Cryptographic providers
For digital signatures to be applied to a document, a cryptographic provider must be configured. The cryptographic provider manages certificates and the associated private keys, and implements cryptographic algorithms. The cryptographic provider used impacts the legal effect of your digital signatures, and often depends on your local legal and regulatory requirements. If you are unsure of these requirements, contact your local Certificate Authority (CA) for guidance.
The Pdftools SDK supports a range of cryptographic providers:
- Built-in cryptographic provider
- PKCS#11 provider
- Online signing services, e.g. GlobalSign and Swisscom
Built-in cryptographic provider
The built-in cryptographic provider requires no cryptographic hardware or external service, except for an optional connection to an external time-stamp service. Signing certificates with private keys can be loaded directly from a PFX (PKCS#12) soft certificate stored as a local file, using the Pdftools SDK. Additional certificates can be stored in a local Certificates directory.
These additional certificates are required when adding validation information to signatures that do not have the full trust chain embedded. The certificates directory may contain certificates in either PEM (.pem, ASCII text) or DER (.cer, binary) format.
PKCS#11 provider
The PKCS#11 provider creates a session to a cryptographic device (HSM, USB token, etc.) to perform cryptographic operations. It requires a driver module (middleware). More information on the driver required can be found in the documentation for your cryptographic device. The PKCS#11 Tech Note provides detailed information about configuring a PKCS#11 device to work with the Pdftools SDK.
Online Signing Services
Online signing services are cloud-based cryptographic providers that enable their customers to sign documents and provide them with time-stamps.
GlobalSign Digital Signing Service
This provider implements the methods of the GlobalSign Digital Signing Service. A GlobalSign account is required.
Swisscom Signing Service
This provider implements the methods of the Swisscom Signing Service. A Swisscom account is required.