Question: 
How a document is signed with a certificate when Indeed AirKey is used?

Answer:
To sign a document with digital signature, the document (a letter, file etc.) in question is hashed at first by standard means Microsoft Base CSP at the client side (user workstation). The document hash is sent to the AirKey Enterprise server to sign. The AirKey does not perform any operations with the document itself. The AirKey server performs digital signing and data decryption operations that require private key. In case of Indeed AirKey Enterprise, the certificate private key always resides in the Indeed AirKey Enterprise data storage (Microsoft SQL database or Active Directory) that the server interacts with. HTTPS protocol is used for connection between the client and AirKey Enterprise server. The operations that do not require private key and can be performed with public key only, are executed in Microsoft Base CSP at the client side.