Breng je eigen sleutel mee — 10 providers

Alle providers implementeren de IsgcKeyProvider-interface — dezelfde ondertekencode werkt tegen lokale bestanden, smartcards, HSM's, cloud-KMS of remote QTSP's. Wissel met één regel.

Lokale bestanden (PFX, PEM)
Hardware (PKCS#11)
Cloud-KMS (Azure, AWS, GCP)
QTSP's (Certum, CSC v2)
PROVIDER1 / 10

TsgcPFXKeyProvider

PFX / PKCS#12 files. Local password-protected key. Best for development, small deployments, and any workflow where the certificate ships as a single .pfx/.p12 file.

  • Geïmporteerd via Windows CNG met PKCS12_PREFER_CNG_KSP — SHA-256-/384-/512-ondertekening werkt ongeacht de oorspronkelijke CSP.
  • .pfx-bestanden met meerdere certificaten worden automatisch doorlopen tot het certificaat met de private sleutel is gevonden.
pfx.pas 
var
  vPFX: TsgcPFXKeyProvider;
begin
  vPFX := TsgcPFXKeyProvider.Create(nil);
  try
    vPFX.FileName := 'certificate.pfx';
    vPFX.Password := 'mypassword';
    vPFX.LoadFromFile;
    // vSigner.KeyProvider := vPFX;
  finally
    vPFX.Free;
  end;
end;
PROVIDER2 / 10

TsgcPEMKeyProvider

PEM files. Encrypted PKCS#8 with native PBES2 / PBKDF2 / AES-CBC support, plus the legacy RSA private-key DEK-Info format. Best for OpenSSL-based pipelines.

  • BEGIN CERTIFICATE, BEGIN RSA PRIVATE KEY, BEGIN PRIVATE KEY, BEGIN ENCRYPTED PRIVATE KEY all supported.
  • Combined PEMs (cert + key in one file) are detected automatically — leave PrivateKeyFile empty.
pem.pas 
var
  vPEM: TsgcPEMKeyProvider;
begin
  vPEM := TsgcPEMKeyProvider.Create(nil);
  try
    vPEM.CertificateFile := 'cert.pem';
    vPEM.PrivateKeyFile  := 'key.pem';
    vPEM.PrivateKeyPassword := 'secret';
    vPEM.LoadFromFile;
    // vSigner.KeyProvider := vPEM;
  finally
    vPEM.Free;
  end;
end;
PROVIDER3 / 10

TsgcWindowsCertStoreProvider

Windows Certificate Store. Local-machine and current-user stores. Best for desktop apps using existing AD-issued certificates, or any deployment where Windows already manages the cert lifecycle.

  • Signing happens via Windows CNG — the private key never leaves the store.
  • Selection by subject CN substring or by SHA-1 thumbprint.
winstore.pas 
var
  vStore: TsgcWindowsCertStoreProvider;
begin
  vStore := TsgcWindowsCertStoreProvider.Create(nil);
  try
    vStore.StoreName := 'MY';
    vStore.StoreLocation := cslCurrentUser;
    vStore.SelectCertificateBySubject('My Company');
    // vSigner.KeyProvider := vStore;
  finally
    vStore.Free;
  end;
end;
PROVIDER4 / 10

TsgcPKCS11Provider

PKCS#11 / Hardware Tokens. Smart cards, USB tokens, HSMs — SafeNet, YubiKey, Nitrokey, Thales. Required for Qualified Electronic Signatures in most EU jurisdictions.

  • CKM_RSA_PKCS and CKM_ECDSA_SHA256 mechanisms supported.
  • EnumerateSlots / EnumerateCertificates helpers for picking the right slot at runtime.
pkcs11.pas 
var
  vTok: TsgcPKCS11Provider;
begin
  vTok := TsgcPKCS11Provider.Create(nil);
  try
    vTok.LibraryPath := 'C:\token\pkcs11.dll';
    vTok.SlotIndex := 0;
    vTok.PIN := '1234';
    vTok.CertificateLabel := 'MyCert';
    vTok.Connect;
    // vSigner.KeyProvider := vTok;
  finally
    vTok.Free;
  end;
end;
PROVIDER5 / 10

TsgcAzureTrustedSigningProvider

Azure Trusted Signing. Microsoft's qualified code-signing service. Authenticode without buying an EV cert — Microsoft owns the certificate and provisions the signing key for you.

