How to integrate digital signatures with GlobalSign
This guide explains how to integrate Nutrient Document Engine with GlobalSign’s Digital Signing Service (DSS) for digital signatures. Document Engine is our server-backed operational mode that provides advanced features like digital signatures.
GlobalSign DSS is a cloud-based solution that enables organizations to deploy trusted digital signatures quickly and securely, without the need for hardware security modules (HSMs) or USB tokens. As a Qualified Trust Service Provider (QTSP), GlobalSign is part of the Adobe Approved Trust List (AATL) and provides PKI-based digital signatures that meet eIDAS regulations in Europe, along with various US regulations.
GlobalSign DSS supports qualified electronic signatures (QES), the highest standard for digital signatures, through its Qualified Trust Seals. Learn more about signature types in our digital signatures overview.
Prerequisites
Before starting the integration, you’ll need:
- A Nutrient Document Engine license with digital signature support.
- GlobalSign DSS credentials:
  - API key
  - API secret
  - TLS certificate chain (in PEM format)
  - TLS certificate private key (in PEM format)
Contact Sales to obtain GlobalSign DSS credentials. We’ll help streamline the process of getting your organization vetted by GlobalSign, which is required for obtaining a digital signing certificate.
Architecture overview
Follow our sign a PDF document guide for the basic setup. Then make the adjustments in the following sections to use GlobalSign DSS as your signing provider.
Implementation
Set up your GlobalSign DSS credentials in your signing service:
# GlobalSign DSS Credentials.
export GLOBALSIGN_API_KEY=<your-api-key>
export GLOBALSIGN_API_SECRET=<your-api-secret>
export GLOBALSIGN_TLS_CERT=<your-tls-certificate-chain>
export GLOBALSIGN_TLS_KEY=<your-tls-certificate-private-key>
Sign documents
To sign a document with GlobalSign DSS, use the following request format:
curl -X 'POST' 'http://localhost:5000/api/documents/my-document-id/sign' \
  -H 'Accept: application/json' \
  -H 'Authorization: Token token="secret"' \
  -H 'Content-Type: application/json' \
  -d '{
    "signatureType": "cades",
    "signatureContainer": "raw",
    "cadesLevel": "b-lt",
    "signingToken": "{\"signMethod\": \"globalsign\"}",
    "signatureMetadata": {
      "signerName": "John Doe",
      "signatureReason": "Approval",
      "signatureLocation": "Vienna"
    }
  }'
For security purposes, GlobalSign DSS certificates expire after 10 minutes. To ensure your signed documents remain valid indefinitely, you must use both signatureType: "cades" and cadesLevel: "b-lt" in your signing requests.
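A preflight check for the constraint above, as an added example that is not Nutrient's or GlobalSign's code: it builds the request body from the curl example and rejects any GlobalSign request that lacks signatureType "cades" or cadesLevel "b-lt". The function names are hypothetical; the field names and values are the ones shown in this guide.

```python
import json

# Values this guide requires when signing through GlobalSign DSS.
REQUIRED = {"signatureType": "cades", "cadesLevel": "b-lt"}


def build_sign_request(signer_name, reason, location):
    """Build the JSON body for POST /api/documents/<id>/sign (hypothetical helper)."""
    return {
        "signatureType": "cades",
        "signatureContainer": "raw",
        "cadesLevel": "b-lt",
        # signingToken is a JSON document serialized into a string field.
        "signingToken": json.dumps({"signMethod": "globalsign"}),
        "signatureMetadata": {
            "signerName": signer_name,
            "signatureReason": reason,
            "signatureLocation": location,
        },
    }


def check_sign_request(body):
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    token = body.get("signingToken")
    try:
        method = json.loads(token).get("signMethod") if isinstance(token, str) else None
    except (ValueError, AttributeError):
        method = None
    if method is None:
        problems.append("signingToken must be a JSON string containing signMethod")
    if method != "globalsign":
        return problems  # the checks below only apply to GlobalSign DSS
    for field, wanted in REQUIRED.items():
        if body.get(field) != wanted:
            problems.append(f"{field} must be {wanted!r}, got {body.get(field)!r}")
    return problems


if __name__ == "__main__":
    body = build_sign_request("John Doe", "Approval", "Vienna")
    del body["cadesLevel"]  # constructed mistake: required level omitted
    print(check_sign_request(body))
```

Running the check in the service that issues signing requests catches a request that would otherwise produce a signature tied to a certificate that expires after 10 minutes.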
Security considerations
- Credential security:
  - Store GlobalSign credentials securely.
  - Never expose credentials in client-side code.
  - Use environment variables or a secure key management service.
- Network security:
  - Use HTTPS for all communications.
  - Restrict access to your signing service.
  - Configure appropriate firewalls and network policies.