As an alternative to managing a private key and certificate itself, an engineering tool may make use of a remote signing service to digitally sign a Descriptor. In this case, a hash value representing the Descriptor’s content is submitted to the service along with some form of authorization. Provided the submitter is authorized, the service replies with a matching digital signature. The private key and certificate are maintained by the signing service instead of the engineering tool.

Communication between the engineering tool and the signing service may be automated by deploying a remote signing protocol. Such a protocol is specified by the Cloud Signature Consortium ( It uses HTTPS as the transport protocol and OAuth 2.0 as the authorization protocol and fulfils the requirements of the EU’s electronic identification and trust services (eIDAS) regulation. While it is primarily intended for public signing services, it can be implemented as an in-house service as well.


Whitepaper AutomationML Edition 2.1 Part1 – Architecture and General Requirements

AML Whitepaper AutomationML in a Nutshell, November 2015

ECMA-376 Edition 5 – Office Open XML file formats

W3C XML Schema Structures, XML Schema Part 1: Structures (Second Edition)

W3C XML Schema Datatypes, XML Schema Part 2: Datatypes (Second Edition)

RFC 3987: Internationalized Resource Identifiers (IRIs)

OPC2AML Conversion Tool