Sign the PDF document
When signing a PDF document, you can set run-time options that are used by the Signature service. You can set the following options:
- Appearance options
- Revocation checking
- Time stamping values
You set appearance options by using a PDFSignatureAppearanceOptionSpec object. For example, you can display the date within a signature by invoking the PDFSignatureAppearanceOptionSpec object's setShowDate method and passing true.
You can also specify whether or not to perform a revocation check, which determines whether the certificate used to digitally sign a PDF document has been revoked. To perform revocation checking, you can specify one of the following values:
- NoCheck: Do not perform revocation checking.
- BestEffort: Always attempt to check for revocation of all certificates in the chain. If any problem or failure occurs during the check, the certificate is assumed to be valid, that is, not revoked.
- CheckIfAvailable: Check for revocation of all certificates in the chain if revocation information is available. If any problem or failure occurs during the check, the certificate is assumed to be revoked and invalid. (This is the default value.)
- AlwaysCheck: Check for revocation of all certificates in the chain. If revocation information is not present in any certificate, that certificate is treated as invalid.
To perform revocation checking on a certificate, you can specify the URL of a certificate revocation list (CRL) server by using a CRLOptionSpec object. However, if you want to perform revocation checking and you do not specify a URL to a CRL server, then the Signature service obtains the URL from the certificate.
Instead of using a CRL server, you can use an Online Certificate Status Protocol (OCSP) server when performing revocation checking. Typically, a revocation check against an OCSP server completes faster than one against a CRL server. (See "Online Certificate Status Protocol" at http://tools.ietf.org/html/rfc2560.)
You can set the order in which the Signature service consults the CRL and OCSP servers by using Adobe Applications and Services. For example, if the OCSP server is set first in Adobe Applications and Services, then the OCSP server is checked, followed by the CRL server. (See "Managing certificates and credentials using Trust Store" in AAC Help.)
If you specify not to perform revocation checking, then the Signature service does not check whether the certificate used to sign or certify a document has been revoked. That is, CRL and OCSP server information is ignored.
Note: Although a CRL or an OCSP server may be specified in the certificate, you can override the URL specified in the certificate by using a CRLOptionSpec and an OCSPOptionSpec object. For example, to override the CRL server, you can invoke the CRLOptionSpec object's setLocalURI method.
Time stamping refers to the process of tracking the time when a signed or certified document was modified. Once a document is signed, it should not be modified, even by the document owner. Time stamping helps enforce the validity of a signed or certified document. You can set time stamping options using a TSPOptionSpec object. For example, you can specify the URL of a time stamping provider (TSP) server.
Note: In the Java and web service walkthrough sections and the corresponding quick starts, revocation checking is used. Because no CRL or OCSP server information is specified, the server information is obtained from the certificate used to digitally sign the PDF document.
To successfully sign a PDF document, you specify the fully qualified name of the signature field that will contain the digital signature, such as form1[0].#subform[1].SignatureField3[3]. When using an XFA form field, the partial name of the signature field can also be used: SignatureField3[3].
You must also reference a security credential to digitally sign a PDF document. To reference a security credential, you specify an alias. The alias is a reference to an actual credential that may be in a PKCS#12 file (with a .pfx extension) or in a hardware security module (HSM). For information about the security credential, see the Installing and Deploying LiveCycle guide for your application server.
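The options described above, assembled into a single signing call, as an added example that is not part of this page or of Adobe's quick starts. It assumes the LiveCycle ES Java client classes named in this section plus SignatureServiceClient, Credential and HashAlgorithm; the package names of the PKI option specs, the setRevocationCheckStyle and setTspServerURL setters, the SHA256 enum value, and the sign(...) parameter order are assumptions to confirm against your version's API reference, and every host, URL and alias is a placeholder.

```java
import java.io.File;
import java.io.FileInputStream;
import java.util.Properties;
import com.adobe.idp.Document;
import com.adobe.idp.dsc.clientsdk.ServiceClientFactory;
import com.adobe.livecycle.signatures.client.SignatureServiceClient;
import com.adobe.livecycle.signatures.client.types.Credential;
import com.adobe.livecycle.signatures.client.types.HashAlgorithm;
import com.adobe.livecycle.signatures.client.types.PDFSignatureAppearanceOptionSpec;
// Package names of the PKI option specs are assumed; check your version's API reference.
import com.adobe.livecycle.signatures.pki.client.types.common.RevocationCheckStyle;
import com.adobe.livecycle.signatures.pki.client.types.prefs.CRLOptionSpec;
import com.adobe.livecycle.signatures.pki.client.types.prefs.OCSPOptionSpec;
import com.adobe.livecycle.signatures.pki.client.types.prefs.TSPOptionSpec;

public class SignPdfExample {
    public static void main(String[] args) throws Exception {
        // Connection to the LiveCycle server (placeholder host and service account).
        Properties props = new Properties();
        props.setProperty("DSC_DEFAULT_EJB_ENDPOINT", "jnp://LC_HOST:1099");
        props.setProperty("DSC_TRANSPORT_PROTOCOL", "EJB");
        props.setProperty("DSC_SERVER_TYPE", "JBoss");
        props.setProperty("DSC_CREDENTIAL_USERNAME", "SERVICE_ACCOUNT");
        props.setProperty("DSC_CREDENTIAL_PASSWORD", "SERVICE_PASSWORD");
        SignatureServiceClient signClient = new SignatureServiceClient(ServiceClientFactory.createInstance(props));
        // Unsigned input and the XFA signature field to fill (the partial name is accepted).
        Document inDoc = new Document(new FileInputStream("UnsignedLoan.pdf"));
        String fieldName = "SignatureField3[3]";
        // Alias of the signing credential held in the Trust Store (PKCS#12 file or HSM).
        Credential cred = Credential.getInstance("signing-credential-alias");
        // Appearance option: show the signing date in the visible signature.
        PDFSignatureAppearanceOptionSpec appearance = new PDFSignatureAppearanceOptionSpec();
        appearance.setShowDate(true);
        // Revocation: AlwaysCheck fails closed when revocation info is missing, whereas
        // BestEffort assumes "not revoked" whenever the lookup fails. Default is CheckIfAvailable.
        OCSPOptionSpec ocsp = new OCSPOptionSpec();
        ocsp.setRevocationCheckStyle(RevocationCheckStyle.AlwaysCheck);
        CRLOptionSpec crl = new CRLOptionSpec();
        crl.setRevocationCheckStyle(RevocationCheckStyle.AlwaysCheck);
        crl.setLocalURI("http://crl.example.internal/ca.crl"); // overrides the CRL URL in the certificate
        // Time stamp from a TSP so the signing time is not taken from the caller's clock.
        TSPOptionSpec tsp = new TSPOptionSpec();
        tsp.setTspServerURL("http://tsa.example.internal/tsa"); // setter name assumed

        Document signed = signClient.sign(inDoc, fieldName, cred, HashAlgorithm.SHA256,
            "Approved", "Head office", "hr@example.com", appearance, ocsp, crl, tsp);
        signed.copyToFile(new File("SignedLoan.pdf"));
    }
}
```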