ENTRUST SIGNING AUTOMATION SERVICE
Step-by-step PDF document sealing process using iText
iText prepares the PDF document for sealing
iText adds a signature value dictionary to a signature field in the PDF’s code. This value contains some meta information (signing reason, signing time, etc.) and a placeholder for the future signature container. iText calculates the hash value of the document (not including the placeholder) using a strong message digest algorithm (e.g. SHA-256). iText builds a signature container that consists of a set of “signed attributes,” including the document hash, then hashes the full set of signed attributes to produce one final hash.
iText requests and fetches a digital seal using the Entrust Signing Automation Service
Using the Entrust Signing Automation client, iText sends the final hash value to the Entrust Signing Automation Service via an authenticated PKCS #11 request. The Entrust Signing Automation Service uses the private key securely stored in your account to generate a digital seal for the hash value, and sends this seal back to iText.
iText requests and fetches a timestamp token using the Entrust public timestamping service
Using the same process described in step 1, iText recalculates a final hash of the document, including the digital seal. This new hash is sent to the Entrust public timestamping service. The timestamping service bundles the hash value with the exact date and time, and uses the private key of its own long-lived certificate to generate a signature for the bundle. This signature (timestamp token) is sent back to iText.
iText finalizes the sealing process
iText embeds the seal and the timestamp token into the signature container that it started building in step 1. iText injects the signature container into the placeholder created during step 1. The PDF document is now sealed!
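The two-level hash from step 1 and the placeholder injection from the last step, as an added Python sketch (not iText or Entrust code). It assumes SHA-256, only the contentType and messageDigest signed attributes, and a constructed PDF-like byte string; all function names are hypothetical.

```python
import hashlib

# DER-encoded OIDs: contentType, messageDigest (PKCS #9) and id-data (PKCS #7)
OID_CONTENT_TYPE = bytes.fromhex("06092a864886f70d010903")
OID_MESSAGE_DIGEST = bytes.fromhex("06092a864886f70d010904")
OID_DATA = bytes.fromhex("06092a864886f70d010701")

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form length is enough for this example."""
    if len(body) >= 0x80:
        raise ValueError("long-form DER length not needed here")
    return bytes([tag, len(body)]) + body

def document_digest(pdf: bytes, byte_range: list) -> bytes:
    """SHA-256 over both ByteRange segments, skipping the placeholder."""
    o1, l1, o2, l2 = byte_range
    return hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).digest()

def signed_attrs(doc_hash: bytes) -> bytes:
    """DER SET OF the contentType and messageDigest signed attributes."""
    attrs = [
        der(0x30, OID_CONTENT_TYPE + der(0x31, OID_DATA)),
        der(0x30, OID_MESSAGE_DIGEST + der(0x31, der(0x04, doc_hash))),
    ]
    return der(0x31, b"".join(sorted(attrs)))  # DER orders SET OF members

def final_hash(pdf: bytes, byte_range: list) -> bytes:
    """The value that would be sent to the signing service."""
    return hashlib.sha256(signed_attrs(document_digest(pdf, byte_range))).digest()

def inject(pdf: bytes, byte_range: list, container: bytes) -> bytes:
    """Hex-encode the container into the <...> placeholder, zero-padded."""
    start, end = byte_range[1], byte_range[2]   # placeholder is pdf[start:end]
    room = end - start - 2                      # hex digits between < and >
    hexval = container.hex().encode()
    if len(hexval) > room:
        raise ValueError("signature container larger than placeholder")
    return pdf[:start + 1] + hexval.ljust(room, b"0") + pdf[end - 1:]

# Constructed sample, not a valid PDF: a signature dictionary with a placeholder
HEAD = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
HOLE = b"<" + b"0" * 64 + b">"
TAIL = b" /Reason (constructed sample) >>\nendobj\n%%EOF\n"
PDF = HEAD + HOLE + TAIL
BYTE_RANGE = [0, len(HEAD), len(HEAD) + len(HOLE), len(TAIL)]

if __name__ == "__main__":
    sealed = inject(PDF, BYTE_RANGE, b"\x30\x03\x02\x01\x01")  # stand-in container
    print(final_hash(PDF, BYTE_RANGE).hex())
    print(final_hash(sealed, BYTE_RANGE) == final_hash(PDF, BYTE_RANGE))
```

Because the placeholder sits outside the hashed byte ranges, filling it leaves the final hash unchanged, while any edit to the bytes before or after it changes the hash and invalidates the seal.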