Digitally signed PDF?

[vito]

Is it possible to have the PDF invoices digitally signed and timestamped through WHMCS (or PHP)?

 

In my country we have strict rules regarding e-invoices...

[Iceman]

Hi vito,

 

Can you give an example? That idea sounds like a good idea even if not required by my business. I've been customising our own PDF invoices quite a lot recently and may have a look at whether what you require can be done to ours as well. :-D

 

Cheers,

Paul

[s1rk3ls]

I don't think the timestamp option will work exactly as you need since the PDF is generated real-time. Everytime someone clicks on the "download pdf" link, it generates a file for them to download then discards it. This makes it much easier to go back and modify the invoice, cancel it, mark it as paid, etc. and download the pdf again to view the new status.

 

The point of digitally signing and timestamping (as I understand it) is to prove that an invoice existed at the given date/time. So the best possibility might be to download the PDF and sign/timestamp it yourself, then attach it in a ticket to a customer as a permanent legal document on their file. They can still download the generated invoice but for legal puposes you can refer to the signed/dated one in the ticket.

 

If this is a popular request, perhaps you can request it as a feature to sign/timestamp the initial invoice and attach it to a customers account automatically?

 

As for digitally signing, I'm not sure if the software supports it. I can't remember the name of the software used to generate the PDF files right now or I'd go look at their site

[Iceman]

At the time the Invoice is created a time stamp could be saved in the WHMCS database, linked to the Invoice number. I already have a date created which is "set" on an Invoice no matter how many times it is downloaded.

 

I'm interested in what the actual requirements would be to digitally sign the PDF.

 

Cheers,

Paul

[s1rk3ls]

I'm not sure on this, but I think the timestamp would be a part of the digital signature which is basically a third party validating not only the creator of the item but also the time it was created. Similar to a signed email which verifies you as the sender and when you sent it to prevent forgeries. In this case it would be impossible to "back-date" invoices if they are updated later - but you could potentially create a new signed invoice each time it is changed (i.e. Upon creation, and again when it is paid - proving when the initial invoice was created and again when it was paid)

[vito]

I was investigating this issue in the last days and it seems it is quite hard to digitally sign and timestamp a PDF automatically by a Linux server. Right now I'm looking for an alternate solution wich would work like this (I found a nice script wich digitally signs XML through PHP):

 

---> First of all I'm assuming that there could be an option to enable / disable e-invoices, so the client could choose between electronic and paper based invoices (this is required because an invoice should not exist in paper based format and electronic format, only one format can be used for one invoice according to the law).

 

1./a - WHMCS generates PDF invoice wich is not signed and only for personal purposes (if paper based invoices are not enabled for the client the process stops here)

1./b - If e-invoices are enabled for the client WHMCS generates an XML invoice too, wich is signed and timestamped, and it is for legal purposes

 

2. WHMCS sends the invoice to the client attached to the automatic email: only PDF or PDF + XML

 

3. Process ends here. If paper based invoices were enabled for the client I have to print the invoice and post it.

 

 

Do you think this could be done? Is there a part in the process wich can't be done by WHMCS if we have the technical requirements (PHP script for signing, etc.)?

[Iceman]

Have you looked at editing /includes/pdfconfig.php ?

 

As that file is simply php, you could get it to do the xml signing for you as well, if that is what you require.

 

Cheers,

Paul

[vito]

That file is for editing the PDF template, as far as I know there's no solution for signing PDF by PHP (I think it has to be different for XML and PDF).

[Iceman]

Yes. But as the file is pure php "perhaps" a background task of creating the xml, or whatever is required, can be done using that php file at the same time.

 

Cheers,

Paul

[vito]

Ok, now I'm getting your point. And yes you're right, good place to include your own code.

[vito]

I got an answer from the guy who wrote the script to digitally sign XML. He told me some useful infos to get started and he said it is quite easy to implement automatic digital signing and timestamping in PHP.

