filter allows you to limit the number of certificates displayed to users when they are selecting a certificate. Users frequently have multiple digital certificates on their computers. While these certificates may contain identical user information, their issuer and certificate information may be completely different. By default, the signing ceremony displays all of a user's signing identities, but if those certificates have different purposes, it may be difficult for users to choose the appropriate one for signing a specific form.
Filtering the certificates limits the number of signing identities listed by the Viewer. This allows you to specify attributes or attribute values that the certificate must have. If a certificate does not have the listed attributes or values, it is not included in the list of signing identities. This creates a more manageable list, making it easier for users to select the correct certificate for signing the form.
The following code sample depicts a filteridentity filter that specifies the user's department (organizational unit) and designates it as IT.
In this case, the Viewer’s signing identity list only displays certificates that have an organizational unit parameter with a value of IT. If a certificate does not contain an attribute with this value, it is not included in this list.
Note: The value parameter may contain a value or remain blank. If you insert a value, the attribute value in the certificate must match. If it contains a value, the signature engine attempts to match that value with the value of the Subject: OU certificate attribute. If it is blank, the signature engine verifies that the attribute exists.
When creating filteridentity filters, you must ensure that the required attributes match an existing certificate. If you are overly explicit with your certificate filtering criteria, you may add a certificate attribute or value that does not exist in any user certificate. If no certificates match the specified certificate attributes, then the Viewer will display an empty signing identity list and the user will be unable to sign the form. For example, if your filteridentity filter specifies that users must use CryptoAPI certificates, then users with only Netscape-type certificates will be unable to sign your form.
Consider the following tips when creating a filteridentity filter:
- All of the listed attributes and values must exist in the user’s digital certificate.
- You cannot use "if", "or" or "not" statements unless you use a compute.
- Ensure that the spelling, case, and punctuation of you attribute list exactly match the user’s digital certificate.