
Digital signatures and PA documents:
why they expire without a timestamp

Tags: Digital signature · CAdES · Timestamp · PA · eIDAS · Cybersecurity

Key facts:
  • Without timestamp: the signature expires with the certificate
  • Typical certificate: 3 years validity
  • PA recommended minimum: CAdES-T (timestamped)

The little-known problem of digital signatures

When a document is digitally signed with an Italian qualified certificate, the signature is valid and verifiable as long as the certificate is valid. Qualified certificates issued by Italian TSPs (ArubaPEC, InfoCert, Namirial, PosteCom) typically last three years. On expiry, any verification tool (Aruba Sign, Dike, FirmaCerta, AgID services) will return «signature not valid» on those documents.

The technical verification is correct: at the time of the check the certificate is no longer valid, and without an independent attestation proving when the signature was actually applied, the verifier cannot distinguish between a legitimate signature (applied while the certificate was valid) and a fraudulent one (applied after expiry with a compromised certificate).

The solution provided by the eIDAS Regulation (EU 910/2014) and the Italian Digital Administration Code (CAD, art. 20) is the qualified timestamp: a certificate issued by a Time Stamping Authority (TSA) that legally attests the date and time the signature was applied. With a timestamp, the signature remains valid over time even after the signer's certificate expires.

The four CAdES signature levels

The CAdES format (CMS Advanced Electronic Signatures), standardised by ETSI EN 319 122, defines four levels of increasing durability. A typical file with .p7m extension can belong to any of these levels:

  • 1. CAdES-BES (Basic Electronic Signature) — minimal compliant signature: contains the cryptographic signature, the signer's certificate and a signingTime attribute declared by the signer (not certified). Default of most desktop tools. Valid only while the certificate is valid.
  • 2. CAdES-T (Timestamped) — adds a qualified timestamp issued by a TSA. The timestamp is applied to the unsigned attributes of the PKCS#7 envelope and is legally enforceable. Remains verifiable beyond the signer's certificate expiry, until the TSA's own certificate expires (typically 5-10 years).
  • 3. CAdES-LT (Long Term) — includes the timestamp plus all revocation status information (CRL or OCSP responses) at signing time. Allows future verification even when the original CAs are no longer reachable. Suitable for multi-year contracts.
  • 4. CAdES-LTA (Long Term Archival) — adds a periodic re-timestamping mechanism that protects against cryptographic obsolescence. The level used by qualified substitute conservation services for multi-decade archival.

For PDFs there is an equivalent and specific format: PAdES (PDF Advanced Electronic Signatures), with the same BES / T / LT / LTA levels. PAdES has the advantage of embedding the signature into the PDF itself, making it readable by Acrobat Reader without external tools.

How to check if your signature has a timestamp

Verifying your signature level is simple and does not require commercial tools. Using openssl (available on Linux, macOS and Windows) you can inspect all attributes of a .p7m file:

openssl cms -cmsout -inform DER -in document.pdf.p7m -print

What to look for in the output:

  • Under signedAttrs there must be signingTime (the declared date) and ideally signingCertificateV2 (hash of the signer's certificate).
  • Under unsignedAttrs there must be signatureTimeStampToken (OID 1.2.840.113549.1.9.16.2.14) for CAdES-T. If the output shows <ABSENT>, the signature is BES level (without timestamp).
  • For CAdES-LT/LTA you should also look for certificate-values and revocation-values.
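To automate the check above, here is an added Python example (not part of the original article) that classifies the signature level from the text output of the openssl command; the sample output embedded below is constructed and abbreviated. Note that OpenSSL prints the timestamp attribute under its own object name, id-smime-aa-timeStampToken, so the parser matches on the OID quoted above rather than on the name; the other OIDs in the table are the standard CAdES/CMS identifiers from RFC 5126 and ETSI EN 319 122.

```python
import re

# Attribute OIDs -> CAdES attribute names. The timestamp OID is the one quoted in
# the article; the others are the standard values from RFC 5126 / ETSI EN 319 122.
CADES_ATTRS = {
    "1.2.840.113549.1.9.5": "signingTime",
    "1.2.840.113549.1.9.16.2.47": "signingCertificateV2",
    "1.2.840.113549.1.9.16.2.14": "signatureTimeStampToken",
    "1.2.840.113549.1.9.16.2.23": "certificate-values",
    "1.2.840.113549.1.9.16.2.24": "revocation-values",
}

def parse_attrs(openssl_print):
    """Collect known attribute names under signedAttrs / unsignedAttrs from the
    text written by `openssl cms -cmsout -inform DER -in file.p7m -print`."""
    found = {"signedAttrs": set(), "unsignedAttrs": set()}
    section = None
    for raw in openssl_print.splitlines():
        line = raw.strip()
        if line.startswith(("signedAttrs:", "unsignedAttrs:")):
            # an empty attribute set is printed as <ABSENT>, inline or on its own line
            section = None if "<ABSENT>" in line else line.split(":")[0]
        elif section and line == "<ABSENT>":
            section = None
        elif section and line.startswith("object:"):
            oid = re.search(r"\(([\d.]+)\)", line)
            if oid and oid.group(1) in CADES_ATTRS:
                found[section].add(CADES_ATTRS[oid.group(1)])
    return found

def classify(found):
    """Map the attribute sets to the CAdES level the article describes."""
    unsigned = found["unsignedAttrs"]
    if "signatureTimeStampToken" not in unsigned:
        return "CAdES-BES"   # verifiable only while the signer's certificate is valid
    if {"certificate-values", "revocation-values"} <= unsigned:
        return "CAdES-LT"
    return "CAdES-T"

# Constructed, abbreviated openssl -print output for a BES (.p7m) signature.
SAMPLE_BES = """\
    signerInfos:
        signedAttrs:
            object: signingTime (1.2.840.113549.1.9.5)
            object: id-smime-aa-signingCertificateV2 (1.2.840.113549.1.9.16.2.47)
        unsignedAttrs:
          <ABSENT>
"""
# The same signature after a TSA token was added to the unsigned attributes (CAdES-T).
SAMPLE_T = SAMPLE_BES.replace(
    "<ABSENT>", "object: id-smime-aa-timeStampToken (1.2.840.113549.1.9.16.2.14)")
```

Pipe the real command output into parse_attrs to classify a file; with several signerInfos the attribute sets are merged, so inspect each signer separately if a co-signed document reports a mixed result.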

The three risks of publishing signed documents online

For companies serving the Public Administration, it is common practice to publish some digitally signed administrative documents online (substitutive DURC declaration, financial flow traceability, self-declarations) to facilitate contract setup with RUPs and procurement offices. It is an efficient practice, but involves three distinct risks that are often not considered together.

  • 1. Exposure of sensitive personal data — financial flow traceability contains the dedicated corporate IBAN, the tax codes of persons authorised to operate on the account, and the personal residence address of the legal representative. These aggregated data form the basic kit for BEC (Business Email Compromise) fraud, targeted phishing and identity theft attempts. The GDPR data minimisation principle (art. 5) recommends not exposing data that is not strictly necessary.
  • 2. Silent signature expiration — if the document is signed in CAdES-BES (without timestamp), once the certificate expires (typically 3 years) the signature can no longer be verified. The document remains online, downloadable, seemingly valid, but any automatic verifier classifies it as «signature not valid». A RUP attempting to use it for a contracting procedure would find themselves with an unusable document.
  • 3. Obsolescence of declared data — INPS/INAIL registration numbers can change, dedicated IBANs for contracts can be updated, the applied collective agreement can vary, new directors can join. A document published three years ago might contain information that is no longer accurate, impacting the substantive validity of the declaration.

How to correctly activate timestamping

The main Italian TSPs offer qualified timestamping services that integrate with the most widely used signing tools. The cost is low (typically 20-50 euros per year for an SME) and activation takes a few minutes of configuration.

  • 1. Purchase a timestamp package — TSPs sell packages of 100, 250 or 500 timestamps with multi-year validity. ArubaPEC calls it «Aruba TimeStamp», InfoCert integrates it into «InfoCert Sign», Namirial includes it in «DigitalSign». Cost starts from 15-25 euros for 100 timestamps.
  • 2. Configure the signing tool — in the tool preferences (Aruba Sign, Dike GoSign, FirmaCerta, DigitalSign) enter the TSA credentials and select CAdES-T or PAdES-T as the default signature level. From that moment every signed document will automatically include a timestamp.
  • 3. Verify the result — after configuration, sign a test document and inspect it with the verification tool or with openssl. The signatureTimeStampToken attribute must appear in the unsigned attributes. Also verify the timestamp date: it should match (approximately) the moment of signing.
  • 4. For long archival — if documents must be preserved beyond 5-10 years (balance sheets, multi-year contracts, articles of incorporation, corporate resolutions), evaluate a qualified substitute conservation service that guarantees periodic re-timestamping and revocation information updates (CAdES-LTA).

The correct pattern for PA administrative documents

Considering the three risks — privacy, expiration and obsolescence — the most robust operational pattern for companies serving the PA is to forgo public publication of signed documents and adopt a request-based model instead:

  • A public page lists the available documents (substitutive DURC, financial flow traceability, anti-mafia declaration, general requirements, chamber of commerce extract) with legal references, but does not publish the signed PDFs.
  • A dedicated contact channel (typically a specific PA email) receives requests from RUPs and responds with freshly signed documents, with current certificate and up-to-date data, within guaranteed times (24-48 business hours).
  • Only publicly intended documents (ISO certifications, ACN qualifications, commercial brochures) remain downloadable from the site: they are designed to be disseminated, do not contain sensitive personal data and are renewable without impact.

This model is consistent with the GDPR data minimisation principle (art. 5), reduces the attack surface for BEC fraud and phishing, eliminates the risk of silently expired signatures, and keeps documentation always relevant to the specific contracting procedure.

AtWorkStudio's approach

AtWorkStudio has chosen not to publish signed administrative documents online, for the reasons outlined above. Anyone needing documentation for MePA, Consip Convention or direct negotiation contracting can write to pa@atworkstudio.it: they will receive within 24 business hours the documents signed with current certificate and timestamp, relevant to the specific procedure.

We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, with ACN QC1 qualification on three cloud services in the PA Catalogue. We are members of Clusit (Italian Association for Information Security) and Confindustria Piacenza (RICT cluster).

Sources

  • EU Regulation 910/2014 (eIDAS) — Electronic identification and trust services
  • Italian D.Lgs. 82/2005 (CAD) art. 20 — Digital document signed with qualified electronic signature
  • ETSI EN 319 122 — CAdES: CMS Advanced Electronic Signatures, BES, T, LT, LTA profiles
  • ETSI EN 319 142 — PAdES: PDF Advanced Electronic Signatures
  • AgID Guidelines on electronic signing of documents (2020)
  • Italian Data Protection Authority — Decision no. 243/2014 on online publication of identity documents


Need support on digital documentation?

If you manage supplies to the Public Administration and want to adopt a secure, compliant and durable documentation model, we can help you review processes and signing tools.