BYO-DSC signing isn't a file upload. Here's what changed in 2021.
Class 3 certificates moved to non-exportable hardware tokens years ago. Most procurement conversations haven't caught up.
A checkbox feature with a footnote nobody reads
Most document-signing platforms list "bring your own DSC" somewhere on the integrations page, usually next to Aadhaar eSign and bulk send. It reads like any other checkbox: drag in your certificate file, the platform signs with it, done. For a feature with that much weight on a procurement call, surprisingly few buyers ask what "your own DSC" is actually made of in 2026.
The honest answer changes how BYO-DSC signing has to be built. A new Class 3 digital signature certificate issued by a licensed Indian Certifying Authority cannot exist as a standalone file the way it could a few years ago. That has been true since January 2021, and it is the single most common gap between what a feature list promises and what an integration team discovers a few weeks into a rollout.
What January 2021 actually changed
Until then, Indian Certifying Authorities issued three classes of digital signature certificate, with Class 2 carrying most of the everyday filing and signing volume. The Controller of Certifying Authorities discontinued Class 1 and Class 2 issuance entirely that year. Class 3 became the only certificate class a licensed CA could issue, covering everything from MCA filings to e-tenders to income tax returns for companies.
That consolidation came with a custody rule that matters more than the renaming. CCA guidelines require a Class 3 private key to be generated directly on a FIPS-certified hardware USB token and to stay there. The token enforces a PIN, refuses to let the key be copied out, and doesn't even let the holder reset that PIN independently the way a password manager would. A PKCS#12 file, the .pfx format most "upload your certificate" features still expect, is built to do the opposite: it's a portable container designed to be copied, emailed, and moved between machines. The two aren't different versions of the same thing. They're different answers to whether a private key is allowed to leave the device it was created on.
CCA’s own application integration guidelines (PDF) spell out the certificate and token handling rules that any platform in this space has to design around.
Certificates issued before the cutover haven't vanished. A handful of pre-2021 file-based DSCs are still sitting in production systems, valid until they expire. That's why "I have a .pfx DSC" isn't an impossible sentence to hear from a customer. It just describes a certificate on its way out, not a format you can design a new integration around.
The token requirement also changes what happens when something goes wrong. Losing a password-protected .pfx file used to mean a re-export from wherever the original certificate was generated. Losing a USB token means the key is gone for good, by design, and the certificate has to be revoked and reissued rather than recovered. That's a feature of the model, not a bug in it, but it's an operational detail that rarely makes it into a procurement conversation until the first lost token forces the question.
PKCS#12 was never the problem. PKCS#11 was always the answer.
It helps to separate two acronyms that get used almost interchangeably in vendor decks. PKCS#12 is a file format: a certificate, its chain, and a private key, encrypted together and unlocked with a password. PKCS#11 is something else entirely, an interface for talking to a cryptographic token or hardware security module without the key ever crossing into the calling application's memory. A server-side BYO-DSC flow built around "accept the file, decrypt it with the supplied password, sign, discard the key from memory" is a PKCS#12 flow. For any Class 3 certificate issued after January 2021, it's also a flow with no valid input, because there is no file to accept.
That forces the signing operation to happen wherever the token physically is, or wherever the issuing CA holds the key on the certificate holder’s behalf. Either way, it stops being something a server can do unaided, which is precisely the property the hardware requirement was designed to enforce.
Two architectures that actually satisfy BYO-DSC signing today
Local bridge plus USB token
The pattern several government portals and Certifying Authorities already ship looks like this: a small signing service runs on the certificate holder's own machine, listens on a local port, and talks to the USB token over PKCS#11. NIC's own DSC Signer utility, used for portals like PFMS and eGramSwaraj, works exactly this way. It's the bridge between the physical token and whatever is running in the browser. The browser hands the local service a hash of the document to be signed, and the local service returns a signature blob and the certificate chain. The platform's server never touches the password, the PIN, or the key. It receives a signed hash and verifies it.
// Browser -> local bridge (localhost, e.g. 127.0.0.1:9090)
{
"operation": "sign",
"documentHash": "8f2a1c9e...e41b",
"hashAlgorithm": "SHA-256"
}
// Local bridge -> browser, after the token's PIN is entered
{
"signature": "MIIBIjANBg...kqhkiG9w0B",
"certificateChain": ["MIIDdTCCA...", "MIIDXTCCA..."],
"signedAt": "2026-06-22T09:41:12Z"
}The server only ever sees the second payload, plus whatever metadata it logs about the request itself.
