Digital ID (PKI Certificates)

A Digital ID (also called a digital certificate or PKI certificate) is the cornerstone of secure, legally binding electronic signatures. This page explains what Digital IDs are, why they matter, and how to configure them in WPsigner.

What is a Digital ID?

A Digital ID is a cryptographic certificate that:

Verifies your identity - Proves who signed the document
Seals the document - Creates a tamper-evident container
Establishes trust - Third-party validation of authenticity
Enables long-term validity - Signatures remain valid for years

Think of it as a digital passport or notary stamp for your electronic documents.

Why Digital IDs Matter

The Problem Without Digital IDs

Without a Digital ID, your signed PDF is essentially just an image of a signature placed on a document. Anyone could:

Modify the document after signing
Claim the signature was forged
Dispute when the document was signed
Question who actually signed

The Solution With Digital IDs

A Digital ID provides cryptographic proof:

Without Digital ID	With Digital ID
Signature is just an image	Signature is cryptographically bound
Document can be modified	Any modification breaks the seal
No identity verification	Identity verified by certificate
Easy to dispute	Legally defensible
Poor compliance	Full regulatory compliance

Legal Importance

Regulatory Compliance

Digital IDs enable compliance with major e-signature regulations:

Regulation	Region	Digital ID Role
ESIGN Act	USA	Provides intent attribution
UETA	USA (all states)	Establishes signer identity
eIDAS	European Union	Required for Advanced/Qualified signatures
ZertES	Switzerland	Required for qualified signatures
IT Act	India	Required for legally valid signatures

Court Admissibility

In legal disputes, digitally signed documents with valid certificates are:

Self-authenticating - No additional witness required
Tamper-evident - Any changes are detectable
Non-repudiable - Signer cannot deny signing
Time-bound - Timestamped for provenance

Industry Requirements

Certain industries require digital certificates:

Industry	Requirement	Reason
Healthcare	HIPAA compliance	PHI protection
Finance	SOX, PCI-DSS	Financial records integrity
Government	NIST, FedRAMP	Security standards
Legal	Bar association rules	Document authenticity
Pharma	FDA 21 CFR Part 11	Regulatory submissions

Types of Digital Certificates

Self-Signed Certificates

Created by you, for internal use.

Best For:

Internal company documents
Testing and development
Non-legal agreements
Team acknowledgments

Pros:

Free to create
Instant availability
Full control

Cons:

Not trusted by default in Adobe Reader
Recipients see “Unknown Signer” warning
Less credible for external parties

Commercially Issued Certificates

Purchased from a trusted Certificate Authority (CA).

Best For:

Client-facing contracts
Legal agreements
Regulatory filings
Any document requiring third-party validation

Pros:

Automatically trusted in Adobe Reader
CA verifies your identity
Higher legal weight
Green checkmark in Adobe

Cons:

Annual cost ($200-$500/year)
Identity verification process
Renewal required

Certificate Authority Comparison

Certificate Authority	Price Range	Verification Level
DigiCert	$300-500/yr	Organization validated
Sectigo (Comodo)	$150-300/yr	Organization validated
GlobalSign	$250-400/yr	Organization validated
SSL.com	$150-250/yr	Individual/Organization
Entrust	$300-500/yr	Enterprise grade

[!TIP] For most businesses, DigiCert or GlobalSign offer the best balance of trust and support. Their certificates are on Adobe’s Approved Trust List (AATL).

How Digital Signing Works

The Signing Process

When WPsigner finalizes a document with your Digital ID:

1. Document Hash Created
   └─ SHA-256 hash of entire PDF content

2. Hash Encrypted
   └─ Your private key encrypts the hash

3. Signature Embedded
   └─ Encrypted hash + your certificate added to PDF

4. Timestamp Applied
   └─ TSA server certifies the signing time

5. Sealed PDF Created
   └─ Final document with digital signature

Verification Process

When someone opens the signed PDF in Adobe Reader:

1. Extract Signature
   └─ Adobe reads the embedded signature

2. Verify Certificate
   └─ Checks if CA is trusted (AATL)

3. Validate Hash
   └─ Recalculates hash and compares

4. Check Timestamp
   └─ Verifies signing time

5. Display Status
   └─ ✅ Valid or ❌ Invalid

Configuring Your Digital ID

Accessing Digital ID Settings

Go to WPsigner → More → Digital ID
Or navigate to WPsigner → Settings → Security

Option 1: Generate Self-Signed Certificate

For testing or internal use:

Click Generate Self-Signed Certificate
Fill in the certificate details:

