DotNet Development, SharePoint Customizing, Silverlight, MS Infrastructure and other tips and tricks

How to apply a Digital Signature in an InfoPath form?

Posted by PANVEGA on March 3, 2009

When creating an InfoPath template, you can establish trust with a digital signature in 2 ways.

  1. When developing an InfoPath (IP) template, you can add a certificate to your XSN template, then publish and apply it on your server, so that every client knows that the form comes from a trusted location.
  2. The other certification procedure is a certificate created on the client side, which should be sent to the server CA (Certificate Authority). This is very useful when, for example, many employees travel and work remotely and the forms must be available to be completed and signed in a Web browser or in the IP client.

1. Deploy a certificate to your XSN template on the Server

In InfoPath you can create a fully trusted server-side form template by signing the XSN with a code signing certificate. Here’s what you do:

  • While in the InfoPath designer, select Tools | Form Options | Security
  • Uncheck the “Automatically determine security level based on form’s design” option
  • Select Full Trust
  • Click the Sign this form button

The first time your users fill out the form that you have signed with a certain certificate, they will see a Security Warning dialog that notifies them that the form template is digitally signed and asks if they trust the publisher.  Once they have checked the box to trust the publisher, they will be able to open any form template that asks for full trust and is signed with that same certificate.

If users find that the option to trust the publisher is disabled, that means that the root of the certificate used is not trusted on the user’s machine.

When you received your code-signing certificate, you asked the CA (Certificate Authority) for it. What the CA delivered to you is a certificate that is now in your personal folder that is trusted by you and by anybody who trusts the CA that issued it.  So, for example, if you get a code signing certificate from Verisign, any user will have the option to trust you as a publisher as long as they also have Verisign in the list of Trusted Root Certification Authorities on their machine.  Once a user has trusted the root of a certificate, the option to trust the publisher will be enabled in the Security Warning dialog that is displayed when they fill out a fully-trusted, signed form.

2. Client-side digital signatures

I am going to show in a few steps how to enable digital signatures in an InfoPath form so that users can sign the form in Microsoft Office InfoPath 2007 or in Internet Explorer.

You can enable digital signatures when designing a form so that users can add a digital signature when filling it out. This digital signature proves that the form originated from the signer and has not been changed. The signature can also include comments from the author. After signing, the data in the form cannot be changed without cancelling the digital signature.

When adding a digital signature, the user must use a digital certificate. A digital certificate is an attachment for a file, macro project, or e-mail message that assures authenticity, provides secure encryption, or supplies a verifiable signature. Digital certificates, which you can get through commercial certification authorities or from your internal security administrator, establish the authenticity of the signature.

You need the following things:

  • A digital certificate from a CA (Certificate Authority) with which to sign the form. You can obtain one from VeriSign; in this case, VeriSign is the certification authority.
  • Access to a Microsoft Office SharePoint Server site on a server that is running InfoPath Forms Services.

For the user’s certificate to be trusted, the certificate of the certification authority must be installed in the Trusted Root certificate folder on the server. When you use a VeriSign certificate, it is installed with Windows Server 2003. If you are using a different certification authority, install the certificate in the Trusted Root folder on the server.

You can use different Web browsers to open InfoPath forms from a server running InfoPath Forms Services; however, you can only use Internet Explorer to digitally sign InfoPath forms.


InfoPath lets you show digital signature UI (“click here to sign this form”) under a signable section; however, this section doesn’t have to include any controls! This means that you can have your signable section with controls at the top of the form, some extra content in the middle, and then another section bound to the same nodes in the data source without any controls in it.

When you enable digital signatures for an entire form, the form users must enter all the data they require before they sign the form. After the first signature is added, all controls in the form and the form’s XML Document Object Model (DOM) become read-only, and the text [Signed] appears in the title bar. Other users who open the form cannot enter data; they can only add, remove, or verify counter-signatures.

Creating and Signing the Form Template

You will first create a form template that can be signed, and then sign it with a digital certificate in Internet Explorer.

To create a form template that can be signed in Internet Explorer

  1. Start Office InfoPath 2007.
  2. In the Getting Started dialog box, click Design a Form Template.
  3. In the Design a Form Template dialog box, click the Form Template option, and then select Blank.
  4. Check the Enable browser-compatible features only check box, and then click OK.
  5. On the Design Tasks task pane, click the Controls link.
  6. On the Controls task pane, drag a section into the view. This will be the main section for your form.
  7. Drag controls into this section to customize the employee review form.
  8. Right-click the tab at the bottom of the main section labeled Section and select Section Properties.
  9. In the Section Properties dialog box, select the Digital Signatures tab.
  10. Select the Allow users to digitally sign this section check box.
  11. In the Sign the following data in the form when this section is signed list, select Add data that can be signed.
  12. In the Set of Signable Data dialog box, select the Allow only one signature option, and then click OK.
  13. On the File menu, click Save, and save the form to the computer desktop.
  14. On the File menu, click Publish.
  15. In the Publishing Wizard, select To a SharePoint server with or without InfoPath Forms Services, and then click Next.
  16. Type the URL of your SharePoint Server site, and click Next.
  17. Click the Document Library option, select the Enable this form to be filled out by using a browser option, and then click Next.
  18. Click the Create a new document library option, and click Next.
  19. In the Name text box, type EmployeeReview as the name for your document library, and then click Next.
  20. You are not promoting any properties in the form, so click Next to skip this screen. Then click Publish.
  21. Click the Open this form in a browser link. The form is displayed in an Internet Explorer window.
  22. Switch back to InfoPath and select the Open this document library check box.
  23. On the last page of the Publishing Wizard, click Close.


To digitally sign the InfoPath form in Internet Explorer

  1. Navigate to your form by entering the following URL, replacing <ServerName> with the name of your SharePoint server: http://<ServerName>/_layouts/FormServer.aspx?xsnlocation=http://<ServerName>/EmployeeReview/forms/template.xsn&OpenIn=browser
  2. A License Agreement dialog box appears.
  3. Select the I accept check box, and click Next.
  4. Click Install to install the digital signature control software.
  5. Fill out the Signing Web page dialog box, and click Sign when you are finished. To enable the I have verified this content before signing check box, you must select the digital certificate that you obtained from the certificate authority.
  6. The signature is now visible on the form.

InfoPath digital signatures are appended to form XML, just like form data. For example, in the form above, nodes under signature1 will store the digital signature when the user adds it:

Note: You can sign a whole form only in InfoPath client templates. In web-based forms you have to apply the signature to a section you created.

Using this fact, we can enforce business rules in our form: for example, what if we don’t want to allow form submissions when the form is not signed? Let’s go to Tools | Submit Options and create two rules:

1) Show must-sign warning:

– condition: signatures2 node is blank (this will evaluate to true when no signature was added)

– action: show a dialog box message “you must sign the form before submitting it”

– check “stop processing rules when this rule finishes”

2) Submit to main data source:

– condition: always applies (unless the first rule fired – we wouldn’t get to this execution point then)

– actions: submit to main data source + show dialog box message “submission was successful”
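
The “signatures node is blank” condition from rule 1 can also be evaluated against a saved form’s XML, for example when auditing a form library. The Python below is an added example, not part of the original post; the sample XML, the “my:” namespace value and the node layout are constructed, and it checks only that an XML-DSig Signature element is present and structurally complete, not that the signature is cryptographically valid.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"  # W3C XML Signature namespace
# Constructed "my:" namespace and node layout; real forms use the names
# defined in the template's data source.
MY = "http://example.invalid/infopath/myXSD"

SIGNED_FORM = f"""<my:myFields xmlns:my="{MY}">
  <my:reviewText>Meets expectations</my:reviewText>
  <my:signatures1><my:signatures2>
    <Signature xmlns="{DS}">
      <SignedInfo><Reference URI=""><DigestValue>Y29uc3RydWN0ZWQ=</DigestValue></Reference></SignedInfo>
      <SignatureValue>Y29uc3RydWN0ZWQ=</SignatureValue>
    </Signature>
  </my:signatures2></my:signatures1>
</my:myFields>"""

UNSIGNED_FORM = f"""<my:myFields xmlns:my="{MY}">
  <my:reviewText>Draft</my:reviewText>
  <my:signatures1><my:signatures2/></my:signatures1>
</my:myFields>"""


def signature_status(form_xml, group="signatures2"):
    """Classify a saved form by the content of its signature group.

    Returns "no-signature-group", "unsigned", "malformed" or "signed".
    For untrusted input, parse with a hardened parser such as defusedxml.
    """
    root = ET.fromstring(form_xml)
    # Match the group by local name so the per-template namespace is irrelevant.
    groups = [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == group]
    if not groups:
        return "no-signature-group"
    sigs = [s for g in groups for s in g.iter(f"{{{DS}}}Signature")]
    if not sigs:
        return "unsigned"  # same outcome as the "node is blank" rule condition
    for sig in sigs:
        value = sig.findtext(f"{{{DS}}}SignatureValue", default="")
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if not value.strip() or not refs:
            return "malformed"  # a Signature shell without value or references
    return "signed"


if __name__ == "__main__":
    for name, doc in (("signed", SIGNED_FORM), ("unsigned", UNSIGNED_FORM)):
        print(name, "->", signature_status(doc))
```

A “signed” result here means only that the node is populated; validating the signature and the signer’s certificate chain is a separate step.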


You saw how users can interact with the form in Internet Explorer or in the InfoPath client to digitally sign it.

3 Responses to “How to apply a Digital Signature in an InfoPath form?”

  1. Wow, nice description. I was really searching for such a blog; you describe it very clearly. It is best for security. I also like Digital signature pad.

  2. Raj said

    This blog is very informative and very useful for me. This is an excellent feature in InfoPath, and it was explained very well by you in this blog.

    Since I am new to this, I was recently working on InfoPath and I am facing a problem. I hope that I can get a reply from you, and probably an answer too.

    In SharePoint I have a list which has “Name” and “Role” as its fields, and I have filled in some rows with Name and Role. So I am creating a data connection to get those list items (rows) into InfoPath’s repeating table.

    Now in InfoPath I have to maintain four things: Name, Role, Digital Signature and four checkboxes.

    Digital Signature: I want many people to sign this document.

    Checkboxes: I have four checkboxes, which are the Responsibilities A, B, C, D. Any of them can be checked and unchecked in each of the rows, which indicates that a particular person with a name and role can have any of these responsibilities.

    Name and Role will be filled from the data connections anyway, and I was able to successfully create all the rows that are present in the SharePoint list.

    HOWEVER: since the other items are not part of the same data source, I am having the same identical controls in each row of my table. I.e., if I click on one checkbox, they are all selected. Sign one column, and they are all signed, because they are all the same control across each row of the table.

    For each row I should be able to have a new digital signature and four checkboxes. Is this possible through programming? Please help me, PANVEGA. Thank you in advance…

    With Regards,

  3. Hector said

    What if you are using Forms Services? I have done this solution, but the form disappears after submitting. However, the data is not saved on the server.

