diff --git a/README.md b/README.md
index e579fc97..736013ef 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ Jsign is free to use and licensed under the [Apache License version 2.0](https:/
 * Build tools integration (Maven, Gradle, Ant)
 * Command line signing tool
 * Authenticode signing API ([Javadoc](https://javadoc.io/doc/net.jsign/jsign-core))
+* JCA security provider to use the keystores supported by Jsign with other tools such as jarsigner
 
 See https://ebourg.github.io/jsign for more information.
 
@@ -50,6 +51,7 @@ See https://ebourg.github.io/jsign for more information.
 * Only one call to the Google Cloud API is performed when the version of the key is specified in the alias parameter
 * JVM arguments can now be passed using the `JSIGN_OPTS` environment variable
 * API changes:
+  * New `net.jsign.jca.JsignJcaProvider` JCA security provider to be used with other signing tools such as jarsigner
   * The signature can be removed by setting a null signature on the `Signable` object
   * `Signable.computeDigest(MessageDigest)` has been replaced by `Signable.computeDigest(DigestAlgorithm)`
   * The value of the `http.agent` system property is now appended to the user agent string set when calling REST services
diff --git a/docs/index.html b/docs/index.html
index 9106c42d..6eda6be2 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -73,6 +73,7 @@ <h3>Features</h3>
   <li>Build tools integration (<a href="#maven">Maven</a>, <a href="#gradle">Gradle</a>, <a href="#ant">Ant</a>)</li>
   <li>Command line signing tool</li>
   <li>Authenticode signing API (<a href="https://javadoc.io/doc/net.jsign/jsign-core">Javadoc</a>)</li>
+  <li>JCA security provider to use the keystores supported by Jsign with other tools such as jarsigner</li>
 </ul>
 
 
@@ -686,6 +687,28 @@ <h3>API</h3>
 <p>See the <a href="https://javadoc.io/doc/net.jsign/jsign-core">Javadoc</a> for more details about the API.</p>
 
 
+<h3>JCA security provider</h3>
+
+<p>Jsign implements a JCA security provider that can be used to sign JAR files with the <code>jarsigner</code> tool.</p>
+
+<p>It requires Java 11 or later, and the syntax looks like this:</p>
+
+<pre>
+ jarsigner -J-cp -Jjsign-5.1.jar -J--add-modules -Jjava.sql \
+           -providerClass net.jsign.jca.JsignJcaProvider \
+           -providerArg &lt;keystore&gt; \
+           -keystore NONE \
+           -storetype &lt;storetype&gt; \
+           -storepass &lt;storepass&gt; \
+           -keypass &lt;keypass&gt; \
+           -certchain &lt;certfile&gt; \
+           application.jar &lt;alias&gt;
+</pre>
+
+<p>The <code>keystore</code> parameter must be set to <code>NONE</code>, the actual value of the keystore is specified
+with the <code>providerArg</code> parameter instead.</p>
+
+
 <h3 id="files">Downloads</h3>
 
