HSM and FIPS validation

At a glance

NextPDF Enterprise signing connects to hardware security modules (HSMs) through PKCS#11 and runs cryptography with Federal Information Processing Standards (FIPS)-validated modules. The private key behind a signature stays inside certified hardware, and the cryptography runs inside an independently validated module. You get the two assurance properties that regulated and high-value signing workflows depend on.

This page gives buyers proof and assurance. It explains the standards the signing integration follows, the device classes it works with, the interoperability posture, and the validation evidence you can request before you commit. It does not describe implementation details. For the standards conformance overview, see Compliance and conformance.

Hardware security module support

A hardware security module is a certified device that generates and holds private keys, and performs cryptographic operations for you, so key material never leaves the device. NextPDF Enterprise signs through these devices using PKCS#11. PKCS#11 is the widely adopted standard programming interface, also known as Cryptoki, for devices that hold cryptographic information and perform cryptographic functions. It also defines how keys are managed on a cryptographic token, which lets one standard integration reach a broad range of devices.

Because the integration follows PKCS#11 instead of a vendor-specific interface, it works across the common classes of hardware key custody:

Network and appliance HSMs used to centralize key custody for fleets of signing services.
Cloud HSM services that present a PKCS#11 interface to applications running in a managed environment.
Smart cards and signing tokens used when a signer holds the key on a personal device.

Hardware key custody pairs with the long-term archival signature profile, so a signature originates from a protected key and stays verifiable for years. See Compliance and conformance for the signature profiles and their standards.

FIPS-validated cryptography

For deployments with cryptographic assurance requirements, NextPDF Enterprise operates with FIPS-validated cryptographic modules. FIPS 140-3 is the United States standard for cryptographic module security requirements. It supersedes FIPS 140-2 and aligns with the international standard ISO/IEC 19790.

Validation is an independent process, not a vendor claim. A module’s conformance to the cryptographic module security requirements is established by accredited testing against a defined set of assertions. The validating authority lists validated modules. When you use a validated module, the cryptography behind a signature runs inside hardware that has passed that independent process, rather than in unverified code.

NextPDF Enterprise does not issue its own FIPS validation; it operates with validated modules so your signing inherits their assurance. The applicable module depends on the hardware or cloud service you deploy.

Interoperability and validation evidence

NextPDF Enterprise is built to interoperate with standards-conformant hardware, not a single vendor. The interoperability posture is:

Standard interface. Signing reaches hardware through the PKCS#11 standard, so devices with a conformant interface are supported as a class.
Validated modules. Cryptography runs with FIPS-validated modules whose validation is independently established.
Standards-based signatures. The signatures produced follow the PDF Advanced Electronic Signatures (PAdES) baseline profiles, including the long-term archival level for durable verifiability. See Compliance and conformance.

If you are a buyer or auditor and need to confirm this before committing, NextPDF can provide evidence on request, including:

The hardware security module classes the signing integration is tested against, and the interoperability posture for your target device.
The FIPS-validated modules in use, and how to confirm their validation with the validating authority.
The signature profiles produced, and how an independent verifier validates them.

Request a validation report

To request a validation report or discuss your hardware and assurance requirements before you buy, contact sales through the license portal. Tell us your target hardware security module or cloud key service and your FIPS assurance level. We will map your requirement to the supported device classes and the validation evidence available for it.