Introduction to Digital Signatures

A digital signature is an electronic fingerprint uniquely identifying the signing person. A digital signature on a PDF document is both reliable proof of the document’s origin and protection against modification by third parties. Be sure to check out our blog post about electronic signatures in a PDF, which explains how digital signatures work and when they are needed.

ℹ️ Note: For more information on digital signatures, please look at the Digital Signatures in a PDF guide by Adobe. You should also take a look at section 12.8 of Adobe’s PDF 1.7 specification. For general information on how digital signatures work, please read the digital signature entry on Wikipedia.


The supported signing method is:

  • CMS (adobe.pkcs7.detached)

Supported signing algorithms are:

  • RSA


Supported hashing algorithms include:

  • MD4

  • MD5

  • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512-256)

A hashing algorithm converts a large amount of data (your PDF document) to a fixed-length string. If someone changes one bit of data in your PDF document, the hashing algorithm produces a different string, so if you store that hash inside the PDF document, you could detect when the document has been changed by a third party. However, as easy as it sounds, this approach is insecure on its own. A hash involves no secret, so anyone who knows which hashing algorithm was used can modify the document, recompute the hash, and replace the stored value so that the document still validates as authentic. To avoid this, PSPDFKit for Web combines the hash with public key encryption algorithms.

More specifically, PSPDFKit supports RSA, one of the most popular public key encryption algorithms. ECDSA, an algorithm based on elliptic curve cryptography, is also supported. Cryptographic systems based on ECDSA are becoming the de facto standard for messaging and systems security. You can generate a self-signed RSA certificate with this OpenSSL command:

  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -extensions v3_req -keyout private-key.pem -out cert.pem

ECDSA certificates can be created using the openssl ecparam command.

You can use a self-signed certificate for testing purposes, but you will need to make sure the certificate is trusted by all the devices the PDF is opened on (including PCs/Macs with Acrobat). A self-signed certificate will probably also generate warnings about its keyUsage extension (the self-signed certificate must permit certificate signing — keyCertSign, see RFC 5280).

⚠️ Important: In production, always use a certificate from a valid certificate authority. Make sure the certificate’s keyUsage has the digitalSignature permission set (see RFC 5280).

How to Create Digital Signatures

To create a digital signature, you need two things.

  • First, you need an X.509 certificate that contains your public key and your signer information. PSPDFKit supports PEM-encoded and DER-encoded X.509 certificates, as well as DER-encoded PKCS#7 certificates. You can verify if a PKCS#7 certificate file is correctly PEM-encoded by using the OpenSSL command line tool as follows:

  openssl pkcs7 -noout -text -print_certs -in example.p7b

The above command will print an error message if “example.p7b” is not a PEM-encoded PKCS#7 certificate or certificate chain.

To verify if a PKCS#7 certificate file is correctly DER encoded, you can use this command instead:

  openssl pkcs7 -inform der -noout -text -print_certs -in example.p7b

The above command will print an error message if “example.p7b” is not a DER-encoded PKCS#7 certificate or certificate chain.

  • Second, you need your private key. A private key and self-signed certificate pair can be created with the command shown in the previous section.

The signing process produces the signature by using a private key to encrypt the hash of the snapshot of the current state of the document. The certificate with its public key is added to the signature and saved in the PDF file.

To learn how to digitally sign a document using PSPDFKit for Web, please see this guide.

How to Validate a Digital Signature

PSPDFKit for Web is also able to validate signatures. The validation process consists of two steps.

  • In the first step, we check if the signature certificate embedded during signing can be trusted. In order to do this, we need to obtain the trusted certificate chain up to the root authority that issued it. Both the Server and Standalone setups of PSPDFKit for Web allow you to specify the certificates to use for validation. See this article for specific information on how to provide them in your setup.

  • In the second step, we verify the signature. This process essentially decrypts the signature with the public key from the certificate that was embedded in the PDF file on signing and compares the result with the message digest built from the PDF file, excluding the signature itself.
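The signing and two-step validation flow described in this guide, as an added example that is not PSPDFKit's code: it creates an ECDSA test key with openssl ecparam, a self-signed certificate whose keyUsage carries digitalSignature and keyCertSign, and a detached CMS signature, then verifies the original content and a modified copy. The file names, the "Test Signer" subject and the sample bytes are constructed, and the plain file stands in for the signed content of a PDF.

```shell
#!/bin/sh
# Added example, not PSPDFKit code. File names and the "Test Signer" subject
# are constructed; doc.bin stands in for the signed bytes of a PDF.

make_test_signer() {   # $1 = work dir; writes key.pem and cert.pem
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Test Signer
[ext]
keyUsage = critical, digitalSignature, keyCertSign
EOF
  # P-256 key from `openssl ecparam`, then a self-signed test certificate.
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" &&
  openssl req -x509 -new -sha256 -key "$1/key.pem" -config "$1/req.cnf" \
    -days 1 -out "$1/cert.pem"
}

key_usage() {          # $1 = certificate; prints its keyUsage values
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

sign_detached() {      # $1 = work dir, $2 = content file; writes sig.der
  # SHA-256 digest: MD4 and MD5 are collision-broken, so avoid them here.
  openssl cms -sign -binary -md sha256 -outform DER -signer "$1/cert.pem" \
    -inkey "$1/key.pem" -in "$2" -out "$1/sig.der"
}

verify_detached() {    # $1 = work dir, $2 = content file; exit 0 if valid
  # Checks the signer against the trust anchor (-CAfile), then the
  # signature against a digest recomputed over the content.
  openssl cms -verify -binary -inform DER -in "$1/sig.der" -content "$2" \
    -CAfile "$1/cert.pem" -out /dev/null 2>/dev/null
}

# Demo: the original verifies; one appended byte makes verification fail.
d=$(mktemp -d) && printf 'constructed document bytes\n' > "$d/doc.bin"
make_test_signer "$d" && sign_detached "$d" "$d/doc.bin"
echo "keyUsage: $(key_usage "$d/cert.pem")"
verify_detached "$d" "$d/doc.bin" && echo "original: valid"
printf 'X' >> "$d/doc.bin"
verify_detached "$d" "$d/doc.bin" || echo "tampered: rejected"
rm -rf "$d"
```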

Cryptography Terminology

There are certain key concepts and terminology you might find useful to familiarize yourself with when dealing with digital signatures and cryptography. Here is a basic overview of some of them. If you are interested in learning about any of them in depth, you will find many helpful resources online. For the purposes of this article, we’ve used definitions found on Wikipedia and the OpenSSL Wiki:

  • PKI (Public Key Infrastructure) — “A set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.”

  • PEM (Privacy-Enhanced Mail) — An ASCII “format for storing and sending cryptographic keys, certificates, and other data.”

  • DER (Distinguished Encoding Rules) — “A binary format for data structures described by ASN.1.”

  • X.509 — “A standard defining the format of public key certificates” and certificate revocation lists, among other things.

  • PKCS#7 (Public Key Cryptography Standards) — A standard used to “digitally sign, digest, authenticate or encrypt any form of digital data.”

For more information on how to use digital signatures in PSPDFKit for Web, please see this guide. To validate digitally signed documents using a specific set of certificates, please refer to this one.