Digital Signature Support: CSP and CNG
IronPDF can digitally sign PDF documents in .NET applications, but the kind of certificate it supports is currently limited. Knowing which signature types work today helps you plan an integration around them.
Supported today: CSP-based signatures
IronPDF signs using certificates based on Microsoft's legacy Cryptographic Service Provider (CSP) model:
- Signing: PDF documents can be signed with a CSP-based PFX file using RSA keys, through IronPDF's Sign() method.
- Verifying: signatures created in this legacy format can be verified.
CSP is an older cryptographic framework that supports traditional algorithms like RSA but lacks modern extensibility.
Not yet supported: CNG-based signatures
Microsoft introduced Cryptography Next Generation (CNG) with Windows Vista and Windows Server 2008 to replace CSP, adding modern algorithms such as ECDSA and a more flexible API. As of IronPDF v2025.06.08, CNG-based digital signatures are not supported.
Using a CNG certificate raises a specific error:
- ECDSA: throws "certificate key algorithm not supported".
- RSA via CNG: throws "requested operation not supported".
These occur because the current signing implementation does not integrate with Microsoft's CNG key storage provider and API.
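A pre-flight check for the limitation described above, as an added example that is not IronPDF code: it scans a PFX for the Microsoft provider-name bag attribute (OID 1.3.6.1.4.1.311.17.1) and reports whether the file names a legacy CSP or a CNG key storage provider. It assumes the attribute is present, stored contiguously outside the encrypted parts of the file, and that Windows imports the key into the provider it names; `provider_names`, `classify` and `sample_attribute` are names chosen for this example.

```python
# DER encoding of OID 1.3.6.1.4.1.311.17.1, the Microsoft "CSP name" bag
# attribute. Assumption: the PFX was exported with this attribute in plaintext.
PROVIDER_NAME_OID = bytes.fromhex("06092b0601040182371101")

# Substrings found in the names of Microsoft's CNG key storage providers.
CNG_MARKERS = ("Key Storage Provider", "Platform Crypto Provider")

def _read_tlv(buf, pos):
    """Parse one definite-length DER element; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def provider_names(pfx):
    """Return every provider name stored in the PFX's plaintext bag attributes."""
    names, start = [], 0
    while (hit := pfx.find(PROVIDER_NAME_OID, start)) != -1:
        start = hit + len(PROVIDER_NAME_OID)
        try:
            set_tag, set_body, _ = _read_tlv(pfx, start)  # SET OF values
            str_tag, raw, _ = _read_tlv(set_body, 0)      # BMPString
            if set_tag == 0x31 and str_tag == 0x1E:
                names.append(raw.decode("utf-16-be"))
        except (IndexError, ValueError, UnicodeDecodeError):
            continue  # byte pattern matched by chance, not a real attribute
    return names

def classify(pfx):
    """Return 'cng', 'csp', or 'unknown' when the file names no provider."""
    names = provider_names(pfx)
    if not names:
        return "unknown"
    return "cng" if any(m in n for n in names for m in CNG_MARKERS) else "csp"

def sample_attribute(name):
    """Constructed test input (names under 63 chars): one attribute, not a PFX."""
    text = name.encode("utf-16-be")
    value = bytes([0x1E, len(text)]) + text
    return PROVIDER_NAME_OID + bytes([0x31, len(value)]) + value
```

For a real file, pass `open(path, "rb").read()` to `classify`; an "unknown" result means the file names no provider, so the provider is decided at import time.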
What CNG is
CNG is Microsoft's modern cryptographic framework, the successor to the older CryptoAPI and CSP system. It supports algorithms like RSA, ECDSA, SHA-256, and SHA-384, allows pluggable cryptographic providers, and underpins Windows features such as BitLocker, TPM, and Windows Hello.
Roadmap
Iron Software is reviewing CNG support for a future release. The goals are to enable CNG-based RSA and ECDSA certificates, work with the Windows Certificate Store and CNG key storage providers, and pass signing and verification against industry-standard tools and the PDF signature specification.

