Signature With an Electronic Seal According to eIDAS

An electronic seal enables a group of people to attach – in accordance with eIDAS and therefore valid throughout Europe – a company stamp or an official seal to an electronic document.

This means that for a qualified seal the certificate is issued in the name of a legal entity and not (as in case of a qualified signature) in the name of an individual person.

A qualified Seal can be used as smart card (seal card), HSM or remote seal with our software.
The benefit of the seal is that the server, which is used for the sealing of the documents, can (and should) manage the authorized users, respectively, the access to the seal via its authorization management. By this no user must enter a PIN for the signature card anymore (please see more about authorization management further down below). It is, of course, also possible to sign directly with the seal at the individual workspace by using client software (SecSigner).

A qualified seal can guarantee at least two important aspects: The authenticity of the data (i.e. that they originate from the legal entity as claimed) and the integrity (that the data was not manipulated after the sealing process – e.g. statements of account or a notice from a public authority).

What makes the qualified seal so special is that it can be used very conveniently for the signature on server side in order to seal files on server side (e.g. automated sealing of emails or statements of account).


Electronic Trust Centers
Remote Signature Service
Qualified Signature

Generation of Qualified Seals

Qualified electronic sealing can be realized by using:

  • Seal card (either single or multi seal cards)
  • A remote seal, for example with Swisscom. The customer does not need any additional hardware for the seal process.
  • HSMs (Hardware Security Modules): A Hardware Security Module (HSM) means a data processing equipment which manages digital keys and provides cryptographic procedures and prevents (on hardware side) the reading of these keys.

On the sealing card the private key and the certificate of the authority/the company are located.

A qualified seal can be generated via the client or on the server:

  • Manual sealing of single documents or document batches with SecSigner
  • Centrally automated and highly performant sealing of documents, batches of documents or bulk documents
  • For the future: Sealing via remote signature server of a validated trust center

Generating Electronic Seals With SecPKI Server

File transfer by using:

  • Custom Webservice which enables sealing conveniently via a website by using the drag and drop function

Precise control of access rights for:

  • User authentication: Password and two-factor authentication
  • Process authentication : HTTP Basic Auth, oAuth, based on certificates, etc.


For the qualified electronic seal you can use our SecPKI Server (SecSign ID Server). You can operate the SecPKI Server either in your own data center or in a data center of your choice. By this all files remain on your server until they are signed and processed.

The SecPKI Server manages the electronic seal centrally and provides you with an authorization management for the electronic sealing processes so that you can define on a finely granular basis which user or process is allowed to seal electronically.

Documents from external programs are transferred in an automated way to SecPKI by using an authenticated process. You can, for example, define in the SecPKI Server that the process is authorized to seal all generated files electronically. Email attachments, invoices, prescriptions, etc. are, for example, transferred automatically.

The electronic seal is created by individuals who have the required authorization in the SecPKI Server. According to the respective application you can decide on the authentication level for the approval of the electronic seal. All this is controlled and configured in the internal authorization management of the SecPKI Server (please also see “User management for the SecPKI Server”)

As a result you can get a PDF signature with a stylish visual seal stamp and integrated signature as usual or a file with an external signature file. The signed PDF meets the European standards for qualified signatures (eIDAS). An internal signature is called PAdES signature. In case of an external signature it is called CAdES signature.

Thus, you can simply transfer the PDF files from your process to the SecPKI Server directly via API calls (SOAP, REST, etc.) or via a monitored directory and seal them in an automated process. The position can be defined by using properties or form fields (PDF signature fields). The SecPKI Server verifies the signature and can, if desired, ensure the evidential value for the electronically sealed documents by using a hash tree (long-term archiving).

The electronically sealed files can then be transmitted directly from the SecPKI Server to further processing and can, for example, be provided as download option to the users via the customer portal.

Additionally, the SecPKI Server can provide you with a web service which can be used for the convenient manual electronic sealing of files by using the upload function.

Furthermore, you can use the web service of the SecPKI Server for the verification of signatures and have your customers (by using your web service) verify the document to make sure that you are really the sender of the document. It is, of course, also possible to integrate the verification of signatures into your customer portal by using a REST Api.

User Management With SecPKI Server

The operator of the server can exactly define if, when, and how a process/user/user group is allowed to seal electronically. It can also be clearly defined if access is only allowed, for example, after a two-factor authentication or only with a specific computer.

Important note: The factors for the authentication are not the same factors as for the seal card (the sealing process can be directly activated at the workstation of the authorized employee). The authentication here is required for each single document, respectively, document batch, which should receive a qualified seal.

The SecPKI Server can also make the generation of electronic seals available for external users/employees. The access can be protected via two-factor authentication.

For an easier enrollment SecPKI Server and user management can be connected directly with the existing identity management by using standardized interfaces.

The administration of the seal cards and remote signature provider takes place via the admin interface of the SecPKI Server.

If an employee should no longer be authorized to seal electronically, the authorization management provides you with the option to make the appropriate changes without the need to replace the relevant seal card.

For example, the user logs into a web service and uploads a PDF file in order to have it electronically sealed. The access to the seal is additionally protected by detailed access rules which can be individually defined, e.g. by a 2FA. Only after a successful authentication against the SecPKI sealing server the document receives the seal certificate.

Invoices are automatically transferred by the process creating the invoices to the SecPKI sealing server. The process transmission is carried out by, for example, SOAP, REST Api or Java Api. For this the process authenticates, for example, by using certificates, password, oAuth or other authentication processes. Only after a successful authentication of the invoicing process the documents receive the seal.