Best Practices on Enabling LTV Signatures for Document Signing Using Self-managed HSMs

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

SSL.com provides turn-key remote cloud signing services through our eSigner signing operations API which includes the storage and management of private keys.

However, many users prefer to utilize their own HSM or cloud HSM service to store private keys used to sign documents. 

LTV signatures allow for verification without relying on external systems or repositories. All the necessary validation information is included within the document itself, making it self-contained. This is particularly important for long-term verification, as external systems or repositories may become unavailable or change over time.

With LTV signatures, the verification process remains independent and self-sufficient.

Below is a list of best practices that users can refer to in order to enable LTV signatures for document signing when using your own HSM or cloud HSM service.

  1. Prepare the document: Ensure that the document you want to sign is in a suitable format, such as PDF/A or a simple PDF document. PDF/A is specifically designed for long-term archiving and ensures that the document’s integrity is maintained over time.

  2. Use Cryptographic Timestamps: LTV signatures require a reliable and trusted source of time. Cryptographic timestamps provide this by securely linking the signature to a specific time, preventing any backdating or tampering. Use a trusted timestamping authority like SSL.com or an internal timestamping service within your organization.
    SSL.com’s timestamping server is at http://ts.ssl.com/. By default, SSL.com supports timestamps from ECDSA keys.

    If you encounter this error: The timestamp certificate does not meet a minimum public key length requirement, it could be that your HSM vendor does not permit timestamps from ECDSA keys unless a request is made.

    If there is no way for your HSM vendor to allow for the normal endpoint to be used, you can use this legacy endpoint http://ts.ssl.com/legacy to get a timestamp from an RSA Timestamping Unit.

  3. Preserve Certificate Revocation Information: To maintain the validity of signatures over time, it’s crucial to preserve the certificate revocation information. This includes the Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) responses used to verify the signer’s certificate. 

    For Java language users, you can refer to the PDFBox Java library which contains examples to create LTV signatures. It also includes signature timestamp examples. 

    Here is an example code on how to embed revocation information (CRLs) of the document signing certificate chain inside the PDF document: https://svn.apache.org/viewvc/pdfbox/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java?view=markup

  4. Archive Signed Documents: Keep a secure and organized archive of all signed documents, including any intermediate versions. This ensures that the signed documents and associated validation information, such as timestamps and revocation data, are readily available for long-term verification. Implement proper storage mechanisms to prevent unauthorized access, tampering, or loss of data.

  5. Verify the signature: Implement a verification process to ensure that the signature can be validated correctly. This involves using the public key associated with the signing certificate to verify the signature’s integrity, checking the timestamp for validity, and verifying the certificate’s revocation status.

  6. Correctly configure HSMs: Ensure that the HSMs are properly configured and maintained, and adhere to industry standards and best practices for key management, such as key rotation, strong access controls, and regular auditing.

  7. Monitor and Update Security Controls: Regularly monitor the security controls and configurations of your signing infrastructure, including the HSMs, timestamping services, and storage systems. Stay updated with security patches, firmware updates, and industry best practices for HSM and document signing technologies.

For self-managed HSM document signing solutions, contact sales@ssl.com.

For a guide on SSL.com-supported cloud HSMs, please visit this article: Supported Cloud HSMs for Document Signing and EV Code Signing.

Learn more about SSL.com-supported Cloud HSMs

Cloud HSM Service Request Form

If you would like to order digital certificates for installation on a supported cloud HSM platform (AWS CloudHSM or Azure Dedicated HSM), please fill out and submit the form below. After we receive your request, a member of SSL.com’s staff will contact you with more details about the ordering and attestation process.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.