PDF Advanced Electronic Signatures (PAdES) in C# and VB.NET

PDF Advanced Electronic Signature (PAdES) is an electronic signature in a PDF file that has met the requirements set forth by the eIDAS regulation on electronic identification and trust services for electronic transactions in the European Single Market.

With GemBox.Pdf, you can create PAdES baseline signatures as specified in ETSI EN 319 142-1 and additional PAdES signature profiles as defined in ETSI EN 319 142-2.

The following examples show how to create PAdES baseline signatures of all levels in your C# or VB.NET application:

Before reviewing the output of the following examples in your Adobe Acrobat Reader, please read the Digital ID notes and Time-stamp notes.

PAdES B-B level

You can use this level for short-term electronic signatures. A PDF digital signature must be an advanced electronic signature and must include the signer's certificate.

See the following example to learn how to add a PAdES B-B level signature to a PDF file.

PDF file with PAdES B-B level signature created with GemBox.Pdf
Screenshot of PDF file with PAdES B-B level signature created with GemBox.Pdf
Upload your file (Drag file here)
using GemBox.Pdf;
using GemBox.Pdf.Forms;
using GemBox.Pdf.Security;

class Program
{
    static void Main()
    {
        // If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY");

        using (var document = PdfDocument.Load("%InputFileName%"))
        {
            // Add a visible signature field to the first page of the PDF document.
            var signatureField = document.Form.Fields.AddSignature(document.Pages[0], 300, 500, 250, 50);

            // Get a digital ID from PKCS#12/PFX file.
            var digitalId = new PdfDigitalId("%InputDigitalId[0]%", "GemBoxPassword");

            // Create a PDF signer that will create PAdES B-B level signature.
            var signer = new PdfSigner(digitalId);

            // PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES;

            // Adobe Acrobat Reader currently doesn't download certificate chain
            // so we will also embed certificate of intermediate Certificate Authority in the signature.
            // (see https://community.adobe.com/t5/acrobat/signature-validation-using-aia-extension-not-enabled-by-default/td-p/10729647)
            signer.ValidationInfo = new PdfSignatureValidationInfo(new PdfCertificate[] { new PdfCertificate("%InputDigitalId[1]%") }, null, null);

            // Make sure that all properties specified on PdfSigner are according to PAdES B-B level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_B;

            // Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer);

            // Finish signing of a PDF file.
            document.Save("PAdES B-B.pdf");
        }
    }
}
Imports GemBox.Pdf
Imports GemBox.Pdf.Forms
Imports GemBox.Pdf.Security

Module Program

    Sub Main()

        ' If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY")

        Using document = PdfDocument.Load("%InputFileName%")

            ' Add a visible signature field to the first page of the PDF document.
            Dim signatureField = document.Form.Fields.AddSignature(document.Pages(0), 300, 500, 250, 50)

            ' Get a digital ID from PKCS#12/PFX file.
            Dim digitalId = New PdfDigitalId("%InputDigitalId[0]%", "GemBoxPassword")

            ' Create a PDF signer that will create PAdES B-B level signature.
            Dim signer = New PdfSigner(digitalId)

            ' PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES

            ' Adobe Acrobat Reader currently doesn't download certificate chain
            ' so we will also embed certificate of intermediate Certificate Authority in the signature.
            ' (see https://community.adobe.com/t5/acrobat/signature-validation-using-aia-extension-not-enabled-by-default/td-p/10729647)
            signer.ValidationInfo = New PdfSignatureValidationInfo(New PdfCertificate() {New PdfCertificate("%InputDigitalId[1]%")}, Nothing, Nothing)

            ' Make sure that all properties specified on PdfSigner are according to PAdES B-B level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_B

            ' Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer)

            ' Finish signing of a PDF file.
            document.Save("PAdES B-B.pdf")
        End Using
    End Sub
End Module

PAdES B-T level

This level is like the B-B level but adds a timestamp. A time-based mark that proves that the signature existed at a specific date and time.

The example below shows how to add a PAdES B-T level signature to a PDF file.

