Overview
Electronic seals (e-seals) provide the same legal validity as a company rubber stamp on paper, where no individual signer authenticity is conveyed. The main difference between a seal and a signature is that a signature is meant for individuals (natural persons), whereas a seal is used by a legal entity (business or organization). E-seals can be applied by more than one person or system under the control or supervision of the legal entity.
The electronic sealing feature in Adobe Acrobat Sign allows organizations to apply e-seals using digital certificates issued to their legal entity to help convey the integrity and authenticity of invoices, statements, or other official documents. Seals can be placed using only a graphic, a text block containing the subject, reason, date, and time of the seal, or a combination of both the graphical seal and text.
Users are assigned specific privileges to automatically apply an e-seal for their organization to a document using a digital certificate obtained from a Trust Service Provider (TSP) with a Cloud Signature Consortium (CSC) API integration with OAuth 2.0 Client Credential authorization flow. The following providers currently support this feature:
Prerequisites
- An enterprise-tier account is required to access the API and configure the seal.
- Acquire the following from your Trust Service Provider (see above for TSP options)
- OAuth 2.0 client_id and client_secret: Adobe uses these values to generate an access token which is used to make remote signing calls to the TSP. The access token is generated by calling the oauth2/token endpoint with a grant_type of "client_credentials." Please see section 8.3.3 of https://cloudsignatureconsortium.org/wp-content/uploads/2020/01/CSC_API_V1_1.0.4.0.pdf for details.
- Credential ID: An Identifier associated with the credentials of a given user for the TSP provider. A credential is a cryptographic object with related data used to support a remote digital signature over the Internet. It consists of the combination of a public/private key pair (also named "signing key" in CEN EN 419 241-1 [i.5]) and an X.509 public-key certificate managed by a remote signing service provider on behalf of a user. The credential is used as the entity with which the electronic seal is associated.
- Credential PIN: A pin code is used to secure access to a given TSP credential.
Configuration options
Electronic seals are automatically available to Adobe Acrobat Sign enterprise tier accounts and can be configured at the account or group level.
Two settings must be configured to expose the e-seal options on the user's Send page.
- Enable the account/group for senders to mark recipients with an electronic sealer role.
- Authorize user(s) to add electronic seals to their agreements, either by the account/group level setting or individually through the user's profile.
To allow your senders to use the e-seal role, you must enable it in the group from which the agreement will be sent.
- Enable the role at the account level and allow the group's default inheritance of the setting.
- Explicitly enable the role in the individual group's settings.
To enable the electronic seal recipient role, navigate to: Account Settings > Send Settings > Allowed Recipient Roles
If the option to allow electronic sealers is not enabled for the group in which the agreement is configured, the Add Electronic Seal link will not be exposed.
The default status for users to include e-seals in their agreements can be configured at the account and group levels.
For most accounts, the recommendation is to disable access at the account level and explicitly enable groups where appropriate. Accounts that have Users in Multiple Groups enabled may find dedicated groups for agreements that demand e-seals useful in limiting e-seal access at the group level.
The options are:
- By default, anyone in the group can use e-seals.
- By default, no one in the group can use e-seals.
In either case, individual users can be explicitly configured to override the group-level settings. (See Authorize individual users to add electronic seals below.)
If the option to add electronic seals is not enabled for the user creating the agreement, the Add Electronic Seal link will not be exposed.
Account-level administrators can edit the user profile of individual users to explicitly enable/disable their authority to include electronic seals in their agreements.
This authority is applied to the user directly, which overrides the group level settings for all groups in which the user is a member.
It is recommended that user-level enablement only be done when the expectation is that the whole of the account will have access to e-seals disabled, and only specialized userIDs will initiate agreements that exploit e-seals (such as API-driven workflows/technical accounts).
To explicitly enable/disable access to apply e-seals:
- Navigate to Users > [individual user] > Edit User Detail.
- Select/deselect the User can electronically seal documents checkbox.
- Save the user profile.
Create a new e-seal
At least one e-seal must be configured, active, and available to the group from which the agreement is being sent. Otherwise, the option to add the e-seal isn't exposed on the page.
Creating an e-seal requires that you first obtain a digital certificate from a TSP with a CSC API integration. (See the Prerequisites)
Once you have the certificate, you can configure the e-seal by:
1. Navigating to Account Settings > Electronic Seals.
2. Click the plus icon with a circle around it 
.
The interface to configure the new e-seal opens.
3. Enter the e-seal parameters using the information provided by your TSP:
- Name - Enter an intuitive name for the e-seal. This name is presented to the senders on the Send page.
- Cloud Signature Provider - Select the provider that issued the certificate.
- OAuth Client ID - Enter the client ID obtained from your TSP.
- OAuth Client Secret - Enter the client secret obtained from your TSP.
- Credential ID - Enter the credential ID obtained from your TSP.
- Credential PIN - Enter the credential PIN obtained from your TSP.
