AmbiSecure PKCS Signature Suite
A hardware signature token plus cross-platform PKCS#11 / PKCS#15 middleware. The token holds the signing key in a secure element; the middleware exposes it to Acrobat, Office, Mozilla, OpenSC, Windows BaseCSP, and macOS Keychain through standard interfaces. Sign a contract, a CSR, or a build artefact — the application never sees the private key.
A signing token without middleware is a paperweight.
Hardware-backed
Signing keys are generated inside the secure element. RSA 2048 / 3072 and ECC P-256 / P-384. The private key never crosses the USB boundary.
Standards-aligned
PKCS#11 v2.40 for cryptographic apps that speak the OASIS interface. PKCS#15 file structure on-token for cross-vendor middleware compatibility.
Cross-platform middleware
Windows minidriver + BaseCSP. macOS Keychain CTK. Linux opensc-pkcs11. Mozilla NSS module. The same token works the same way everywhere.
Application coverage
Adobe Acrobat for PDF signing. Microsoft Office for document signing. Mozilla Thunderbird / Firefox for S/MIME and TLS-client auth. signtool / jarsigner / cosign for build artefacts.
Multi-slot
Four cryptographic slots per token. Run distinct certificates for signing, encryption, and authentication without re-issuing the device.
Production-ready issuance
Tokens are personalised on the AmbiSecure line. AAGUID and attestation per batch. Existing issuance CAs plug in without modification.
What is in the token and the middleware.
| Component | Details |
|---|---|
| Token form factor | USB-A or USB-C device, CCID-compliant smart-card class. ISO/IEC 7816 contact via the embedded reader. |
| Token chip | JavaCard 3.x on a Common Criteria EAL5+ secure element. |
| Token crypto | RSA 2048 / 3072 / 4096; ECC P-256 / P-384; SHA-256 / SHA-384 / SHA-512; on-card key generation; PIN policy. |
| Middleware — Windows | Smart card minidriver + BaseCSP. Compatible with CryptoAPI / CNG. Installer signed. |
| Middleware — macOS | CryptoTokenKit (CTK) extension. Keychain-visible identities; usable from any CryptoTokenKit-aware app. |
| Middleware — Linux | opensc-pkcs11 module + a custom PKCS#11 .so for direct integration. |
| Middleware — Mozilla | PKCS#11 module loadable in Firefox and Thunderbird security devices panel. |
| On-token file system | PKCS#15 directory layout. Cross-vendor middleware reads slot metadata without proprietary tooling. |
| Volume | Pilot lots from 50 tokens; production from 500. |
Where this fits in the bigger picture.
Product: Digital signature token
The hardware token primitive without the bundled middleware — the legacy SKU.
Product: Secure Mail Suite
Where the signing token plugs in for email and document signing workflows.
Blog: Designing signing platforms
Cornerstone read — S/MIME, PDF/PKCS#7, Long-Term Validation, the trust-list problem.
Blog: PIV vs USB vs embedded
Decision matrix for hardware-backed workforce signing credentials.
Reference: ISO 7816
The contact-card command set the token speaks.
Reference: ASN.1
The encoding underneath every certificate and signed blob the suite handles.
Pilot the PKCS Signature Suite.
Tell us your target operating systems, application stack (Adobe? Office? signtool?), and certificate authority. We can ship pilot tokens with the middleware installer in 4–6 weeks.