How it works

Cryptomathic Signer is typically operated in a 3-tier environment:

  • Business: Application server with business logic to prepare the data to be signed.
  • User: Typically in possession of a laptop, tablet or mobile phone.
  • Trust center: Operating the central signing service and often the certificate provisioning.

To commit to a document or a transaction, the user sends a signing request to Signer and authenticates using strong authentication, which lets the user retain remote control over their signing key. The user's signing key is stored centrally in the tamper-resistant environment of the trust center. The signature value is then computed in the HSM and pushed to the client application, where it is embedded in the document using the appropriate signature profile.

Cryptomathic Signer offers a direct communication path from the browser to the Signature Activation Module inside the hardware security module (HSM).


Cryptomathic Signer
The complete signing solution

Cryptomathic guarantees the highest level of signing security by operating on a framework of audited processes and controls that protect your information from unauthorized access.

Leverage existing technology

Certificate Generation - Signer relies on open standards and can easily integrate with legacy PKI solutions. Our registration workflow supports the generation of PKCS#10 certificate requests for a smooth integration with any certificate authority. Signer supports the CMC/CMP interface for communication with CAs. Different Certificate Policies / Certificate Practice Statements can be supported.

Strong authentication - Signer supports open standards for strong user authentication, such as OATH-based authentication mechanisms. This makes it easy to step up from strong authentication to central signing. Multiple authentication methods can also be used with Signer via Cryptomathic Authenticator – the de facto authentication server for Signer. Alternative authentication servers can also be used, in which case the integration is based on SAML v2 authentication assertions.


Cryptomathic Signer offers a unique signing experience, integrated into the business workflow so that the data can be effortlessly signed by users wherever they are. The solution is versatile and can be applied in various use cases. The only prerequisite is that the user has a connected device and a strong authentication means. Signer offers user-side integration with:

  • Mobile devices: app SDK for smartphone or tablet apps
  • Web browsers: offering a zero-footprint, JavaScript-based signing experience
  • Client PC applications: plug-in, e.g. for email signing/decryption or local PDF signing


Transparent PKI

Users’ keys are generated and used centrally under the sole control of their signatory. With this central design, certificate lifecycle management operations can be made painless to the user. Signer renders the keys unusable when the certificate is no longer valid (revoked or suspended). This also solves a traditional headache in signature validation, as it is typically impossible with smart cards or USB tokens to guarantee that the certificate was valid at the time of signing.

In addition, Signer allows for different key and certificate policies to be set thereby offering some granularity on the proposed security assurance levels and their usability.


The Signer security design is, together with end-user convenience, of the utmost importance. The product is certified as a QSCD to deliver Qualified Electronic Signatures (QES).

The security design includes:

  • The Signature Activation Module: signature authorization is carried out inside the tamper-resistant environment of a Signature Activation Module, which ensures sole control of the signature key.
  • The Signature Activation Protocol: allowing data to be signed and authentication credentials to be communicated over a secure channel to protect sensitive information.
  • Secure administration and logging: administration is privilege-based and all logs are stored in a high-capacity, integrity-protected database.

Availability and Monitoring

System uptime, performance and flexibility are of utmost importance for a centralized service offering, which is exactly what Signer delivers. HSMs and servers can be added and removed from the platform to meet any SLA or throughput requirements.


Cryptomathic Signer allows Signature Generation Service Providers (SGSPs) to define their own assurance level for generating electronic signatures. Signer comes with a flexible key and command policy manager which allows SGSPs to easily offer different assurance levels for their signature provisioning - from Advanced (AdES) to Qualified Electronic Signatures (QES).

The solution is designed in strict compliance with:

  • eIDAS: the EU regulation on electronic identification and trust services for electronic transactions (applicable for all EU member states and endorsed by many other countries)
  • Other national signature laws, including ZertES for Switzerland, the Electronic Transactions Ordinance for Hong Kong, the Electronic Transactions Act 2010 for Singapore, etc.

Try out our on-line interactive demo

This demo shows how Cryptomathic Signer utilizes strong authentication to deliver user-friendly and legally binding digitally signed documents and transactions over the web.




Case Study - Central Signing Services - LuxTrust

See why LuxTrust chose Signer as their strategic solution for nationwide deployment.


White Paper - Achieving Qualified Remote eSigning

Explore the key business advantages and the security requirements for remote e-signatures in accordance with eIDAS.

E-Book - Digital Signatures for dummies

Understand the business, technical and regulatory implications and how to deploy and manage digital signatures for your business.



At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.