Edit on GitHub

Web remote signatures

A remote signature is a digital signature performed with a private key that is not available locally, that is, performing the signature algorithm computation remotely. Since the computation can depend on a number of factors such as network latency and user interaction, the process of performing remote signatures is inherently asynchronous, meaning that the process starts, waits for the computation, and later completes.

We call a web remote signature the special case of a remote signature on which a digital signature is being performed on a web application with the backend controlling the signature process, but using the private key from one of the user's certificates, available only on the client side.

This is the recommended way of implementing digital signatures on web applications with our products for most cases (see web signatures for exceptions).

This process is roughly outlined below:

  1. The backend initiates a remote signature process, yielding the bytes over which the signature algorithm computation with the user's private key must be performed (called the "to-sign-data")
  2. The "to-sign-data" is transferred to the client side
  3. The signature algorithm computation is performed on the frontend
  4. The result of the signature algorithm is transferred back to the server
  5. The backend completes the remote signature process

Web remote signature sequence

Note

This is merely an overview. There are extra steps involved, such as reading the user certificate's encoding on the frontend and transferring it to the backend.

The recommended way of implementing web remote signatures is using Rest PKI together with Web PKI.

  1. Access the Rest PKI documentation
  2. Choose a programming language
  3. Choose one of the samples projects for your programming language
  4. Follow the steps to run the samples project
  5. Once you get the project running, click on one of the signature examples
Tip

Although the solution involves both Rest PKI and Web PKI (for the back- and frontend respectively), you should focus on the Rest PKI documentation, which shows the usage of both products integrated.

Alternative implementations

If your application is a .NET application (C#, VB.NET, C++.NET), you can also use the PKI SDK on the backend with Web PKI on the frontend. See article Web remote signatures on the PKI SDK documentation.

If you already own a 3rd party crypto SDK or if you wish to implement the backend code yourself, you can also use Web PKI just for the frontend part.