Remote signature, digital signature on server side (mass signature) and time stamps, PDF´s, emails, scanned documents, forms, XML and more

Digital signature on server side (mass signature) and time stamp

First, you should find out which legal value is required for your signed files, respectively, the reason why you want to sign them.

If, for example, you only require a proof that the data which you stored in the archive have not been changed, a mass signature on server side would be the right choice.



However, particularly for the transfer of analog files to digital documents (e.g. for data received from the scanning process) it is often required to make a visual control of the documents before signing them. For this it can be recommended to use a combination of a signature software on client side (in the described scenario the SecArchive client) and the SecPKI signature server in order to verify signature and user and to have a hash tree (long-term archive) generated.


More about substitute scanning

In the following paragraph we describe how to realize a mass signature on your own server. Some special cases lik batch files as well as archiving of email and print data will be explained on the following page.

You can select between a qualified electronic signature (signature card) and an advanced signature with software certificate (signature certificate). The following process explains the procedure using a qualified signature. The procedure using a software certificate would be the same, but in that case you can do without signature card and card reader.

For the qualified electronic signature one or more signature cards are connected with the SecPKI server by using a card reader. For a mass signature card you have to enter the PIN directly when inserting the card. In the properties file you define time period or number of signatures for which the card can be used. When using an individual signature card, however, you have to enter the PIN every time.

The number of required signature cards depends on the time period during which a defined amount of files is supposed to be signed.


Details about hardware requirements

Process – Mass signature

The SecPKI server can accept in several ways the files or document batches which are supposed to be signed


Monitoring of one or several pre-configured directories (the SecPKI server takes automatically the files or document batches, signs them and moves them to an outgoing directory)
▾ Show more

It is possible to configure several root directories for which different options apply. For example, the signature can be included in the PDF file or it might only be allowed to sign with some specified signature cards (or with none at all).

Below the root directory batches can be filed in any number of directories. The SecPKI server scans them and processes the individual subdirectory as soon as the semaphore for approval is placed there.



Transfer via the SecPKI API. Invocations in Java or SOAP are available for developers.

▾ Show more

The advantage of the SecPKI API is that you get synchronously a reply to the request. Therefore, you do not have to check in the target directory, if a semaphore with the message “Ready” coming from SecPKI is already available.

It is also possible to define the exact parameters for this request (signature format, card, padding, etc.). Otherwise, you would have this as a fixed definition in the properties file for the root directory.


For both options the SecPKI server verifies the generated signatures and thus the user´s certificates and enters the hash values of the signatures and documents into a hash tree. The hash tree is completed each day with the time stamp of a trust center. By using these time stamps (which are – if necessary – after some years followed by renewed time stamps with updated cryptographic procedures), the evidential value is maintained in the long term. Please also see the page about Long-term archive.


  1. Signature card and card reader are connected with the server
  2. Ingoing and outgoing directories of the file which should be signed are defined. Alternatively, the process which creates the file, can be connected by using the SecPKI API
  3. SecPKI waits for the data which are meant to be signed
  4. SecPKI verifies user certificates and signatures
  5. SecPKI sets up a long-term archive (hash tree) by using signatures and time stamp
  6. Completely signed document batches can be collected from the process and, for example, be stored in the DMS