Advanced digital signature workflows
Use advanced signature features when you need timestamping, stronger hashing, or visual-only signing.
Common use cases include:
- PAdES-T workflows with trusted timestamps
- Long-term validation and archival requirements
- Stronger hash policies such as SHA-512
- Internal workflows that use visual-only signatures
How Nutrient helps
Nutrient Java SDK handles advanced signing options, timestamp configuration, and hash selection.
The SDK handles:
- Implementing the RFC 3161 timestamp protocol for time stamp authority communication
- Managing cryptographic hash algorithm selection and byte encoding
- Handling PAdES-T signature format specifications and validation data embedding
- Complex electronic signature appearance rendering without certificate structures
Complete implementation
This example covers timestamps, custom hash algorithms, and visual-only signatures:
package io.nutrient.Sample;
import io.nutrient.sdk.*;import io.nutrient.sdk.editors.*;import io.nutrient.sdk.editors.pdf.pages.*;import io.nutrient.sdk.editors.pdf.formfields.*;import io.nutrient.sdk.enums.*;import io.nutrient.sdk.signing.*;
public class DigitalSignatures {Create the main method as the sample entry point:
public static void main(String[] args) {Adding a timestamp for PAdES-T compliance
Add a trusted timestamp to produce a PAdES-T style signature.
In this sample:
Document.open("input.pdf")opens the PDF before signing.TimestampConfigurationsets the TSA endpoint.options.setTimestamp(...)enables timestamping.sign(document, outputPath, options)applies the timestamped digital signature.
This supports long-term validation after certificate expiration:
try (PdfSigner signer = new PdfSigner(); Document document = Document.open("input.pdf")) { DigitalSignatureOptions options = new DigitalSignatureOptions(); options.setCertificatePath("certificate.pfx"); options.setCertificatePassword("Nutrient answers all your document needs"); options.setSignerName("Legal Department"); options.setReason("Contract Execution");
TimestampConfiguration timestamp = new TimestampConfiguration(); timestamp.setServerUrl("http://timestamp.digicert.com"); options.setTimestamp(timestamp);
signer.sign(document, "output_signed_timestamped.pdf", options); } catch (Exception e) { System.err.println("Error signing with timestamp: " + e.getMessage()); }Using the SHA-512 hash algorithm
Set setHashAlgorithm(SignatureHashAlgorithm.SHA512) when policy requires SHA-512.
In this sample:
Document.open("input.pdf")opens the PDF before signing.setHashAlgorithm(SignatureHashAlgorithm.SHA512)selects SHA-512.- Signing still uses
sign(document, outputPath, options). - Output is written to a new signed file.
try (PdfSigner signer = new PdfSigner(); Document document = Document.open("input.pdf")) { DigitalSignatureOptions options = new DigitalSignatureOptions(); options.setCertificatePath("certificate.pfx"); options.setCertificatePassword("Nutrient answers all your document needs"); options.setSignerName("Security Officer"); options.setHashAlgorithm(SignatureHashAlgorithm.SHA512);
signer.sign(document, "output_signed_sha512.pdf", options); } catch (Exception e) { System.err.println("Error signing with SHA-512: " + e.getMessage()); }Creating a signature field for electronic signatures
Before applying a visual-only signature, create a signature field.
In this sample:
- The field name is
ApprovalSignature. - The position is
(100, 700). - The size is
200 × 50.
The field defines where the visual signature will render:
try (Document document = Document.open("input.pdf")) { PdfEditor editor = PdfEditor.edit(document); PdfPage page = editor.getPageCollection().getFirst();
PdfSignatureField signatureField = editor.getFormFieldCollection().addSignatureField( "ApprovalSignature", page, 100.0f, // left 700.0f, // top 200.0f, // width 50.0f // height );
editor.saveAs("output_document_with_field.pdf"); editor.close(); } catch (Exception e) { System.err.println("Error creating signature field: " + e.getMessage()); }Electronic signatures (visual only)
Use visual-only signatures when cryptographic validation isn’t required.
In this sample:
Document.open("output_document_with_field.pdf")opens the PDF before signing.setImagePath(...)sets the signature image.signField(document, outputPath, fieldName, null, appearance)usesnulloptions for visual-only signing.- The result is a flattened visual signature.
Visual-only signatures don’t provide certificate-based verification:
try (PdfSigner signer = new PdfSigner(); Document document = Document.open("output_document_with_field.pdf")) { SignatureAppearance appearance = new SignatureAppearance(); appearance.setImagePath("input_signature.jpg");
signer.signField( document, "output_electronic_signature.pdf", "ApprovalSignature", null, // No certificate = electronic signature appearance ); } catch (Exception e) { System.err.println("Error adding electronic signature: " + e.getMessage()); } }}Conclusion
Use this workflow for advanced signing scenarios:
- Open the document using try-with-resources for automatic resource cleanup.
- Configure digital signature options with certificate credentials and signing metadata.
- Add trusted timestamps using
TimestampConfigurationwith a TSA server URL for PAdES-T compliance. - The SDK communicates with the TSA via the RFC 3161 protocol to obtain cryptographically signed timestamps.
- Timestamps enable long-term validation, even after signing certificates expire.
- Configure custom hash algorithms using
setHashAlgorithm()with theSignatureHashAlgorithmenumeration. - Use SHA-512 for enhanced security requirements, government compliance, or high-security environments.
- Create signature fields using
addSignatureField(), with coordinates and dimensions for visual signature placement. - Apply electronic signatures (visual only) by passing
nullcertificate options tosignField(). - Electronic signatures render images as flattened graphics without cryptographic validation.
- Combine timestamp and hash algorithm configurations for regulatory-compliant signing workflows.
- Use PAdES-T signatures for legal document archival and long-term validation requirements.
For related signing workflows, refer to the Java SDK guides.