Azure Key Vault is a cloud service provided by Microsoft Azure for securely storing and accessing sensitive information such as API keys, passwords, certificates, and cryptographic keys. It provides strong protection for data at rest and in transit by acting as a central vault for managing secrets and cryptographic operations.
Azure Key Vault provides several key benefits for signing PDF documents with PFX certificates. Most importantly, it increases security by storing sensitive certificates in a centralized, highly secure environment, eliminating the risk of exposure on local devices or servers. Private keys never leave the vault because cryptographic operations are performed inside the vault.
This approach simplifies certificate management and allows organizations to centralize and streamline key rotation, revocation, and auditing. Azure Key Vault also provides scalability to seamlessly meet the needs of growing applications while maintaining high availability and robust performance. Compliance is another key benefit, as the service helps meet stringent industry standards and regulations such as GDPR, HIPAA, and PCI DSS, ensuring data protection and privacy.
These benefits combine to provide a secure, reliable, and cost-effective way to manage certificates for PDF signing and other cryptographic operations.
PFX Certificate in Azure Key Vault
This article shows how to use a PFX certificate stored in Azure Key Vault to sign a PDF document. The following screenshot shows the Azure Key Vault portal with a PFX certificate uploaded:
Azure SDK
The following NuGet packages are required for Azure:
- Azure.Identity
- Azure.Security.KeyVault.Certificates
- TXTextControl.TextControl.ASP.SDK
Uploading a PFX Certificate to Azure Key Vault
The following code shows one way to upload a local PFX file to Azure Key Vault, although this article should not focus on how to upload the certificates. You can also upload the certificates to the portal if you have the appropriate user access rights.
using System; | |
using System.Security.Cryptography.X509Certificates; | |
using Azure.Identity; | |
using Azure.Security.KeyVault.Certificates; | |
string keyVaultUrl = "https://txtestvault.vault.azure.net/"; | |
string certificateName = "txselfcert"; | |
string password = "123"; | |
// Create a CertificateClient using DefaultAzureCredential for authentication | |
var credential = new DefaultAzureCredential(true); | |
var client = new CertificateClient(new Uri(keyVaultUrl), credential); | |
// Read the PFX file into a byte array | |
byte[] pfxBytes = await File.ReadAllBytesAsync("certificate.pfx"); | |
// Import the certificate into Key Vault | |
var importOptions = new ImportCertificateOptions(certificateName, pfxBytes) | |
{ | |
Password = password | |
}; | |
var importedCertificate = await client.ImportCertificateAsync(importOptions); | |
Console.WriteLine($"Certificate '{certificateName}' imported successfully."); |
Signing a PDF Document
After uploading the PFX certificate to Azure Key Vault, you can use the Azure SDK to access the certificate and sign a PDF document. The following code snippet demonstrates how to sign a PDF document using a PFX certificate stored in Azure Key Vault:
using System; | |
using System.Security.Cryptography.X509Certificates; | |
using Azure.Identity; | |
using Azure.Security.KeyVault.Certificates; | |
using TXTextControl; | |
string keyVaultUrl = "https://txtestvault.vault.azure.net/"; | |
string certificateName = "txselfcert"; | |
// Create a CertificateClient using DefaultAzureCredential for authentication | |
var credential = new DefaultAzureCredential(true); | |
var client = new CertificateClient(new Uri(keyVaultUrl), credential); | |
// Retrieve the certificate from the Azure Key Vault | |
var certificateWithPolicy = client.GetCertificate(certificateName); | |
byte[] pfxBytes = certificateWithPolicy.Value.Cer; // Extract the certificate's byte array | |
// Load the certificate into an X509Certificate2 object for digital signature purposes | |
var cert = new X509Certificate2(pfxBytes, (string)null, X509KeyStorageFlags.PersistKeySet); | |
// Initialize TXTextControl to create and save a document with the digital signature | |
using (var tx = new ServerTextControl()) | |
{ | |
tx.Create(); | |
tx.Text = "Hello, World!"; | |
// Prepare the digital signature for the document | |
var saveSettings = new SaveSettings | |
{ | |
DigitalSignature = new DigitalSignature(cert, null) | |
}; | |
// Save the document as a PDF with the digital signature | |
tx.Save("result.pdf", StreamType.AdobePDF, saveSettings); | |
} | |
Console.WriteLine("PDF saved with digital signature."); |
When you open the created PDF document in Acrobat Reader, you can see the valid certificate in the Signatures panel.
Conclusion
Using Azure Key Vault to store PFX certificates for PDF signing provides a secure, scalable, and compliant solution for managing sensitive cryptographic operations. By using Azure Key Vault, organizations can increase security, simplify certificate management, and ensure compliance with industry standards and regulations.