How to Create Custom Certificate Sets

ℹ️ Note: For information on how to digitally sign documents, please check out this guide.

With PSPDFKit for Web, you can easily validate digital signatures embedded in PDF documents. Provided you have the feature enabled in your license, you only need to supply the root certificates that PSPDFKit for Web should use for validation and call the corresponding API method to obtain the validation status of digital signatures embedded in a document.

You can even allow PSPDFKit for Web to show the current document validation status in the UI using color coding for “wrong,” “warning,” and “OK” statuses.

Certificate stores can be encoded in either of these two formats:

  • DER- or PEM-encoded PKCS#7

  • DER- or PEM-encoded X.509

For PEM-encoded certificates, execute the following command in your shell:

openssl pkcs7 -noout -text -print_certs -in example.p7b

For DER-encoded certificates, execute the following command in your shell:

openssl pkcs7 -inform der -noout -text -print_certs -in example.p7b

If you’re unsure about the format of your certificate, try to load it with the format specified directly (learn more):

openssl x509 -inform pem -in cerfile.cer -noout -text
openssl x509 -inform der -in cerfile.cer -noout -text

Let’s now see how to perform validation of digital signatures in the different deployment modes.

Server-Backed Deployment

PSPDFKit Server will search for certificate stores at the /certificate-stores path inside its container. You can mount a folder from the host machine containing your certificates. As an example, you can update the configuration in the Docker Compose file by adding the needed volume:

    - "./path-on-the-host:/certificate-stores"

Note that for performance reasons, PSPDFKit Server defers loading certificate files until a signature needs to be validated, so you will need to open a signed document to test that the files are loaded as expected.

Standalone Deployment

When using Standalone mode, you need to provide a way for PSPDFKit to access the trusted root certificates you want to use for digital signature validation.

For this purpose, you can set PSPDFKit.Configuration#trustedCAsCallback when loading. This callback should return a Promise object that resolves to the Array of certificates to be used for validation. If the certificate is DER encoded, you need to return it as an ArrayBuffer. If it’s PEM encoded, you need to return it as a string.

In order to retrieve the certificate list, PSPDFKit for Web calls the function assigned to PSPDFKit.Configuration#trustedCAsCallback when an instance is loaded.

Example Using a Dynamic List of Certificates:

  trustedCAsCallback: async () => {
    let res;
    let arrayBuffer;
    try {
      res = await fetch(myCertificateStore);
      // Use `res.text()` instead for a PEM-encoded certificate.
      arrayBuffer = await res.arrayBuffer();
    } catch (e) {
      throw `Error ${e}`;
    if (!res.ok) {
      throw `HTTP Error ${res.statusCode}`;

    return [arrayBuffer];