An electronic seal is a tamper-proof digital stamp that authenticates a document's origin and integrity, guaranteeing that it was issued by a specific legal entity and has not been altered since it was sealed.
Unlike an individual's digital signature, an electronic seal is used by a company, government body, or other organization.
The creation of a valid electronic seal requires a digital certificate issued by a trusted third-party Certificate Authority (CA) or Trust Service Provider (TSP). While a simple visual image can be used, a truly secure and legally binding electronic seal must leverage public-key cryptography and a verifiable digital certificate. Here is a comprehensive guide to the process.
Step 1: Secure a digital certificate from a trusted provider
The digital certificate is the core of a legally valid electronic seal. It is a digital file that binds a public key to an organization's identity.
Choose a TSP: Select a TSP that is integrated with your signing platform (like Adobe Acrobat Sign) and compliant with regional regulations, such as eIDAS in the European Union. Popular providers include Intesi Group, GlobalSign, and Entrust.
Prepare your application: Your organization must gather all necessary legal and identity documents to prove its legitimacy. The requirements will vary by TSP and the level of seal you require (e.g., Qualified vs. Advanced).
Obtain the certificate: The TSP will verify your organization's identity and issue a digital certificate in its name. This certificate includes a public key, which is used to verify the seal, and is stored securely in a dedicated device like a Hardware Security Module (HSM) to protect the associated private key.
Step 2: Set up and configure a signing server
For a centralized solution, you will need a signing server to manage the application of the electronic seal across your organization.
Select signing server software: Use a specialized server application like SignServer, which centralizes signing operations and securely stores keys. This provides multiple developers and systems within your company with controlled access to the sealing function.
Integrate the TSP: Many enterprise signing solutions use a Cloud Signature Consortium (CSC) API for integration with the TSP. This involves configuring your server with the credentials provided by your TSP, including the:
- OAuth Client ID
- OAuth Client Secret
- Credential ID
- Credential PIN
Configure user access: Establish an access control policy to authorize specific users or systems to apply the electronic seal. It is best practice to disable broad access and explicitly enable only those accounts that require it.
Step 3: Configure the visual appearance and metadata
An electronic seal's visible stamp can contain customizable information to provide context to the recipient.
Create a seal graphic (optional): Design an official image for your organization's seal, which can be uploaded to your signing software. If you do not upload a graphic, only text will be used for the visible seal.
Define seal text: Your signing software will allow you to define the text that appears with the seal. This typically includes:
- The organization's name (the certificate's subject)
- The reason for the seal (e.g., "for official records," "issued by")
- The date and time of the seal application
Set up automation: Configure workflows to automatically apply the electronic seal. This is useful for high-volume tasks like automatically stamping invoices, receipts, or other official documents.
Step 4: Apply the electronic seal to a document
The final step is to integrate the seal into your document workflow.
Use a compatible application: Use a document management system or PDF editor that supports digital signing with cloud certificates.
- In-app signing: Within an application like Adobe Acrobat, select the option to "digitally sign" and then choose your organization's seal. Position the visual seal on the document and authenticate the transaction with your credential PIN and a one-time passcode if required.
- Automated sealing: For bulk processing, your signing server can apply the seal automatically via an API call as part of a larger document management workflow.
Step 5: Verify the electronic seal and maintain an audit trail
For both your organization and the recipient, verifying the electronic seal is crucial to ensure trust.
In-document verification: Recipients can verify the seal by opening the document in software like Adobe Reader. A valid electronic seal will display a blue bar at the top, confirming the document's origin and that it has not been tampered with. Clicking the signature panel reveals more details about the certificate issuer and the timestamp.
Maintain an audit trail: The signing software automatically captures a detailed audit trail, documenting every aspect of the sealing process. This log includes the signing reason, the TSP, the IP address, the certificate issuer, and a timestamp. This evidence is crucial for maintaining accountability and legal compliance.
Best practices for a robust electronic seal system
To maximize security and legal compliance, follow these guidelines:
- Implement strong authentication: Use multi-factor authentication (MFA) for anyone authorized to apply the electronic seal.
- Choose a reputable TSP: Use a trusted and certified TSP to ensure the legal standing and integrity of your certificates.
- Control user access: Limit access to seal credentials only to those who absolutely need it.
- Maintain a detailed audit log: Retain a robust, tamper-proof record of every document seal for accountability and legal defense.
- Ensure legal compliance: Be aware of the specific legal requirements for electronic seals in your jurisdiction, such as the eIDAS regulation in the EU.
- Protect private keys with an HSM: Do not store private keys on a standard computer. Use a dedicated HSM for secure storage and signing operations.