 

So time for a summary of my findings

 

 

As far as I know in the EU there are a number of rules for invoices, these are not the same in every country, but if you stick to the most secure way then your invoice will and can be accepted everywhere.

 

That means the invoice has to be:

-Digitally signed

-Timestamped

 

This makes sure the invoice is from you and it is created and not changed since the date of creation.

 

 

Steps to complete this project:

1. Find a coder who writes a script wich gathers the invoice info and creates the signed and timestamped XML invoice (the XML invoice has to be customizable to meet the requirements of each country)

 

2. Integrate it into WHMCS. As I'm not a coder I'm not sure if it can be implemented, I'm sure Matt has to do some changes to the code, but I don't know how hard could it be. I think this won't have a great impact on the logic of the system.

 

I think we need a tick box at the end of every order with the text: "I want to receive electronic invoice" and this would add a switch to the order, wich could be checked at every invoice generation so the XML generator script would "know" if it has to generate the XML or not (of course XML invoice should be generated only once, then it could be downloaded from the server, because we can't generate it a thousand times because of the timestamp). If the tick box is not checked then the client will receive only a PDF invoice, and he can receive a printed invoice as well if needed.

 

Who might find this useful:

1. Companies in the EU (it can be integrated into a lot of other applications as well!)

2. Who wants to have secure invoices

3. Who thinks this can have a positive impact on his reputation

 

 

If somebody is capable of doing this I would gladly work with him, or if there's somebody with the same requirements we could share the costs of the project, then make it avaible to everyone...

 

I hope Matt could do the integration part (the switch for the XML) and then there should be no problems .

[trine]

Vito, I think your are over complicating this.

 

First of all the invoice date/timestamp should be the timestamp of the PDF date too.

That date is already in the database and it is the actual creation date of the invoice.

 

Secondly, if you need digital signing or encryption, there are a few ways to do this with a PDF, but you may need to pass it through something other than FPDF which WHMCS uses. HTMLDOC can encrypt documents with password protection. We hired someone to do this for us.

 

Digitally encryption of documents with password protection should meet even EU laws.

 

When your official record is delivered with PDF, according to regulations in the US, the PDF must be archived, at the time of creation.

 

I am all for meeting with laws and regulations. This goes for the online account access too.

 

In the US we have the Sarbanes-Oxley Act which requires that documents are stored tamper proof.

 

We also have other laws regarding the very same thing called UETA (Uniform Electronic Transactions Act).

 

This act does vary from state to state slightly, but overall:

 

1. Click Agreements. The order process must include an "Click Agreement" accepting a contract online.

2. Digital Signature.. The order must store a digital signature, composed of either initials or the full name of who is entering the contract accepting the Click Agreement.

3. Non-modifiable Digitally Delivered Invoice. Digitally delivered invoices need to be encrypted or signed to meet with Sarbanes-Oxley Act and others

4. Client Access to Account. Client must be able to access his or her accounting records online, even after terminating the account, up to 18 months, when the sole or primary means of billing and record keeping is online. (I placed a feature suggestion about this).

4. Record Keeping Requirements. The business must keep a record of every client transaction for 7 to 10 years, depending on business type and jurisdiction.

[trine]

Vito, you can also take a look at Appligent and Ascertia. They also offer a product to sign and encrypt PDF documents.

[vito]

Thanks for the tips Trine. I would be the happiest if I could solve this by signing the PDF themselves, but it's not that simple. Believe me, I'm not the one who wants to complicate this...

 

First of all you should know that in the EU signed PDF invoices are not accepted everywhere. If you we use XML then there will be no problems for anybody.

 

Secondly signing PDFs server side is not the cheapest things in the world.

Appligent SecurSign: $2.495

 

We have everything to sign XMLs, we only need a coder who puts this together, wich is (I assume) much cheaper than developing an application from scratch or dealing with PDFs.

