Sign PDF documents
Tip
In almost all use cases, signing PDF documents with KIT-CA certificates is not advisable.
Digital signatures are more complex in several dimensions (semantically, technically and legally) than most people intuitively assume. For a more comprehensive overview, we recommend reading this white paper from bwUni.digital (only in German), in particular Anhang A: Entscheidungshilfe für die Digitalisierung der Unterschrift (Appendix A: decision aid for digitising the signature) on page 33.
Our slides from the IT-Expertenkreis (only in German) (slides 10-end) may also prove helpful.
We are aware of a handful of processes at KIT that are based on people sending each other PDF files that are signed with our certificates. As far as we are aware, these processes are either very fragile or only “work” because the recipients do not check the signature at all or simply ignore its invalidity.
Note
We would like to appeal to all process designers at KIT to not build any processes that use signed PDF documents with certificates from the KIT-CA. Web portals with strong authentication are a better choice in almost all cases. Alternatively, simply send signed emails with documents attached. As long as the complete email is kept or archived, the origin and authenticity can also be proven in the future.
There are also some use cases (usually certain legal transactions with non-KIT parties) in which a qualified electronic signature is mandatory. This usually requires special and often proprietary software and hardware specific to the process in question. Since these cases are completely different from our core area of expertise, we are not normally a suitable point of contact for problems. Please first try the service providers or manufacturers of the hardware and software involved.
If you require certificates for qualified electronic signatures in accordance with the eIDAS Regulation, the EU has a list of accredited providers. The University of Münster has a field report (only in German) detailing their experiences.