1. IronPDF
  2. How-Tos
  3. Signing PDFs with HSM

How to Digitally Sign PDFs with C# Using HSM

Curtis Chau
Curtis Chau
Updated:

IronPDF enables secure PDF signing using Hardware Security Modules (HSMs) through the PKCS#11 API, where private keys never leave the physical device, providing bank-level security for mission-critical applications requiring tamper-proof digital signatures.

Quickstart: Sign a PDF with HSM in C#

  1. Install IronPDF via NuGet: Install-Package IronPdf
  2. Configure your HSM device (or use SoftHSM for testing)
  3. Create a UsbPkcs11HsmSigner with your HSM credentials:

    Nuget IconGet started making PDFs with NuGet now:

    1. Install IronPDF with NuGet Package Manager

      PM > Install-Package IronPdf

    2. Copy and run this code snippet.

      var hsmSigner = new UsbPkcs11HsmSigner(libraryPath, pin, tokenLabel, keyLabel);

    3. Deploy to test on your live environment

      Start using IronPDF in your project today with a free trial
      arrow pointer
  4. Generate your PDF and sign it:
    var pdf = renderer.RenderHtmlAsPdf("<h1>Document</h1>");
pdf.SignAndSave("signed.pdf", hsmSigner);
    var pdf = renderer.RenderHtmlAsPdf("<h1>Document</h1>");
pdf.SignAndSave("signed.pdf", hsmSigner);
    IRON VB CONVERTER ERROR developers@ironsoftware.com
    $vbLabelText   $csharpLabel
  5. Verify the signature in your PDF viewer

Adding a signature to a PDF document is a common requirement in many applications. However, mission-critical applications require higher security where the key cannot be tampered with. A normal signing operation with a .pfx file is like having a master key at your house. The application loads the key into memory to sign the document. If the computer is compromised, the key may be stolen.

A more secure alternative is using a Hardware Security Module (HSM). With an HSM (like a USB token), the private key is generated inside the device and cannot leave it.

This process is like bringing the document to a bank. The application provides a PIN, and the HSM takes the document into the vault, stamps it with the key, and returns the stamped document. The key never leaves the vault. This provides additional security, as the key cannot be copied or stolen.

How to digitally Sign PDFs with HSM

  1. Download the IronPDF C# library for signing PDFs with HSM
  2. Import your existing HSM or simulate it with other libraries
  3. Create a new UsbPkcs11HsmSigner object
  4. Sign and save the PDF with SignAndSave
  5. Verify the PDF output and certificate with a PDF viewer

Start using IronPDF in your project today with a free trial.

First Step:
green arrow pointer

How Do I Sign PDFs with an HSM?

Signing with an HSM typically requires a physical device, such as a USB token, that the application interacts with. IronPDF is compatible with these operations, as both the library and standard HSMs use PKCS#11 as a common API. For demonstrative purposes, this guide uses a simulated HSM instead of a physical one.

In production or live testing environments, you should not use this simulation. Instead, use your actual HSM. For production environments, consider implementing additional PDF security features such as password protection and permissions alongside HSM signing for comprehensive document protection.

To run this simulation, you must first install SoftHSM, OpenSSL, and OpenSC to generate the necessary key and token. For more information on utilizing SoftHSM, refer to their public GitHub repository.

Before implementing HSM signing, ensure you have properly installed IronPDF and configured your license key for production use.

Start by creating a PDF from an HTML string. In the example below, we define the paths and credentials for our simulated SoftHSM. This includes providing the absolute path to the SoftHSM .dll library file and the .crt certificate file that you created.

Next, specify the output path, which in this instance is output.pdf.

Define three strings: hsmTokenLabel, hsmPin, and hsmKeyLabel. These strings are case-sensitive and must exactly match the credentials you created when generating the token and certificate with SoftHSM. Afterwards, initialize the UsbPkcs11HsmSigner object, passing the SoftHSM library path, PIN, token label, and key label as parameters.

Additionally, create a PdfSignatureImage to add a visual representation of the signature onto the document. Finally, call SignAndSave, which uses the hsmSigner to sign the document and save it to the specified output path.

What Does the HSM Signing Code Look Like?

