Cryptographic providers
With the Conversion Service, you can create digital signatures in PDF and PDF/A files. You can choose from local and online cryptographic providers to support your legal and regulatory requirements.
The cryptographic provider manages certificates and the associated private keys and implements cryptographic algorithms.
Before you start
Before you apply a digital signature to a document, configure a cryptographic provider. The cryptographic provider impacts the legal effect of your digital signatures and often depends on your local legal and regulatory requirements.
If you need clarification on your local legal and regulatory requirements about the legal effect of a digital signature, contact your local certificate authority (CA) for guidance.
Preparation before creating a digital signature
The following steps can help you identify which type of digital signature you need before you implement it in the Conversion Service:
Identify whether you require:
- Simple electronic signature
- Advanced electronic signature (AdES)
- Qualified electronic signature
- Timestamp signature
An advanced signature is sufficient for automated processes, like applying signatures on multiple documents at once.
Determine signature lifecycle regulations.
- Is a timestamp required to prove that the signature existed at a specific date and time?
- Is it necessary to embed validation information to allow the signature validation after the signature is generated?
- Is a specific signature encoding required?
These regulatory requirements define the signature level that you must use.
Acquire a corresponding certificate from a certificate authority. Use either:
- A hardware security module (HSM).
- An online signing service.
- Soft certificates.
- Other hardware, such as USB tokens or smart cards.
Set up and configure the certificate cryptographic provider.
- If the certificate is provided by hardware, install the required middleware (driver).
- If the certificate is a soft certificate, import it into the cryptographic provider's certificate store.
Optional: Acquire access to timestamp authority (TSA), preferably from a certificate authority of your signing certificate.
Optional: Sign documents in PDF/A format. Using files conforming to the PDF/A standard as an input has several benefits:
- PDF/A format ensures that the visual appearance of files can be reproduced in any environment.
- PDF/A conformance is required if the file is to be archived.
- Signatures can break when converting signed files to PDF/A. Convert files to PDF/A before signing them.
Supported digital signature types
Available signature providers in the Conversion Service are the following:
- GlobalSign (Online Service)
- PADES-B-LT/LTA
- PKCS#11 (Hardware Module)
- PADES-B-T
- PADES-B-LT/LTA
- Swisscom (Online Service)
- PADES-B-T
- PADES-B-LT/LTA
- On-Demand
- Windows (Soft certificate)
- PADES-B-B
- PADES-B-T
- PADES-B-LT/LTA
Types of cryptographic providers
The following sections explain the most common types of cryptographic providers. As stated previously, configure a cryptographic provider before applying a digital signature to a document.
Online signing services
Online signing services are cloud-based cryptographic providers that enable their customers to sign documents and provide them with time-stamps. These services provide a convenient alternative to storing certificates and private keys.
The Conversion Service supports the following online certificate providers:
- Swisscom All-in Signing Service
- GlobalSign Digital Signing Service
The GlobalSign and Swisscom cryptographic providers have their own TSA that lets you generate trusted time-stamp information.
Soft certificate
Soft certificates are files which contain certificates. These files are typically in PKCS#12 archive file format with .pfx or .p12 file extensions. Soft certificate files contain the signing certificate, as well as the private key and trust chain (issuer certificates).
In the Conversion Service, you cannot use soft certificate files directly. However, you can import them into the certificate store of a cryptographic provider. The recommended way of using soft certificates is to import them into a store that offers a PKCS#11 interface and use the PKCS#11 provider.
On Windows, if no PKCS#11 provider is available, you can import the soft certificates into the Windows certificate store, which you can then use as a cryptographic provider. Note that the Windows and PKCS#11 cryptographic providers can require a third-party TSA to be configured.
Hardware Security Module
Hardware Security Modules (HSMs) offer a good PKCS#11 support. For more information and installation instructions, see the separate document TechNotePKCS11.pdf. You might use other hardware, such as USB tokens or smart cards.
General settings of cryptographic providers
The following sections explain common settings of cryptographic providers in the Conversion Service.
Trust store
Trust store is a repository that holds digital certificates issued by the certificate authority (CA).
When the Conversion Service connects to a remote service (Swisscom, GlobalSign), the server certificate's trustworthiness has to be verified. The verification process requires a trust store, otherwise, verification always fails.
The Windows certificate store for Trusted Root Certification Authorities is used. You can install the root certificate of a private CA manually on a computer by using the 'CertMgr' tool. The certificate store is only available if the user profile has been loaded.
A server's certificate is considered trustworthy if it matches a certificate in the trust store or one of its issuer certificates.
Connections to untrusted servers are not established, as this could pose a security risk. Such attempts are treated as internal configuration errors and an error message like the following is logged:
"Failed to connect to the signing service: Cannot create a session: certificate verify failed."
Proxy settings
Some of the features of the Pdftools Conversion Service require access to a remote service. These features include:
- Connecting to a time-stamp authority (TSA) to retrieve a time-stamp
- Connecting to an online signing service to access document signing functions
- Connecting to a certificate authority to retrieve certificates and revocation information
If your software runs in a secured environment, it can be necessary to configure a proxy server to route requests to these remote services.
The default value for the Proxy server URI property is null, meaning that no proxy is used. Otherwise, you have to set the proxy.
Set it in the C:\Program Files\Pdftools\Conversion Service\bin\appsettings.json manually.
Signature level
Signature level (marked as Signature-level in the Conversion Service Configurator) specify levels of security that a digital signature provides.
PaDES-B-LT
By default long-term validation (LTV) information is added to the output document. The PaDES-B-LT embeds revocation information such as online certificate status (OCSP) response and certificate revocation lists (CRL). Revocation information is provided by a validation service at the time of signing and acts as proof that the certificate was valid at the time of signing.
LTV (Long-Term Validation) records the Certificate state at the time of signing. To validate a certificate, the time and date the PDF file was signed need to be known. To make this undisputable, the signature has to be digitally timestamped.
PaDES-B-LTA
To obtain a higher security level of a signature, choose PaDES-B-LTA instead of PaDES-B-LT. PaDES-B-LTA adds an additional time-stamp signature to the document.
Note that for PAdES-B-LTA signatures, enable the creation of Trusted Time-stamps in the corresponding account.