For the complete working code and detailed explanations, please refer to the full repository here. This repository contains all source files, helper classes, and configuration examples to implement PKCS#11 digital signing in your .NET applications.
This article demonstrates how to sign documents with PKCS#11 hardware tokens (HSMs, smart cards, USB tokens) using GroupDocs.Signature for .NET. The sample project integrates the Pkcs11Interop library, which provides a .NET interface for PKCS#11 devices.
PKCS#11 devices can include hardware security modules (HSMs), smart cards, and USB dongles. USB dongles are often used in corporate environments as a portable way to securely store private keys. With GroupDocs.Signature for .NET, you can use a dongle in the same way as other PKCS#11 tokens to apply digital signatures to your documents.
Use this approach when you need to securely sign documents with a private key stored in hardware rather than in a local file.
Pkcs11DigitalSigner.cs integrates PKCS#11 with GroupDocs.Signature:
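```csharp
using System.Security.Cryptography.X509Certificates;

public class Pkcs11DigitalSigner
{
    public X509Certificate2 GetCertificateFromPkcs11()
    {
        // Load certificate directly from token
        // Uses Settings.Pkcs11LibraryPath and Settings.TokenPin
        // (method body omitted in this outline; see the full repository)
    }
}
```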
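One way the certificate lookup outlined above can be written with Pkcs11Interop's high-level API. This is an added example, not the repository's code: the class and method names are hypothetical, and it assumes the first slot with a token present and the first X.509 certificate object on it are the ones wanted. It returns only the public certificate; the private key stays on the token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public static class TokenCertificateReader // hypothetical helper name
{
    // libraryPath: the vendor's PKCS#11 module; pin: the token's user PIN.
    public static X509Certificate2 ReadFirstCertificate(string libraryPath, string pin)
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                   factories, libraryPath, AppType.MultiThreaded))
        {
            // Only slots that currently hold a token (dongle plugged in, card inserted).
            List<ISlot> slots = library.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0)
                throw new InvalidOperationException("No PKCS#11 token is present.");

            using (ISession session = slots[0].OpenSession(SessionType.ReadOnly))
            {
                session.Login(CKU.CKU_USER, pin);
                try
                {
                    // Search template: X.509 certificate objects only.
                    var template = new List<IObjectAttribute>
                    {
                        factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_CERTIFICATE),
                        factories.ObjectAttributeFactory.Create(CKA.CKA_CERTIFICATE_TYPE, CKC.CKC_X_509)
                    };
                    List<IObjectHandle> found = session.FindAllObjects(template);
                    if (found.Count == 0)
                        throw new InvalidOperationException("No X.509 certificate on the token.");

                    // CKA_VALUE is the DER-encoded certificate; no key material is read.
                    List<IObjectAttribute> attrs =
                        session.GetAttributeValue(found[0], new List<CKA> { CKA.CKA_VALUE });
                    return new X509Certificate2(attrs[0].GetValueAsByteArray());
                }
                finally
                {
                    session.Logout(); // end the authenticated session even on failure
                }
            }
        }
    }
}
```

The returned `X509Certificate2` has `HasPrivateKey == false`, because signing operations have to be performed by the token itself. Supply the PIN at run time (prompt or secret store) rather than as a constant in source.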
Sign a document
Program.cs shows how to sign using GroupDocs.Signature.
This example demonstrates two flows:
(1) Directly from PKCS#11 device
(2) From Windows certificate store
```csharp
using GroupDocs.Signature;
using GroupDocs.Signature.Options;
using System;

class Program
{
    static void Main()
    {
        string filePath = "sample.pdf";
        string outputPath = "signed.pdf";

        // (1) Sign using PKCS#11 device
        var pkcs11Signer = new Pkcs11DigitalSigner();
        var certificate = pkcs11Signer.GetCertificateFromPkcs11();

        using (var signature = new Signature(filePath))
        {
            var options = new DigitalSignOptions(certificate)
            {
                Comments = "Signed with PKCS#11 device",
                SignTime = DateTime.Now
            };
            signature.Sign(outputPath, options);
        }

        // (2) Sign using certificate from Windows store
        // var windowsCert = Helpers.GetCertificateFromWindowsStore(Settings.CertificateSubject);
        // (sign in the same way with windowsCert)
    }
}
```
Notes
Replace <PKCS11_LIBRARY_PATH>, <TOKEN_PIN>, and <CERT_SUBJECT> with your actual values.
Both PKCS#11 and Windows certificate store flows are supported. Choose the one that matches your infrastructure.
For detailed helper methods and advanced scenarios, see the full repository.
Warning
Early Implementation Notice
This solution is currently provided as an early implementation for using PKCS#11 digital signature dongles with GroupDocs.Signature. While it enables document signing with hardware tokens, we strongly recommend performing additional testing in your own environment to ensure it meets your compliance and security requirements.
We would greatly appreciate your feedback, test results, and suggestions for improvements. Your input will help us refine this functionality and explore new ideas to make it more robust and user-friendly.