  • OAuth2 client credentials — Tenant ID + Client ID + Client Secret.
  • Private keys live entirely in Azure, never on the build agent.
azure-ts.pas 
var
  vAzure: TsgcAzureTrustedSigningProvider;
begin
  vAzure := TsgcAzureTrustedSigningProvider.Create(nil);
  try
    vAzure.TenantId := 'your-tenant-id';
    vAzure.ClientId := 'your-client-id';
    vAzure.ClientSecret := 'your-client-secret';
    vAzure.AccountName := 'mySigningAccount';
    vAzure.CertificateProfileName := 'default';
    vAzure.Connect;
    // vSigner.KeyProvider := vAzure;
  finally
    vAzure.Free;
  end;
end;
PROVIDER6 / 10

TsgcAWSKMSKeyProvider

AWS Key Management Service. Amazon's HSM-backed key custody service. Pair with an AWS-issued cert for in-cloud signing without exposing the private key.

  • AWS Signature Version 4 authentication, computed in-process.
  • KeyId accepts key ID, key ARN, or alias ARN.
aws-kms.pas 
var
  vAWS: TsgcAWSKMSKeyProvider;
begin
  vAWS := TsgcAWSKMSKeyProvider.Create(nil);
  try
    vAWS.AccessKeyId := 'AKIAIOSFODNN7EXAMPLE';
    vAWS.SecretAccessKey := 'wJalrXUtnFEMI/K7MDENG/...';
    vAWS.Region := 'us-east-1';
    vAWS.KeyId := 'arn:aws:kms:us-east-1:...:key/my-key';
    vAWS.Connect;
    // vSigner.KeyProvider := vAWS;
  finally
    vAWS.Free;
  end;
end;
PROVIDER7 / 10

TsgcGCloudKMSKeyProvider

Google Cloud KMS. Same operational model as AWS KMS. Service-account JSON file authenticates via JWT exchange to OAuth2 access token, then signs through the Cloud KMS API.

  • ProjectId + Location + KeyRing + Key + Version — matches the GCP resource hierarchy 1:1.
  • Asymmetric KMS keys only — HSM-backed when available, software-protected otherwise.
gcloud-kms.pas 
var
  vGCloud: TsgcGCloudKMSKeyProvider;
begin
  vGCloud := TsgcGCloudKMSKeyProvider.Create(nil);
  try
    vGCloud.ProjectId := 'my-project';
    vGCloud.LocationId := 'global';
    vGCloud.KeyRingId := 'my-key-ring';
    vGCloud.KeyId := 'my-signing-key';
    vGCloud.KeyVersion := '1';
    vGCloud.ServiceAccountJSON := 'C:\keys\sa.json';
    vGCloud.Connect;
    // vSigner.KeyProvider := vGCloud;
  finally
    vGCloud.Free;
  end;
end;
PROVIDER8 / 10

TsgcHashiCorpVaultKeyProvider

HashiCorp Vault. De Transit-secrets-engine van Vault voert de ondertekening uit. Het beste voor self-hosted, policy-gestuurd sleutelbeheer waarbij Vault al deel uitmaakt van de stack.

  • De Transit-engine beheert alleen de sleutel — lever het certificaat aan via SetCertificateFromFile.
  • Token-gebaseerde authenticatie; het standaard mount-path is 'transit'.
vault.pas 
var
  vVault: TsgcHashiCorpVaultKeyProvider;
begin
  vVault := TsgcHashiCorpVaultKeyProvider.Create(nil);
  try
    vVault.VaultAddress := 'https://vault.example.com:8200';
    vVault.Token := 's.myVaultToken';
    vVault.MountPath := 'transit';
    vVault.KeyName := 'my-signing-key';
    vVault.Connect;
    vVault.SetCertificateFromFile('C:\certs\signing-cert.pem');
    // vSigner.KeyProvider := vVault;
  finally
    vVault.Free;
  end;
end;
PROVIDER9 / 10

TsgcCertumSimplySignProvider

Certum SimplySign. Poolse QTSP. Gekwalificeerde elektronische handtekeningen via een PIN die wordt geautoriseerd door een mobiele app, zonder USB-token. Een veelgekozen optie voor Poolse KSeF- en ZUS-workflows.

