37:23 Z Valid to: 2023.01.09 00:07:23 Z Intended usage: Sign certificate (CA), Sign CRL 9. If the settings match click close. If not continue to Step 10. 10. Click Edit Trust. EMA/264709/2013 Page 18/23
Figure 18 11. Make sure the following options are ticked on this screen: a. Use this certificate as a trusted root b. Signed document or data c. Certified documents 12. Click OK. 13. You have now completed the steps to update an imported certificate s trust permissions. 24. How do I know if there is a problem with the verification of a digital signature? 1. Look out for alerts in the Blue Certification notification bar across the top of the PDF display panel. The alerts that indicate a problem are shown below: a. User action required to validate a signature field on the form b. The form Certification is valid but the recipient signature cannot be validated EMA/264709/2013 Page 19/23
c. The recipient signature field on the form is valid but the Certification is not valid d. The document Certification and recipient signature are not valid /cannot be validated. e. Either the document Certification or Recipient Signature Field is Invalid. f. All signatures on the form are valid 2. Signature Panel - Certification Field a. Status unknown b. Invalid c. Valid 3. Signature Panel Recipient Signature Field a. Status Unknown b. Signature has Problems c. Invalid d. Valid 25. What do I do if I cannot verify a digital signature that is embedded in an EMA document? Please contact ITServiceDesk@ema.europa.eu 26. Are digital signatures in Adobe products compatible with PDF/A? PDF/A-1 FULLY supports Digital Signatures. Reader, Acrobat and LiveCycle all fully support signing a PDF/A according the requirements for same. EMA/264709/2013 Page 20/23
How to digitally sign an EMA PDF Form This section is included for those individuals that may not be familiar with digitally signing PDF Forms using a PDF reader application. A. Click on the file to open the EMA PDF Form in your PDF reader application. B. The EMA Form is authenticated automatically, as shown by the blue ribbon and blue rosette and the statement Certified by EMA in Figure 19. Figure 19 C. Enter the pertinent information of the scenario into the form s fields. Figure 20 EMA/264709/2013 Page 21/23
D. Place your cursor over the "Signature of sponsor s representative" digital signature box, as shown in Figure 21, and right click. E. Proceed through the dialogue to digitally sign the electronic document (save the file in a new name) Figure 21 F. The representation of your digital signature is displayed in the digital signature box as shown in Figure 22. This representation is configurable in your PDF reader application; however, the digital signature is embedded into the PDF file. Your PDF application should provide you with the option to save the file in a new filename; however, if this facility is not provided then save the form using the Save Form button. Figure 22 EMA/264709/2013 Page 22/23
General Questions 27. When will the esignature solution go live? The esignature solution will go live in September 2013. 28. Are EMA digital signatures legally binding? EMA digital signatures are supported by Qualified Certificates which make them legally binding in all EU Member States. 29. What is the cost of the esignature solution? The cost of the esignature solution is free for users already in receipt of qualified certificates. For organisations that do not yet have the capability to sign documents electronically, we advise that you seek a quotation from a suitable provider with expertise in this area. 30. How do the EMA ensure that digitally signed PDFs submitted by industry cannot be tampered with? These electronic forms are certified, using the EMA Entity Keys, to ensure that industry users complete the specific permitted fields and do not add further fields. By certifying the PDF file, the electronic forms are being locked down to detect unauthorised manipulation. Contact us For queries concerning the EMA s esignature solution please contact ITServiceDesk@ema.europa.eu EMA/264709/2013 Page 23/23