PDF generation and signing with CAC/PIV

kristenmkar
Mega Sage

Good afternoon!

 

I have been working the last month or so on trying to configure the Digital Signature with a CAC to work within a Document Template/PDF template. So far I have not had any luck. I can see from the community that there isn't much information on this, and I have followed all the instructions within the ServiceNow documentation (https://www.servicenow.com/docs/bundle/yokohama-servicenow-platform/page/product/document-services/c...). Currently I am getting the below error when trying to sign the PDF, and I cannot find any associated logs. This is all configured within the HR app. I have run traces/debugging, but am still unable to find what is wrong. I have tried to find any applicable YouTube videos or blogs, but there seems to be a shortage of information/guidance for implementing this.

pdf error.PNG

Has anyone successfully implemented Digitally Signing a PDF with a CAC/PIV? We currently have CAC authentication for login configured, so it seems like it should not be as difficult as it is proving to be.  

 

Thanks so much! 

2 ACCEPTED SOLUTIONS

kristenmkar
Mega Sage

Although we are still unsuccessful in figuring out the digital signature portion of the PDF templates due to issues with our F5 and obtaining user client certs, I did figure out that the PDF we were using had security settings that were not allowing it to pull up properly. So as a note, the PDFs must be completely free of any security settings as well as fillable. Unfortunately still no luck with the digital signature portion.


SasiChanthati
Giga Guru

 

This is a bit challenging. When you're trying to digitally sign a PDF using a CAC (Common Access Card) or PIV (Personal Identity Verification), here's what's actually happening:

1. You upload a fillable PDF into ServiceNow. This PDF must be editable (fillable form fields), not have any password protection or restrictions, and have at least one signature field marked.

2. You create a Document Template inside ServiceNow using that PDF. You define which fields in the PDF pull from data. You set up signature fields and assign them to specific users or roles.

3. You tie the Document Template to an HR service like an onboarding case or offer letter flow so that when the case is triggered, the PDF is generated and routed to the user to sign.

4. The signature step uses the end user’s CAC/PIV card. This happens outside of the browser, in Adobe Acrobat Reader (not in the ServiceNow UI). When a user opens the PDF from their email or document portal and clicks the signature field, it prompts them to sign using their card.

Common Pain Points:

Security settings on the PDF: Even minor security restrictions, like disallowing editing, can break the signature process.
Wrong scope: Check the scope. For example, if you're using the HR module’s older templates instead of the newer Document Template plugin, signing might not work correctly. The two systems don’t always play nicely together.
Certificate passthrough: If your infrastructure blocks the user’s certificate from passing through to the signing process (say, via a reverse proxy or load balancer), the signing will fail silently.
Field mapping errors: If a PDF form field isn’t correctly mapped to a value (e.g., first name, job title), the generation step might break or the field might be blank.
Adobe Reader setup: The user’s machine needs Adobe Reader to be configured to recognize CAC/PIV for digital signing. If Adobe isn't set up to read from the card, the whole thing falls apart.

Best Practices for Getting This Working

1. Start with a very simple test PDF:
Just a name field and one signature field.
Make sure it’s fillable and editable.
Upload it and run through the whole process.

2. Ensure that you're using the Document Template plugin, not just HR Document Templates. The plugin gives you much more control and is better suited for digital signatures.

3. Check for signature block setup: Signature blocks need to be marked and assigned to a participant. The participant must have the correct user info to match a CAC/PIV identity.

4. Use external signing: Signing happens outside ServiceNow, when the user opens the generated PDF. That PDF must be downloaded and opened in Adobe Reader to complete the digital signature using their CAC. If you're getting errors but no logs, the problem is likely at the PDF level (format or permissions) or with Adobe not recognizing the CAC/PIV card. Try opening a test version manually in Acrobat, placing a signature, and verifying that your environment supports it before layering in ServiceNow.

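A pre-flight check for the template requirements described in the answer above (no security settings, fillable, at least one signature field), as an added example that is not part of the original posts or of ServiceNow's code. It is a byte-level heuristic using only the Python standard library; `preflight` is a hypothetical name and the sample PDFs are constructed skeletons.

```python
import re
import zlib

def _scan_bytes(data: bytes) -> bytes:
    """Raw bytes plus every Flate stream that inflates, so dictionaries kept in
    compressed object streams (PDF 1.5+) are visible to the checks below."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the end-of-line bytes left before "endstream"
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or encrypted): skip it
    return b"\n".join(parts)

def preflight(data: bytes) -> list[str]:
    """Return the reasons a PDF fails the requirements stated in the thread."""
    if not data.startswith(b"%PDF-"):
        return ["not a PDF file"]
    problems = []
    # Password protection and permission restrictions both add an /Encrypt
    # entry to the trailer (or cross-reference stream) dictionary.
    if re.search(rb"/Encrypt\b", data):
        problems.append("security settings present (/Encrypt)")
    body = _scan_bytes(data)
    if not re.search(rb"/AcroForm\b", body):
        problems.append("not fillable (no /AcroForm)")
    if not re.search(rb"/FT\s*/Sig\b", body):
        problems.append("no signature field (/FT /Sig)")
    return problems

# Constructed samples: skeletal PDF bodies, just enough structure for the checks.
OBJS = (b"1 0 obj\n<< /Type /Catalog /AcroForm << /Fields [2 0 R 3 0 R] >> >>\nendobj\n"
        b"2 0 obj\n<< /FT /Tx /T (name) >>\nendobj\n"
        b"3 0 obj\n<< /FT /Sig /T (signature1) >>\nendobj\n")
TRAILER = b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
GOOD = b"%PDF-1.7\n" + OBJS + TRAILER
LOCKED = GOOD.replace(b"/Root 1 0 R", b"/Root 1 0 R /Encrypt 9 0 R")
NO_SIG = GOOD.replace(b"/FT /Sig", b"/FT /Tx")
PACKED = (b"%PDF-1.7\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(OBJS) + b"\nendstream\nendobj\n" + TRAILER)

if __name__ == "__main__":
    for name, pdf in [("GOOD", GOOD), ("LOCKED", LOCKED),
                      ("NO_SIG", NO_SIG), ("PACKED", PACKED)]:
        print(name, preflight(pdf) or "ok")
```

To check a real template before uploading it, pass the file's bytes, for example `preflight(open(path, "rb").read())`; an empty list means all three requirements are met.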

5 REPLIES


Thank you so much for the additional insight! I ended up figuring out quite a few of these points via trial and error, but I definitely think we may have some roadblocks with our current load balancer in terms of the digital signing. Thanks again!

Were you ever able to figure out the CAC signature portion? I am having trouble when sending the document back to ServiceNow after signing it. Nothing happens.