 <ul>
diff --git a/jsign-core/src/main/java/net/jsign/jca/AbstractKeyStoreSpi.java b/jsign-core/src/main/java/net/jsign/jca/AbstractKeyStoreSpi.java
new file mode 100644
index 00000000..b2cbda78
--- /dev/null
+++ b/jsign-core/src/main/java/net/jsign/jca/AbstractKeyStoreSpi.java
@@ -0,0 +1,105 @@
+/**
+ * Copyright 2023 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign.jca;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.Key;
+import java.security.KeyStoreSpi;
+import java.security.cert.Certificate;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+
+/**
+ * Base class for JCA keystore implementations.
+ *
+ * @since 5.1
+ */
+abstract class AbstractKeyStoreSpi extends KeyStoreSpi {
+
+    @Override
+    public Certificate engineGetCertificate(String alias) {
+        Certificate[] chain = engineGetCertificateChain(alias);
+        return chain != null && chain.length > 0 ? chain[0] : null;
+    }
+
+    @Override
+    public Date engineGetCreationDate(String alias) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void engineSetCertificateEntry(String alias, Certificate cert) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void engineDeleteEntry(String alias) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public boolean engineContainsAlias(String alias) {
+        Enumeration<String> aliases = engineAliases();
+        while (aliases.hasMoreElements()) {
+            if (aliases.nextElement().equals(alias)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public int engineSize() {
+        return Collections.list(engineAliases()).size();
+    }
+
+    @Override
+    public boolean engineIsKeyEntry(String alias) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public boolean engineIsCertificateEntry(String alias) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public String engineGetCertificateAlias(Certificate cert) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void engineStore(OutputStream stream, char[] password) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void engineLoad(InputStream stream, char[] password) {
+    }
+}
diff --git a/jsign-core/src/main/java/net/jsign/jca/JsignJcaProvider.java b/jsign-core/src/main/java/net/jsign/jca/JsignJcaProvider.java
new file mode 100644
index 00000000..6b657ac4
--- /dev/null
+++ b/jsign-core/src/main/java/net/jsign/jca/JsignJcaProvider.java
@@ -0,0 +1,140 @@
+/**
+ * Copyright 2023 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign.jca;
+
+import java.io.InputStream;
+import java.security.AccessController;
+import java.security.InvalidParameterException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.util.Enumeration;
+
+import net.jsign.DigestAlgorithm;
+import net.jsign.KeyStoreBuilder;
+import net.jsign.KeyStoreType;
+
+/**
+ * JCA provider using a Jsign keystore and compatible with jarsigner.
+ *
+ * <p>The provider must be configured with the keystore parameter (the value depends on the keystore type).
+ * The type of the keystore is one of the names from the {@link KeyStoreType} enum.</p>
+ *
+ * <p>Example:</p>
+ * <pre>
+ * Provider provider = new JsignJcaProvider();
+ * provider.configure(vaultname)
+ * KeyStore keystore = KeyStore.getInstance(AZUREKEYVAULT.name(), provider);
+ * keystore.load(null, accessToken);
+ * </pre>
+ *
+ * @since 5.1
+ */
+public class JsignJcaProvider extends Provider {
+
+    private String keystore;
+
+    public JsignJcaProvider() {
+        super("Jsign", 1.0, "Jsign security provider");
+
+        AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
+            for (KeyStoreType type : KeyStoreType.values()) {
+                putService(new ProviderService(this, "KeyStore", type.name(), JsignJcaKeyStore.class.getName(), () -> new JsignJcaKeyStore(type, keystore)));
+            }
+            for (String alg : new String[]{"RSA", "ECDSA"}) {
+                for (DigestAlgorithm digest : DigestAlgorithm.values()) {
+                    if (digest != DigestAlgorithm.MD5) {
+                        String algorithm = digest.name() + "with" + alg;
+                        putService(new ProviderService(this, "Signature", algorithm, SigningServiceSignature.class.getName(), () -> new SigningServiceSignature(algorithm)));
+                    }
+                }
+            }
+            return null;
+        });
+    }
+
+    public Provider configure(String configArg) throws InvalidParameterException {
+        this.keystore = configArg;
+
+        return this;
+    }
+
+    static class JsignJcaKeyStore extends AbstractKeyStoreSpi {
+
+        private KeyStoreBuilder builder = new KeyStoreBuilder();
+        private KeyStore keystore;
+
+        public JsignJcaKeyStore(KeyStoreType type, String keystore) {
+            builder.storetype(type);
+            builder.keystore(keystore);
+            builder.certfile("");
+        }
+
+        private KeyStore getKeyStore() throws KeyStoreException {
+            if (keystore == null) {
+                keystore = builder.build();
+            }
+
+            return keystore;
+        }
+
+        @Override
+        public Key engineGetKey(String alias, char[] password) throws UnrecoverableKeyException {
+            if (password != null) {
+                builder.keypass(new String(password));
+            }
+            try {
+                return getKeyStore().getKey(alias, password);
+            } catch (UnrecoverableKeyException e) {
+                e.printStackTrace(); // because jarsigner swallows the root cause and hides what's going on
+                throw e;
+            } catch (KeyStoreException | NoSuchAlgorithmException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
+        public Certificate[] engineGetCertificateChain(String alias) {
+            try {
+                return getKeyStore().getCertificateChain(alias);
+            } catch (KeyStoreException e) {
+                return null;
+            }
+        }
+
+        @Override
+        public Enumeration<String> engineAliases() {
+            try {
+                return getKeyStore().aliases();
+            } catch (KeyStoreException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
+        public void engineLoad(InputStream stream, char[] password) {
+            if (password != null) {
+                builder.storepass(new String(password));
+            }
+        }
+    }
+}
diff --git a/jsign-core/src/main/java/net/jsign/jca/SigningServiceKeyStore.java b/jsign-core/src/main/java/net/jsign/jca/SigningServiceKeyStore.java
index 9aec2c16..9bf9019e 100644
--- a/jsign-core/src/main/java/net/jsign/jca/SigningServiceKeyStore.java
+++ b/jsign-core/src/main/java/net/jsign/jca/SigningServiceKeyStore.java
@@ -16,19 +16,14 @@
 
 package net.jsign.jca;
 