 

And lastly we need to know if a client wants e-invoices or paper based ones, because an invoice must exist in only one format. If we sign every invoice and some of them are printed as well then it's forgery according to the law, so only those can be signed where the client wants e-invoices. That's why we need that small setting for the type of the invoice.

[trine]

This whole thread really interests me a great deal, and I would like to see WHMCS be able to be compliant in the EU, US and Canada.

 

Believe me, I'm not the one who wants to complicate this...

 

I was vague, and meant the Invoice creation date when using WHMCS is the same regardless of the manner in which it was based.

 

I would think that since WHMCS would be your primary billing program and is online, it would entail that your invoices are e-invoices.

 

The fact that you print the invoice and send it, doesn't change the fact that it is an e-invoice to start with. But you do need to archive it, resulting in 2x the work You'd need to check with your lawyer to make sure you comply. We set our contracts and company policy to e-invoice, regardless of delivery method.

 

First of all you should know that in the EU signed PDF invoices are not accepted everywhere.

 

Doesn't the EU go by country where the business is located in, much like the US and Canada have state or provincial laws that may differ from federal UETA or similar?

 

If you we use XML then there will be no problems for anybody.

 

I'd like to understand the logic why an encrypted PDF is not valid everywhere, whilst the XML is. Just curious.

 

And, what if your user cannot access XML (old browser or something). Technically that would invalidate it according to UETA, I think. I think this could also be accomplished without the XML.

 

Why couldn't the PDF simply be encrypted as we have done? we merge it with a signed pdf before sending.

 

Secondly signing PDFs server side is not the cheapest things in the world. Appligent SecurSign: $2.495

Yep, this stuff isn't cheap, but you can't do it with FPDF which WHMCS uses. The only "free" thing was HTMLDOC.

 

We have everything to sign XMLs, we only need a coder who puts this together, wich is (I assume) much cheaper than developing an application from scratch or dealing with PDFs.

 

I can refer you to the person that did this for us. I send you a PM tomorrow.

 

And lastly we need to know if a client wants e-invoices or paper based ones, because an invoice must exist in only one format. If we sign every invoice and some of them are printed as well then it's forgery according to the law, so only those can be signed where the client wants e-invoices. That's why we need that small setting for the type of the invoice.

 

Without changing the WHMCS core, you could add a custom field on the signup form. If checked, use e-invoices, if not snailmail. I suppose there would be some core files which would need changing, but I also think that you could get around this in some manner too. We have opted to turn off automatic sending of PDFs for the very purpose of encrypting them first.

 

Ideally, it would be best to have WHMCS be compliant.

[vito]

Right now I'm gathering some info on the topic, I will report back if I have some time and I know enough to continue.

[vito]

This whole thread really interests me a great deal, and I would like to see WHMCS be able to be compliant in the EU, US and Canada.

 

Good to know that there's someone else like me.

 

 

I'd like to understand the logic why an encrypted PDF is not valid everywhere, whilst the XML is. Just curious.

 

That's only because some idiots in some governments thought that they can ban one of the most popular formats, because they are so smart. No real reason. I'm quite mad sometimes because of this.

 

 

Ideally, it would be best to have WHMCS be compliant.

 

Right now I'm working on this, as you can see . Unfortunately I'm not going to benefit a lot from it (at least others and WHMCS will), because my main target is my own country wich has the most idiotic rules regarding invoicing. I'm going to ask Matt if he could do some small changes for me in the invoicing system (I don't want to change the logic of the system, just a few additions), or else I have to find a software for invoicing instead of using WHMCS for everything.

 

 

 

I made some progress finding the universal rules for EU countries, this is what we know:

 

-XML format is universal

-Digital signing and timestamping is accepted everywhere

-There's a nice little thing called 6th council directive, wich covers the minimal content of the invoice in the EU. The only problem that there's about 79 docs (rules, etc.) / versions regarding this, and the whole pack of docs needs to be treated as one single document. I've found a summary about this and I'm going to translate it into English soon.

 

 

Oh yes, and I found a developer who is capable of doing the XML signing script, but he is quite expensive, so please send your contact if you can.

