Setting Up Electronic Signatures for Documents in Bitrix24
A manager creates an invoice in the CRM, prints it, carries it to the director for signature, scans it, attaches the scan to the deal, and sends it to the client. Fifteen minutes per document. With 30–50 documents flowing daily, that's an entire work shift spent on paperwork. Electronic signatures in Bitrix24 reduce this operation to a few clicks from within the deal card itself.
Types of Signatures and Where Each Is Used
| Type | Tool | When to Apply |
|---|---|---|
| Simple Signature (PEP) | Bitrix24 login/password | Internal approvals, office memos |
| Enhanced Non-Qualified (UNEP) | Software certificate | Inter-party document exchange by agreement (263-FZ) |
| Enhanced Qualified (QES) | CryptoPro CSP + accredited CA certificate | Legally significant documents, exchange with tax authority, contractors (63-FZ) |
For invoices and acts sent to external contractors, QES is required. For internal sign-offs, PEP or UNEP (if parties have agreed to recognize such signature) is sufficient.
CryptoPro Configuration and Signing from CRM
Three components are involved, and each must function correctly—otherwise the chain breaks.
CryptoPro CSP 5.0 is installed on the signer's workstation. The license is perpetual or annual per seat. Without it, the crypto provider operates in demo mode for 90 days, then stops working.
CryptoPro Digital Signature Browser plug-in is an extension for Chrome, Firefox, Edge, and Yandex Browser. Through the JavaScript API cadesplugin, the web application communicates with the local crypto provider. The plug-in is finicky: after a browser update, compatibility is sometimes lost. In a corporate environment, browser versions should be pinned.
QES certificate is stored on a USB token (Rutoken, JaCarta) or in the Windows registry. Installation: CryptoPro CSP -> Service tab -> Install Personal Certificate. To verify, use the test page at cryptopro.ru/sites/default/files/products/cades/demopage/cades_bes_sample.html.
Document signing process:
- User opens a document in a deal card (document generator
crm.documentgenerator) - Clicks "Sign" — Bitrix24 calls
cadespluginvia JavaScript - The plug-in prompts to select a certificate and enter PIN
- A detached CAdES-BES or CAdES-XLT1 signature is created
- The signature is saved with the document in the CRM
For cloud Bitrix24, the browser communicates with the local crypto provider through the Browser plug-in. In the boxed version, server-side signing is available via CryptoPro JCP or .NET—the document is signed on the server without the workstation's involvement.
Pitfalls to Watch For
Binding to a workstation. The token and CryptoPro CSP must be on the signer's computer. Signing from a phone without CryptoPro DSS (cloud signature) is impossible. For mobile employees, this is a critical limitation.
Signature format. CAdES-BES is a simple format that does not contain data about certificate validity at the moment of signing. For long-term document storage (over 1 year), use CAdES-XLT1—it includes a time stamp and OCSP response. The difference becomes apparent in litigation: CAdES-BES can be contested if the certificate was revoked after signing.
Batch signing. Bitrix24's standard interface signs documents one at a time. With 50+ documents daily, this is inconvenient. Batch signing is implemented through customization: REST API to retrieve documents + a loop of cadesplugin calls on the client side.
Setting up electronic signatures is a one-day task if certificates and licenses are in place. Most time goes into verifying the Browser plug-in's compatibility with specific browser versions and configuring the server side for boxed installations.