Field	Description	Example
Common Name	Your name or company	Acme Corporation
Organization	Company name	Acme Corp
Department	Optional department	Legal Department
City	Your city	San Francisco
State/Province	Your state	California
Country	Two-letter code	US
Email	Contact email	legal@acme.com
Valid Years	Certificate lifetime	3 years

Click Generate Certificate
Certificate is created and activated immediately

Option 2: Upload Commercial Certificate

For production use with purchased certificate:

Obtain a .p12 or .pfx file from your CA
Click Upload Certificate
Select your .p12/.pfx file
Enter the certificate password
Click Upload and Activate

Certificate File Formats

Format	Extension	Description
PKCS#12	.p12, .pfx	Contains private key + certificate
PEM	.pem, .crt	Certificate only (convert to .p12)
DER	.der, .cer	Binary format (convert to .p12)

WPsigner accepts .p12 and .pfx files directly.

Adobe Trust List (AATL)

What is AATL?

The Adobe Approved Trust List is a list of Certificate Authorities that Adobe automatically trusts. When you sign with an AATL certificate:

Adobe Reader shows a green checkmark ✅
Recipients see “Signature is VALID”
No manual trust configuration needed
Maximum legal credibility

AATL Members Include:

DigiCert
GlobalSign
Sectigo
Entrust
IdenTrust
DocuSign (certificate program)
SwissSign

Non-AATL Certificates

Self-signed certificates show:

Yellow warning triangle ⚠️
“Signature validity is UNKNOWN”
Recipient must manually trust your certificate

This is still legally valid but requires recipient action to verify.

Certificate Best Practices

Security

Practice	Why
Strong password	Protect your private key
Secure storage	Store .p12 file safely
Limited access	Only authorized staff should access
Backup	Keep secure backup of certificate
Regular rotation	Replace before expiration

Organizational

Practice	Why
Centralized management	One certificate for all documents
Document policy	Define which docs need signing
Training	Educate staff on certificate importance
Audit logging	Track certificate usage

Renewal Planning

Certificates expire. Plan ahead:

Set calendar reminder - 60 days before expiration
Budget annually - Include in IT budget
Test new certificate - Verify before old expires
Update WPsigner - Upload new certificate

Troubleshooting

”Certificate password incorrect”

Verify the password provided by your CA
Passwords are case-sensitive
No spaces before/after password

”Certificate format not supported”

Convert to .p12 format using OpenSSL:

openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.crt

“Certificate has expired”

Purchase a renewal from your CA
Generate a new self-signed certificate
Upload the new certificate to WPsigner

Adobe shows “Signature validity unknown”

For self-signed certificates, recipients must:

Click on the signature
Click “Validate Signature”
Choose “Trust this certificate”

Certificate vs No Certificate

Documents Signed Without Digital ID

┌─────────────────────────────────┐
│ Signed PDF                      │
│ ┌─────────────────────────────┐ │
│ │ [Signature Image]           │ │
│ │  - Just a PNG image         │ │
│ │  - No cryptographic seal    │ │
│ │  - Can be modified          │ │
│ └─────────────────────────────┘ │
│ ⚠️ No verification available    │
└─────────────────────────────────┘

Documents Signed With Digital ID

┌─────────────────────────────────┐
│ Digitally Signed PDF           │
│ ┌─────────────────────────────┐ │
│ │ [Signature + Certificate]   │ │
│ │ ┌───────────────────────┐   │ │
│ │ │ SHA-256 Hash          │   │ │
│ │ │ Private Key Signature │   │ │
│ │ │ X.509 Certificate     │   │ │
│ │ │ RFC 3161 Timestamp    │   │ │
│ │ └───────────────────────┘   │ │
│ └─────────────────────────────┘ │
│ ✅ Signature valid. Document    │
│    has not been modified.       │
└─────────────────────────────────┘

Frequently Asked Questions

Do I need a Digital ID for legal signatures?

For basic contracts in the US under ESIGN/UETA, a signature without Digital ID can be legally valid. However, a Digital ID provides much stronger legal protection and is recommended for:

High-value contracts
Regulated industries
International agreements
Long-term records

Can I use one certificate for multiple documents?

Yes. Your certificate is reused for all documents you sign. There’s no per-document cost or limit.

What happens if my certificate expires?

Previously signed documents remain valid (signature was valid at signing time)
New documents cannot be signed until you upload a new certificate
Consider timestamping to extend long-term validity

Is self-signed certificate legally valid?

Yes, self-signed certificates create legally valid signatures. The difference is trust establishment - recipients must manually trust your certificate rather than relying on a third-party CA.

Next Steps

Audit Trails - Understand the legal record
Timestamping (TSA) - Prove when documents were signed
Compliance - Regulatory requirements