My organization has a requirement to programmatically sign PDFs with HSPD-12 PIV Cards (embedded X509-2 Certs). Signing PDFs works fine via AEM Forms, where the PDF is rendered to the user, they pick a cert (physical or otherwise) from the Windows certificate selection list, and submit the form back to the workflow / web service, which handles verification.

My question is whether or not I can use the WSDL signature services in order to apply a certificate signature programmatically. The problem would be getting the certificate, which I can do with an IIS Application running with Client Certificate Mapping.

So far my research has led me to the stumping point where the certificate has to be physically loaded into the cert store managed by AEM. The service expects an aliased, stored certificate name; there's no way to provide already-encrypted bytestream data. That is not going to work because the private keys are not exportable.

Are there any approaches that I am missing?