[trine]

I am still not clear with one thing ... Is digital signing with a certificate a prerequisite? or can it be encrypted with a user password?

 

Here in the US, the laws state that it needs to be only modifiable by the author, but also has weird wording as if a certificate is required, not simply encryption.

 

And, what country are you in?

[vito]

Yes, digital signing wit a certificate is a prerequisite.

[drtduarte]

Hello dear friends,

 

I'm already using pdf invoices with digital signature for almost one year. I was doing this manually with whmap, the invoices where created as pdf then signed on the pc and where then uploaded to the server, and the client could download them from the client area.

 

I know sounds complicated, but a lot cheaper then send them by post.

 

The point of giving to the costumer the possibility to choose between paper or electronic invoice, creates a new problem, according to Portuguese law, if you have two different types of invoice, these must have different number series.

 

So in my case all costumers must agree to have electronic invoices, I don't use paper invoices.

 

I was now trying to have the invoices signed on the server and sent to the client by email.

 

This can be done with http://www.sybrex.com/products/development/versypdf/

 

It's not so expensive as other solutions, it works with php it is a php lib and It can be integrated on whmcs, but this is a custom coding work for Matt.

 

I have already a quote from him to do this, maybe if we split the cost by several users this could be a cheap solution, and very professional.

[com2]

I would like the invoiced to be digitally signed by certificate as well and would probably contribute financially. I would however not do this with an expensive library like versypdf. (See pricing here: http://www.sybrex.com/products/development/versypdf/order.php?language=PHP&edition=Professional&platform=Linux Other versions don't include digital signature abilities)

 

I have seen larger companies that offer their on-line invoices with separate signature file, that timestamps and proofs that the invoice is unchanged with a separate signature test tool. Apparently that is legally sufficient. Likewise you could digitally sign an email with the invoice directly as HTML or attached as PDF. Both could be done with standard OpenSSL and from PHP. If you do that only with the paid invoices and add a function to "cancel" an already issued and "PAID" invoice, then there should not be a legal problems that could be considered forgery. In Spanish you call an cancelled Invoice Abono (NOT FERTILIZER!!):

*It is the opposite of a paid invoice

*It has its own numbering

*It carries the name Abono (What is that in English?) instead of Factura (Invoice)

*It cancels or partially cancels a Paid invoice

*It includes the invoice number that was fully or partially cancelled for reference.

 

This is a legally correcter system then just changing and issuing new invoices, especially when it was already paid and appears booked in bank or credit card account records.

[drtduarte]

would however not do this with an expensive library like versypdf. (See pricing here: http://www.sybrex.com/products/development/versypdf/order.php?language=PHP&edition=Professional&platform=Linux

 

I understand, but it is the cheapest pdf server signing solution that I've found, and it will easily be integrated with automation within whmcs

 

Anyway I'm open to other solutions...

[com2]

Best would be when Matt compares prices. It is possible that his programming cost for an OpenSSL solution would outweight the license cost of the library, but to be honest, I really doubt that. From the information it is not even clear if you would need to pay license cost for each sold copy of WHMCS or that one of the licenses would cover the cost of all.

[newbie]

Is it possible to have the PDF invoices digitally signed and timestamped through WHMCS (or PHP)?

 

In my country we have strict rules regarding e-invoices...

 

In whole Europe it's mandatory to use signed documents if the customer only gets a digital invoice, it has to do with that is has to be tamper proof, to prevent fraud.

 

In almost all countries there are similar laws, in most countries you can find "Wet company STAMP + signature" on paper invoice as proof that it issued by that company.

[com2]

In whole Europe it's mandatory to use signed documents if the customer only gets a digital invoice, it has to do with that is has to be tamper proof, to prevent fraud.

 

You are so right. That's why it surprises me that no billing system that I know supports this and a wider Google search on this brings very little. Looks like only larger companies are abiding these laws and they have their own programmers for a custom made solution.