Hello DocuSign Community,I am looking for clarification regarding supported digital certificates for Brazil (ICP-Brasil), specifically cloud-based certificates where the private key is not stored locally on the signer’s machine. I use an ICP-Brasil e-CPF cloud certificate, managed by a certified Trust Service Provider (TSP). The certificate is not installed in the Windows Certificate Store and is not exposed via PKCS#11 or CSP locally. The signing process works as follows: The user selects “cloud certificate” A local application is launched The signer authenticates using QR Code + 2FA (mobile approval) The cryptographic signing operation occurs remotely (HSM / remote key signing) This certificate works correctly on: Government portals Other Brazilian signing platforms Websites that require client certificate authentication However, when attempting to sign documents in DocuSign eSignature, the signing process cannot be completed, which suggests that DocuSign expects the certificate to be locally accessible via the Windows Certificate Store or a local token.

Question

Support for ICP-Brasil cloud digital certificates (remote signing / non-Windows Certificate Store)

Forum|Forum|1 month ago
December 16, 2025
6 replies
88 views

vkaicde
New Voice

Hello DocuSign Community,

I am looking for clarification regarding supported digital certificates for Brazil (ICP-Brasil), specifically cloud-based certificates where the private key is not stored locally on the signer’s machine.

I use an ICP-Brasil e-CPF cloud certificate, managed by a certified Trust Service Provider (TSP).
The certificate is not installed in the Windows Certificate Store and is not exposed via PKCS#11 or CSP locally.
The signing process works as follows:
- The user selects “cloud certificate”
- A local application is launched
- The signer authenticates using QR Code + 2FA (mobile approval)
- The cryptographic signing operation occurs remotely (HSM / remote key signing)

This certificate works correctly on:

Government portals
Other Brazilian signing platforms
Websites that require client certificate authentication

However, when attempting to sign documents in DocuSign eSignature, the signing process cannot be completed, which suggests that DocuSign expects the certificate to be locally accessible via the Windows Certificate Store or a local token.

vkaicde
Author
New Voice
Forum|Forum|1 month ago
December 17, 2025

Any response ?

+18

Hengfeng Ge
Hero
Forum|Forum|1 month ago
December 17, 2025

Have you try signer held :https://support.docusign.com/s/document-item?language=en_US&bundleId=yca1573855023892&topicId=tir1687888983224.html&_LANG=enus

I don't know whether it support remote HSM.

FreeLink/甫连信息

🌍 DocuSign Partner | Partner Profile
🌟The only DocuSign Partner globally with two Certified eSignature Technical Consultants

🏆 DocuSign 2025 APAC Growth Engine Partner of the Year
💡 Ranked #1 in the OG All Star category in DocuSign Community Wrapped 2024
📊 DocuSign Community Leaderboard Top 5 contributor
🚀 Expertise in DocuSign integrations with on-premises systems for leading enterprises across various industries
🔗 Connect with me on LinkedIn: https://www.linkedin.com/in/gehengfeng

📬 For business inquiries, feel free to connect via :

WeChat/微信: +86 1381880287

WhatsApp: +65 97796938

Welcome to the DocuSign Community! Your feedback is highly valued. If you find my response helpful, please give it a "Like" and consider marking it as the "Best Answer" to assist others with similar issues.

vkaicde
Author
New Voice
Forum|Forum|1 month ago
December 18, 2025

Based on the evidence and tests already performed, this scenario does not work as suggested.

Certificates such as VIDAAS are cloud-based certificates where the private key is never stored or exposed in the Windows Certificate Store, nor made available via CSP/KSP or local tokens. Instead, the signing operation is performed remotely through a cloud HSM, and each signature is authorized by the signer using a separate authentication flow (e.g., mobile app, QR code, OTP, or push approval).

DocuSign’s digital signature (PKI / Signer Held) model requires the signing certificate to be locally accessible by the DocuSign PKI agent, either from the operating system certificate store or from a physical token/smart card. There is no documented support for delegating the signing operation to an external remote HSM or consuming third-party signing APIs.

The certificate is not present in the Windows store

There is no integration between DocuSign and VIDAAS for example and as far as I know

The private key cannot be accessed or triggered by DocuSign

As a result, the signature cannot be completed.

Could you please confirm whether DocuSign supports any signing scenario where the certificate is not available in the OS certificate store and where there is no direct integration with the cloud certificate provider (remote HSM / cloud signing service)? If such a scenario exists, could you also clarify the expected technical flow and supported providers?

At this moment, all available documentation and community references indicate that remote cloud certificates such as VIDAAS are not supported for digital signatures in DocuSign.

+19

Alexandre.Augusto
Docusign Employee
Forum|Forum|1 month ago
December 18, 2025

Hello, @vkaicde

This article talks about best practices using ICP Brasil and ITI validator. Perhaps you can find some useful information.

https://support.docusign.com/s/articles/Best-practices-for-signing-documents-with-ICP-Brasil-digital-signatures-when-using-the-ITI-validator-VALIDAR-is-required?language=pt_BR&langSet=1

About your very specific questions, I would suggest to you contact our support team then ask to talk with a security specialist.

How to open a support case?

https://support.docusign.com/s/articles/How-Do-I-Open-a-Case-in-the-DocuSign-Support-Center?language=en_US&langSet=1

Best,

Alexandre

Your feedback is very appreciated! You can give a Like and mark this answer as the "Best Answer" for your issue. DocuSign University http://dsucustomers.docusign.com

vkaicde
Author
New Voice
Forum|Forum|1 month ago
December 18, 2025

The referenced article focuses on ICP-Brasil validation requirements (ITI / VALIDAR) after the signature is completed. It does not address nor enable signing scenarios using cloud-based certificates or remote HSM solutions such as VIDAAS. At this time, there is no documented or supported mechanism for DocuSign to perform digital signatures when the certificate is not available in the operating system certificate store.

+15

Melanie.Panguito
Community Moderator
Forum|Forum|1 month ago
December 24, 2025

Hi there @vkaicde,

It looks like you have already reached out to Customer Support, as @Alexandre.Augusto suggested. Is that right? If you still have questions or require additional assistance, please don't hesitate to let us know—we’re happy to help.

If the previous response helped clarify things or pointed you in the right direction, we’d appreciate it if you could mark it as the Best Answer ✅

If you discovered a solution, feel free to share it here and mark your reply as the Best Answer— so others can easily find it too.

Hope you’re having a great day!

Regards,

Melanie | Docusign Community Moderator

Sign up

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Docusign Community

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Scanning file for viruses.

This file cannot be downloaded