1. IronPDF
  2. How-Tos
  3. Signing PDFs with HSM

How to Digitally Sign PDFs with C# using HSM

Curtis Chau
Curtis Chau
Updated:

Adding a signature to a PDF document is a common requirement in many applications. However, mission-critical applications require a higher level of security where the key itself cannot be tampered with. A normal signing operation with a .pfx file is akin to having a master key at your house. The application needs to load the key into your computer's memory to sign the document. If the computer itself is compromised, the key may be stolen.

A far more secure alternative is using a Hardware Security Module (HSM). With an HSM (like your USB token), the private key is generated inside the device and is physically incapable of ever leaving it.

This process is akin to bringing the document to the bank. The application provides a PIN, and the "bank manager" (the HSM) takes the document into the vault, stamps it with the key, and hands the stamped document back. The main aspect is that the key never leaves the vault. This provides an additional security measure, as the key cannot be copied or stolen.

How to digitally Sign PDFs with HSM

  1. Download the IronPDF C# library for signing PDFs with HSM
  2. Import your existing HSM or simulate it with other libraries
  3. Create a new UsbPkcs11HsmSigner object
  4. Sign and save the PDF with SignAndSave
  5. Verify the PDF output and certificate with a PDF viewer

Start using IronPDF in your project today with a free trial.

First Step:
green arrow pointer

Signing with an HSM

Signing with an HSM typically requires a physical device, such as a USB token, that the application interacts with. IronPDF is fully compatible with these operations, as both the library and standard HSMs often use PKCS#11 as a common API. For demonstrative purposes regarding IronPDF's functionality with HSMs, this guide will use a simulated HSM instead of a physical one.

In a production or live testing environment, you should not use this simulation. Instead, you must use your actual HSM.

To run this simulation, you must first install SoftHSM, OpenSSL, and OpenSC to generate the necessary key and token. For more information on how to utilize SoftHSM, please refer to their public GitHub repository.

We'll start by creating a PDF from an HTML string. In the example below, we define the paths and credentials for our simulated SoftHSM. This includes providing the absolute path to the SoftHSM .dll library file and the .crt certificate file that you created.

Next, we specify the output path, which in this instance is output.pdf.

Furthermore, we define three strings: hsmTokenLabel, hsmPin, and hsmKeyLabel. These strings are case-sensitive and must exactly match the credentials you created when generating the token and certificate with SoftHSM. Afterwards, we initialize the UsbPkcs11HsmSigner object, passing the SoftHSM library path, PIN, token label, and key label as parameters.

We additionally create a PdfSignatureImage to add a visual representation of the signature onto the document. Finally, we call SignAndSave, which uses the hsmSigner we configured to sign the document and save it to the specified output path.

Code

:path=/static-assets/pdf/content-code-examples/how-to/signing-with-hsm.cs
using IronPdf;
using IronPdf.Signing;
using IronSoftware.Pdfium.Signing;
using System.Drawing;

ChromePdfRenderer renderer = new ChromePdfRenderer();
PdfDocument pdf = renderer.RenderHtmlAsPdf("<h1>Testing</h1>");

// Define Paths and Credentials
string softhsmLibraryPath = @"D:\SoftHSM2\lib\softhsm2-x64.dll";
// These MUST match what you created
string hsmTokenLabel = "MyTestToken";
string hsmPin = "123456";
string hsmKeyLabel = "my-key"; // The label for the key *inside* the token

// Create the HsmSigner object.
UsbPkcs11HsmSigner hsmSigner = new UsbPkcs11HsmSigner(
    softhsmLibraryPath,
    hsmPin,
    hsmTokenLabel,
    hsmKeyLabel
);

// Create the Signature Image
string signatureImagePath = "IronSoftware.png";
PdfSignatureImage sigImage = new PdfSignatureImage(signatureImagePath, 0, new Rectangle(50, 50, 150, 150));

// Sign PDF with HSM
pdf.SignAndSave("signedWithHSM.pdf", hsmSigner);
IRON VB CONVERTER ERROR developers@ironsoftware.com
$vbLabelText   $csharpLabel

The UsbPkcs11HsmSigner additionally takes two optional parameters, the digestAlgorithm and signingAlgorithm. By default, they are set to SHA256 and RSA.

