7

I have to implement a digital signature in a certificate which we print as PDF in PHP.

The requirement is that an authorized person like a Registrar or Sub-Registrar digitally signs a certificate. The basic idea behind implementing the digital signature is to know:

  1. Is the certificate digitally signed by the authorized person, and who was that authorized person, or has someone else created it who doesn't have the authority?

  2. Are there any changes in the certificate after the Registrar/Sub-Registrar digitally signed the certificate (to stop forgery)?

  3. When was the document signed, or when were the changes done?

I have searched a lot on this topic but am getting nothing, not even a tutorial which could guide me on how to do this. I have never heard about this before, but according to the requirement I have to do this. So please, someone guide me or help me with how I can implement this in PHP.

Mukesh Joshi
  • Related: [TCPDF adding digital signature to the created pdf](http://stackoverflow.com/questions/16100109/tcpdf-adding-digital-signature-to-the-created-pdf) – Ja͢ck May 27 '15 at 05:54
  • For browser-based digital signing using JavaScript, please refer to my answer on SO https://stackoverflow.com/a/55676351/9659885. For PHP, not many (free) components are available. You may want to use a Java component, through JavaBridge running on Tomcat through an Apache proxy, to digitally sign the PDF from a browser USB token, and PHP on the server side. – Bharat Vasant May 16 '19 at 04:44

1 Answer

2

There are software libraries available that will enable you to digitally sign PDF files. iText is one, but there are plenty of others, too.

However, all of the libraries tend to suffer from a common problem: safeguarding the signer's digital certificate, and in particular, the certificate's private key.

If the signed PDF will ever be audited or submitted to a relying party (recipient) who wants to assure himself that the PDF was really signed by the person who is purported to have signed it, then the digital certificate (and signing system) must be a QSCD -- Qualified Signature Creation Device. (An older name for the same idea was SSCD, "Secure Signature Creation Device.")

Smart cards were the old way to create a QSCD. More modern is to use a centralized signing appliance. My company, DocuSign, makes a QSCD with an API; others do too.

Larry K
  • I have researched so much into creating a cloud-based QSCD. I understand that you must use `openssl_*` to create the PKI but am now lost for mind on how to actually sign the document and, when it is then signed, how to decrypt it and ensure it was the same. Also, with the keys created, how do I store them in a `.pem` file? Do you have any relevant tutorials to help? I am not building one for a business, only to sign anything I send personally to people (it's for personal use), and I'll build an API people can use to check I definitely signed it. – Jaquarh Oct 10 '18 at 15:47
  • Hi @KDOT, What you're asking takes a book to answer. Why not use a library such as iText or a competitor? Or use DocuSign via our API to digitally sign a document. See the Express SBS product. Note: I work for DocuSign. – Larry K Oct 11 '18 at 11:40
  • I'm not really looking to use a QSCD for legal reasons, I simply want to use the idea of signing a certificate to verify that it is not fake. The idea is that a worker can request a certificate of his position, give it to another agency, and then that agency can use an API to check that the certificate is not fake. I'm not too sure if I'm grasping the concept of QSCD correctly, or if I can simply maybe just store the data in the database and then make a simple API, but I just wanted to be able to release PDF certificates too. But then again, how do I ensure the position isn't tampered with? – Jaquarh Oct 11 '18 at 11:59
  • @LarryK - Why not use the DocuSign API? Because they want $3 per document signed, and even if you do bulk, 12,000 per year (1,000 per month), they want to charge $32,400, or $2.70 per document sent. That's insane. – j_allen_morris May 16 '21 at 19:03
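
The three checks listed in the question (who signed, whether the file changed afterwards, and when it was signed), shown as an added example that is not part of the original question, answer or comments. It uses PHP's OpenSSL extension to produce a detached signature over a manifest that binds the signer, the signing time and the document hash; it does not embed a signature inside the PDF. Assumptions: the sample bytes, the signer label and the function names `signDocument` and `verifyDocument` are constructed for illustration, and the key is generated in memory only for the demo, whereas the answer's point is that the real private key belongs in a smart card or signing appliance.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for the generated certificate PDF.
$pdfBytes = "%PDF-1.4\n% constructed sample certificate body\n";

// Demo only: in production the private key stays inside the signing device
// and is never loaded into PHP memory or stored beside the application.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 3072,
]);
$publicPem = openssl_pkey_get_details($key)['key']; // given to verifiers

/** Sign a manifest that binds signer, signing time and document hash. */
function signDocument(string $doc, string $signer, $privateKey): array
{
    $manifest = json_encode([
        'signer'    => $signer,
        'signed_at' => gmdate('c'), // asserted by the signer, not a trusted timestamp
        'sha256'    => hash('sha256', $doc),
    ]);
    if (!openssl_sign($manifest, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return ['manifest' => $manifest, 'signature' => base64_encode($sig)];
}

/** Return the verified manifest, or null if the signature or hash fails. */
function verifyDocument(string $doc, array $envelope, string $publicPem): ?array
{
    $sig = base64_decode($envelope['signature'], true);
    // openssl_verify returns 1 only for a valid signature (0, -1 or false otherwise).
    if ($sig === false
        || openssl_verify($envelope['manifest'], $sig, $publicPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null; // manifest was not produced by the holder of the private key
    }
    $m = json_decode($envelope['manifest'], true);
    if (!is_array($m) || !is_string($m['sha256'] ?? null)
        || !hash_equals($m['sha256'], hash('sha256', $doc))) {
        return null; // document bytes differ from what was signed
    }
    return $m; // signer and signed_at are now covered by the signature
}

$envelope = signDocument($pdfBytes, 'Registrar (hypothetical)', $key);
var_dump(verifyDocument($pdfBytes, $envelope, $publicPem));        // original bytes
var_dump(verifyDocument($pdfBytes . 'x', $envelope, $publicPem));  // modified bytes
```

The `signed_at` value is only as trustworthy as the signer's clock; proving signing time to a third party needs a timestamp from an independent timestamping authority, and the verifier must obtain the public key through a channel it already trusts.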