How to sign digitally

The digital signature is a tool through which professionals, companies and individuals can give legal value to documents signed on the computer. It is the electronic equivalent of an electronic signature. It is based on three fundamental principles: authenticity, integrity and non-repudiation as the signed documents are intact – in the sense that they have not undergone changes after signing – and can be traced back to a specific person who cannot repudiate their authorship.

To obtain the digital signature, a special kit must be purchased from private companies, generally defined as certification bodies. The kit in question consists of one or more hardware devices, a digital signature certificate (generally provided via smart card and valid for three years) and software that allows you to apply the signature to electronic documents. The software can be supplied “as standard” with the kit or can be available for download on the website of the certifying body. The file types to which it is possible to apply the digital signature are many: ranging from classic PDFs to Word documents. Then, when applying the signature, it is possible to choose a file type to be obtained as output; but we will talk more about this in a bit.

Another important thing to know is that to use a digital signature kit you need to verify your identity (through a special procedure that provides for the recognition of the user de visu, i.e. in the first person) and you must activate the kit through the certification body. I know, this sounds like a very complicated operation, but in reality I assure you that things are different: everything is much simpler than it seems. If you don’t believe it, take five minutes of free time and find out how to put your digital signature on it thanks to the information I’m about to give you.

Index

• What is digital signature (differences with electronic signature)
• The digital signature kits
• How to obtain the digital signature
• How to use the digital signature

What is digital signature (differences with electronic signature)

Before getting to the heart of the tutorial and seeing in detail  how to apply the digital signature , it is good to clarify the technical definition of this tool and its difference with the electronic signature. Wanting to get straight to the gist of the matter, we can say that the digital signature is an electronic signature that has a certain legal value, but it is better to be more precise and emphasize the differences between the various types of electronic signature.

• Electronic signature– it is the simplest type of signature and has no intrinsic legal value (as it does not require the use of tools capable of guaranteeing the authenticity and integrity of the signed documents). It is up to a judge to assess, from case to case, the authenticity of a document signed with a simple electronic signature.
• Advanced electronic signature– is an electronic signature generated by means that allow to demonstrate the integrity of the document, over which the signer has direct and exclusive control (e.g. a tablet owned by the signatory). It has certain legal value, except in real estate contracts.
• Qualified electronic signature– is one of the most advanced forms of electronic signature. It is applied with qualified tools, such as the signature kits that are purchased from certification bodies, so it has full legal value and certifies both the originality and integrity of the signed documents.
• Digital electronic signature– is an advanced electronic signature that involves the use of asymmetric cryptographic systems, i.e. cryptographic systems in which a pair of keys (one public and one private) is used to verify the integrity and originality of documents signed. It has full legal value.

Many digital electronic signature kits (or qualified electronic signature) also include the  National Service Card (CNS) : a certificate that allows you to verify your identity in communications with the Public Administration, for example on the Revenue Agency website or on portals that some professionals, such as lawyers, must use for work.

Finally, one thing I care a lot about: the electronic signature should not be confused with the PEC , which does not allow you to sign individual documents, but rather allows you to assign legal value to messages that are exchanged via e-mail. I told you about it in more detail in my tutorial on how to register a PEC address .

The digital signature kits

As mentioned at the beginning of the post, to use the digital signature you need to purchase a special kit. There are various types of kits and their prices generally vary between 30 and 60 euros. The simplest kits to use are those in USB format, which can be divided into USB tokens and all-in-one keys : the former allow you to use smart cards in SIM format with small readers similar to USB sticks and provide the download the signature software separately; the all-in-one keys, on the other hand, act as USB tokens and include both the smart card with the signature certificate and the software for applying it. Alternatively there are the more traditional kits which consist of a credit card-sized smart card with the signature certificate and a  table smart card reader . In both cases, the signature certificate has an average validity of 3 years which must be renewed near the expiry date.

There are also remote digital signature systems   that allow you to sign documents from any device without using specific hardware components (based on the use of a virtual smart card). Usually they are supplied together with a key that generates temporary passwords (similar to those that many banks use for their online services) but, if desired, the passwords in question can also be generated via smartphone app or via SMS. It is up to you to choose which solution best suits your needs.

How to obtain the digital signature

To purchase a digital signature kit (digital electronic signature or qualified electronic signature), you must connect to the website of a certification body and choose the kit that seems to you best suited to your needs. The most expensive kits are those that include all-in-one USB sticks, while the cheapest ones are those consisting of smart cards and smart card readers. If you already have a smart card reader or a USB token, you can also buy the digital signature certificate alone, saving a lot of money.

Among the most popular certification bodies of the moment I point out Aruba , Poste Italiane and InfoCert which offer excellent solutions for digital signature at affordable prices, but there are also other companies you can contact: you can find the complete list on the Agency website for Digital Italy . And if you are the owner of a business, know that you can also request a digital signature kit from the Chamber of Commerce of your city. The steps required to purchase and activate a digital signature kit are basically three.

• Purchase of the kit– as already mentioned, the first step you must take is to connect to the website of a certification body and purchase the kit of your interest. To complete the operation you will need to create an account on the website of the certifying body and provide all your personal data plus a valid payment method (credit card, rechargeable card or PayPal).
• Verification of identity– to use the digital signature kit you must verify your identity. The check must be done face-to-face, therefore in person, by going to the Municipality (with the purchase of a stamp duty), in the headquarters of a courier, in a post office, or it can be done at home through the postman who delivers the kit.
• Activation of the kit– after providing all the necessary documentation and verifying your identity, you must connect again to the website of the certifying body and activate your kit by providing the serial number of the smart card, the social security number and other data obtained following the verification of identity.

