Integrate digital signatures with GlobalSign DSS
This guide explains how to use Nutrient Web SDK to sign documents with GlobalSign’s Digital Signing Service (DSS). GlobalSign integration requires Document Engine as the backend signing service.
Unless you explicitly need a Qualified Electronic Signature (QES), Nutrient offers a powerful developer-friendly digital signing API service. Refer to our advanced eSignatures API for more information.
Overview
GlobalSign DSS is a cloud-based solution that enables organizations to deploy trusted digital signatures, without the need for hardware security modules (HSMs) or USB tokens. As a Qualified Trust Service Provider (QTSP), GlobalSign is part of the Adobe Approved Trust List (AATL) and provides PKI-based digital signatures that meet eIDAS regulations in Europe, along with various US regulations.

Prerequisites
Before you can use GlobalSign with Web SDK, you’ll need:
- A Nutrient Document Engine instance with digital signature support
- GlobalSign DSS credentials (API key, API secret, TLS certificates)
- A JWT that authorizes the digital_signatures_api operation
Contact Sales to obtain GlobalSign DSS credentials. We’ll help streamline the process of getting your organization vetted by GlobalSign, which is required for obtaining a digital signing certificate.
Architecture
When using GlobalSign with Web SDK, the architecture works as follows:
- Client-side (Web SDK) — Your web application triggers the signing operation using JavaScript.
- Server-side (Document Engine) — Document Engine handles the actual GlobalSign integration and cryptographic operations.
- GlobalSign DSS — The cloud-based signing service that performs the digital signature.
This architecture keeps your GlobalSign credentials secure on the server while providing a seamless signing experience in the browser.
Client-side implementation
To sign a document from Web SDK using GlobalSign on the backend, use the signDocument method with the signingToken parameter. The signingToken tells Document Engine to use GlobalSign DSS for the signing operation. The CAdES signature type and b_lt level are required because GlobalSign certificates expire after 10 minutes. These settings ensure long-term signature validity.
Follow our guide on signing PDFs via Document Engine to understand the complete implementation. The key is to include the signingToken parameter.
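The call described above, as an added example rather than code from Nutrient's documentation. It assumes `sdk` is the loaded Web SDK namespace and `instance` the loaded viewer, that the CAdES type and b_lt level are exposed as `sdk.SignatureType.CAdES` and `sdk.PAdESLevel.b_lt` and passed under `signingData`, and that signDocument takes the preparation data followed by the service data; the helper names are hypothetical.

```javascript
// Added example, not Nutrient's own code. Enum names and the shape of the
// signDocument arguments are assumptions based on the settings this guide names.

// Build the two arguments for signDocument, failing closed if the token or
// the required signature settings are missing.
function buildGlobalSignArgs(sdk, signingToken) {
  if (typeof signingToken !== "string" || signingToken.trim() === "") {
    throw new TypeError("signingToken must be a non-empty string");
  }
  const signatureType = sdk.SignatureType && sdk.SignatureType.CAdES;
  const padesLevel = sdk.PAdESLevel && sdk.PAdESLevel.b_lt;
  if (signatureType === undefined || padesLevel === undefined) {
    // Without CAdES + b_lt the signature would not stay valid once the
    // short-lived GlobalSign certificate expires, so refuse to sign.
    throw new Error("SDK does not expose SignatureType.CAdES / PAdESLevel.b_lt");
  }
  const preparationData = { signingData: { signatureType, padesLevel } };
  // Only the signing token leaves the browser. The GlobalSign API key,
  // API secret, and TLS certificates stay on Document Engine.
  const serviceData = { signingToken };
  return [preparationData, serviceData];
}

// Trigger the backend signing operation from the client.
async function signWithGlobalSign(instance, sdk, signingToken) {
  const [preparationData, serviceData] = buildGlobalSignArgs(sdk, signingToken);
  await instance.signDocument(preparationData, serviceData);
}
```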
Server-side setup
The GlobalSign integration must be configured on your Document Engine instance. This includes:
- Setting up GlobalSign DSS credentials
- Configuring the signing service to use GlobalSign
- Managing certificate chains and API keys
For complete server-side setup instructions, refer to the Document Engine GlobalSign integration guide.