-import java.io.InputStream;
-import java.io.OutputStream;
 import java.security.Key;
 import java.security.KeyStoreException;
-import java.security.KeyStoreSpi;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
-import java.util.Collections;
-import java.util.Date;
 import java.util.Enumeration;
 import java.util.Vector;
 
-class SigningServiceKeyStore extends KeyStoreSpi {
+class SigningServiceKeyStore extends AbstractKeyStoreSpi {
     
     private final SigningService service;
 
@@ -50,36 +45,6 @@ public Certificate[] engineGetCertificateChain(String alias) {
         }
     }
 
-    @Override
-    public Certificate engineGetCertificate(String alias) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public Date engineGetCreationDate(String alias) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public void engineSetCertificateEntry(String alias, Certificate cert) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public void engineDeleteEntry(String alias) {
-        throw new UnsupportedOperationException();
-    }
-
     @Override
     public Enumeration<String> engineAliases() {
         try {
@@ -88,44 +53,4 @@ public Enumeration<String> engineAliases() {
             throw new RuntimeException(e);
         }
     }
-
-    @Override
-    public boolean engineContainsAlias(String alias) {
-        Enumeration<String> aliases = engineAliases();
-        while (aliases.hasMoreElements()) {
-            if (aliases.nextElement().equals(alias)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    @Override
-    public int engineSize() {
-        return Collections.list(engineAliases()).size();
-    }
-
-    @Override
-    public boolean engineIsKeyEntry(String alias) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public boolean engineIsCertificateEntry(String alias) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public String engineGetCertificateAlias(Certificate cert) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public void engineStore(OutputStream stream, char[] password) {
-        throw new UnsupportedOperationException();
-    }
-
-    @Override
-    public void engineLoad(InputStream stream, char[] password) {
-    }
 }
diff --git a/jsign-core/src/test/java/net/jsign/jca/JsignJcaProviderTest.java b/jsign-core/src/test/java/net/jsign/jca/JsignJcaProviderTest.java
new file mode 100644
index 00000000..2b23bab4
--- /dev/null
+++ b/jsign-core/src/test/java/net/jsign/jca/JsignJcaProviderTest.java
@@ -0,0 +1,68 @@
+/**
+ * Copyright 2023 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign.jca;
+
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Signature;
+
+import org.junit.Test;
+
+import net.jsign.DigestAlgorithm;
+import net.jsign.KeyStoreType;
+
+import static org.junit.Assert.*;
+
+public class JsignJcaProviderTest {
+
+    @Test
+    public void testServices() {
+        JsignJcaProvider provider = new JsignJcaProvider();
+
+        for (KeyStoreType type : KeyStoreType.values()) {
+            assertNotNull("KeyStore " + type.name(), provider.getService("KeyStore", type.name()));
+        }
+
+        for (String alg : new String[]{"RSA", "ECDSA"}) {
+            for (DigestAlgorithm digest : DigestAlgorithm.values()) {
+                if (digest != DigestAlgorithm.MD5) {
+                    String algorithm = digest.name() + "with" + alg;
+                    assertNotNull("Signature " + algorithm, provider.getService("Signature", algorithm));
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testKeyStore() throws Exception {
+        JsignJcaProvider provider = new JsignJcaProvider();
+        provider.configure("https://cs-try.ssl.com");
+
+        KeyStore keystore = KeyStore.getInstance("ESIGNER", provider);
+        keystore.load(null, "esigner_demo|esignerDemo#1".toCharArray());
+        String alias = keystore.aliases().nextElement();
+
+        PrivateKey key = (PrivateKey) keystore.getKey(alias, "RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=".toCharArray());
+        assertNotNull("key not found", key);
+
+        Signature signature = Signature.getInstance("SHA256withRSA", provider);
+        signature.initSign(key);
+        signature.update("Lorem ipsum dolor sit amet".getBytes());
+
+        assertNotNull("Signature", signature.sign());
+    }
+}
diff --git a/jsign/src/main/java/net/jsign/MavenShadePluginHelper.java b/jsign/src/main/java/net/jsign/MavenShadePluginHelper.java
index 30bff6c2..3b10fdca 100644
--- a/jsign/src/main/java/net/jsign/MavenShadePluginHelper.java
+++ b/jsign/src/main/java/net/jsign/MavenShadePluginHelper.java
@@ -16,6 +16,8 @@
 
 package net.jsign;
 
+import net.jsign.jca.JsignJcaProvider;
+
 /**
  * Bogus class holding a reference to the entry points to help the minimizing
  * process of the shade plugin. This class is removed from the final jar.
@@ -30,5 +32,6 @@ class MavenShadePluginHelper {
         JsignTask.class.getName();
         PESignerTask.class.getName();
         KeyStoreUtils.class.getName();
+        JsignJcaProvider.class.getName();
     }
 }