PDF file with PAdES B-T level signature created with GemBox.Pdf
Screenshot of PDF file with PAdES B-T level signature created with GemBox.Pdf
Upload your file (Drag file here)
using GemBox.Pdf;
using GemBox.Pdf.Forms;
using GemBox.Pdf.Security;

class Program
{
    static void Main()
    {
        // If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY");

        using (var document = PdfDocument.Load("%InputFileName%"))
        {
            // Add a visible signature field to the first page of the PDF document.
            var signatureField = document.Form.Fields.AddSignature(document.Pages[0], 300, 500, 250, 50);

            // Get a digital ID from PKCS#12/PFX file.
            var digitalId = new PdfDigitalId("%InputDigitalId[0]%", "GemBoxPassword");

            // Create a PDF signer that will create PAdES B-T level signature.
            var signer = new PdfSigner(digitalId);

            // PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES;

            // PdfSigner will embed a timestamp created by freeTSA.org Time Stamp Authority in the signature.
            signer.Timestamper = new PdfTimestamper("https://freetsa.org/tsr");

            // Adobe Acrobat Reader currently doesn't download certificate chain
            // so we will also embed certificate of intermediate Certificate Authority in the signature.
            // (see https://community.adobe.com/t5/acrobat/signature-validation-using-aia-extension-not-enabled-by-default/td-p/10729647)
            signer.ValidationInfo = new PdfSignatureValidationInfo(new PdfCertificate[] { new PdfCertificate("%InputDigitalId[1]%") }, null, null);

            // Make sure that all properties specified on PdfSigner are according to PAdES B-T level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_T;

            // Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer);

            // Finish signing of a PDF file.
            document.Save("PAdES B-T.pdf");
        }
    }
}
Imports GemBox.Pdf
Imports GemBox.Pdf.Forms
Imports GemBox.Pdf.Security

Module Program

    Sub Main()

        ' If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY")

        Using document = PdfDocument.Load("%InputFileName%")

            ' Add a visible signature field to the first page of the PDF document.
            Dim signatureField = document.Form.Fields.AddSignature(document.Pages(0), 300, 500, 250, 50)

            ' Get a digital ID from PKCS#12/PFX file.
            Dim digitalId = New PdfDigitalId("%InputDigitalId[0]%", "GemBoxPassword")

            ' Create a PDF signer that will create PAdES B-T level signature.
            Dim signer = New PdfSigner(digitalId)

            ' PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES

            ' PdfSigner will embed a timestamp created by freeTSA.org Time Stamp Authority in the signature.
            signer.Timestamper = New PdfTimestamper("https://freetsa.org/tsr")

            ' Adobe Acrobat Reader currently doesn't download certificate chain
            ' so we will also embed certificate of intermediate Certificate Authority in the signature.
            ' (see https://community.adobe.com/t5/acrobat/signature-validation-using-aia-extension-not-enabled-by-default/td-p/10729647)
            signer.ValidationInfo = New PdfSignatureValidationInfo(New PdfCertificate() {New PdfCertificate("%InputDigitalId[1]%")}, Nothing, Nothing)

            ' Make sure that all properties specified on PdfSigner are according to PAdES B-T level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_T

            ' Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer)

            ' Finish signing of a PDF file.
            document.Save("PAdES B-T.pdf")
        End Using
    End Sub
End Module

PAdES B-LT level

This level is like the B-T level, but adds validation-related information (OCSP responses or CRLs and all certificates of the certificate chain, from the signer's certificate to the root CA certificate) for the signature to the Document Security Store (DSS) of a PDF document.

B-LT level allows for a signature to be validated, even after a long period of time, when the signing environment (e.g. signer's Certificate Authority) is not available anymore. This level is recommended for Advanced Electronic Signatures.

The following example shows how to add a PAdES B-LT level signature to an existing PDF file.

PDF file with PAdES B-LT level signature created with GemBox.Pdf
Screenshot of PDF file with PAdES B-LT level signature created with GemBox.Pdf
Upload your file (Drag file here)
using GemBox.Pdf;
using GemBox.Pdf.Forms;
using GemBox.Pdf.Security;

class Program
{
    static void Main()
    {
        // If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY");

        using (var document = PdfDocument.Load("%InputFileName%"))
        {
            // Add a visible signature field to the first page of the PDF document.
            var signatureField = document.Form.Fields.AddSignature(document.Pages[0], 300, 500, 250, 50);

            // Get a digital ID from PKCS#12/PFX file.
            var digitalId = new PdfDigitalId("%InputDigitalId%", "GemBoxPassword");

