January 17, 2019


Digital Signing evolving into the cloud


The post was updated: 2020-06-11

Digital Signing, using PKI and X.509 certificates, is the true enabler for automation and digitalization! It can help you modernize workflows, save time, decrease costs and drive new opportunities.

Why is digital signing / electronic signing so powerful?

One of the strengths of digital signatures in the cloud is that both the origin and the integrity of electronic data can be ensured at the time of signing and then again at a later time. An organization can thereby securely sign and build automated processes for customer on-boarding, signing agreements, e-invoicing etc. There are endless use cases where digital signing is applicable, and solutions have been developed for many years already. What has happened in the past couple of years is that server-side (remote) signing is gaining more traction as the most cost-effective and secure solution. Central key management, control and audit trails on who signed what and when are a few of the advantages. Any signing key is preferably stored and used in Hardware Security Modules (HSM), and with a server-side signing solution you will also be able to limit the number of HSMs needed.

Use cases for eSignatures

Common electronic signing use cases include document management workflows, e-service transactions and software distribution. Electronic signing for documents and transactions is relevant in basically all workflow automation scenarios for B2B, B2C, Gov2B, Gov2C e-services. Customer on-boarding processes, human resource agreements, travel expense approvals, e-procurement management, PDF scanning processes, e-invoicing and minutes of meetings needing multiple signatures are a few examples. Some of these workflows have in the past struggled to reach their full potential but are now becoming really powerful as interoperable solutions and legal frameworks surrounding the lifecycle of a signature are starting to come into place. In the European Union the countries have harmonized their electronic signature laws to create a predictable regulatory environment in alignment with the eIDAS regulation.

Code Signing, Time-Stamping and ePassports

One area where the power of the digital signature is evident is in signing code for software distribution. In the connected society the need for secure and cost-effective distribution of installation packages, software updates, license files etc. is critical for the business case. With a wide diversity in device platform capabilities and connectivity demands, flexibility is a key component for digital signing in this area. Support for multiple code signing formats and a tight integration with existing build processes is required for cost efficiency and security. If you want to know more about important aspects to consider when choosing the right code signing solution for your business case, we recommend this blog post: Six things to consider when choosing your code signing solution.

Two other areas where digital signing is already extensively used today are time-stamping and e-passport solutions. Time-stamping is standardized in RFC 3161, RFC 5816, ETSI EN 319 422 and ETSI EN 319 421, and digital signing of documents or software (for example Microsoft Authenticode) relies on this service for trusted and reliable time information. Add-on services such as Long Term Validity (LTV) signatures embed additional elements needed for secure and standards-based verification of signatures in the future.

E-passports, Machine Readable Travel Documents (MRTD), are implemented worldwide and are standardized by the International Civil Aviation Organization (ICAO). ICAO has specified that digital signing is required for passport data that is stored in the passport chip.

Signing should not be difficult or expensive to deploy. Is a cloud deployment the right solution for you?

In November last year we announced EJBCA Enterprise Cloud and in a blog from December we talked about the advantages of deploying your PKI in the cloud. The same advantages of course also apply to signing solutions, and as we said then:

Many enterprises today choose to deploy all or parts of their IT infrastructure and/or service offering in the cloud. Rapid deployment and ease of scale are two of the advantages. There is no upfront investment in hardware, servers and software, which minimizes risk and makes it easy to get started. A cloud deployment thus enables you to start small and grow with the use case. Most solutions in the cloud only charge you for the resources that you use. So why not do the same with your signing solution?

So, if you’re looking to deploy your signing solution in the cloud you can rest assured that, with PrimeKey solutions, you are able to get a proper signing solution from the start. Step-by-step how-to guides, already proven best practices, easy-to-use integration interfaces and PrimeKey’s professional services team are available to support you. You’re easily up and running regardless of whether you start with a single use case or want to set up a service with multiple tenants and/or use cases. In the picture below, you can see a typical signing solution reference architecture including redundancy, cross-cloud deployments and AWS CloudHSM stored keys.

SignServer in the cloud

Try out signing in the cloud

Has this sparked your curiosity about signing in the cloud? Or are you already convinced that deploying your security solutions in the cloud is an efficient way forward for your organization? Please feel free to try it out with a free 30-day trial on AWS. SignServer Enterprise Cloud will get you a single node, perfect for testing and evaluation, within minutes. This same node can also be expanded to meet the most demanding digital signature needs. SignServer in the cloud scales with you as you grow. All the documentation you need to get up and running on AWS, plus how to get your first SignServer running, is available here.

Would you like to know more about PKI in the cloud?

Sign up for our webinar on PKI in the cloud to learn more.




Alex Gregory

Alex Gregory is Senior Director Cloud & Managed, PKI Products and Services at PrimeKey based in San Mateo, Silicon Valley. He has over 20 years of experience in the IT Security and Product Management fields, providing senior systems, security and IT solutions to a diverse set of companies.