Sign PDF Documents with X.509 Certificates using PAdES Standards

PDF Digital Signature API with PAdES Compliance

Sign PDF documents with legally-compliant digital signatures using X.509 certificates. Supports multiple PAdES signature levels (B, T, LT, LTA) with optional visible stamps.

What this workflow does

This workflow creates a professional PDF signing service that:

Accepts PDF files via webhook API Signs documents using X.509 certificates (PFX format) Returns cryptographically signed PDFs compliant with EU eIDAS standards Supports both visible and invisible signatures Provides multi-language landing pages for easy testing

Perfect for contracts, invoices, legal documents, and any PDF requiring digital authentication.

Use Cases

Legal Document Signing**: Sign contracts and agreements with legally-binding digital signatures Invoice Authentication**: Add cryptographic signatures to invoices for validation Regulatory Compliance**: Meet EU eIDAS and other digital signature requirements Document Archival**: Create long-term valid signatures for permanent storage Automated Signing Pipeline**: Integrate PDF signing into your existing workflows

How it Works

Workflow Process

File Upload: Receives PDF, certificate (PFX), and password via webhook Dependency Check: Automatically installs Java and signing tool if needed Certificate Processing: Extracts certificate and private key from PFX Signature Selection: Routes to appropriate signing method based on level PDF Signing: Signs document using open-pdf-sign tool Response: Returns signed PDF and cleans up temporary files

Signature Levels Explained

Choose the signature level based on your needs:

BASELINE-B (Basic, 2-3 seconds) Fastest option Short-term validity (months) Best for: Testing, internal documents

BASELINE-T (Timestamp, 3-5 seconds) - Recommended Includes trusted timestamp Medium-term validity (years) Best for: Contracts, invoices, business documents

BASELINE-LT (Long-Term, 5-10 seconds) Includes revocation information Long-term validity (decades) Best for: Banking, healthcare, government

BASELINE-LTA (Archival, 8-12 seconds) Maximum compliance level Permanent validity Best for: Critical legal documents

Visible vs Invisible Signatures

Invisible (default): No visual mark on document Preserves original appearance Signature in document metadata

Visible: Shows signature stamp on PDF Includes logo and signature details More reassuring for recipients Add isVisible=true and logoFile to request

Customization

Change Signature Level

Modify the signLevel parameter in your request: B - Basic T - Timestamp (default) LT - Long-term LTA - Archival

Customize Visible Signature

Upload a logo and add customization parameters to the signing command nodes:

--hint "Digitally Signed" # Custom text --page 2 # Sign on page 2 --label-signee "Signed by" # Custom label --label-timestamp "Date" # Custom timestamp label --no-hint # Hide hint row --signature-reason "Contract Approval" # Reason text

Adjust File Paths

Modify these nodes to change temporary file locations: Write Files : PDF - PDF storage path Write Files : PFX - Certificate storage path Write Files : LOGO - Logo storage path

Add Authentication

For production use, add authentication before the webhook: Insert HTTP Request node to validate API key Add rate limiting Log signature operations

Technical Details

What Gets Installed

The workflow automatically installs: OpenJDK 11 JRE (Java runtime) curl (for downloading) open-pdf-sign v0.3.0 (signing tool)

Certificate Processing

Uses OpenSSL to extract: X.509 certificate chain (.pem) Private key (.pem)

All files use timestamped names to prevent conflicts.

Security Features

Automatic cleanup of sensitive files after each request No persistent storage of certificates or keys HTTPS recommended for production Supports password-protected certificates

Standards Compliance

Implements ETSI EN 319 142 PAdES standards: EU eIDAS regulation compliant Validates in Adobe Acrobat Reader Verifiable at EU DSS Demo webapp

FAQ

Q: Where do I get certificates? A: For testing, use free certificates from Codegic. For production, purchase from DigiCert, GlobalSign, or Sectigo.

Q: What PDF sizes are supported? A: Up to 50MB by default. Adjust n8n configuration for larger files.

Q: Can I sign multiple PDFs at once? A: Call the API once per PDF, or modify the workflow to accept multiple files.

Q: Will signatures work in Adobe Reader? A: Yes, if using certificates from trusted CAs. Self-signed certificates will show warnings.

Q: How do I verify signed PDFs? A: Open in Adobe Acrobat Reader and check the signature panel, or use the EU DSS validation tool webapp.

Q: Can I use this commercially? A: Yes, the workflow is free for personal and commercial use.

Support

Documentation**: See workflow sticky notes for detailed information Tool Source**: open-pdf-sign on GitHub Standards**: ETSI PAdES specifications Community**: n8n Community Forum

License: Free for personal and commercial use
Dependencies: OpenJDK 11, OpenSSL, curl, open-pdf-sign v0.3.0 (Apache 2.0)