            // Create a PDF signer that will create PAdES B-LT level signature.
            var signer = new PdfSigner(digitalId);

            // PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES;

            // PdfSigner will embed a timestamp created by freeTSA.org Time Stamp Authority in the signature.
            signer.Timestamper = new PdfTimestamper("https://freetsa.org/tsr");

            // Make sure that all properties specified on PdfSigner are according to PAdES B-LT level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_LT;

            // Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer);

            // Finish signing of a PDF file.
            document.Save("PAdES B-LT.pdf");

            // Download validation-related information for the signer's certificate.
            var signerValidationInfo = document.SecurityStore.GetValidationInfo(digitalId.Certificate);

            // Embed validation-related information for the signer's certificate in the PDF file.
            // This will make the signature "LTV enabled".
            document.SecurityStore.AddValidationInfo(signerValidationInfo);

            // Save any changes done to the PDF file that were done since the last time Save was called.
            document.Save();
        }
    }
}
Imports GemBox.Pdf
Imports GemBox.Pdf.Forms
Imports GemBox.Pdf.Security

Module Program

    Sub Main()

        ' If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY")

        Using document = PdfDocument.Load("%InputFileName%")

            ' Add a visible signature field to the first page of the PDF document.
            Dim signatureField = document.Form.Fields.AddSignature(document.Pages(0), 300, 500, 250, 50)

            ' Get a digital ID from PKCS#12/PFX file.
            Dim digitalId = New PdfDigitalId("%InputDigitalId%", "GemBoxPassword")

            ' Create a PDF signer that will create PAdES B-LT level signature.
            Dim signer = New PdfSigner(digitalId)

            ' PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES

            ' PdfSigner will embed a timestamp created by freeTSA.org Time Stamp Authority in the signature.
            signer.Timestamper = New PdfTimestamper("https://freetsa.org/tsr")

            ' Make sure that all properties specified on PdfSigner are according to PAdES B-LT level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_LT

            ' Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer)

            ' Finish signing of a PDF file.
            document.Save("PAdES B-LT.pdf")

            ' Download validation-related information for the signer's certificate.
            Dim signerValidationInfo = document.SecurityStore.GetValidationInfo(digitalId.Certificate)

            ' Embed validation-related information for the signer's certificate in the PDF file.
            ' This will make the signature "LTV enabled".
            document.SecurityStore.AddValidationInfo(signerValidationInfo)

            ' Save any changes done to the PDF file that were done since the last time Save was called.
            document.Save()
        End Using
    End Sub
End Module

PAdES B-LTA level

This level is like the B-LT level but adds validation-related information for the signature's timestamp to the DSS and a document timestamp to the PDF document.

B-LTA level may help validate the signature beyond any event that may limit its validity. This level is recommended for Qualified Electronic Signatures.

With the following example, you can see how to add a PAdES B-LTA level signature to a PDF file.

PDF file with PAdES B-LTA level signature created with GemBox.Pdf
Screenshot of PDF file with PAdES B-LTA level signature created with GemBox.Pdf
Upload your file (Drag file here)
using GemBox.Pdf;
using GemBox.Pdf.Forms;
using GemBox.Pdf.Security;

class Program
{
    static void Main()
    {
        // If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY");

        using (var document = PdfDocument.Load("%InputFileName%"))
        {
            // Add a visible signature field to the first page of the PDF document.
            var signatureField = document.Form.Fields.AddSignature(document.Pages[0], 300, 500, 250, 50);

            // Get a digital ID from PKCS#12/PFX file.
            var digitalId = new PdfDigitalId("%InputDigitalId%", "GemBoxPassword");

            // Create a PDF signer that will create PAdES B-LTA level signature.
            var signer = new PdfSigner(digitalId);

            // PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES;

            // PdfSigner will embed a timestamp created by freeTSA.org Time Stamp Authority in the signature.
            signer.Timestamper = new PdfTimestamper("https://freetsa.org/tsr");

            // Make sure that all properties specified on PdfSigner are according to PAdES B-LTA level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_LTA;

            // Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer);

            // Finish signing of a PDF file.
            document.Save("PAdES B-LTA.pdf");

            // Download validation-related information for the signature and the signature's timestamp and embed it in the PDF file.
            // This will make the signature "LTV enabled".
            document.SecurityStore.AddValidationInfo(signatureField.Value);

