How to Digitally Sign

The digital signature is a tool through which professionals, companies and individuals can give legal value to documents signed on the computer. It is the electronic equivalent of a handwritten signature. It is based on three fundamental principles: authenticity, integrity and non-repudiation. Signed documents are intact, in the sense that they have not undergone changes after their signature, and can be traced back to a specific person who cannot repudiate their authorship.

To obtain the digital signature, a special kit must be purchased from private companies, generally defined as certification bodies. The kit in question consists of one or more hardware devices, a digital signature certificate (generally provided via smart card and valid for three years) and software that allows you to apply the signature to electronic documents. The software can be supplied "as standard" with the kit or can be available for download on the website of the certification body. The file types to which it is possible to apply the digital signature are many: ranging from classic PDFs to Word documents. When applying the signature, it is possible to choose a file type to be obtained as output; but we will talk more about this in a bit.

Another important thing to know is that to use a digital signature kit you must verify your identity (through a special procedure that involves recognizing the user de visu, i.e. in person) and you must activate the kit through the website of the certification body. I know, it sounds like a very complicated operation, but in reality I assure you that things are different: everything is much simpler than it seems. If you don't believe it, take five minutes of free time and find out how to digitally sign with the instructions I am about to give you.

What is Digital Signature (differences with Electronic Signature)

Before we get to the heart of the tutorial and see in detail how to digitally sign, it is good to clarify the technical definition of this tool and how it differs from the electronic signature. To get straight to the gist of the matter, we can say that the digital signature is an electronic signature that has a certain legal value, but it is better to be more precise and emphasize the differences between the various types of electronic signature.

  • Electronic signature - it is the simplest type of signature and has no intrinsic legal value (as it does not require the use of tools capable of guaranteeing the authenticity and integrity of the signed documents). It is up to a judge to assess, from case to case, the authenticity of a document signed with a simple electronic signature.
  • Advanced electronic signature - it is an electronic signature generated with means that make it possible to demonstrate the integrity of the document and over which the signer has direct and exclusive control (e.g. a tablet owned by the signatory). It has certain legal value, except in real estate contracts.
  • Qualified electronic signature - it is one of the most advanced forms of electronic signature. It is applied with qualified tools, such as the signature kits that are purchased from certification bodies, so it has full legal value and certifies both the originality and integrity of the signed documents.
  • Digital electronic signature - it is an advanced electronic signature that involves the use of asymmetric cryptographic systems, i.e. cryptographic systems in which a pair of keys (one public and one private) is used to verify the integrity and originality of the signed documents. It has full legal value.

Many digital electronic signature (or qualified electronic signature) kits also include the National Service Card (CNS): a certificate that allows you to verify your identity in communications with the Public Administration, for example on the website of the Revenue Agency or on the portals that some professionals, such as lawyers, must use for work.

Finally, one thing I really care about: the electronic signature should not be confused with the PEC, which does not allow you to sign individual documents, but rather allows you to assign legal value to messages exchanged via e-mail. I told you about it in more detail in my tutorial on how to register a PEC address.

The Digital Signature Kits

As mentioned at the beginning of the post, to use the digital signature you need to purchase a special kit. There are various types of kits and their prices generally vary between 30 and 60 euros. The simplest kits to use are those in USB format, which can be divided into USB tokens and all-in-one keys: the former allow the use of smart cards in SIM format with small readers similar to USB sticks and require the signature software to be downloaded separately; the all-in-one keys, on the other hand, act as USB tokens and include both the smart card with the signature certificate and the software for applying the signature. Alternatively, there are the more traditional kits, which consist of a credit card-sized smart card with the signature certificate and a desktop smart card reader. In both cases, the signature certificate has an average validity of 3 years and must be renewed near the expiry date.

There are also remote digital signature systems that allow you to sign documents from any device without using specific hardware components (they rely on the use of a virtual smart card). Usually they are supplied together with a key that generates temporary passwords (similar to those that many banks use for their online services) but, if desired, the passwords in question can also be generated via smartphone app or via SMS. It is up to you to choose which solution best suits your needs.

How to Obtain the Digital Signature

To purchase a digital signature kit (digital electronic signature or qualified electronic signature), you must connect to the website of a certification body and choose the kit that seems to you best suited to your needs. The most expensive kits are those that include all-in-one USB sticks, while the cheapest ones are those consisting of smart cards and smart card readers. If you already have a smart card reader or a USB token, you can also buy the digital signature certificate alone, saving a lot of money.

Among the most popular certification bodies at the moment I point out Aruba, Poste Italiane and InfoCert, which offer excellent solutions for digital signature at affordable prices, but there are also other companies you can contact: you can find the complete list on the website of the Agency for Digital Italy. And if you are the owner of a business, know that you can also request a digital signature kit from the Chamber of Commerce of your city. There are basically three steps needed to purchase and activate a digital signature kit.

  • Purchase of the kit - as already mentioned, the first step you need to take is to connect to the website of a certification body and purchase the kit of your interest. To complete the operation you will need to create an account on the website of the certification body and provide all your personal data plus a valid payment method (credit card, rechargeable card or PayPal).
  • Verification of identity - to use the digital signature kit you must verify your identity. The check must be done face-to-face, therefore in person, by going to the Municipality (with the purchase of a stamp duty), at a courier's office, in a post office, or it can be done at home through the postman who delivers the kit.
  • Activation of the kit - after providing all the necessary documentation and verifying your identity, you must connect again to the website of the certification body and activate your kit by providing the serial number of the smart card, the social security number and other data obtained following the identity verification.

For more detailed information on all three steps listed above, check out my guide on how to get a digital signature.

How to Use the Digital Signature

After verifying your identity and activating the kit, you can begin to digitally sign your documents. However, you may need to download the driver and signature software from the website of the certification body. These are the links to the download pages of the main certification bodies.

  • Aruba digital signature driver and software
  • Postecert digital signature driver and software
  • InfoCert digital signature driver and software

Once the download is complete, to install the drivers and signature software, all you have to do is extract them from the zip packages in which they are contained, start their executables (e.g. setup.exe if you use Windows or filename.pkg if you're using macOS) and follow the onscreen instructions. Generally you just click on Next / Continue and that's it.

The download of drivers and signing software is required for smart card readers and USB tokens, but not for all-in-one USB sticks, which also include signing software and do not need drivers to function. If you have purchased a kit of the latter type, please skip this step and move on.

Sign a Document

When you are ready to sign an electronic document, start the signature software included in your kit (or that you downloaded separately from the certification body's website), click on the sign button and select the file to be digitally signed. As mentioned earlier, you can select a PDF file, a Word document or other documents.

In the window that opens, then enter the PIN of the smart card that contains your digital signature certificate (or your password if you purchased a remote signature kit) and select the type of output file you intend to obtain. You can choose between various types of files.

  • P7M Encryption Envelope (CAdES) - selecting this option you will get a file in P7M format containing the original document and the digital signature files.
  • PDF - by selecting this option, which, as is easy to understand, is only available for PDF files, you will get a PDF file with the digital signature included. The signature can be invisible or graphic, i.e. visible.
  • XML (XAdES) - this option also creates a file in P7M format.

After selecting the type of output file, you can directly start the digital signature application by clicking on the appropriate button, or you can choose to apply a timestamp or a password to encrypt the file. The timestamp is a certification that allows you to verify the date and time at which a document was signed and extends the legal value of the document, keeping it valid even if the signature certificate expires. Encryption, on the other hand, allows you to limit access to the document, allowing it to be opened only by selected recipients using a public key.
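The P7M envelope option described above (original document plus signature in one file) and the integrity guarantee can be reproduced with the openssl command line. This is an added example, not part of the original tutorial or of any certification body's software; the self-signed test certificate, the sample document and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Key, certificate and document are constructed throwaway
# values; a real kit keeps the private key on the smart card.

make_signer() {   # $1 = work dir: create a self-signed test certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Signer" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_p7m() {      # $1 = work dir, $2 = document: writes "$2.p7m"
  # -nodetach embeds the document, so the envelope carries document + signature
  openssl cms -sign -binary -nodetach -md sha256 -outform DER \
    -signer "$1/cert.pem" -inkey "$1/key.pem" -in "$2" -out "$2.p7m"
}

verify_p7m() {    # $1 = work dir, $2 = envelope, $3 = extracted document
  # Trust is pinned to the test certificate (assumption for this example)
  openssl cms -verify -binary -inform DER -CAfile "$1/cert.pem" \
    -in "$2" -out "$3" 2>/dev/null
}

tamper_p7m() {    # $1 = envelope, $2 = output: alter the embedded amount
  # Same-length replacement keeps the envelope parseable; only the digest breaks
  LC_ALL=C sed 's/EUR 1000/EUR 9000/' "$1" > "$2"
}

demo() {
  d=$(mktemp -d) || return 1
  printf 'Pay EUR 1000 to Alice\n' > "$d/order.txt"
  make_signer "$d" && sign_p7m "$d" "$d/order.txt" || return 1
  verify_p7m "$d" "$d/order.txt.p7m" "$d/out.txt" && echo "original: signature valid"
  tamper_p7m "$d/order.txt.p7m" "$d/bad.p7m"
  verify_p7m "$d" "$d/bad.p7m" "$d/bad.txt" || echo "tampered: verification failed"
  rm -rf "$d"
}
demo
```

Verifying a signature issued by a certification body works the same way, with that body's CA certificates passed to -CAfile instead of the test certificate.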

If you want more information on how the signature kit you have purchased works, I highly recommend that you visit the certification body's website: there you will surely find detailed documentation that illustrates all the software features. Below you will find the links to access the official guides of the main digital signature kits: Aruba, Postecert and InfoCert.

Please note: if you have purchased a remote signature kit, before signing your documents you will need to access the signature software settings and enter your certificate authentication data. For example, in the Aruba signature software you have to go to Options and parameters and enter your username in the Remote signature form.

Use the Signing Certificate in Third-party Applications

Digital signature kits in USB stick format, those that work without drivers and also include signature software, work in HID (Human Interface Device) mode, but if necessary you can convert them to CCID devices, i.e. into common smart card readers that allow you to sign documents with software other than that included in the kit, such as Adobe Acrobat, LibreOffice or Microsoft Office.

If you want to convert a USB signature kit into a CCID device, you must start the kit's management software and call up the appropriate option. For example, if you are using an Aruba USB key you have to click on the item Utilities and select the Import Certificate option from the screen that opens, while if you use a Postecert signature kit you have to go to Chip management and select the HID<>CCID icon. After selecting the option to convert the signature kit into a CCID device, follow the instructions on the screen and the operation will be completed within a few clicks.

Now you need to configure the digital signature certificate in the "alternative" software with which you intend to sign your documents. If you want to use Adobe Acrobat, open it, go to the menu Edit > Preferences and select the item Signatures from the left sidebar.

Next, click the Others... button in the Trusted identities and certificates field, expand the item Digital IDs, go to PKCS modules and tokens, press the Add module button and select the file for using the signature kit in CCID mode (called the PKCS module): depending on the kit in your possession, it should be C:\Windows\System32\bit4ipki.dll, C:\Windows\System32\bit4opki.dll or X:SystemFirma4NG_WindowsFirma4.

Finally, select the PKCS module from the PKCS modules and tokens field, log in by entering the PIN of your signature certificate and sign your documents using the appropriate Acrobat function. More info here.

If you prefer to use LibreOffice or OpenOffice, you can call up the function dedicated to digital signatures from the File menu (top left), while if you want to use Microsoft Word you have to go to the File menu and select the item Add digital signature from the Protect document menu.

To use digital signature certificates in applications such as LibreOffice, OpenOffice and Microsoft Office, you may need to import them into web browsers first; this operation also enables the signing of online forms.

To import a certificate into Firefox, click on the button located at the top right, select the Options item from the menu that appears, go to Advanced > Certificates and then click on the Security devices button. To perform the same operation in Internet Explorer, connect to the web page provided by the certification body and follow the instructions on the screen. You may need to download and install a small piece of software. For more information, consult the official guides of Aruba, Postecert and InfoCert.

When you're done signing your documents with Acrobat, LibreOffice or Microsoft Office, remove the digital signature USB stick from your computer and the kit should work again in HID mode the next time you use it. If not, go to the Windows control panel or macOS application menu and delete the software that was installed when you activated the CCID mode of the kit (e.g. And Switcher for Aruba sticks).

If at this point of the tutorial you are still unable to digitally sign, try contacting the technical support of the certification body. There could be problems with your kit or configuration errors that you missed when installing the device or certificate.