Cloud HSM, gated by app or OTP
The newer pattern keeps the private key inside the issuing CA's own hardware security module instead of a token the user carries. The user approves each signing request through an app push or an OTP, the CA's infrastructure performs the cryptographic operation, and the platform calls an API rather than a local bridge. It's popular with Chartered Accountants and Company Secretaries who sign dozens of filings a week and would rather not carry a USB token between machines. It's still a Class 3 certificate under the same CCA framework. Only the custody of the key has moved, from a device the user holds to infrastructure the CA operates.
| Architecture | Where the private key lives | What the platform's server sees | Still being issued? |
|---|---|---|---|
| Legacy file-based DSC (.pfx) | A password-protected file on the user's disk | The file itself, briefly, if uploaded | No, Class 1/2 discontinued Jan 2021; existing certs valid until expiry |
| USB token + local bridge | Non-exportable hardware token, PIN-locked | Only the signed hash and certificate chain | Yes, the default path for Class 3 today |
| Cloud HSM (app/OTP) | The CA's own HSM infrastructure | An API response and an OTP/app confirmation event | Yes, growing, especially among CAs and CS professionals |
| Aadhaar eSign (for contrast) | A UIDAI-empanelled provider's HSM, momentarily, per signature | An OTP or biometric confirmation event | Yes, a separate legal framework, not a Class 3 DSC at all |
What changes in your audit trail
Local-bridge signing is, in one sense, a better privacy story than the old file-upload model: the platform never custodies a key or a password, so there's nothing to leak from its side. But it also means the audit trail can only attest to what it actually saw. It can prove that a particular certificate and chain produced a valid signature over a particular document hash, and it can log the surrounding events, including the timestamp, the IP address, and the handshake with the local bridge or the CA's API. It can't attest to what happened inside the token, because it was never let in that far.
Cloud HSM signing adds a second dependency to that chain: the audit trail is only as good as the proof the CA's API hands back for the approval event. If that API returns nothing more than a signature blob, the evidence that "the certificate holder personally approved this" is thinner than it looks, no matter how strong the cryptography underneath it is. Worth asking the CA directly what their API actually returns, rather than assuming it matches what the signing platform's dashboard shows.
The rollout problem nobody budgets for
The gap rarely shows up as a security incident. It shows up as a missed go-live date. A buyer signs off on "BYO-DSC support" assuming it means what file upload always meant, then their IT team's first real test reveals that every signing user needs a local utility installed and a port whitelisted on their laptop. Sometimes that goes through a software inventory process that takes longer than the rest of the integration combined, and the helpdesk ends up fielding the same "why won't my token sign" ticket from a dozen different departments before anyone documents the fix.
This isn’t a flaw unique to any one vendor. Every platform in this category, DocuSign, Zoho Sign, Leegality, Digio, and FlowVerify among them, signs against whatever a CCA-licensed CA actually issues. None of them can override the certificate format the regulator settled on, and none of them can make a USB token behave like a file just because a feature page implies it.
It also catches international teams off guard more often than domestic ones. A SaaS company building for an Indian customer base for the first time tends to read "DSC support" as a backend integration line item, the same shape as adding a payment gateway. It's closer to adding support for a hardware peripheral, with all the desktop-compatibility and IT-policy questions that implies, and that's worth budgeting for at the scoping stage rather than discovering during user acceptance testing.
“A "bring your own DSC" feature that accepts a file upload is either built for certificates that can no longer be issued, or it isn’t doing what its name implies.”
What to ask before the integration starts
- Does this require installing anything on every signing user’s machine, or only on the certificate holder’s?
- What does your server log when a signature comes back: a password, a key, or a hash and a certificate chain?
- If a user moves from a USB token to a cloud HSM certificate later, does the audit trail format change underneath them?
- What happens to an in-progress signing session if the local bridge breaks after a routine operating-system update?
As cloud HSM and app-based DSCs spread, particularly among professionals who sign often enough to resent carrying a token, the harder question for any platform in this space stops being where the certificate file lives. It becomes where the approval event lives, and how convincingly that event can be reconstructed months later when someone disputes a signature.
Frequently asked questions
Related reading
Coinbase's AWS outage lasted 18 hours. The postmortem shows why multi-AZ didn't help.
A single AWS zone failure turned into an 18-hour Coinbase outage. The postmortem reveals two specific ways 'multi-AZ' architecture quietly wasn't, and how to check your own systems for the same gap.
Idempotency keys in production: what the tutorials don't cover
Most idempotency key implementations handle the happy path and fail in three specific ways: a race condition between check and claim, a dedup table bottleneck at scale, and key scoping that breaks in fan-out systems.
TypeScript 7's Go compiler is 10x faster. Here is what actually breaks.
TypeScript 6.0 shipped as the last JavaScript-based release. TypeScript 7.0 brings a Go-native compiler with genuine 10x build speedups and removes the Compiler API that a surprising share of tooling depends on.