This guide explains how SSL.com’s eSigner cloud signing service stores third-party digital certificates and their associated private keys. eSigner provides a convenient and secure way to add globally trusted digital signatures and timestamps to documents and code from any location, without requiring USB tokens or special hardware. Utilizing cloud-based FIPS-compliant hardware appliances, eSigner securely stores certificates and keys, accessible through individual credentials or via platforms like the eSigner Express app or a Cloud Signature Consortium (CSC) compliant API.
Use cases for wanting to store third-party certificates in eSigner, include the following:
- Existing Certificates. Customers wanting to use eSigner might have external certificates that are not yet expired and they are looking to maximize their duration value or have other obligations to use certificates from other publicly trusted certificate authorities besides SSL.com.
- eIDAS-Compliant Certificates. The document signing certificate has to be compliant with the European Union’s eIDAS (electronic IDentification, Authentication and trust Services) or other regional standard requirements. Certificates from any certificate authority (CAs) that are audited by the European Telecommunications Standards Institute (ETSI) and issue eIDAS-compliant certificates can also be used with eSigner. SSL.com has preferred partners and can facilitate the purchase of eIDAS-compliant certificates if this is not sourced by the customer.
In particular, eSigner offers great value for storing the private keys of code signing certificates. Since June 1, 2023, the Certificate Authority/Browser (CA/B) Forum required the private keys of all types of code signing certificates (Individual Validation, Organization Validation, and Extended Validation) to be stored in a hardware crypto module that is at least FIPS 140-2 Level 2. This new key storage requirement is intended to increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be generated as locally-stored .pfx files which contain both the certificate and the private key. Since the new requirements only allow the use of encrypted USB tokens or other FIPS-compliant hardware appliances to store the private key, it is expected that instances of code signing keys being stolen and misused by malicious actors will be greatly reduced.
As a cloud signing service, eSigner also overcomes the limitations of token-based code signing since it enables automated code signing and robust integration with popular CI/CD tools including Github Actions, Jenkins, Gitlab CI, Travis, BitBucket, Azure DevOps and Circle CI.
Step 1: Purchase eSigner Subscription
This service is available to all SSL.com Code Signing and Document Signing customers, ensuring compatibility with major software like Adobe Acrobat, Microsoft Office, and operating systems including Windows and Linux.
For information on how to purchase eSigner subscription, please visit our
service page.
Step 2: Request CSR from SSL.com
When applying for a digital certificate, an organization sends a Certificate Signing Request (CSR) to a trusted Certificate Authority like SSL.com. This encoded message includes essential details such as the subscriber’s name, domain name, location, and country, coupled with the public key for the certificate. By creating and signing the CSR with its private key, the subscriber confirms the authenticity of the information provided.
Step 3: Order and Issue Certificate from Third-Party CA
- Visit Third-Party CA’s Website:
- Go to the website of the Certification Authority from which you intend to purchase the certificate.
- Select Certificate Type:
- Choose the type of certificate you require for your signing needs. For eIDAS compliant document signing certificates, only Advanced eSeal for Legal Entities and Advanced eSignatures for Natural Entities are supported.
- Submit CSR:
- During the certificate ordering process, submit the CSR provided by SSL.com.
- Complete Validation:
- Follow the CA’s steps which include the validation for the Organization and the legal representative (or a duly-authorized representative) for eSeals or Individual validation for eSignatures.
- This might involve providing additional documentation or completing specific validation procedures e.g. Face to Face Identification with a Notary/ Lawyer/CPA.
- Issue Certificate:
- Once the validation is successful, the CA will issue the certificate.
- Download the issued certificate.
Step 4: Submit Issued Certificate to SSL.com
The downloaded certificate will be submitted to the SSL.com agent assigned to the subscriber. The SSL.com agent assigned to the subscriber will provide updates until the signing certificate is ready to be used on eSigner.
Step 5: Test Your Certificate on eSigner
There are 3 eSigner tools you can use for code signing:
- eSigner Express: A browser-based app where you can login using your SSL.com account credentials and upload the file you wish to sign.
- eSigner Cloud Key Adapter/eSigner CKA: A Windows based application that uses the CNG interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for enterprise code signing operations.
- eSigner CodeSignTool: A secure, privacy-oriented multi-platform Java command line utility for remotely signing Microsoft Authenticode and Java code objects with eSigner EV code signing certificates.
There are 4 eSigner tools you can use for document signing:
-
eSigner Express. A browser-based app where you can login using your SSL.com account credentials and upload the file you wish to sign.
-
eSigner DocSignTool. A secure, privacy-oriented multi-platform Java command line utility for remotely signing PDF files using eSigner document signing certificates.
-
eSigner CSC API. Use the Cloud Signature Consortium (CSC) API to digitally sign a document hash and a PDF file. You can use this with either cURL or Postman.
- eSigner Document Signing Gateway. A simple solution for companies seeking to maintain document confidentiality without sending files or developing custom software.
- Document Signing Watch Folder. A signing service for Windows and Linux that can be used to sign bulk volumes of electronic documents (including PDFs) by simply placing them into a folder.
If you encounter any issues while using eSigner, feel free to reach out to your account manager.