Bridge your browser
to Windows certificates.
Lightweight desktop service that connects any web application to the Windows Certificate Store over localhost HTTPS. Sign PDFs with hardware DSC tokens directly from the browser.
From unsigned PDF to legally valid in milliseconds
Scroll to follow the document through each step
1const hash = await computeHash(pdfBytes); 2const certs = await fetch( 3 "https://localhost:9555/certificates" 4); 5// User picks a certificate...
Service_Agreement_2026.pdf
2.4 MB · 12 pages
Rajesh Kumar
SELECTEDeMudhra Sub CA · USB Token
Acme Corp
n-Code Solutions · PFX File
Priya Sharma
Capricorn CA · Smart Card
Private Key Protected
The private key signed on-device. Never exported or transmitted.
Rajesh Kumar
Signed via USB DSC · eMudhra CA
Your web app prepares the document
The user opens a PDF in your web portal. Your JavaScript computes the document hash and calls SignBridge on localhost.
SignBridge discovers certificates
SignBridge scans the Windows Certificate Store, detects USB tokens and smart cards, and returns the list to your browser.
Hash is signed on the hardware token
SignBridge sends the hash to Windows CryptoAPI. The private key signs the hash directly on the USB token — the key never leaves the device.
Signed PDF returned to your app
The digital signature is embedded into the PDF. The document is now legally valid, tamper-evident, and verifiable by any PDF reader.
From unsigned PDF to legally valid
Your web app prepares the document
The user opens a PDF in your web portal. Your JavaScript computes the document hash and calls SignBridge on localhost.
1const hash = await computeHash(pdfBytes); 2const certs = await fetch( 3 "https://localhost:9555/certificates" 4); 5// User picks a certificate...
Service_Agreement_2026.pdf
2.4 MB · 12 pages
SignBridge discovers certificates
SignBridge scans the Windows Certificate Store, detects USB tokens and smart cards, and returns the list to your browser.
Rajesh Kumar
SELECTEDeMudhra Sub CA · USB Token
Acme Corp
n-Code Solutions · PFX File
Priya Sharma
Capricorn CA · Smart Card
Hash is signed on the hardware token
SignBridge sends the hash to Windows CryptoAPI. The private key signs the hash directly on the USB token — the key never leaves the device.
Private Key Protected
The private key signed on-device. Never exported or transmitted.
Signed PDF returned to your app
The digital signature is embedded into the PDF. The document is now legally valid, tamper-evident, and verifiable by any PDF reader.
Rajesh Kumar
Signed via USB DSC · eMudhra CA
Works in any browser
Chrome, Edge, Firefox, Safari
No extensions needed
Standard fetch() API
Keys stay on device
Hardware token isolation
Localhost only
Zero network exposure
Every certificate, one bridge
This browser based DSC signing tool works with any certificate in the Windows Certificate Store: USB tokens, smart cards, and PFX files. No custom drivers or browser extensions required for web portal digital signature integration.
Auto-Discovery
SignBridge automatically detects all certificates in the Windows Certificate Store. USB tokens and smart cards are recognized the moment they are inserted.
Certificate Selection
Web applications can query available certificates and let users choose which one to sign with. Filter by issuer, key usage, or expiry date.
Supported Certificate Types
USB DSC Tokens
eMudhra, Sify, n-Code, Capricorn, PantaSign
Hardware tokens from any CCA-certified provider via PKCS#11 or CSP
PFX / P12 Files
Software-based certificates
Password-protected certificate files imported into Windows Certificate Store
Smart Cards
Gemalto, Thales, SafeNet
PKI smart cards accessed through Windows CryptoAPI minidriver
Frequently asked questions
Everything you need to know about SignBridge and browser-to-certificate signing.
SignBridge is a lightweight Windows desktop service (built with Tauri/Rust) that creates an HTTPS bridge between web browsers and the Windows Certificate Store. Browsers cannot directly access USB DSC tokens or local certificates for security reasons. SignBridge runs as a local service on port 9555 and exposes a secure REST API that web applications can call to sign documents using DSC online, without browser extensions or Java applets.
SignBridge uses multiple layers of security: (1) It only listens on localhost (127.0.0.1), so no external network can reach it. (2) Origin validation ensures only whitelisted domains can communicate. (3) CORS headers block unauthorized cross-origin requests. (4) Private keys never leave the hardware token — only the hash is signed. A malicious website cannot pass origin checks or access your certificates.
SignBridge works with any certificate accessible through the Windows Certificate Store, including USB DSC tokens (eMudhra, Sify, n-Code, Capricorn, PantaSign), PFX/P12 software certificates, and smart cards (Gemalto, Thales, SafeNet). Any certificate with a Windows CSP/KSP driver is supported.
Private keys never leave the hardware token or Windows Certificate Store. SignBridge receives a hash (digest) of the document from the web application, passes it to the Windows CryptoAPI for signing, and returns the signed hash. The actual private key is never exposed to the browser, the web application, or even to SignBridge itself.
No. SignBridge works entirely through standard HTTPS fetch() calls from the browser. No extensions, plugins, Java applets, or ActiveX controls are required. Any modern browser (Chrome, Edge, Firefox, Safari) can communicate with SignBridge out of the box.
SignBridge currently supports Windows 10 (version 1903 and later) and Windows 11, both 64-bit. Windows is the primary target because USB DSC tokens and the Windows Certificate Store are Windows-centric. macOS and Linux support may be added in future versions.
Integration involves three steps: (1) Your frontend JavaScript calls fetch("https://localhost:9555/certificates") to list available signing certificates. (2) The user selects a certificate and your app calls fetch("https://localhost:9555/sign") with the document hash. (3) Your backend receives the signed hash and embeds the signature into the PDF. We provide a JavaScript SDK and code examples for common frameworks.
If SignBridge is not running, the fetch() call to localhost:9555 will fail with a network error. Your web application should detect this and show a prompt to download and install SignBridge. We provide a detection script that checks availability and displays appropriate instructions.
SignBridge is available as a free download for use with SignSecure products (SignPad, SignLift). For standalone enterprise deployment with custom origin whitelisting and dedicated support, contact our sales team for licensing options.
Yes. SignBridge handles concurrent requests from multiple browser tabs and applications. Each request is validated independently. As long as the origin is whitelisted, requests from different applications are processed in parallel.
Bridge your browser to certificates
Download SignBridge and enable web-based digital signing with hardware DSC tokens. Free with SignSecure products, enterprise licensing available.
Windows 10/11 · Localhost HTTPS · Works with any browser · No extensions required