How to sign a PDF with your BCE certificate

Step-by-step guide for signing a PDF with your digital certificate from the Banco Central del Ecuador from any browser, without Java, without installation. Works on mobile.

The Banco Central del Ecuador (BCE) certificate is one of the most widely used in the country by both individuals and legal entities. Traditionally it required FirmaEC desktop (with Java installed and token driver configured). This guide shows how to sign the same type of PDFs without installing anything, from your browser, using firmar.ec — even from a mobile phone.

Total time: 2–3 minutes per PDF (first time may take 5 min while you get familiar).

What you need

  • Your BCE certificate file in .p12 format (downloaded when obtaining the cert at eci.bce.fin.ec).
  • The certificate password.
  • A PDF you want to sign.
  • A modern browser (Chrome, Firefox, Safari, Edge — last 2 versions).

If you only have the certificate on a hardware token, this guide does not apply directly; you will need to export the certificate to .p12 using the token software or use FirmaEC desktop. We are evaluating WebUSB support on the roadmap.

Step 1: Open the signing app

Visit app.firmar.ec/firmar.

The first time, your browser downloads the app (~3–5 MB). On subsequent visits it loads instantly from the local cache. Your file and your key never leave your device — verifiable by opening DevTools → Network during the flow.

Step 2: Load the PDF

Drag the file to the indicated zone, or tap/click to open the file selector. Supports up to 50 MB on mobile, 200 MB on desktop.

Verify that the name and PDF preview are correct before continuing.

Step 3: Load your .p12 certificate

On the next screen:

  1. Select your .p12 file (drag-and-drop also works).
  2. Enter the certificate password in the corresponding field.
  3. The app validates that the certificate is from an ARCOTEL-accredited Ecuadorian ECI (BCE in this case) and that it is current.

If your certificate is expired, the app warns you. You can continue, but the resulting signature will not have full legal validity.

Step 4: Place the visible stamp (optional)

By default, firmar.ec adds a visible stamp on the last page with your name, issuing CA, date, and a QR code linking to app.firmar.ec/verificar?h=<hash>. You can:

  • Accept the suggested stamp (lower-right corner of the last page).
  • Reposition it by dragging (on desktop) or tapping (on mobile) over the preview.
  • Change the reason on the stamp: “Approved”, “Reviewed”, “Seen”, or custom.
  • Disable the stamp if you only want an invisible cryptographic signature.

Step 5: Sign

The app shows a summary: “You are about to sign document.pdf with the certificate of Jane Doe (BCE)”. Confirm with the Sign button.

Behind the scenes (all in a dedicated browser Web Worker):

  1. Computes the SHA-256 hash of the prepared PDF.
  2. Signs the hash with your private key (imported into Web Crypto as CryptoKey extractable:false).
  3. Builds a CMS SignedData with cert + chain.
  4. Inserts the signature into the PDF (PAdES B-B).
  5. The Worker terminates; your key buffers are overwritten with zeros.

Takes less than 2 seconds on typical mobile, ~500 ms on desktop.

Step 6: Download the signed PDF

Large Download signed PDF button. The suggested filename is <original>-signed.pdf.

On iOS/Android mobile, you can also use Share (Web Share API) to send it directly via WhatsApp, email, or another app.

Step 7 (optional): Verify before sending

Before submitting the PDF to the SRI, your bank, or a counterparty, validate your own signature at app.firmar.ec/verificar. This confirms:

  • The signature is cryptographically valid.
  • Your cert was current at the time of signing.
  • The chain up to the root CA validates.
  • BCE’s OCSP confirms the cert is not revoked.

Troubleshooting

”Incorrect password”

Your password has a typo. Remember it is case-sensitive and special characters matter. If you forgot it, you must request a new certificate from BCE; it is not recoverable.

”Certificate is not from an accredited Ecuadorian ECI”

Your .p12 was issued by an entity outside Ecuador or by an ECI that lost its accreditation. firmar.ec only trusts the roots in the Ecuadorian TSL. Verify with your issuer.

”Certificate expired”

Your cert has passed its expiry date. Renew with BCE before signing.

”The PDF is protected”

Your PDF has an opening password. Remove it (in Adobe Reader, “Print → Microsoft Print to PDF” produces a copy without a password that can be signed).

”The bundle is loading, please wait”

You are on a 3G connection and the app is downloading for the first time. Wait 30–60 s; on subsequent visits it loads instantly from cache.

Behind a corporate firewall

Some firewalls block Service Workers or WebAssembly. If the app does not load, try on a different network or consult your IT team.

What about FirmaEC desktop?

FirmaEC remains excellent, especially for:

  • Batch signing of many PDFs.
  • Signing with a physical USB token (not yet supported in the browser).
  • SRI electronic receipts (XAdES, not PAdES).

firmar.ec complements FirmaEC; it does not replace it. Each has its best use case.

Validity of the produced signature

The resulting signature is PAdES Baseline B-B (ETSI EN 319 142-1) with your BCE certificate. It is fully valid for:

  • SRI (for administrative PDFs)
  • Private banking
  • Municipal and IESS procedures
  • Notaries (check with your local notary first)
  • Any counterparty that knows how to validate PAdES

Next step

If your procedure requires XAdES (SRI XML), firmar.ec does not cover that yet; use your accounting system or FirmaEC desktop. For everything else, you are ready to go.