ASP.NET ASP.NET Core Azure Key Vault PDF

Sign PDF Documents with PFX Certificates from Azure Key Vault in .NET C#

Bjoern Meyer

January 7, 2025

This article shows how to sign PDF documents with PFX certificates from Azure Key Vault in .NET C#. The sample code shows how to load a certificate from Azure Key Vault and how to sign a PDF document with that certificate.

Azure Key Vault is a cloud service provided by Microsoft Azure for securely storing and accessing sensitive information such as API keys, passwords, certificates, and cryptographic keys. It provides strong protection for data at rest and in transit by acting as a central vault for managing secrets and cryptographic operations.

Azure Key Vault provides several key benefits for signing PDF documents with PFX certificates. Most importantly, it increases security by storing sensitive certificates in a centralized, highly secure environment, eliminating the risk of exposure on local devices or servers. Private keys never leave the vault because cryptographic operations are performed inside the vault.

This approach simplifies certificate management and allows organizations to centralize and streamline key rotation, revocation, and auditing. Azure Key Vault also provides scalability to seamlessly meet the needs of growing applications while maintaining high availability and robust performance. Compliance is another key benefit, as the service helps meet stringent industry standards and regulations such as GDPR, HIPAA, and PCI DSS, ensuring data protection and privacy.

These benefits combine to provide a secure, reliable, and cost-effective way to manage certificates for PDF signing and other cryptographic operations.

PFX Certificate in Azure Key Vault

This article shows how to use a PFX certificate stored in Azure Key Vault to sign a PDF document. The following screenshot shows the Azure Key Vault portal with a PFX certificate uploaded:

Azure Key Vault Portal

Azure SDK

The following NuGet packages are required for Azure:

Azure.Identity
Azure.Security.KeyVault.Certificates
TXTextControl.TextControl.ASP.SDK

Azure Key Vault Portal

Uploading a PFX Certificate to Azure Key Vault

The following code shows one way to upload a local PFX file to Azure Key Vault, although this article should not focus on how to upload the certificates. You can also upload the certificates to the portal if you have the appropriate user access rights.

using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

string keyVaultUrl = "https://txtestvault.vault.azure.net/";
string certificateName = "txselfcert";
string password = "123";

// Create a CertificateClient using DefaultAzureCredential for authentication
var credential = new DefaultAzureCredential(true);
var client = new CertificateClient(new Uri(keyVaultUrl), credential);

// Read the PFX file into a byte array
byte[] pfxBytes = await File.ReadAllBytesAsync("certificate.pfx");

// Import the certificate into Key Vault
var importOptions = new ImportCertificateOptions(certificateName, pfxBytes)
{
    Password = password
};

var importedCertificate = await client.ImportCertificateAsync(importOptions);

Console.WriteLine($"Certificate '{certificateName}' imported successfully.");

Signing a PDF Document

After uploading the PFX certificate to Azure Key Vault, you can use the Azure SDK to access the certificate and sign a PDF document. The following code snippet demonstrates how to sign a PDF document using a PFX certificate stored in Azure Key Vault:

using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using TXTextControl;

string keyVaultUrl = "https://txtestvault.vault.azure.net/";
string certificateName = "txselfcert";

// Create a CertificateClient using DefaultAzureCredential for authentication
var credential = new DefaultAzureCredential(true);
var client = new CertificateClient(new Uri(keyVaultUrl), credential);

// Retrieve the certificate from the Azure Key Vault
var certificateWithPolicy = client.GetCertificate(certificateName);
byte[] pfxBytes = certificateWithPolicy.Value.Cer;  // Extract the certificate's byte array

// Load the certificate into an X509Certificate2 object for digital signature purposes
var cert = new X509Certificate2(pfxBytes, (string)null, X509KeyStorageFlags.PersistKeySet);

// Initialize TXTextControl to create and save a document with the digital signature
using (var tx = new ServerTextControl())
{
    tx.Create();
    tx.Text = "Hello, World!";

    // Prepare the digital signature for the document
    var saveSettings = new SaveSettings
    {
        DigitalSignature = new DigitalSignature(cert, null)
    };

    // Save the document as a PDF with the digital signature
    tx.Save("result.pdf", StreamType.AdobePDF, saveSettings);
}

Console.WriteLine("PDF saved with digital signature.");

When you open the created PDF document in Acrobat Reader, you can see the valid certificate in the Signatures panel.

Signed PDF Document

Conclusion

Using Azure Key Vault to store PFX certificates for PDF signing provides a secure, scalable, and compliant solution for managing sensitive cryptographic operations. By using Azure Key Vault, organizations can increase security, simplify certificate management, and ensure compliance with industry standards and regulations.

ASP.NET

Integrate document processing into your applications to create documents such as PDFs and MS Word documents, including client-side document editing, viewing, and electronic signatures.