Having selected PDF (PAdES) within the Signing Profile configuration the following form is shown. Each option is discussed in the table below:



The configuration items are as follows:

Items

Description

Signature Settings

Select the signature format to be produced. For more details see the section Supported Signature types

Note: The ISO 32000-1 based PDF signatures are verifiable in Adobe Reader 7+ and PAdES signatures based on ETSI Standard are verifiable in Adobe Reader 10+. 

Document timestamp only

This setting requests the ADSS Signing Service to only add a new document timestamp to the PDF.

Timestamp (TSA) Settings

Select the required timestamp authorities from the list of registered TSAs.  

The configuration of TSA address(es) is described in this section: Configuring Time Stamp Authorities (TSA).  

Note: If the issuer CA of the signing certificate in Trust Manager has an associated TSA then this TSA (or TSAs) override any TSAs defined in this signing profile.

RevocationStatus InformationUnavailableError

If the following long-term signature formats are selected:

  • PDF Signature with embedded timestamp and revocation information
  • PAdES-LT (Long term availability of validation data)
  • PAdES-LTV (PAdES Part 4, PAdES-T Signature with embedded validation information)

Then an extra check box is offered to decide if ADSS Server should return an error if it cannot embed the revocation information when creating the Long-Term signature.

Such signatures require embedded status/revocation information for the signer's certificate chain. Selecting this check box is useful to stop basic signatures being created when a communication failure prevents revocation information from being obtained from external resources. If this check box is not selected, the signature will still be produced, but it may not contain the embedded revocation information if this was unavailable at the time of signing, e.g. if the relevant OCSP responder is not responding or if the dynamic CRL is unavailable. ADSS Server is generally configured to cache CA CRLs locally and it also has a short-life cache for dynamic CRLs and OCSP responses.

Note: It is recommended you always tick this box.

Hashing Algorithm

The selected hashing algorithm is used within the signature generation process. These algorithms are supported:

  • SHA1
  • SHA2 (SHA224, SHA256, SHA384, SHA512)
  • RipeMD128, RipeMD160

Signature/Document Relationship

This defines how the signature and the document relate to each other, i.e. whether one is inside the other or they exist separately. These options are available:

  • Enveloping (must be used for SHA-1 based signatures)
  • Detached (must be used for SHA-2 based signatures)

Visible Signature

This defines whether a visible or invisible signature will be created. If True is selected a further option is added below.

Apply Certify (author) signature

A Certify signature option is very useful to lock the document against further unauthorised changes. These options are presented:

  • No changes allowed (Useful for invoices, statements, etc)
  • Form fill-in and digital signatures (Useful when more than one person needs to fill in a form and sign)
  • Annotations, form fill-in and digital signatures (Useful when users wish to comment & sign a document)


  1. This option is not available when signature type 'Document timestamp only' is selected.
  2. 'No changes allowed' certify signature option will not be available for PAdES-LT and PAdES-LTV signature types.


Use a PDF editor to draw signature field(s)

If this option is selected then signing location(s) can be defined by opening the target PDF in the PDF editor. 

The details of how this works are explained below.

Use a default signing field

If selected then the following options are shown:

1. Default Signing Area

This option allows you to select a default location on the page where the signature appearance will be stamped. You have choices of:

  • Top Left corner
  • Top Right corner
  • Center
  • Bottom Right Corner
  • Bottom Left Corner

If this does not adequately position the signature field on a document (e.g. engineering drawings have specific requirements where the signature field should go) then use the precise locations option.


2. Signing Page

This defines which page of the document to sign on when using a default signing location. 


3. Signature Appearance

Select one of the PDF Signature Appearances already generated as mentioned in the section PDF Visible Signatures.


The Overrideable flag indicates whether the details configured in the signing profile can be amended by the client application by passing parameters in the signing service request message. Select the check boxes for those values that the client application is able to override in this signing profile. This provides a great deal of flexibility to the client application to override the signing profile settings at the time of sending the request to ADSS Server.


Use an existing blank signature field

If selected then the following options are shown:

1. Signing Field

If the document already has a blank signature field, then the name of the signature field can be specified using this option. When ADSS Server signs a PDF document using this signing profile it will then search for this signing field and embed the signature details within that field. This is also a good way of positioning the signature in an exact location rather than just the default locations mentioned above. 

Note: Signature field names are case-sensitive so ensure you enter a valid field name as used in your documents, e.g. field1 and Field1 are not the same. 


2. Signature Appearance

Select one of the PDF Signature Appearances already generated as mentioned in the section PDF Visible Signatures.

The Overrideable flag indicates whether the details configured in the signing profile can be amended by the client application by passing parameters in the signing service request message. Select the check boxes for those values that the client application is able to override in this signing profile. This provides a great deal of flexibility to the client application to override the signing profile settings at the time of sending the request to ADSS Server.


Embed font to be used for PDF signature appearance text objects

Select the fonts used in the signature appearance to be embedded in the signed PDF document. Using this option, PDF/A compliant documents will retain PDF/A compliancy after signing. Supported PDF/A documents are:

  • PDF/A-1a
  • PDF/A-1b
  • PDF/A-2a
  • PDF/A-2b
  • PDF/A-2u
  • PDF/A-3a
  • PDF/A-3b
  • PDF/A-3u

EPES signature

Explicit Policy Based Electronic (EPES) signature settings are only available for the PAdES signature types. By enabling the check box Add Signature Policy Identifier, the signing profile can be used to produce (EPES) signatures where a signature policy OID, URI and user notice are added in the digital signature as specified below.

1. Signature Policy Object ID

A mandatory field.

Provide the Signature Policy OID to be added for EPES signatures.


2. Signature Policy URI

An optional field.

Provide the Signature Policy URI to be added for EPES signatures.

If there is no Policy URI defined inside the signing profile then EPES configurations should be made in policy.properties file located at: [ADSS Installation Directory]/service/

Open this file in any text editor and enter the policy OID and the path to the policy document

e.g. 1.2.3.4.5 = "F:/Policy_File"


The ADSS Signing Service can retrieve the signature policy document in either one of the following ways:


  • Using the Policy URI defined in the signing profile. The ADSS Signing Service will use this policy URI to retrieve the policy document available online; its hash value will be calculated and embedded in the signed properties of the signature.
  • Using a locally configured signature policy document. The ADSS Signing Service will use this text file pointer to retrieve the locally saved policy document, hash it and embed the hash in the signed properties of the signature.


3. Signature Policy User Notice

Provide the user notice to be added to the EPES signatures.
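
The constraints stated in the table above can be checked before a profile is put into use. The following is an added example, not ADSS Server code: the dictionary field names, the `PDF-TS-REV` label and the sample profiles are hypothetical and constructed for illustration.

```python
# Added example: field names and values are hypothetical and do not reflect
# an ADSS Server export format. The rules are the ones stated in the table.
LONG_TERM = {"PDF-TS-REV", "PAdES-LT", "PAdES-LTV"}  # PDF-TS-REV: hypothetical label
SHA2 = {"SHA224", "SHA256", "SHA384", "SHA512"}

def review_profile(p, local_policies=()):
    """Return findings for one profile dict; local_policies = OIDs in policy.properties."""
    out = []
    sig = p.get("signature_type", "")
    algo = p.get("hash_algorithm", "").upper()
    rel = p.get("relationship")
    certify = p.get("certify")  # None when no Certify signature is applied
    # Long-term formats need embedded revocation data; fail rather than degrade.
    if sig in LONG_TERM and not p.get("error_if_revocation_unavailable"):
        out.append("revocation-unavailable error is off for a long-term format")
    # Signature/document relationship is tied to the hash family.
    if algo == "SHA1" and rel != "Enveloping":
        out.append("SHA1 requires Enveloping")
    if algo in SHA2 and rel != "Detached":
        out.append("SHA2 requires Detached")
    # Certify (author) signature restrictions.
    if certify and p.get("document_timestamp_only"):
        out.append("Certify is unavailable with 'Document timestamp only'")
    if certify == "No changes allowed" and sig in ("PAdES-LT", "PAdES-LTV"):
        out.append("'No changes allowed' is unavailable for PAdES-LT/LTV")
    # EPES: OID is mandatory; without a URI the OID must be mapped locally.
    epes = p.get("epes")  # None when Add Signature Policy Identifier is off
    if epes is not None:
        oid = epes.get("policy_oid")
        if not sig.startswith("PAdES"):
            out.append("EPES settings apply to PAdES signature types only")
        if not oid:
            out.append("Signature Policy Object ID is mandatory")
        elif not epes.get("policy_uri") and oid not in local_policies:
            out.append("no Policy URI and OID not in policy.properties")
    return out

# Constructed sample profiles (not taken from a real deployment).
GOOD = {"signature_type": "PAdES-LT", "hash_algorithm": "SHA256",
        "relationship": "Detached", "error_if_revocation_unavailable": True,
        "certify": "Form fill-in and digital signatures",
        "epes": {"policy_oid": "1.2.3.4.5"}}
BAD = {"signature_type": "PAdES-LTV", "hash_algorithm": "SHA256",
       "relationship": "Enveloping", "certify": "No changes allowed",
       "epes": {"policy_oid": "2.999.1"}}

if __name__ == "__main__":
    for name, prof in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, review_profile(prof, local_policies={"1.2.3.4.5"}))
```
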


Use a PDF editor to draw signature field(s) as required

Going back to how to define a precise signing location for your documents, enabling the radio button "Use a PDF editor to draw signature field(s) as required" shows the following screen:



The PDF Signature Location drop-down lists all configured preferred signature locations. For more details please see the PDF Sig. Locations sub-module; you can also create new signature appearance(s) there if none of the already available signature appearances meets user needs. Multiple signature fields can be created in this way. ADSS Server will sign all fields with the associated signature appearance when this signature profile is referenced by client applications.


Use a default signing field location

Enabling the radio button "Use an existing blank signature field in the target document" shows the following screen:



The configuration items are as follows:

Items

Description

Signing Field

If the document already has a blank signature field, then the name of the signature field can be specified using this option. When ADSS Server signs a PDF document using this signing profile it will then search for this signing field and embed the signature details within that field. This is also a good way of positioning the signature in an exact location rather than just the default locations mentioned above. 

Note: Signature field names are case-sensitive so ensure you enter a valid field name as used in your documents, e.g. field1 and Field1 are not the same.

Signature Appearance

Select one of the PDF Signature Appearances already generated as mentioned in the section PDF Visible Signatures.

Overrideable

This flag indicates whether the details configured in the signing profile can be amended by the client application by passing parameters in the signing service request message. Select the check boxes for those values that the client application is able to override in this signing profile. This provides a great deal of flexibility to the client application to override the signing profile settings at the time of sending the request to ADSS Server.



Configuring Signature Visibility


Selecting "False" in the Visible Signature option shows the following screen:



Configure the Signing Reason, Location and Contact info to be included in the signature.


The Overrideable flag indicates whether the details configured in the signing profile can be amended by the client application by passing parameters in the signing service request message. Select the check boxes for those values that the client application is able to override in this signing profile. This provides a great deal of flexibility to the client application to override the signing profile settings at the time of sending the request to ADSS Server.


See also

PDF/PAdES Hash Signing Attributes
Microsoft Office Signing Attributes
PKCS7 Signing Attributes
CMS/CAdES Signing Attributes
XML/XAdES Signing Attributes
S/MIME Signing Attributes