            // Add an invisible signature field to the PDF document that will hold the document timestamp.
            var timestampField = document.Form.Fields.AddSignature();

            // Initiate timestamping of a PDF file with the specified timestamper.
            timestampField.Timestamp(signer.Timestamper);

            // Save any changes done to the PDF file that were done since the last time Save was called and
            // finish timestamping of a PDF file.
            document.Save();
        }
    }
}
Imports GemBox.Pdf
Imports GemBox.Pdf.Forms
Imports GemBox.Pdf.Security

Module Program

    Sub Main()

        ' If using the Professional version, put your serial key below.
        ComponentInfo.SetLicense("FREE-LIMITED-KEY")

        Using document = PdfDocument.Load("%InputFileName%")

            ' Add a visible signature field to the first page of the PDF document.
            Dim signatureField = document.Form.Fields.AddSignature(document.Pages(0), 300, 500, 250, 50)

            ' Get a digital ID from PKCS#12/PFX file.
            Dim digitalId = New PdfDigitalId("%InputDigitalId%", "GemBoxPassword")

            ' Create a PDF signer that will create PAdES B-LTA level signature.
            Dim signer = New PdfSigner(digitalId)

            ' PdfSigner should create CAdES-equivalent signature.
            signer.SignatureFormat = PdfSignatureFormat.CAdES

            ' PdfSigner will embed a timestamp created by freeTSA.org Time Stamp Authority in the signature.
            signer.Timestamper = New PdfTimestamper("https://freetsa.org/tsr")

            ' Make sure that all properties specified on PdfSigner are according to PAdES B-LTA level.
            signer.SignatureLevel = PdfSignatureLevel.PAdES_B_LTA

            ' Initiate signing of a PDF file with the specified signer.
            signatureField.Sign(signer)

            ' Finish signing of a PDF file.
            document.Save("PAdES B-LTA.pdf")

            ' Download validation-related information for the signature and the signature's timestamp and embed it in the PDF file.
            ' This will make the signature "LTV enabled".
            document.SecurityStore.AddValidationInfo(signatureField.Value)

            ' Add an invisible signature field to the PDF document that will hold the document timestamp.
            Dim timestampField = document.Form.Fields.AddSignature()

            ' Initiate timestamping of a PDF file with the specified timestamper.
            timestampField.Timestamp(signer.Timestamper)

            ' Save any changes done to the PDF file that were done since the last time Save was called and
            ' finish timestamping of a PDF file.
            document.Save()
        End Using
    End Sub
End Module

Digital ID notes

Digital ID files used in the preceding examples are part of a simple Public Key Infrastructure (PKI) created just for this demonstration which contains the following hierarchy of certificates and CRLs:

To get a valid signature in your Adobe Acrobat Reader as seen in the screenshots above, you will have to add GemBoxCA.crt certificate to the list of Trusted Certificates using the following steps:

  1. Download GemBoxCA.crt certificate.
  2. Open Adobe Acrobat Reader, select Edit > Preferences > Signatures. In Identities & Trusted Certificates click More.
  3. Select Trusted Certificates and click Import. Browse to the downloaded GemBoxCA.crt certificate and click Import.
  4. Select the imported GemBoxCA <info@gemboxsofware.com> certificate, click Edit Trust and add a check-mark next to Use this certificate as a trusted root.
  5. You can now delete the downloaded GemBoxCA.crt certificate. You can always later remove GemBoxCA <info@gemboxsofware.com> from Trusted Certificates by selecting it from the list of Trusted Certificates and clicking Remove.

Otherwise, to get a valid signature in any Adobe Acrobat Reader, your digital ID would have to be an AATL-enabled signing credential.

Time-stamp notes

The Time Stamp Authority used in the preceding examples is freeTSA.org.

The root certificate of the freeTSA.org Public Key Infrastructure (PKI) is tsa.crt.

To get a valid signature timestamp in your Adobe Acrobat Reader as seen in the screenshots above, you will have to add the tsa.crt certificate to the list of Trusted Certificates using the same steps as in the previous subsection.

See also


Next steps

GemBox.Pdf is a .NET component that enables developers to read, merge and split PDF files or execute low-level object manipulations from .NET applications in a simple and efficient way.

Download Buy