I want to start signing PDFs by adding a certificate and to show its creation authenticity and validity.
For that, I plan to use the TCPDF library, but I need access to the private key in addition to the .crt file.
I've contacted several vendors that sell PDF certificates - yet they all plan to send an HSM module (physical device) and the private key cannot be extracted from it, so how can I use it programmatically?
CodePudding user response:
HSM devices can only be used from desktop applications, as they require displaying a secure window for entering the device PIN.
If you do not have the certificates as .pfx files then you have to work with the certificate vendor and use their web API, if available, for signing. GlobalSign, for example, has such an API: you send them the document hash and they return the signed hash.
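What "the document hash" is for a PDF, as an added example that is not part of the original answer or of any vendor's API: the digest is taken over the bytes listed in the signature's `/ByteRange`, which is everything except the `/Contents` placeholder that later receives the returned signature. The function names, the SHA-256 choice and the sample bytes are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: SHA-256 (hex) over the bytes covered by /ByteRange,
// i.e. the whole file except the /Contents placeholder.
function pdfByteRangeDigest(string $pdf): string
{
    $re = '/\/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]/';
    if (!preg_match($re, $pdf, $m)) {
        throw new RuntimeException('no /ByteRange: PDF has no signature placeholder');
    }
    [$off1, $len1, $off2, $len2] = array_map('intval', array_slice($m, 1));

    // Reject ranges that leave unsigned bytes besides the one hex string.
    if ($off1 !== 0 || $off2 <= $len1 || $off2 + $len2 !== strlen($pdf)) {
        throw new RuntimeException('ByteRange does not cover the whole file');
    }
    if ($pdf[$len1] !== '<' || $pdf[$off2 - 1] !== '>') {
        throw new RuntimeException('gap between ranges is not the /Contents hex string');
    }

    $ctx = hash_init('sha256');
    hash_update($ctx, substr($pdf, $off1, $len1));
    hash_update($ctx, substr($pdf, $off2, $len2));
    return hash_final($ctx);
}

// Constructed sample: not a valid PDF, only the byte layout of a placeholder.
function buildSample(): string
{
    $fmt  = "%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents ";
    $hole = '<' . str_repeat('0', 64) . '>';
    $tail = " >>\nendobj\n%%EOF\n";
    $len1 = strlen(sprintf($fmt, 0, 0, 0, 0));
    return sprintf($fmt, 0, $len1, $len1 + strlen($hole), strlen($tail)) . $hole . $tail;
}

$pdf    = buildSample();
$digest = pdfByteRangeDigest($pdf);
echo "digest to send: $digest\n";

// Writing the returned signature into the placeholder must not change the digest...
$signed = substr_replace($pdf, str_repeat('a', 64), strpos($pdf, '<0') + 1, 64);
echo 'after embedding: ', pdfByteRangeDigest($signed) === $digest ? 'same' : 'changed', "\n";

// ...while any edit to the covered bytes does.
$edited = str_replace('/Type /Sig', '/Type /SIG', $signed);
echo 'after edit:      ', pdfByteRangeDigest($edited) === $digest ? 'same' : 'changed', "\n";
```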
CodePudding user response:
There are some certificate authorities available which allow you to store the keys also on HSM services such as:
The CA may charge an additional fee for the key creation ceremony.
Anyhow you will not be able to simply use the keys with TCPDF without modification.
We (Setasign) offer a PDF signature solution in pure PHP (not free) which comes with signature modules for all of the listed services.
You can find online demos using all listed services with an AATL certificate here:
An overview of additional modules (e.g. for GlobalSign DSS, Swisscom Signing Service, CSC API) is available here.