The goal of a digital signature is to provide a way for the document's recipient to verify the identity of the one who signed it, and that nothing has changed since it was signed. To accomplish this, digitally signing a document means applying a digital certificate to the document. This certificate is the way to ensure the integrity and authenticity of the document once signed.
Integrity
Proves the document has not been altered. Nothing has been added, changed, or removed since the document was signed.
Authenticity
Proves the document originated from a specific individual or organization.
Digital Certificates
When you open a document that was digitally signed, Nitro PDF Pro will validate the digital certificate it was signed with and inform you whether the certificate is from a trusted source.
In order for you to digitally sign a document, you need to obtain a digital certificate from a certificate provider. This may involve purchasing a certificate and may involve installing software from the provider.
What is a Digital Certificate?
A digital certificate is a piece of data, typically stored in files or on an external device, such as a secure USB dongle, which contains:
- Identity information for a person or company, for example, a name, country, and location
- Public key used to sign documents
- Digital signature, typically of a trusted third party
Along with your digital certificate, you create a private key. Unlike the public key which helps make up the certificate, the private key is typically stored on your system keychain where other secure items, like passwords, are stored. Documents are signed using this private key. Your digital certificate, containing your public key, along with your identity information and the digital signature, is embedded in any documents you sign. It's safe to give your public key to others. You must keep your private key secure.
Security
Digital certificates have a "chain of trust", which begins with a root certificate, may include intermediary certificates, and ends with the certificate of a person or company.
Just because a certificate is verified as trusted does not mean it always must be so. For example, if you lose your laptop or your secure USB dongle someone else could gain access to your private key, which means the integrity of the certificate has been compromised. In an event such as this it's possible to revoke the digital certificate.
Issuers of digital certificates maintain systems to check whether a digital certificate has been revoked or remains valid. One system is called the Online Certificate Status Protocol (OSCP), and the other is Certificate Revocation Lists (CRLs). Nitro PDF Pro is capable of checking both, as necessary.
Validation
When you open a PDF with a digital signature using Nitro PDF Pro, the following steps occur to validate the signature:
- The signed content of the document is validated to ensure it hasn't changed
- The signature of the certificate is tested to ensure the certificate is valid
- The chain of trust of the certificate is validated
- The expiration date of the certificate is considered
- The certificate is checked against OSCP or CRLs to ensure it hasn't been revoked
States of Validation
When you view a signed document in Nitro PDF Pro the document will display one of three states:
Pass
You see a green badge in the upper right corner of the document. The document passed all of the above tests.
Conditional Pass
You see a yellow badge in the upper right corner of the document. The document passed all of the above tests, but the root certificate is not trusted.
Fail
You see a red badge in the upper right corner of the document. The document failed one or more of the above tests.
Hover your cursor over the validation icon badge for information about the validation. Click on it to see the certificate details.
Signing a PDF with a Digital Signature
- Add a signature field to the document. You can either select the Signature Field tool
- Double-click on the signature field and draw your signature.
- Click Apply Digital Signature and choose your digital certificate from the Select Signing Identity drop-down menu.
- You may see several options in the drop-down list, look for the issuer of your certificate.
- You may be prompted to allow Nitro PDF Pro to access your keychain. You must allow this to apply the digital signature.
Testing as of February 2016, suggests that only DigiCert and GlobalSign offer digital certificates compatible with use on macOS. Each requires special driver software from the certificate issuer.
Self-Signed Certificates
It's possible to create your own digital certificate, rather than obtaining one from an issuer. This is called a self-signed certificate. Self-signed certificates do not have a chain of trust and cannot be revoked. Therefore, they are not suitable for establishing the authenticity of a document. They're only suitable for verifying document integrity.
Create a Self-Signed Certificate
- Add a signature field to the document. You can either select the Signature Field tool
- Double-click on the signature field and draw your signature.
- Click Apply Digital Signature. In the menu which appears click Create A New Identity.
- Enter your Name and Email address and click Create.
- Select your new certificate from the list.