- Reason - Provide some text that identifies the reason for the e-seal application. This string is displayed in the e-seal on the document and in the audit report.
- Group -Select the group for which the e-seal is available.
- Graphic appearance - One or both of the blow options must be enabled for the seal to be successfully saved and used:
- Display Subject, Reason, Date, Time and Acrobat logo - When enabled, the text components of the seal are applied in the signature. If not enabled, only the seal graphic is used.
- Upload a graphic file to customize the appearance of this Seal - When an image is uploaded, it is applied to the signature. If no image is uploaded, only the text is used.
- Display Subject, Reason, Date, Time and Acrobat logo - When enabled, the text components of the seal are applied in the signature. If not enabled, only the seal graphic is used.
- Display email - Provide an email address that should be associated with the e-seal. This email is displayed in the email template as the address for the e-seal recipient.
4. Click Save when done.
The configured e-seal is created in Active status and displays on the Electronic Seals page in the list of seals.
The e-seal is ready to be applied to agreements immediately.
Manage existing seals
The properties of an e-seal can be updated while the seal is in an Active status.
To edit the properties of an e-seal:
- Navigate to Account Settings > Electronic Seals.
- Select the e-seal with a single click to expose the available actions at the top of the list of e-seals.
- Select the Edit option.
The configurable fields of the seal are exposed:
- Edit the fields as needed.
- Click Save to save any changes.
All saved changes take effect immediately.
To deactivate an e-seal:
- Navigate to Account Settings > Electronic Seals.
- Select the e-seal with a single click to expose the available actions at the top of the list of e-seals.
- Select the Deactivate Electronic Seal option.
You will be challenged to ensure you want to deactivate the e-seal.
- Click Yes.
The seal is immediately deactivated and is no longer available for use.
When reviewing the list of e-seals for the account/group, you will find the e-seal with an Inactive status.
Deactivated e-seals persist in the list of seals and can be re-activated at any time.
There is no method to fully delete the e-seal.
The agreement is terminated if an e-seal is disabled when it is expected to be applied to an agreement.
If an agreement attempts to have an e-seal applied by a seal that is disabled, the agreement is declined and terminated.
An email is delivered to the sender, indicating that the electronic sealing failed.
The audit report reports a Document declined event, citing the reason that electronic sealing has failed.
To re-activate an e-seal that has been deactivated:
- Navigate to Account Settings > Electronic Seals.
- Select the e-seal with a single click to expose the available actions at the top of the list of e-seals.
- Select the Reactivate Electronic Seal option.
The seal is immediately reactivated and available for use.
When reviewing the list of e-seals for the account/group, you will find the e-seal with an Active status.
To easily copy the ID of an e-seal:
- Navigate to Account Settings > Electronic Seals.
- Select the e-seal with a single click to expose the available actions at the top of the list of e-seals.
- Select the Copy ID option. The e-seal ID is automatically copied to your local system clipboard.
Create a new agreement with the seal as a recipient
When the group, user, and e-seal are properly configured, the Add Electronic Seal link is exposed in the top menu bar of the Recipients stack.
- If more than one seal is available, then a dropdown list is accessible from the name of the e-seal.
- E-seals can be included at any point of the signature cycle and adding more than one is permitted.
Once the agreement is sent, the e-seal recipient may not be edited or delegated.
If the Add Electronic Seal link is not exposed, check that:
- The correct group is selected. The group selector only loads the e-seals associated with the group (to include account-wide e-seals).
- The group is configured to allow e-seal usage.
- The user is empowered to use the e-seal role.
- There is at least one seal available to the group from which the agreement is being sent.
All agreements that use an e-seal recipient must go to the authoring environment to place the digital signature field that contains the e-seal.
Authoring
All e-seals must be explicitly placed on the document using a digital signature field.
- Only one digital signature field is permitted for each e-seal recipient.
- If a second e-seal must be placed, a second recipient must be defined for that e-seal placement.
- All other field types are disabled for the e-seal recipient.
- All fields assigned to an e-sign recipient on uploaded templates pre-configured with fields are removed.
All other recipient roles can be authored normally.
Email notification and application of seal
The e-seal is applied immediately after the e-seal recipient becomes the active recipient in the signature cycle.
The e-seal is applied programmatically in the location of the digital signature field, and the next recipient is notified (if any).
Email notification of the signing event follows the same rules and format as other recipient emails.
The applied e-seal provides the signature reason (as defined in the seal configuration) and the time/date stamp of when the seal was applied.
The digital signature object that contains the e-seal is slightly larger in height than a standard e-signature field:
Audit Report
Agreements that include an e-seal recipient clearly identify the sealing process in the audit report.
Details captured include:
- The signing reason (as provided in the e-seal configuration)
- The Cloud Service Provider
- The Service Provider's IP address
- The Service Provider's URL
- The certificate issuer
- The timestamp for the seal application
- The timestamp provider
