Product
Everything you need to issue, sign and verify.
Certums is a complete foundation: idempotent issuance, professional PAdES signing, public verification by CSV/QR, a lifecycle with revocation and supersession, strict multi-tenancy, immutable audit trails and controlled storage.
Issuance
- Customizable document templates (HTML + typed variables).
- Idempotent issuance: safe retries, no duplicates.
- Every document gets a unique CSV, QR code and verification block.
- Canonical PDF generation with institutional metadata.
Digital signing
- Standard PAdES PDF signatures (B-B, B-T, B-LT, B-LTA).
- Support for HSM/PKCS#11, KMS (AWS/GCP/Azure) and eIDAS QTSPs.
- RFC 3161 timestamping and long-term validation (DSS).
- Archivable validation report stored alongside the document.
Verification
- Public verification by CSV, QR or URL — no account required.
- No quotas for the end verifier.
- Authenticated internal verification with full detail.
- Anti-enumeration: rate limiting, optional captcha, abuse monitoring.
Lifecycle
- States: issued, valid, revoked, expired, superseded.
- Revocation with normalized reason and audit trail.
- Supersession that links the previous document to the new CSV.
- Fixed expiration, per document type, or no expiration at all.
Traceability and audit
- Every critical action recorded append-only.
- Optional per-institution hash chain (tamper-evident).
- Filter by actor, resource, time range and correlation ID.
- Report exports for compliance and external audits.
Storage
- S3-compatible storage (MinIO, AWS, institutional).
- Encryption at rest, logical immutability, versioning.
- Retention by plan: months or years, up to perpetual on Enterprise.
- Backups and recovery documented in the runbook.
Multi-tenant and branding
- Strict per-institution isolation at the data and permission level.
- Roles: super admin, institution admin, issuer, signer, auditor, verifier, support.
- Basic branding: logo, colors, custom domain on Enterprise.
- Public verification policy configurable per document type.
Security
- Authentication with optional MFA, refresh-token rotation, lockout.
- OWASP ASVS 5.0, OWASP API Security, NIST SP 800-57 and 63B.
- Helmet, CORS allowlist, security headers, TLS 1.3.
- No secrets in logs; sanitization; strict input validation.