Preparing Certificates for Digital Signatures


PSPDFKit Server has been deprecated and replaced by PSPDFKit Document Engine. All PSPDFKit Server and PSPDFKit for Web Server-Backed licenses will work as before and be supported until 15 May 2024 (we will contact you about license migration). To start using Document Engine, refer to the migration guide. With Document Engine, you’ll have access to robust new capabilities (read the blog for more information).

To apply a digital signature to your document, you’ll need a certificate and private key pair.

For testing purposes, you can use a self-signed certificate, but validating a document signed with a self-signed certificate may generate warnings due to the inherent lack of trust in self-signed certificates. It may result in a yellow (warning) bar when validating it with PSPDFKit (see our guide on how to view and validate a digital signature for more information) and third-party viewers.

Creating a Self-Signed Certificate

The steps to create a self-signed certificate vary depending on your operating system.

Here’s how to do it on macOS using the graphical user interface (GUI):

  1. Search for Keychain Access in Spotlight by pressing Command-Space bar.

  2. In the menu bar, click Keychain Access. Then choose Certificate Assistant and Create a Certificate….

  3. Provide a name for the certificate, ensure that the Identity Type field is set to Self-Signed Root, and click Create.

This will generate a standard self-signed certificate using a secure 2048-RSA key.

If desired, you can create a testing certificate using a command-line tool like OpenSSL. Follow these steps:

  1. Install OpenSSL on your computer.

  2. Open a terminal window and run the following command:

openssl req -x509 -sha256 -nodes -newkey rsa:2048 -extensions v3_req -keyout test-signer.key -out test-signer.cert

Follow the onscreen instructions to provide the required information for creating the certificate. This command will generate a self-signed certificate and private key named cert.pem in the current directory.

To ensure that validation in PSPDFKit displays a green bar without warnings, you can create a certificate authority (CA) specifically for testing and place trust in it.

Self-Signed Certification Authority and Signing a Certificate

More advanced configuration consists of creating a self-signed certificate authority and using it as a root certificate to create a signing certificate. In a system that trusts such a CA certificate, it isn’t different from a certificate issued by a globally known root authority.

OpenSSL in macOS

Default OpenSSL configuration in macOS doesn’t set relevant options for certification authority generation. One of the ways to solve this is by updating the system configuration.

To do this, add the following lines to /etc/ssl/openssl.cnf. For more information, refer to the community recommendations:

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

Creating a Certification Authority

Generate a private key file named test-ca.key:

openssl genrsa -out test-ca.key 2048

Create and sign a certificate file named test-ca.cert for a CA with the common name (CN) My Test CA v1:

openssl req \
  -x509 -new -nodes -key test-ca.key \
  -subj "/CN=My Test CA v1" \
  -days 3650 -reqexts v3_req -extensions v3_ca \
  -out test-ca.cert

Creating a Signing Certificate

Generate a private key file named test-signer.key and a certificate signing request file named test-signer.csr with the CN My Testing Document Signer:

openssl req \
  -utf8 -nameopt oneline,utf8 -new -newkey rsa:2048 -nodes \
  -subj "/CN=My Testing Document Signer" \
  -keyout test-signer.key -out test-signer.csr

Create a signing certificate file from the request and name it test-signer.cert:

openssl x509 \
  -days 365 \
  -CA test-ca.cert -CAkey test-ca.key -CAcreateserial \
  -in test-signer.csr -req \
  -out test-signer.cert


The process provides four important files:

  • test-ca.cert — A self-signed CA certificate (also the only component of the CA chain). This is what has to be trusted to accept child certificates.

  • test-ca.key — A self-signed CA private key that’s necessary to sign more certificates by the same CA.

  • test-signer.cert and test-signer.key — A signer certificate and a private key used for signing in the signing service — for example, our signing service reference implementation.

Obtaining a Certificate from a Trust Service Provider (TSP)

Obtaining a certificate from a trusted provider ensures the verification of the signer’s identity. If you require a “trusted” certificate that’s recognized worldwide, you can purchase one from a trust service provider (TSP).

To choose a provider using the trusted list browser:

  1. Visit the trusted list browser.

  2. Under Qualified trust services, select Qualified certificate for electronic signature and click Next step.

  3. Choose a country and click Search.

  4. Explore the listed TSPs, and by clicking on each provider’s name, you can access detailed information about their services.

Please note that Trusted Lists are published by each Member State, and the provided link will offer additional details about the TSP and the products they offer.