  • OAuth2-client-credentials + SimplySign-account-gebruikersnaam/wachtwoord + PIN.
  • ListCertificates toont elk certificaat dat in het account beschikbaar is.
certum.pas 
var
  vCertum: TsgcCertumSimplySignProvider;
begin
  vCertum := TsgcCertumSimplySignProvider.Create(nil);
  try
    vCertum.ClientId := 'your-client-id';
    vCertum.ClientSecret := 'your-client-secret';
    vCertum.Username := 'user@example.com';
    vCertum.Password := 'account-password';
    vCertum.PIN := '123456';
    vCertum.BaseURL := 'https://cloudsign.certum.pl';
    vCertum.Connect;
    // vSigner.KeyProvider := vCertum;
  finally
    vCertum.Free;
  end;
end;
PROVIDER10 / 10

TsgcCSCKeyProvider

Cloud Signature Consortium API v2. Generieke interface naar elke QTSP die CSC v2 implementeert — Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust, Intesi Group. De provider bewaart de gekwalificeerde sleutel in een remote QSCD; sgcSign stuurt alleen de document-hash.

  • Drie auth-modi: cscBasic, cscOAuth2, cscOTP (one-time password voor two-factor).
  • Roept credentials/authorize + signatures/signHash aan volgens de CSC v2-specificatie.
csc-v2.pas 
var
  vCSC: TsgcCSCKeyProvider;
  vCreds: TStringArray;
begin
  vCSC := TsgcCSCKeyProvider.Create(nil);
  try
    vCSC.BaseURL := 'https://api.qtsp.example/csc/v2';
    vCSC.AuthMethod := cscBasic;
    vCSC.Username := 'alice';
    vCSC.Password := 'secret';
    vCreds := vCSC.ListCredentials;
    vCSC.CredentialID := vCreds[0];
    vCSC.PIN := '123456';
    vCSC.OTP := '987654';
    vCSC.LoadCredentialInfo;
    // vSigner.KeyProvider := vCSC;
  finally
    vCSC.Free;
  end;
end;
GEMEENSCHAPPELIJKE INTERFACE

Wissel met één regel

Elke provider implementeert IsgcKeyProvider. De signer-code weet nooit of de sleutel op schijf staat, op een token, in Azure of achter een CSC v2-API.

Eén signer, tien providers

  • Ontwikkel met een lokale PFX. Test met de Windows-store. Deploy naar Azure Trusted Signing.
  • Landprofielen, handtekeningniveaus, OCSP, tijdstempels — al het andere blijft hetzelfde.
  • De sgcSign Server gebruikt intern dezelfde providers — centraliseer eerst lokaal en schaal later op naar een daemon.
swap-providers.pas 
function SignWithAnyProvider(
  aProvider: IsgcKeyProvider; const aXML: string): string;
var
  vSigner: TsgcXAdESSigner;
begin
  vSigner := TsgcXAdESSigner.Create(nil);
  try
    vSigner.KeyProvider := aProvider;
    vSigner.Profile.LoadProfile(spEmploymentDE);
    Result := vSigner.SignXML(aXML);
  finally
    vSigner.Free;
  end;
end;

// Caller picks the provider; signer doesn't care.
SignWithAnyProvider(vPFX, vXML);
SignWithAnyProvider(vAzure, vXML);
SignWithAnyProvider(vCSC, vXML);

Kies de juiste provider voor je vertrouwensmodel

Van een lokale .pfx tot een HSM op een ander continent — de ondertekencode blijft hetzelfde.

Snelstart sgcSign Server