:path=/static-assets/pdf/content-code-examples/how-to/signing-with-hsm.cs
using IronPdf;
using IronPdf.Signing;
using IronSoftware.Pdfium.Signing;
using System.Drawing;

ChromePdfRenderer renderer = new ChromePdfRenderer();
PdfDocument pdf = renderer.RenderHtmlAsPdf("<h1>Testing</h1>");

// Define Paths and Credentials
string softhsmLibraryPath = @"D:\SoftHSM2\lib\softhsm2-x64.dll";
// These MUST match what you created
string hsmTokenLabel = "MyTestToken";
string hsmPin = "123456";
string hsmKeyLabel = "my-key"; // The label for the key *inside* the token

// Create the HsmSigner object.
UsbPkcs11HsmSigner hsmSigner = new UsbPkcs11HsmSigner(
    softhsmLibraryPath,
    hsmPin,
    hsmTokenLabel,
    hsmKeyLabel
);

// Create the Signature Image
string signatureImagePath = "IronSoftware.png";
PdfSignatureImage sigImage = new PdfSignatureImage(signatureImagePath, 0, new Rectangle(50, 50, 150, 150));

// Sign PDF with HSM
pdf.SignAndSave("signedWithHSM.pdf", hsmSigner);
IRON VB CONVERTER ERROR developers@ironsoftware.com
$vbLabelText   $csharpLabel

The UsbPkcs11HsmSigner additionally takes two optional parameters: digestAlgorithm and signingAlgorithm. By default, they are set to SHA256 and RSA.

Working with Different HSM Configurations

Different HSM devices may require specific configurations. Here's an example showing how to configure the signer with custom algorithms and handle multiple signatures:

// Configure with custom algorithms
var customHsmSigner = new UsbPkcs11HsmSigner(
    hsmLibraryPath,
    hsmPin,
    hsmTokenLabel,
    hsmKeyLabel,
    digestAlgorithm: IronPdf.Signing.DigestAlgorithm.SHA512,
    signingAlgorithm: IronPdf.Signing.SigningAlgorithm.RSA
);

// Apply signature with custom location and reason
var signatureOptions = new SignatureOptions
{
    SignerName = "Corporate Signing Authority",
    Location = "Company Headquarters",
    Reason = "Contract Approval"
};

// Load existing PDF for signing
var existingPdf = PdfDocument.FromFile("contract.pdf");
existingPdf.SignAndSave("contract-signed.pdf", customHsmSigner, signatureOptions);
// Configure with custom algorithms
var customHsmSigner = new UsbPkcs11HsmSigner(
    hsmLibraryPath,
    hsmPin,
    hsmTokenLabel,
    hsmKeyLabel,
    digestAlgorithm: IronPdf.Signing.DigestAlgorithm.SHA512,
    signingAlgorithm: IronPdf.Signing.SigningAlgorithm.RSA
);

// Apply signature with custom location and reason
var signatureOptions = new SignatureOptions
{
    SignerName = "Corporate Signing Authority",
    Location = "Company Headquarters",
    Reason = "Contract Approval"
};

// Load existing PDF for signing
var existingPdf = PdfDocument.FromFile("contract.pdf");
existingPdf.SignAndSave("contract-signed.pdf", customHsmSigner, signatureOptions);
IRON VB CONVERTER ERROR developers@ironsoftware.com
$vbLabelText   $csharpLabel

This approach is particularly useful when working with digital signature examples that require specific compliance standards or when you need to add metadata to track signature details.

How Can I Verify the HSM Signature?

Below is the output generated. It displays the signature field and confirms that it is signed with the certificate we generated.

PDF signature panel showing HSM certificate 'MyTestToken' with unknown validity and signature verification details
Certificate Viewer showing MyTestToken certificate details with validity dates and path validation status

What Are Common HSM Configuration Issues?

If you encounter the error shown below while running the code example, follow these troubleshooting steps to debug and verify your configuration. For additional assistance with digital signature issues, consult our digital signatures troubleshooting guide.

This CKR_GENERAL_ERROR commonly occurs when the program cannot find the SoftHSM configuration file or when the .NET application is running as a 32-bit process while the SoftHSM library is 64-bit.

