Q: We are developing a webserver solution which will be deployed on Internet Explorer for digitally signing PDF documents. We need to sign using the certificate on the users CAC Card. Is it possible to get the certificate from the client to the server for signature?

A: If you are using a hardware device for the signature (the CAC card, or a different smart card or USB card), then the digital signing has to happen on the machine where the card is connected: It is not possible to send the certificate to the server. This is because the signing calculations actually happen on the card itself, the PDF data is fed to the card and then the card responds with the signature already.

In order to achieve this, you need to have the application that handles the signing of the PDF running on the client computer and interacting with the card.

If your users are using Internet Explorer, then this is possible running jPDFProcess inside of a Java applet. The applet runs inside the browser on the client computer, so it has access to the card. We do support CAC cards as well as other smart cards, so there should not be an issue here.

Another possibility, instead of running as an applet, is to run as a JNLP application.

To see how this works, you can try our jPDFNotes Java component running in an applet, we have sample applets here:

Once there, you can run the “Basic Applet with All Optional Jars”. jPDFNotes is a GUI component, it can open and then modify PDF documents. Among other tools, jPDFNotes has a signature tool that can create a signature field and then apply a signature to it. The sample on our website can do this using a PKCS#12 file, but the code to the applet (which we make available) can be modified to use a CAC card instead.

With your application, you can have a non-GUI applet that uses jPDFProcess just to apply the signature, or you could use jPDFNotes, if you want your end-users to see the PDF and then add the signature through the user interface.