Signature Appliance Tech Note: Preventing a “Man in the Middle” Attack

SSL protects the communications between your app and your DocuSign Signature Appliance from eavesdropping, but encryption alone does not tell your app who is on the other end of the connection. How does your app confirm that someone is not masquerading as the signature appliance? How do you guard against a “man in the middle” attack?

The answer is to verify two things about the server’s SSL certificate: that it chains to a Certificate Authority (CA) you trust, and that the name in the certificate matches the host your app intended to reach. A certificate that passes only one of these checks is not enough; an attacker can present a valid certificate for a different name, or a self-issued certificate for the right name.

Getting Started: Download the CA Cert

The first step in identifying the server is to obtain the server’s Certificate Authority’s certificate, the CA Cert.

You don’t want the server’s own SSL certificate; you want the certificate of the CA that issued (signed) the server’s certificate. Your app will use that CA Cert to validate whatever certificate the server presents, so the check keeps working when the server’s certificate is renewed.

How the CA Cert is installed and trusted varies depending on the software platform you’re using. See the quick start guides for information on different platforms.

Download the CA Cert using FireFox

The following shows how to use the Firefox browser to download the CA Cert. Other browsers have similar commands. This example assumes that you are willing to trust the DocuSign Signature Appliance that you’re currently connected to (“trust on first use”). If you might already be under attack, the certificate your browser shows you could be the attacker’s, so you’ll need to obtain a copy of the CA’s cert through a separate, secure, trusted channel instead.

Step 1

Open your browser to the WSDL file location on your signature appliance.
URL: https://:8080/sapiws/dss.asmx?WSDL
The developer sandbox server: https://prime.cosigntrial.com:8080/sapiws/dss.asmx?WSDL

Click the Security Icon to see the SSL information:

Click the More Information… button

View the information about the SSL connection. Click the View Certificate button

Step 2

From the ‘Details’ tab, select the ‘COMODO High-Assurance Secure Server CA’ certificate. This is the CA certificate, the entry directly above the server’s own certificate in the certificate hierarchy.

Then press the Export... button. The certificate is an X.509 certificate.
Save it on your local system in Base 64 (PEM) format with a .crt or .cer file extension.

Step 3

You now have the CA certificate as a local .crt or .cer file. The next step is to use it with your software platform to ensure that you’re communicating with the right server: configure your SSL client library to trust that CA Cert (and only it, for this connection) and to check that the server’s certificate name matches the appliance host name. Please see the Quick Start articles for platform-specific instructions.
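As an added illustration of that last step (this is example code written for this note, not DocuSign’s SDK or the platform Quick Starts), the following Python script pins the exported CA Cert with the standard library’s ssl module. It shows the weak client configuration that accepts any server beside the hardened one, checks that the file you exported really is a CA certificate rather than the server’s own certificate, and fetches the WSDL over a connection that fails if the chain or host name does not match. The WSDL path and port 8080 come from this note; the function names and the command-line usage are the example’s own.

```python
"""Pin the exported CA certificate when calling the signature appliance over TLS.
Example code for this tech note; not part of any DocuSign SDK."""
import http.client
import ssl
from typing import Optional

WSDL_PATH = "/sapiws/dss.asmx?WSDL"   # from the tech note
DEFAULT_PORT = 8080                    # from the tech note


def dn_to_str(name) -> str:
    """Render a distinguished name as returned by getpeercert()/get_ca_certs(),
    e.g. ((('countryName', 'GB'),), (('commonName', 'X'),)) -> 'countryName=GB, commonName=X'."""
    return ", ".join(f"{attr}={value}" for rdn in name for attr, value in rdn)


def weak_context() -> ssl.SSLContext:
    """The insecure shortcut seen in many samples: verification switched off.
    Any server, including a man in the middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Trust only the exported CA Cert; verify both the chain and the host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Deliberately no load_default_certs(): the OS trust store is not consulted,
    # so a certificate from any other public CA is rejected as well.
    if ca_pem is not None:
        try:
            ctx.load_verify_locations(cadata=ca_pem)
        except ssl.SSLError as exc:
            raise ValueError("CA file is not a PEM-encoded certificate") from exc
        # get_ca_certs() lists only certificates carrying the CA flag, so an
        # exported *server* (leaf) certificate leaves it empty: wrong file saved.
        if not ctx.get_ca_certs():
            raise ValueError("file holds no CA certificate (did you export the server cert?)")
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter for man-in-the-middle resistance."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "trusted_cas": [dn_to_str(c["subject"]) for c in ctx.get_ca_certs()],
    }


def issued_by_pinned_ca(peer_cert: dict, ctx: ssl.SSLContext) -> bool:
    """Extra check after the handshake: the server cert's issuer must be one
    of the pinned CA subjects (peer_cert is the dict from getpeercert())."""
    trusted = {ca["subject"] for ca in ctx.get_ca_certs()}
    return peer_cert.get("issuer") in trusted


def fetch_wsdl(host: str, ca_cert_path: str, port: int = DEFAULT_PORT) -> bytes:
    """GET the WSDL over a pinned connection. The handshake raises
    ssl.SSLCertVerificationError when the chain or host name does not check
    out, which is exactly what a man in the middle produces."""
    with open(ca_cert_path, encoding="ascii") as fh:
        ctx = pinned_context(fh.read())
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    try:
        conn.request("GET", WSDL_PATH)
        resp = conn.getresponse()
        peer = conn.sock.getpeercert()
        if not issued_by_pinned_ca(peer, ctx):
            raise ssl.SSLError("server certificate not issued by the pinned CA")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python pin_ca.py prime.cosigntrial.com exported-ca.crt
    print(fetch_wsdl(sys.argv[1], sys.argv[2])[:200])
```

Two design points worth noting: the pinned context never calls load_default_certs(), so the connection trusts the exported CA and nothing else, and check_hostname stays on so a genuine certificate for some other host is still rejected. Point the script at a host whose certificate was not issued by the pinned CA and the handshake fails before any SOAP request is sent, which is the behaviour you want under attack.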