Digital PDF Signing Feature

Digital PDF signing enables users to digitally sign generated PDFs directly within Salesforce using either a built-in or custom X.509 certificate. This feature provides secure, legally recognized signatures while maintaining compliance with industry standards.

Overview

The Digital PDF Signing feature allows Salesforce admins and end users to apply digital signatures to PDF documents, ensuring authenticity, integrity, and non-repudiation. Whether you're using a built-in certificate or importing your own, the signing process is straightforward and secure.

Prerequisites

• Viewer application installed and configured
• Admin access to Digital Signing Settings (for certificate management)
• User permissions configured for signing documents
• For custom certificates: Valid X.509 certificate in .p12, .pfx, or base64 format

Key Features

Certificate Management

• Built-in Certificates — Pre-configured certificates provided by the system
• Custom Certificates — Import your own X.509 certificates (PKCS#12, PEM, or base64 format)
• Secure Storage — All certificates are stored locally within your Salesforce instance and never transmitted externally
• Encryption — Certificates are encrypted at rest for maximum security

Signing Capabilities

• Select PDF — Choose any generated PDF document to sign
• Enter Credentials — Provide certificate password and signing reason
• Apply Signature — Digitally sign the document with a single click
• Download/Save — Download the signed PDF or save it to Salesforce Files

Security & Compliance

• X.509 Standard — Supports industry-standard X.509 digital certificates
• PDF/A Compliance — Ensures long-term document preservation and compliance
• Audit Logging — Every signing event is recorded for compliance and audit purposes
• Access Control — Only authorized users can manage and use certificates

Setup Instructions

For Administrators

1. Access Certificate Management

   • Navigate to Viewer Administrator → Digital Signing Settings
   • Click "Manage Certificates"

2. Upload a Custom Certificate (Optional)

   • Click "Import Certificate"
   • Select your X.509 certificate file or paste base64-encoded content
   • Enter the certificate name, description, and password
   • Save

3. Configure Signing Permissions

   • Assign signing permissions to users or roles
   • Set up audit logging preferences

For End Users

1. Select a PDF to Sign

   • Open a document or generate a new PDF from a template
   • Click "Sign Document" or "Digital Sign"

2. Enter Signing Details

   • Select the certificate to use (built-in or custom)
   • Enter the certificate password
   • Provide a signing reason (e.g., "Approved," "Authorized," "Received")

3. Apply the Signature

   • Click "Sign and Download" to apply the signature
   • The signed PDF will be downloaded to your device or saved to Salesforce Files

4. Verify the Signature

   • Open the signed PDF in Adobe Reader or compatible viewer
   • The signature information will display, confirming authenticity

User Flow

1. Admin imports certificate (or selects built-in)
2. User selects PDF to sign
3. User enters password and signing reason
4. User applies signature and downloads/saves the signed PDF
5. Audit log records the signing event

Security Best Practices

Best Practices

• Protect Certificate Passwords — Never share certificate credentials; store them securely
• Regular Audits — Review audit logs regularly to monitor signing activity
• Certificate Expiry — Be aware of certificate expiration dates and plan for renewal
• Access Control — Restrict signing permissions to authorized users only
• Test Signatures — Verify signed PDFs in Adobe Reader to ensure validity
• Secure Storage — Keep backup copies of certificates in secure locations

Troubleshooting

Signature Not Applied

• Verify that the certificate password is correct
• Ensure the certificate has not expired
• Check that your user has signing permissions
• Verify the PDF document size is within acceptable limits

Certificate Upload Failed

• Confirm the certificate is in base64 format or a valid certificate file
• Ensure the file size is within acceptable limits (typically under 2 MB)
• Verify the certificate password is correct
• Contact your administrator if issues persist

Audit Log Not Recording

• Verify that audit logging is enabled in Digital Signing Settings
• Check that your organization has sufficient storage for audit records
• Ensure your user has permission to view audit logs

Signature Verification Issues

• Open the signed PDF in Adobe Reader (other viewers may not support full verification)
• Ensure the certificate has not been revoked or expired
• Check that the document has not been modified after signing

Success Criteria

• Users can sign a PDF and verify the signature in Adobe Reader
• Certificates never leave the Salesforce instance
• Each signing event is recorded in the audit log
• All X.509 and PDF/A compliance standards are met

More resources

• Creating Documents in Salesforce using Apex
• Trigger Flow to create Viewer Document
• Viewer Application Security Blueprint

Additional Resources

• Security and Compliance Overview
• Document Generation and Automation
• Advanced Features