Output

Below is the output generated. As you can see, it displays the signature field and confirms that it is signed with the certificate we generated.

Output
Output Certificate

Troubleshooting

If you encounter the error shown below while running the code example, follow these troubleshooting steps to debug and verify your configuration. This CKR_GENERAL_ERROR commonly occurs when the program cannot find the SoftHSM configuration file or when the .NET application is running as a 32-bit process while the SoftHSM library is 64-bit.

General CKS error

Changing the Platform Target

A common cause for this error is an architecture mismatch. Your C# application must run as a 64-bit process to match the 64-bit SoftHSM library (softhsm2-x64.dll). In your Visual Studio project properties, change the Platform target from 'Any CPU' or 'x86' to 'x64' to ensure compatibility.

Platform Target

Setting the Environment Variable

Another common cause of error is that the program cannot find the .conf file in SoftHSM. You must tell the library where to look by setting a system-wide environment variable. Create a new variable named SOFTHSM2_CONF and set its value to the full path of your configuration file (e.g., D:\SoftHSM2\etc\softhsm2.conf). Afterwards, remember to restart Visual Studio after making the changes.

Set Environment variable

Additionally, you can verify whether the variable is found by adding this line.

Console.WriteLine($"Verifying variable: {Environment.GetEnvironmentVariable("SOFTHSM2_CONF")}");
Console.WriteLine($"Verifying variable: {Environment.GetEnvironmentVariable("SOFTHSM2_CONF")}");
IRON VB CONVERTER ERROR developers@ironsoftware.com
$vbLabelText   $csharpLabel

If the console output returns blank, then the program can't find the environment variable. You must set it, restart Visual Studio or your computer, and try again.

Frequently Asked Questions

What is a Hardware Security Module (HSM) and why is it used for signing PDFs?

A Hardware Security Module (HSM) is a physical device used to manage digital keys and perform encryption and decryption functions. It is used for signing PDFs to enhance security by ensuring that the signing process is both secure and compliant with various standards.

How can I configure an HSM for signing PDFs in C#?

To configure an HSM for signing PDFs in C#, you need to set up the HSM with the appropriate drivers and software, ensure it is connected to your system, and configure the signing process within your C# application using IronPDF.

What are the steps to digitally sign a PDF using IronPDF?

To digitally sign a PDF using IronPDF, you need to first initialize your HSM, configure the digital signature within your C# code, and apply the signature to the PDF document using IronPDF's signing functionality.

Can I use IronPDF to sign PDFs with other types of digital certificates?

Yes, IronPDF supports signing PDFs with various types of digital certificates, not just those managed by an HSM. This includes certificates stored in software keystores.

What are the benefits of using IronPDF for PDF signing?

IronPDF provides a straightforward API for signing PDFs, allowing you to easily integrate digital signatures into your C# applications. It supports various certificate types, including those managed by HSMs, ensuring flexibility and security.

Is it possible to verify a PDF signature created with IronPDF?

Yes, once a PDF is signed using IronPDF, the signature can be verified using standard PDF readers that support digital signatures, ensuring the integrity and authenticity of the document.

Do I need to have programming experience to use IronPDF for signing PDFs?

Basic programming knowledge in C# is recommended to use IronPDF for signing PDFs, as it involves writing code to manage the signing process and configure the HSM appropriately.

What kind of support is available for integrating HSM with IronPDF?

Iron Software provides documentation and technical support to help you integrate HSMs with IronPDF, ensuring a smooth setup and operation of digital signature functionalities.

Curtis Chau
Curtis Chau
  Chat with engineering team now
Technical Writer

Curtis Chau holds a Bachelor’s degree in Computer Science (Carleton University) and specializes in front-end development with expertise in Node.js, TypeScript, JavaScript, and React. Passionate about crafting intuitive and aesthetically pleasing user interfaces, Curtis enjoys working with modern frameworks and creating well-structured, visually appealing manuals.

...

Read More
Ready to Get Started?
Nuget Downloads 16,133,208 | Version: 2025.11 just released