For more detailed information on all three steps listed above, check out my guide on how to get a digital signature .

How to use the digital signature

After verifying your identity and activating the kit, you can start digitally signing your documents. To digitally sign, however, you may need to download the drivers and signing software from the certification body’s website. These are the links to the download pages of the main certification bodies.

• Aruba digital signature driver and software
• Postecert digital signature driver and software
• InfoCert digital signature driver and software

Once the download is complete, to install drivers and signature software, all you have to do is extract them from the zip packages in which they are contained, start their executables (eg setup.exe if you are using Windows or filename.pkg if you are using macOS) and follow the on-screen indications. Generally just click on Next / Continue and that’s it.

Downloading of drivers and signing software is required for smart card readers, USB tokens but not for all-in-one USB sticks, which also include signing software and do not need drivers to function . If you have purchased a kit of the latter type, please skip this step and move on.

Sign a document

When you are ready to sign an electronic document, start the signature software included in your kit (or that you downloaded separately from the certifying body’s website), click on the signature button and select the file on which to digitally sign. As mentioned earlier, you can select a PDF file, a Word document or other documents.

In the window that opens, then enter the PIN of the smart card that contains your digital signature certificate (or your password if you have purchased a remote signature kit) and select the type of output file you wish to obtain. You can choose between various types of files.

• P7M Encryption Envelope (CAdES)– selecting this option will result in a P7M format file containing the original document and digital signature files.
• PDF– by selecting this option, which as easy to understand is only available for files in PDF format, you will get a PDF file with the digital signature included. The signature can be invisible or graphic, i.e. visible.
• XML (XAdES)– this option also creates a file in P7M format.

After selecting the type of output file, you can directly start the digital signature application by clicking on the appropriate button or you can choose to apply a timestamp or a password to encrypt the file. The timestamp is a certification that allows you to verify the date and time in which a document was signed, extends the legal value of the latter, keeping it valid even in the event of the signature certificate expiring. Encryption, on the other hand, allows you to limit access to the document, allowing it to be opened only by using a public key by selected recipients.

If you want more information on how the signature kit you have purchased works, I highly recommend you take a look at the certification body’s website: there you will surely find detailed documentation that illustrates all the software features. Below you will find the links to access the official guides of the main digital signature kits: Aruba , Postecert and InfoCert .

Note: If you have purchased a remote signature kit, you will need to access the signature software settings and enter your certificate authentication data before signing your documents. For example, in the Aruba signature software you need to go to Options and parameters and enter your username in the Remote Signature tab .

Use the signing certificate in third-party applications

The digital signature kits in USB key format, those that work without drivers and also include the signature software, work in HID (Human Interface Device) mode but if necessary it is possible to convert them into CCID devices , i.e. common smart card readers that allow you to sign documents with alternative software to those included in the kit, such as Adobe Acrobat , LibreOffice or Microsoft Office .

If you want to convert a USB signature kit into a CCID device, you must start the management software of the latter and call up the appropriate option. For example, if you are using an Aruba USB key you must click on the Utilities item and select the “Import” Certificate option from the screen that opens, while if you are using a Postecert signature kit you must go to Chip Management and select the HID < > CCID . After selecting the option to convert the signature kit into a CCID device, you must follow the instructions on the screen and the operation will be completed within a few clicks.

Now you have to configure the digital signature certificate in the “alternative” software with which you intend to sign your documents. If you want to use Adobe Acrobat , open it, go to the Edit> Preferences menu and select the Signatures item from the left sidebar.

Next, click on the More … button located in the Identity and trusted certificates field , expand the item Digital IDs , go to Modules and PKCS tokens , press the Add module button and select the file to use the signature kit in mode CCID (called PKCS module): depending on the kit you have, it should be C: \ Windows \ System32 \ bit4ipki.dll , C: \ Windows \ System32 \ bit4opki.dll or X: \ System \ Firma4NG_Windows \ Firma4 .

Finally, select the PKCS module from the PKCS modules and tokens field , log in by entering the PIN of your signature certificate and sign your documents using the appropriate Acrobat function. More info here .

If you prefer to use LibreOffice or OpenOffice , you can call up the function dedicated to digital signatures in the File menu (top left), while if you want to use Microsoft Word you have to go to the File menu and select the Add digital signature item from the Protect document menu .

To use digitally signed certificates in applications such as LibreOffice, OpenOffice, and Microsoft Office, you may need to import them into web browsers first; an operation which among other things also enables the signing of online forms.

To import a certificate into Firefox, click on the ≡ button located at the top right, select the Options item from the menu that appears and go to Advanced> Certificates and then click on the Security devices button . To perform the same operation in Internet Explorer, connect to the web page provided by the certifying body and follow the instructions on the screen. You may need to download and install a small piece of software. For more information, consult the official guides of  Aruba , Postecert and InfoCert .

When you’re done signing your documents with Acrobat, LibreOffice, or Microsoft Office, remove the digitally signed USB stick from your computer and the kit should work again in HID mode the next time you use it. If this is not the case, go to the Windows control panel or macOS application menu and delete the software that was installed when you activated the kit’s CCID mode (eg Ak Switcher for Aruba keys).

If at this point of the tutorial you have not yet been able to apply the digital signature, try to contact the technical support of the certifying body. There could be problems with your kit or configuration errors that you left out when installing the device or certificate.