Signing PDFs in the cloud or through a browser would be straightforward if it weren't for the fact that the only certificates automatically trusted by Adobe Reader need to have physical support, i.e., they need to be in a smart card, USB token, HSM or other security device. This means, particularly in the cases where security or compliance reasons prevent the PDF to sign to leave the server where it is stored, that a hash of the PDF prepared for signature needs to be sent to the security device (since a private key cannot be extracted from a security device), signed there, and the resulting signature blob needs to be returned and embedded in the previously prepared PDF.
Two common use cases are the following: (a) a company wants to send signed PDF statements to their customers Bob and Alice and wants to run the signing application in the cloud; and (b) user Alice needs to use a browser to sign a PDF located in a remote server using the private key in the smart card connected to her computer.
In both use cases the approach is the same:
You can use MyPDFSigner for the three steps above. For the signing step there two options : a Java based solution and a PHP, Ruby or Python solution. The Java based solution can interface with PKCS#11, PKCS#12, Windows Certificate Store and Apple Keychain stores. THe PHP, Ruby or Python solution can only interface with PKCS#11 and PKCS#12 stores.
Cloud signing means the security device is somehow in the cloud. One option is to use cloud based HSM that many Certificate Authorities or other organizations provide. The other option is to host your own cloud connected computer and plug your security device to it. In this second option you can have your main application in the cloud and only host the signing server in the your premises or hosting facility.
The local part of the demo, which for now is only available for Windows and Mac OS X, is included as part of the desktop application installer. To run it, edit the configuration file, as shown below, and then start the MyPDFSigner-Tray application (see the Online Demo for more details). Note that the SSL entries of the configuration file are only needed if running the demo under HTTPS.
The hash signer service provided adds some extra entries to the configuration file:
remoteurl=https://www.kryptokoder.com localprotocol=https localhost=localhost.daplie.com localport=8443 ssljkstore=C\:\\Program Files\\MyPDFSigner\\tests\\mypdfsigner-ssl-hashsignerservice.jks sslkeystorepasswd=5c3d995123cd147c sslkeymanagerpasswd=7e9b9c6b42b85823
The localhost value should be (assuming the remote site runs under HTTPS) a 127.0.0.1 record on a public domain, and the ssljkstore is a Java KeyStore with the SSL certificates for that record. Note that although it is not possible to obtain an SSL certificate for localhost you can obtain one for, say, localhost.mydomain.com if you are the owner of mydomain.com. The sslkeystorepasswd and sslkeymanagerpasswd are the encrypted passwords of, respectively, the Java KeyStore and the private key in the Java KeyStore.
A second alternative, instead of running a local service, would be to run an applet in the browser and have the applet interface with the security device, but given the fact that applets are not very liked by browsers this is not a good option.