Product

Everything you need to issue, sign and verify.

Certums is a complete foundation: idempotent issuance, professional PAdES signing, public verification by CSV/QR, a lifecycle with revocation and supersession, strict multi-tenancy, immutable audit trails and controlled storage.

Issuance

  • Customizable document templates (HTML + typed variables).
  • Idempotent issuance: safe retries, no duplicates.
  • Every document gets a unique CSV, QR code and verification block.
  • Canonical PDF generation with institutional metadata.

Digital signing

  • Standard PAdES PDF signatures (B-B, B-T, B-LT, B-LTA).
  • Support for HSM/PKCS#11, KMS (AWS/GCP/Azure) and eIDAS QTSPs.
  • RFC 3161 timestamping and long-term validation (DSS).
  • Archivable validation report stored alongside the document.

Verification

  • Public verification by CSV, QR or URL — no account required.
  • No quotas for the end verifier.
  • Authenticated internal verification with full detail.
  • Anti-enumeration: rate limiting, optional captcha, abuse monitoring.

Lifecycle

  • States: issued, valid, revoked, expired, superseded.
  • Revocation with normalized reason and audit trail.
  • Supersession that links the previous document to the new CSV.
  • Fixed expiration, per document type, or no expiration at all.

Traceability and audit

  • Every critical action recorded append-only.
  • Optional per-institution hash chain (tamper-evident).
  • Filter by actor, resource, time range and correlation ID.
  • Report exports for compliance and external audits.

Storage

  • S3-compatible storage (MinIO, AWS, institutional).
  • Encryption at rest, logical immutability, versioning.
  • Retention by plan: months or years, up to perpetual on Enterprise.
  • Backups and recovery documented in the runbook.

Multi-tenant and branding

  • Strict per-institution isolation at the data and permission level.
  • Roles: super admin, institution admin, issuer, signer, auditor, verifier, support.
  • Basic branding: logo, colors, custom domain on Enterprise.
  • Public verification policy configurable per document type.

Security

  • Authentication with optional MFA, refresh-token rotation, lockout.
  • OWASP ASVS 5.0, OWASP API Security, NIST SP 800-57 and 63B.
  • Helmet, CORS allowlist, security headers, TLS 1.3.
  • No secrets in logs; sanitization; strict input validation.