Documenso uses digital certificates to sign PDF documents with legally valid signatures. This ensures document authenticity, integrity, and non-repudiation.

How PDF Signing Works

When a document is signed in Documenso:
  1. The recipient’s signature (drawn, typed, or uploaded) is added to the PDF
  2. The entire PDF is digitally signed using a certificate
  3. The signature includes cryptographic proof that the document hasn’t been altered
  4. Optionally, a timestamp from a trusted authority is embedded for long-term validation

Signing Transports

Documenso supports two signing methods:

Local Signing

File-based signing with a .p12 certificate. Best for getting started.

Google Cloud KMS

Hardware-secured signing using Google Cloud KMS. Enterprise-grade security.

Local Signing

Best for: Getting started, small deployments, development
  • Uses a .p12 (PKCS#12) certificate file
  • Certificate stored as a file or base64-encoded environment variable
  • Simple to set up
  • The certificate and its private key are accessible to the application process
Pros:
  • Easy to configure
  • No external dependencies
  • Works in any environment
Cons:
  • Certificate file must be secured
  • Risk of key exposure if server is compromised
  • Harder to meet compliance requirements

Google Cloud KMS

Best for: Production deployments, enterprise environments, compliance requirements
  • Private key never leaves Google’s Hardware Security Module (HSM)
  • Signs documents using Google Cloud KMS API
  • Certificate chain stored separately
  • Meets compliance standards (FIPS 140-2, etc.)
Pros:
  • Maximum security - private key never exposed
  • Hardware-backed cryptographic operations
  • Audit trails and access control via Google Cloud
  • Meets enterprise compliance requirements
Cons:
  • Requires Google Cloud account
  • Additional cost for KMS operations
  • More complex setup

Certificate Requirements

Regardless of the signing method, your certificate should:
  • Be issued by a trusted Certificate Authority (CA) or be self-signed
  • Use an RSA key of 2048 bits or larger
  • Be valid (not expired)
  • Include the “Digital Signature” key usage
Self-signed certificates work fine for most use cases. However, publicly trusted certificates from CAs like DigiCert or GlobalSign provide additional trust indicators in PDF viewers.

Timestamp Authorities (TSA)

Timestamp authorities provide proof that a document was signed at a specific time. This is crucial for:
  • Long-Term Validation (LTV) - documents remain valid even after the signing certificate expires
  • Legal compliance in certain jurisdictions
  • Proving when a document was signed

Supported TSA Services

Documenso supports any RFC 3161-compliant timestamp authority. Popular free options include:
  • DigiCert: http://timestamp.digicert.com
  • GlobalSign: http://timestamp.globalsign.com/tsa/r6advanced1
  • Sectigo: http://timestamp.sectigo.com
  • Entrust: http://timestamp.entrust.net/TSS/RFC3161sha2TS

Configuration

Add one or more TSA URLs to your environment:
NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY="http://timestamp.digicert.com,http://timestamp.globalsign.com/tsa/r6advanced1"
Configure multiple TSA URLs for redundancy. Documenso will randomly select one for each signing operation.
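As an added illustration of the exchange behind that setting (example code, not Documenso's own), this Python script encodes the RFC 3161 TimeStampReq that a configured TSA receives and reads the PKIStatus out of its TimeStampResp. The document bytes and nonce are constructed samples; a real request hashes the PDF's signed byte ranges.

```python
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
# Constructed stand-in for the PDF byte ranges that get hashed before signing.
SAMPLE_DOCUMENT = b"%PDF-1.7 constructed sample document\n"

def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading zero byte if top bit set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_timestamp_request(document: bytes, nonce: int, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq }."""
    # Only SHA-256(document) leaves the server; the TSA never sees the PDF itself.
    digest = hashlib.sha256(document).digest()
    alg_id = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))  # sha256 + NULL params
    imprint = der(0x30, alg_id + der(0x04, digest))
    body = der_integer(1) + imprint + der_integer(nonce)
    if cert_req:
        body += der(0x01, b"\xff")  # ask the TSA to embed its signing certificate
    return der(0x30, body)

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: n & 0x7F bytes of big-endian length follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def timestamp_response_status(resp: bytes) -> int:
    """PKIStatus of TimeStampResp ::= SEQUENCE { status PKIStatusInfo, token OPTIONAL }."""
    tag, body, _ = read_tlv(resp)  # 0 = granted, 1 = grantedWithMods, >1 = no token
    if tag != 0x30:
        raise ValueError("not a TimeStampResp SEQUENCE")
    _, status_info, _ = read_tlv(body)
    tag, status, _ = read_tlv(status_info)
    if tag != 0x02:
        raise ValueError("missing PKIStatus INTEGER")
    return int.from_bytes(status, "big")
```

The request is sent as an HTTP POST body with Content-Type application/timestamp-query to one of the configured URLs; only a reply whose status is 0 or 1 carries a token worth embedding, which is why a redundant TSA list matters.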

Signature Standards

Documenso uses the ETSI.CAdES.detached signature format by default, which is the modern European standard for PDF signatures (PAdES baseline).

Legacy Mode

If you need compatibility with older PDF readers, you can switch to the legacy adbe.pkcs7.detached format:
NEXT_PRIVATE_USE_LEGACY_SIGNING_SUBFILTER="true"
Only use legacy mode if you have specific compatibility requirements. The modern CAdES format provides better long-term validation support.

Signature Appearance

Contact Information

You can customize the contact information embedded in PDF signatures:
NEXT_PUBLIC_SIGNING_CONTACT_INFO="[email protected]"
This appears in the signature properties when viewing the PDF.

Choosing a Signing Method

Start with local signing. It’s simple to set up and you can always migrate to Google Cloud KMS later.
Set up local signing →
Use Google Cloud KMS. This meets most compliance requirements and keeps your private key secure.
Set up Google Cloud KMS →
Use Google Cloud KMS with a certificate from a trusted CA and configure timestamp authorities. This combination provides maximum security and long-term validation.
Both methods work well in containers:
  • Local signing: Pass the certificate as a base64-encoded environment variable
  • Google Cloud KMS: Pass the Google Cloud credentials as a base64-encoded environment variable
See the respective guides for details.

Next Steps

Local Signing Setup

Configure file-based certificate signing

Google Cloud KMS Setup

Set up hardware-secured signing with Google Cloud
