This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.ades.signer.AdESSigner.


The AdES signer signs PDF and XML documents using ETSI formats for advanced electronic signatures (AdES).

The most common electronic signature formats used within the European Union are XML Advanced Electronic Signatures (XAdES) and PDF Advanced Electronic Signatures (PAdES). The European Telecommunications Standards Institute (ETSI) creates and maintains a set of technical standards for electronic signatures that support the eIDAS legal framework.

As of version 5.7, SignServer supports Baseline Signature Levels for XAdES (as defined in ETSI EN 319 132) and PAdES (as defined in ETSI EN 319 142). The signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation. 

Signature Levels

The signature levels are as follows:

  • Baseline-B: Basic Electronic Signature. The simplest version, which includes the document signature.
  • Baseline-T: Signature with a time-stamp. A time-stamp regarding the time of signing is also added.
  • Baseline-LT: Signature with Long Term Data. Certificates and revocation data are embedded to allow verification in the future even if their original source is not available.
  • Baseline-LTA: Signature with Long Term Data and Archive time-stamp. Adds an additional time-stamp and is suited for long-term archiving of documents.

Available Properties


SIGNATURE_LEVEL: Signature level to use. Required. The supported values are:


SIGNATUREALGORITHM: Signature algorithm. Optional, default: depending on the signing key, SHA256withRSA, SHA256withDSA, or SHA256withECDSA.

Only one of SIGNATUREALGORITHM and DIGESTALGORITHM can be specified at the same time.


DIGESTALGORITHM: Algorithm for the digest of the binary. Optional, default: SHA256.

Only one of SIGNATUREALGORITHM and DIGESTALGORITHM can be specified at the same time.


Whether a time-stamp over the content should be included. Note that this is different from the signature time-stamp added as part of BASELINE-T and higher levels.

Possible values: True or False.

Optional, default: False.


TSA_WORKER: Worker ID or name of internal time-stamp signer in the same SignServer instance. Optional, default: none.

This property cannot be combined with TSA_URL. This or TSA_URL must be set when SIGNATURE_LEVEL is set to BASELINE-T (or higher).


TSA_URL: URL of external time-stamp authority. Optional, default: none.

This property cannot be combined with TSA_WORKER. This or TSA_WORKER must be set when SIGNATURE_LEVEL is set to BASELINE-T (or higher).

TSA_USERNAME: Login username used if the TSA uses HTTP Basic Auth. Optional, default: none.

TSA_PASSWORD: Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified. Default: none.

TSA_DIGESTALGORITHM: Algorithm for time-stamp digests. Optional, default: SHA-256.

Additional trusted certificates in PEM format.

When certificates, revocation data, time-stamp tokens, etc. are verified as part of signing, any certificate that does not chain up to the same root CA needs to have its root certificate added to this property. Otherwise, signing could fail with a processing failure message and the logs show that "revocation data is missing".

This is especially needed at LT or higher level when using a TSA whose signer certificate is issued by a root other than the one this signer uses, and also (at LT level) when the input document already contains signatures (or time-stamps) using a different root.



SIGNATURE_FORMAT: Signature format to use. Required. Supported formats:

  • PAdES
  • XAdES

Warning: This property is not supported with PAdES.

This property is used and valid when SIGNATURE_FORMAT = XAdES.

Supported values:

  • ENVELOPED: When the signature applies to data that surrounds the rest of the document.
  • ENVELOPING: When the signed data form a sub-element of the signature itself:
    • Base64 encoded binaries.
    • Embed XML object(s).
    • Embed Manifest object(s).
  • DETACHED: When the signature relates to the external resource(s) separated from it.
  • INTERNALLY-DETACHED: When the signature and the related signed data are both included in a parent element (only XML).



Warning: FIXED_SIGNATURE_SIZE is only supported with PAdES.

This property sets a fixed size for the signature space within the PDF and disables the signature size estimation in the first try.

If the signature format is PAdES and FIXED_SIGNATURE_SIZE is not set (or equal to zero), the signer tries to estimate the PKCS#7 signature size.

Signature Size Estimation and Retry Algorithm

The first estimated value is calculated as the sum of:
• Certificate chain size
• 2000 for PKCS#7 structure + hash
• 8192 for OCSP
• 8192 for CRLs size
• 4096 for TSC

If signing fails because the signature is larger than the estimated size, the signer retries using the actual signature size plus a 1024-byte margin. The retry can happen up to 3 times before the signer gives up.
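The estimate and retry steps above, modelled as an added example (not SignServer's own code). It assumes "up to 3 times" means three retries after the first attempt and that retries also apply when FIXED_SIGNATURE_SIZE is set; `SignatureTooLarge`, `sign_once` and `fake_signer` are hypothetical names.

```python
# Added illustration (not SignServer code) of the estimate-and-retry logic.
PKCS7_RESERVE = 2000   # PKCS#7 structure + hash
OCSP_RESERVE = 8192
CRL_RESERVE = 8192
TSC_RESERVE = 4096
RETRY_MARGIN = 1024
MAX_RETRIES = 3        # assumption: three retries after the first attempt


class SignatureTooLarge(Exception):
    """Hypothetical error carrying the size the signature actually needed."""
    def __init__(self, actual_size):
        super().__init__(f"signature needs {actual_size} bytes")
        self.actual_size = actual_size


def first_estimate(chain_sizes):
    """Certificate chain size plus the fixed reserves listed on the page."""
    return (sum(chain_sizes) + PKCS7_RESERVE + OCSP_RESERVE
            + CRL_RESERVE + TSC_RESERVE)


def sign_with_retry(sign_once, chain_sizes, fixed_signature_size=0):
    """Return (reserved_size, attempts); sign_once(reserved) is a hypothetical
    callback raising SignatureTooLarge when the signature does not fit."""
    # FIXED_SIGNATURE_SIZE unset or zero: estimate; otherwise use it as given.
    reserved = fixed_signature_size or first_estimate(chain_sizes)
    for attempt in range(1, MAX_RETRIES + 2):
        try:
            sign_once(reserved)
            return reserved, attempt
        except SignatureTooLarge as exc:
            if attempt > MAX_RETRIES:
                raise                      # give up after the last retry
            reserved = exc.actual_size + RETRY_MARGIN


def fake_signer(actual_sizes):
    """Constructed stand-in: the n-th call produces actual_sizes[n] bytes."""
    sizes = iter(actual_sizes)

    def sign_once(reserved):
        actual = next(sizes)
        if actual > reserved:
            raise SignatureTooLarge(actual)
    return sign_once
```

A signature whose embedded revocation data outgrows the 8192 reserves for OCSP or CRLs costs at least one extra signing attempt, which is the case a fixed size is meant to avoid.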

ADD_VISIBLE_SIGNATURE: This property enables adding the visible signature.

VISIBLE_SIGNATURE_IMAGE_PATH: The path to the image for the visible signature.

VISIBLE_SIGNATURE_IMAGE_BASE64: The image to use in the visible signature in Base64 format.

VISIBLE_SIGNATURE_CONTENT_TYPE: Content-type of the Base64 image. For example, image/png.

VISIBLE_SIGNATURE_PAGE: Sets a page number where the signature field should be placed.

Warning: The counting starts from 1 (one) for the first page of the document.

Sets an upper-left X coordinate of the visible signature field.


Sets an upper-left Y coordinate of the visible signature field.


Sets the width of the visible signature field.


Sets the height of the visible signature field.

EXTEND_VALIDITY: When set to true and the signature level is BASELINE-LTA, will extend the validity of a document if it was already signed (at any level) with an up-to-date archive timestamp. This can be set to true or false. True is only supported when SIGNATURE_LEVEL is BASELINE-LTA. Optional. Default: false.
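The combination rules stated for these properties can be checked before a worker is configured. The following is an added example, not SignServer code: `validate_ades_properties` is a hypothetical helper, the BASELINE-B and BASELINE-LT value spellings are assumed by analogy with the values named above, and the plain-HTTP check is an extra hardening check rather than a documented rule.

```python
# Added example (not SignServer code): lint AdES signer properties before use.
# BASELINE-B and BASELINE-LT spellings are assumed by analogy with the
# BASELINE-T and BASELINE-LTA values named on the page.
LEVELS = ["BASELINE-B", "BASELINE-T", "BASELINE-LT", "BASELINE-LTA"]
FORMATS = ("PAdES", "XAdES")


def validate_ades_properties(props):
    """Return a list of rule violations for a dict of property name -> value."""
    def is_set(name):
        return bool(props.get(name, "").strip())

    problems = []
    level = props.get("SIGNATURE_LEVEL", "").strip()
    fmt = props.get("SIGNATURE_FORMAT", "").strip()
    if level not in LEVELS:
        problems.append("SIGNATURE_LEVEL is required: " + ", ".join(LEVELS))
    if fmt not in FORMATS:
        problems.append("SIGNATURE_FORMAT is required: PAdES or XAdES")
    if is_set("SIGNATUREALGORITHM") and is_set("DIGESTALGORITHM"):
        problems.append("only one of SIGNATUREALGORITHM and DIGESTALGORITHM")
    if is_set("TSA_WORKER") and is_set("TSA_URL"):
        problems.append("TSA_WORKER cannot be combined with TSA_URL")
    elif level in LEVELS[1:] and not (is_set("TSA_WORKER") or is_set("TSA_URL")):
        problems.append("TSA_WORKER or TSA_URL must be set at BASELINE-T or higher")
    if is_set("TSA_USERNAME") and not is_set("TSA_PASSWORD"):
        problems.append("TSA_PASSWORD is required when TSA_USERNAME is set")
    if is_set("TSA_USERNAME") and props.get("TSA_URL", "").lower().startswith("http://"):
        # Not a documented rule: Basic Auth over plain HTTP exposes the password.
        problems.append("TSA credentials would be sent over unencrypted HTTP")
    if is_set("FIXED_SIGNATURE_SIZE") and fmt != "PAdES":
        problems.append("FIXED_SIGNATURE_SIZE is only supported with PAdES")
    if props.get("EXTEND_VALIDITY", "").strip().lower() == "true" and level != "BASELINE-LTA":
        problems.append("EXTEND_VALIDITY=true requires SIGNATURE_LEVEL=BASELINE-LTA")
    return problems


# Constructed sample property sets (values are illustrative only).
BAD = {"SIGNATURE_LEVEL": "BASELINE-LT", "SIGNATURE_FORMAT": "XAdES",
       "SIGNATUREALGORITHM": "SHA256withRSA", "DIGESTALGORITHM": "SHA256",
       "TSA_USERNAME": "tsuser", "FIXED_SIGNATURE_SIZE": "30000",
       "EXTEND_VALIDITY": "true"}
GOOD = {"SIGNATURE_LEVEL": "BASELINE-LTA", "SIGNATURE_FORMAT": "PAdES",
        "TSA_URL": "https://tsa.example.test/tsa", "TSA_USERNAME": "tsuser",
        "TSA_PASSWORD": "constructed-placeholder", "EXTEND_VALIDITY": "true"}
```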