Signature Levels
The app supports four standardised PAdES levels. Each level adds more verification data into the signed PDF. Pick the one that matches your retention and verification needs.
The four PAdES levels
| Level | What's included | Best for |
|---|---|---|
| PAdES-B-B (Basic) | Signature + signer's certificate | Internal use, short-lived documents. Verifiable only while the certificate is valid. |
| PAdES-B-T (Timestamp) | B-B + trusted timestamp | Recommended default. Proves exactly when the document was signed. Survives certificate revocation later. |
| PAdES-B-LT (Long-Term) | B-T + full certificate chain + CRL embedded | Documents that must be verifiable offline or years after signing. PDF is self-contained. |
| PAdES-B-LTA (Long-Term Archival) | B-LT + archive timestamp | Regulatory archives needing decades-long validity. Protects against future algorithm obsolescence. |
How to choose
| You need... | Use |
|---|---|
| Quick internal signing | B-B |
| Customer-facing, audit-friendly | B-T (recommended) |
| Offline verification, 5+ year retention | B-LT |
| Multi-decade regulatory archives | B-LTA |
What each level guarantees
B-B: "Signed by someone with this certificate." Useless after the certificate expires.
B-T: "Signed at this exact time by someone with this certificate." If the certificate is later revoked, you can still prove the signature was made before revocation.
B-LT: "Verifiable for years, no server needed." All trust data is in the PDF. Even if your CA goes offline, the signature can still be validated.
B-LTA: "Verifiable for decades." Periodic archive timestamps add fresh hashes, so the signature stays valid even as cryptographic algorithms become obsolete (e.g., when SHA-256 eventually weakens).
Setting the default level
Signing Settings → Signature Level controls the default for all signings on the site. Most deployments use B-T for the right balance of verifiability and signing speed.
You can change the level later, but already-signed documents keep the level they were signed at — re-signing isn't supported.
Timestamp Authority
Levels B-T and above use an external Timestamp Authority (TSA) for the trusted timestamp. The default is Sectigo (http://timestamp.sectigo.com) — free, no registration, RFC 3161 compliant. You can configure a different TSA in Signing Settings.
If the TSA is unreachable at signing time, signing fails. There's no automatic fallback to B-B; you'd need to temporarily switch the default in Signing Settings.
File size impact
| Level | Approximate overhead |
|---|---|
| B-B | ~3 KB |
| B-T | ~5 KB |
| B-LT | ~30-100 KB (CA chain + CRL) |
| B-LTA | ~30-100 KB + ~5 KB per archive timestamp |
Negligible for most use cases.
Related
- Sign a Document — the signing workflow
- Verifying a Signature — what verifiers see
- Security & Audit — key + audit data protection