How to Sign Digitally

A digital signature is a tool that lets you sign electronic documents (e.g. files in PDF format), giving them authenticity and integrity. It is based on three fundamental principles: authenticity, which attests to the identity of the signatory; integrity, which ensures that signed documents have not been modified after signing; and "non-repudiation", which guarantees the legal validity of a document and prevents the signatory from repudiating it after signing.

The "digital signature" should not be confused with the "electronic signature": a generic electronic signature may not have all the characteristics above and, therefore, may not guarantee the same legal value (more on that shortly). Nor should the digital signature and the electronic signature be confused with the PEC, a tool that assigns legal value to e-mail messages rather than to individual documents signed by a person: I talked about it in more detail in my tutorial on how to register a PEC.

To use a digital signature, you need to buy a special kit, easily found online and sold by certified companies, activate it, and use special software that signs documents with the certificates contained in the kit. I know, put this way it may seem very complicated, but I assure you that it is much simpler than you imagine. If you want to know more and find out how to digitally sign your documents, read on. You will find all the information you need right below.

Differences Between the Various Types of Electronic Signature

Before we get to the heart of this tutorial and find out how to digitally sign a document, it should be noted that there are various types of electronic signature, each with different characteristics and degrees of legal value.

  • Electronic signature - the simplest type of signature. It does not require special security measures and, therefore, does not let you be sure about the integrity and originality of the signed document. In legal proceedings, it is up to a judge to evaluate the originality of a document signed with a simple electronic signature.
  • Advanced electronic signature - a slightly more secure version of the simple electronic signature. Documents are signed by means over which the signatory can keep exclusive control (e.g. his or her tablet) and which make it possible to demonstrate the integrity and originality of the signed document. Documents signed with an advanced electronic signature have legal value (with the exception of real estate contracts).
  • Qualified electronic signature - a type of signature created with qualified means (e.g. kits sold by companies such as Aruba or Poste Italiane), which therefore lets you be sure about the integrity and originality of the signed document. Documents signed with this signature have legal value.
  • Digital electronic signature - a type of advanced electronic signature that uses an asymmetric cryptography system, i.e. two cryptographic keys (one public and one private) that allow both the sender and the recipient of a document to verify its integrity and originality. Documents signed with a digital electronic signature have legal value.

In summary: documents signed with an advanced electronic signature, a qualified electronic signature or a digital electronic signature all have legal value, to be exact the same legal value as a private deed. Documents signed with a simple electronic signature, on the other hand, have a "variable" legal value that must be evaluated case by case by a judge.

The National Service Card (CNS) deserves a separate mention: it is a certificate that allows the user (the certificate holder) to authenticate to Public Administration services. It also makes it possible to sign documents electronically, but you have to be careful because not all CNS cards have the same properties: some only allow a simple electronic signature, while others also support the advanced electronic signature.

How to Obtain the Digital Signature

Having made this necessary distinction between the various types of electronic signature, let's see what is needed and how to proceed to activate your kit. The steps to take are relatively simple.

1. Purchase a digital signature kit - electronic signature kits (we are talking about qualified and digital signatures) are sold by various companies, such as Aruba, Poste Italiane and InfoCert (the complete list can be found on the Agency for Digital Italy website). They generally cost between 40 and 50 euros and can consist of various devices, listed below.

  • USB key - a USB stick with a smart card inside that holds the digital signature certificate, the software to sign documents and, in some cases, the certificate for the National Service Card. This is the simplest solution to use, as it requires no installation and carries everything needed to sign and verify electronic documents. If necessary, it can be switched to a CCID device (i.e. a plain smart card reader) to import the digital signature on the PC and sign documents with applications other than those included in the key.
  • USB token - a USB stick that contains a smart card, the certificate for the digital signature and, in some cases, the certificate for the National Service Card. It requires installing drivers and separately downloading the software to sign documents. As you can easily understand, USB tokens are slightly more complicated to use than keys with everything included, but they are also cheaper.
  • Smart card reader - a smart card reader combined with a smart card holding the digital signature certificate and, in some cases, the CNS. Drivers and signature software must be installed separately. Readers are cheaper than tokens but are not very portable, so they are only worth considering if you need to use the electronic signature from a fixed location (e.g. a single desktop PC).
  • Remote digital signature kit - an alternative to the kits mentioned above, which lets you digitally sign documents using a virtual smart card, an OTP password (i.e. a one-time password received via SMS or generated by devices similar to those provided by banks) and signature and verification software. In practice, it lets you apply a digital signature to documents without using keys or other physical devices (everything is done remotely). These kits are more expensive than the "physical" kits mentioned above.

2. Verify your identity - to receive your digital signature kit, you must verify your identity. Recognition can take place in various ways.

  • Face-to-face identification with a Public Official - if you choose this route, you must go to the Municipality with a valid identity document and the documentation received by email from the company that issues the digital signature, and be identified by a Public Official who authenticates the request for the digital signature (by revenue stamp, to be purchased separately). Once the operation is completed, the authenticated documentation must be sent to the company that issues the digital signature.
  • Face-to-face identification at a post office or dispatch center - depending on the methods offered by each digital signature provider, you can also verify your identity by going to a post office or to a center of the courier entrusted with delivering the kit. You must bring the documents received by email and a valid identity document. The identification operation has a variable price.
  • Face-to-face identification at home - by choosing this option, you can be identified directly by the postman who delivers the digital signature kit (by showing a valid identity document and signing all the documents received).

3. Activate the electronic signature kit - once the digital signature kit has been received, it must be authenticated on the website of the company that supplied the kit. The procedure is quite quick and involves the insertion of information such as the serial code of the smart card, your tax code and your personal activation code (which is usually received via SMS during the kit activation process).

Once activated, digital signature certificates have an expiry date (usually set at 3 years) and therefore must be renewed at a modest expense, always through the company that issued the signature kit.

How to Use the Digital Signature

Once you've purchased and activated your digital signature kit, you can digitally sign your documents in various ways. The simplest, as already mentioned above, is to use a USB key, which contains all the software necessary for signing documents (and for verifying documents already signed) and does not require external drivers to work: it is automatically recognized by the computer at the first insertion and is configured accordingly. These keys are usually compatible with Windows, macOS and Linux.

If you chose a USB token or a smart card reader instead of an all-in-one USB key, before signing documents you need to download the drivers and the signing software from the website of the company that issued the kit (e.g. Aruba or Poste Italiane).

After properly configuring your digital signature kit, just start the signature software integrated in it (or downloaded from the website of the company providing the kit) and click on the icon for applying the digital signature. Next, choose the file to sign, enter the PIN of your smart card and select the type of signature to apply to the document. There are generally three types of signature available.

  • P7M cryptographic envelope (CAdES) - creates a new file in P7M format that contains the original document plus the digital signature files. This type of signature is applicable to all types of documents.
  • PDF signature - creates a PDF file with the signature included. The signature can be invisible or graphic, i.e. visible within the document. Of course, it can only be applied to PDF files.
  • XML signature (XAdES) - creates a new file in P7M format. It is applicable to all types of documents.

When signing, it is possible to apply a time stamp to a document, that is, a certification that associates a precise (and legally valid) date and time with an electronic document. Applying a time stamp lets a document keep its legal value even if it was signed with a certificate that has subsequently expired or been revoked.

Once signed, the documents can be verified using the appropriate function in the signature software. If you want to know more, visit the websites of companies like Aruba and Poste Italiane, which have detailed instructions on how their digital signature software works.
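The P7M envelope described above is a CMS SignedData structure that wraps the original document together with the signer information. As an added example (not code from any signature provider's software), this Python sketch walks that structure to show that pulling the document out of a .p7m involves no signature check at all; `inspect_p7m`, `build_sample` and the sample bytes are constructed for illustration, and only definite-length DER is handled.

```python
# Added illustration (not vendor code): minimal DER walk over a CMS SignedData.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body):  # encode one DER element with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read(buf, pos):
    """Decode one element at pos and return (tag, body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n == 0x80:
        raise ValueError("indefinite-length BER is not handled by this sketch")
    if n > 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + n], pos + n

def children(body):  # split a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def inspect_p7m(der):
    """Return (embedded_document_or_None, signer_count); verifies nothing."""
    tag, body, _ = read(der, 0)
    ci = children(body) if tag == 0x30 else []
    if len(ci) < 2 or ci[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("not a CMS SignedData envelope")
    signed = children(children(ci[1][1])[0][1])   # [0] EXPLICIT -> SignedData
    encap = children(signed[2][1])                # encapContentInfo
    doc = children(encap[1][1])[0][1] if len(encap) > 1 else None
    return doc, len(children(signed[-1][1]))      # last field: SET OF SignerInfo

def build_sample(document, signers):
    """Constructed skeleton: SignedData layout with placeholder SignerInfos."""
    econtent = tlv(0xA0, tlv(0x04, document)) if document is not None else b""
    encap = tlv(0x30, tlv(0x06, OID_DATA) + econtent)
    infos = tlv(0x31, b"".join(tlv(0x30, tlv(0x02, b"\x01")) for _ in range(signers)))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + encap + infos)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))
```

An envelope with zero signers, or with signer entries nobody has checked, still yields its document, which is why opening a .p7m is not a substitute for the verification function of the signature software.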

As already mentioned in a previous step of the tutorial, it is possible to import the digital signature certificates on the PC and convert the USB keys provided by companies such as Aruba and Poste Italiane from HID devices to CCID devices. This lets you use the keys as ordinary smart card readers and digitally sign your documents with software other than that included in the kits, such as Adobe Acrobat, Microsoft Office or LibreOffice.

To convert a USB digital signature kit into a CCID device, you need to start its software and click on the appropriate item. For example, in the Aruba software you have to go to Utilities and click on the Import Certificate icon, while in the Poste Italiane software you have to go to Chip management and click on the HID<>CCID icon. Then follow the guided procedure that is proposed (just click on Next) and that's it.

Once the key has been converted from HID to CCID, you need to configure the certificate with the digital signature in the application you want to use to sign the documents.

For example, if you want to sign your documents in Adobe Acrobat, go to the menu Edit > Preferences, select the item Signatures from the left sidebar and press the More... button next to the field Trusted identities and certificates.

In the window that opens, expand the entry Digital IDs in the left sidebar, go to PKCS#11 Modules and Tokens and press the Add module button. Then choose the file that loads the USB kit's module and so makes the digital signature usable. Depending on the kit you have, the file to choose might be C:\Windows\System32\bit4ipki.dll, C:\Windows\System32\bit4opki.dll or X:\System\Firma4NG_Windows\Firma4.

After activating the PKCS#11 module, select it from the PKCS#11 Modules and Tokens menu in Acrobat and log in by entering the PIN of your digital signature. After this step, you should be able to use the digital signature by calling the appropriate function from the Acrobat menu.

To use the digital signature in Microsoft Word, click on the File button located at the top left and select the item Add digital signature from the menu Protect document. To use it in LibreOffice, instead, select the item Digital signatures from the File menu (top left).

In order for Word and LibreOffice to "see" digital signature certificates, you may need to import them into the browsers Mozilla Firefox or Internet Explorer. To import a certificate into Firefox, go to the menu ≡ > Options > Advanced > Certificates and click on the button Security Devices; to import it into Internet Explorer, go to the web page indicated by the signature provider. For practical examples of what has just been said, consult the official Aruba guide on importing certificates into browsers.

If you change your mind, to return the USB key to an HID device, remove it from the PC and connect it again. If the device is still recognized as a smart card reader, try uninstalling any software installed when CCID mode was activated (e.g. Switcher for Aruba keys).