PKCS#11 HSM initialization error showing CHR_GENERAL_ERROR in console output with full stack trace

Changing the Platform Target

A common cause for this error is an architecture mismatch. Your C# application must run as a 64-bit process to match the 64-bit SoftHSM library (softhsm2-x64.dll). In your Visual Studio project properties, change the Platform target from 'Any CPU' or 'x86' to 'x64' to ensure compatibility.

Visual Studio build configuration showing Platform target set to x64 architecture with conditional compilation symbols

Setting the Environment Variable

Another common cause is that the program cannot find the .conf file in SoftHSM. You must tell the library where to look by setting a system-wide environment variable. Create a new variable named SOFTHSM2_CONF and set its value to the full path of your configuration file (e.g., D:\SoftHSM2\etc\softhsm2.conf). Remember to restart Visual Studio after making the changes.

Windows System Variables dialog with SOFTISM2_CONF environment variable highlighted showing HSM configuration path

Additionally, you can verify whether the variable is found by adding this line:

Console.WriteLine($"Verifying variable: {Environment.GetEnvironmentVariable("SOFTHSM2_CONF")}");
Console.WriteLine($"Verifying variable: {Environment.GetEnvironmentVariable("SOFTHSM2_CONF")}");
IRON VB CONVERTER ERROR developers@ironsoftware.com
$vbLabelText   $csharpLabel

If the console output returns blank, the program cannot find the environment variable. You must set it, restart Visual Studio or your computer, and try again.

Best Practices for Production HSM Deployment

When deploying HSM-signed PDFs in production environments, consider these additional security measures:

  1. Audit Logging: Implement comprehensive logging for all HSM operations to maintain compliance and track access
  2. Certificate Management: Regularly update and rotate certificates according to your organization's security policies
  3. Backup Procedures: Establish proper backup and recovery procedures for HSM configurations
  4. Performance Optimization: Monitor signing performance and implement caching strategies for frequently accessed certificates

These practices complement the standard PDF signing workflow and ensure your document security infrastructure remains robust and compliant with industry standards.

Frequently Asked Questions

What is HSM signing and how does it differ from regular PDF signing?

HSM (Hardware Security Module) signing with IronPDF provides bank-level security where private keys never leave the physical device. Unlike regular .pfx file signing where keys are loaded into memory and can be compromised if the computer is attacked, HSM signing keeps the private key locked inside the hardware device, making it impossible to copy or steal.

How do I configure HSM signing in C# for PDFs?

To configure HSM signing with IronPDF, first install the library via NuGet with 'Install-Package IronPdf', then create a UsbPkcs11HsmSigner object with your HSM credentials including the library path, PIN, token label, and key label. Finally, use the SignAndSave method to sign your PDF document.

What are the security benefits of using HSM for PDF signatures?

Using HSM with IronPDF provides tamper-proof digital signatures ideal for mission-critical applications. The process is like bringing documents to a bank vault - the application provides a PIN, the HSM signs the document internally, and returns the signed document without ever exposing the private key, ensuring it cannot be copied or stolen.

Can I test HSM signing without a physical device?

Yes, IronPDF allows you to simulate HSM signing using libraries like SoftHSM for development and testing purposes. However, for production environments, you must use an actual physical HSM device to ensure proper security.

What API standard does IronPDF use for HSM communication?

IronPDF uses the PKCS#11 API standard for HSM communication, ensuring compatibility with standard HSM devices. This common API allows IronPDF to interact seamlessly with various HSM hardware tokens and security modules.

How can I verify that my PDF was successfully signed with HSM?

After signing a PDF with IronPDF's HSM functionality, you can verify the signature by opening the signed PDF in any standard PDF viewer. The viewer will display the digital signature information and confirm the document's authenticity and integrity.

Curtis Chau
Curtis Chau
  Chat with engineering team now
Technical Writer

Curtis Chau holds a Bachelor’s degree in Computer Science (Carleton University) and specializes in front-end development with expertise in Node.js, TypeScript, JavaScript, and React. Passionate about crafting intuitive and aesthetically pleasing user interfaces, Curtis enjoys working with modern frameworks and creating well-structured, visually appealing manuals.

...

Read More
Ready to Get Started?
Nuget Downloads 16,585,857 | Version: 2025.12 just released