Signing & verification

DocsNG signs PDFs with PAdES digital signatures, including Long-Term Validation (LTV), using certificates you control — and lets anyone verify authenticity and integrity.

PAdES-LTV digital signatures

Signatures are based on the PAdES standard and support Long-Term Validation. Signatures are generated using a certificate stored in a password-protected PFX file: upload the PFX to your DocsNG profile, then enter its password at generation time to sign the output. DocsNG supports both advanced and qualified signatures, helping you meet the highest standards of integrity, authenticity and compliance.

How to add advanced signatures

The only requirement is a valid signing certificate in a password-protected PFX file (most certificate authorities issue signing certificates in this format).

Step 1 — Administrator: server settings

Sign in as an administrator, go to Settings → Server Settings and configure:

  • Timestamp server — used for all timestamping. You may use a public or commercial timestamp server:
    • http://timestamp.sectigo.com/qualified (EU Qualified)
    • http://timestamp.sectigo.com (Adobe Approved Trust List)
    • http://timestamp.digicert.com (Adobe Approved Trust List)
  • Signature visibility — whether signatures are visible. Visible signatures are placed on the first page; set the field Left, Bottom, Width and Height to position and size it.

Step 2 — User: account settings

Sign in as the user who owns the certificate, go to Settings → Account, then:

  1. Check Use Advanced Signature.
  2. Click + to upload the PFX file.
  3. Click Save.

Applying PAdES-LTV signatures

Enter the PFX password in the Advanced Signature Password field at generation time (GUI), or as the pfxPwd parameter via the API.

eIDAS signing tiers

Choose the assurance level your regulation requires:

TierUse
Advanced (AdES)Advanced electronic signatures with your certificate or a KMS/HSM key.
Qualified (QES)Qualified signatures using a qualified signature creation device (QSCD) via a QTSP remote-signing integration.
Electronic seal (QSeal)Organisational seals for documents issued by a legal entity.

Per-template or per-tenant policy can require a minimum tier; the achieved level is recorded in the document metadata and the audit trail.

Key custody: HSM, KMS & BYO-key

Keep signing keys where you want them — a local PFX, Google Cloud KMS, Azure Key Vault or a PKCS#11 HSM. Private keys never leave the provider. In multi-tenant deployments each tenant can bring its own key (BYOK/BYO-HSM), so one tenant's keys are never usable by another.

Qualified timestamping

Timestamps use a configurable RFC 3161 TSA, including qualified providers (QTSP), with optional fallback TSAs. Timestamp status and issuer are shown during verification.

Multi-party signing

Route a document to several signers in a defined order or in parallel, with roles and email invitations. Each signature is appended without invalidating earlier ones (incremental save), per-signer status is tracked, and external signers can sign via a secure, single-purpose link. Every action is recorded in the audit trail.

Encryption

When creating a PDF you can secure it with AES encryption and a password. Recipients enter this password to open the document. (Encryption and signatures do not apply to DOCX output.)

PDF permissions

An administrator can require a permissions password for restricted actions and allow certain actions without it — Print, Change Content, Copy Content, Comment and Fill Form, Fill Form, Copy Content for Accessibility, Assemble Document, Print High Resolution. See Administration.

Verifying a signed document

Anyone can confirm a signed PDF is genuine and unaltered. Programmatically: [HTTP POST] [URL of DocsNG]/api/Document/ValidatePdf with the PDF file. It reports whether the signature is valid and the document is intact.

Troubleshooting

  • Signature shows as untrusted: ensure the signing certificate chains to a CA trusted by the reader.
  • Timestamp missing: check the configured timestamp server URL is reachable.
  • Signing not applied: confirm the PFX is uploaded to the user profile and Use Advanced Signature is checked.

Need help? Contact us or try the live demo.