Creating Digital IDs for use with AutoCAD

With AutoCAD 2004 and newer, including LT, you can use digital certificates to "sign" dwg files. We plan to use it to protect ourselves from drawings that might be used on site after being modified without our knowledge. While it will not prevent modifications, the absence of our signature, together with the PDF file that was sent, can be used to show that whatever the changes caused was not our doing. [Note: consult your own lawyer about a situation like this and the use of digital signing before relying on it.]

When most people hear about certificates or digital IDs they assume they must use someone like VeriSign to obtain them. This is not true. If your company makes its own it can save lots of money, and there is nothing wrong with it. When you shell out money to the commercial companies you are paying them to guarantee to the world who you are in your digital communications. When an employee types his or her name on a drawing, the company is taking responsibility for what that employee turns out. So why shouldn't that same company be able to vouch for that same employee's digital signature?

Quick steps:

  1. Setup and create root certificate.
  2. Create the PKCS12 certificate.
  3. Distribute and install the files.
  4. Use in AutoCAD.
  5. Tips.

The following covers the command-line way of doing it. If you are using a GUI, it should be fairly simple to follow along.

1) Setup and create root certificate

See Setting up OpenSSL to Create Certificates

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

Note: If all you are going to be creating is certificates to sign drawings, and possibly emails, and you have an old box around, I highly recommend loading it up with Apache, PHP and OpenSSL. Install PHPki and use it to create and manage your certificates. However, make sure this computer is not accessible over the internet.


2) Create the PKCS12 certificate

See Creating PKCS12 certificates.


3) Distribute and install the files

The name-cert.p12 file is the one to give the person. They will need to know the export password used when creating the file.

Don't forget the root certificate, cacert.pem. While I've found the receiver of a signed file does not have to have it installed, you will need it on the ID owner's machine to rid them of some otherwise annoying dialog boxes. The receiver will also need the root certificate if you use these digital IDs to sign and/or encrypt email. It is possible to do without it in some programs, but they will "complain". Tip: rename cacert.pem to cacert.crt for easier import.

With Internet Explorer, go to Tools, Options, Content tab, Certificates, Import and follow the steps. Do this first for the root certificate and then for the personal certificate. Let it choose where to place the certificate. With the personal certificate, on the page where you are prompted for the password, you will have two options: always ask for the password when an application uses the certificate, and allow the certificate to be exported. I leave these options up to you. Once installed in IE it is available to all applications that use the MS certificate store. (Note that Mozilla and Netscape apps use a separate certificate store.)

To make it easy for clients to install your root certificate, cacert.crt, place it on your web site with a URL to it. When they click on it in IE, they can choose to "Open" and it will walk them through the install steps.


4) Use in AutoCAD

Once the personal certificate is installed AutoCAD will immediately be able to use it. In Options, on the Open and Save tab, you should see a button at the bottom that says "Security Options". When you click on it you should see the personal certificate. If you want to always sign drawings that you save, check the "Attach digital signature after saving drawing" box. If you only want to sign specific drawings do this with a Save As. In the Save Drawing As dialog use the Tools menu and select Security Options...

Now if someone saves changes to a drawing you have signed, your certificate will be removed. If they have a certificate and have set their software to always sign, then their certificate will be used. Remember that even a zoom and then a save counts as a change in AutoCAD's terms.

The neat thing, IMO, is that when someone attempts to save changes to a signed drawing a little warning pops up:

    The saved version of this drawing has a digital signature attached.
    Saving a new version will invalidate the signature.

That ought to give a few non-CAD folk pause, eh?

In Options, on the Open and Save tab, you may want to uncheck the "Display digital signature information" if you plan to always sign drawings. Otherwise a dialog will appear each time a signed file is opened, and that can get annoying. You can view this information anytime by using the little rubber stamp icon that will appear in the lower-right corner of the status bar.


5) Tips

The certificate created via the example is only good for 365 days. When it expires a warning message may be displayed and/or the certificate may become unusable. Don't forget to remake the certificate before then.
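The command-line version of steps 1 and 2, plus a check for the 365-day expiry mentioned in this tip, as an added example that is not part of the original page or its linked instructions. It assumes OpenSSL 1.1.1 or newer on the PATH; the company name and the file names cacert.pem, cacert.crt and name-cert.p12 are placeholders following the article.

```shell
set -e
# make_signing_id OUTDIR "Full Name" EXPORT_PASSWORD
# Builds cacert.pem/.crt (root) and name-cert.p12 (personal ID, 365 days) in OUTDIR.
# Assumption: openssl 1.1.1+ on PATH. "Example Company" is a made-up placeholder.
make_signing_id() {
    out=$1; name=$2; pass=$3
    mkdir -p "$out"
    # Private config so the system openssl.cnf cannot add surprise extensions.
    cat > "$out/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Company
CN = Example Company Drawing CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
EOF
    # 1) Root certificate (ca.key stays on the CA box and is never distributed).
    openssl req -x509 -config "$out/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$out/ca.key" -out "$out/cacert.pem" 2>/dev/null
    cp "$out/cacert.pem" "$out/cacert.crt"   # the article's easier-to-import name
    # 2) Personal key + request, signed by the root for 365 days.
    openssl req -new -config "$out/pki.cnf" -subj "/O=Example Company/CN=$name" \
        -newkey rsa:2048 -nodes -keyout "$out/name.key" -out "$out/name.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$out/name.csr" \
        -CA "$out/cacert.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/pki.cnf" -extensions leaf_ext -out "$out/name-cert.pem" 2>/dev/null
    # 3) PKCS#12 bundle locked with the export password the recipient must know.
    #    SHA1/3DES PBE: old Windows stores cannot read OpenSSL 3's AES/PBKDF2 defaults.
    openssl pkcs12 -export -name "$name" -inkey "$out/name.key" -in "$out/name-cert.pem" \
        -certfile "$out/cacert.pem" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -macalg sha1 -passout "pass:$pass" -out "$out/name-cert.p12"
    # Check before handing out: the personal certificate must chain to the root.
    openssl verify -CAfile "$out/cacert.pem" "$out/name-cert.pem" >/dev/null
}

# cert_valid_beyond CERT.pem DAYS: exit 0 if still valid DAYS from now, 1 if it
# expires sooner (the article's reminder that the ID is only good for 365 days).
cert_valid_beyond() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run cert_valid_beyond against each issued name-cert.pem from a scheduled job so the reissue happens before AutoCAD starts warning.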