How to Create Custom Certificate Sets

ℹ️ Note: For information on how to digitally sign documents, please check out this guide.

With PSPDFKit for Windows, you can easily validate digital signatures embedded in PDF documents. Provided you have the feature enabled in your license, you only need to supply the root certificates that PSPDFKit for Windows should use for validation and call the corresponding API method to obtain the validation status of digital signatures embedded in a document.

You can even allow PSPDFKit for Windows to show the current document validation status in the UI using color coding for “wrong,” “warning,” and “OK” statuses.

Certificate stores can be encoded in either of these two formats:

  • PEM-encoded PKCS#7
  • PEM-encoded X.509

To list the certificates contained in a PEM-encoded PKCS#7 file, execute the following command in your shell:

openssl pkcs7 -noout -text -print_certs -in example.p7b
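
The page names PEM-encoded PKCS#7 as a supported store format and shows how to inspect one. As an added example (not part of the original guide and not PSPDFKit code), this script builds such a set from individual PEM X.509 root certificates with OpenSSL, refusing input that does not parse or has expired. The sample roots, file names, and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not PSPDFKit code): assemble a PEM-encoded PKCS#7 certificate set.

# make_sample_root NAME DIR: constructed sample input, a throwaway self-signed root.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.pem" >/dev/null 2>&1
}

# build_cert_set OUT CERT...: bundle PEM X.509 certificates into OUT (PEM PKCS#7).
build_cert_set() {
    out=$1; shift
    tmp=$(mktemp) || return 1
    for cert in "$@"; do
        # -checkend 0 fails for input that does not parse or has already expired.
        if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            echo "rejected $cert: not a PEM certificate, or expired" >&2
            rm -f "$tmp"; return 1
        fi
        # Log what is about to become a trust anchor, for review.
        openssl x509 -in "$cert" -noout -subject -fingerprint -sha256 >&2
        # Re-emit only the certificate, dropping keys or stray text in the file.
        openssl x509 -in "$cert" >> "$tmp"
    done
    rc=0
    openssl crl2pkcs7 -nocrl -certfile "$tmp" -out "$out" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# count_certs FILE: number of certificates inside a PEM PKCS#7 set.
count_certs() {
    openssl pkcs7 -print_certs -noout -in "$1" | grep -c '^subject='
}

# Demo on constructed input: two sample roots in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_root sample-root-a "$demo_dir"
make_sample_root sample-root-b "$demo_dir"
build_cert_set "$demo_dir/roots.p7b" \
    "$demo_dir/sample-root-a.pem" "$demo_dir/sample-root-b.pem"
echo "certificates in set: $(count_certs "$demo_dir/roots.p7b")"
```

The subject and SHA-256 fingerprint lines written to stderr give a reviewable record of every certificate that ends up in the trust set.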

Providing Trusted Root Certificates

You need to provide a way for PSPDFKit to access the trusted root certificates you want to use for digital signature validation.

For this purpose, you can register a handler for the PSPDFKit.Sdk.TrustedCertificateAuthorityRequest event. The event is raised whenever the framework needs the certificate or certificates. The handler should set the list of PEM-encoded certificates to be used for validation.

Example Using a Dynamic List of Certificates:

// Create an event handler for returning the certificate or certificates.
var getCACertificate = new TypedEventHandler<Deferral, CertificateAuthorities>(async (sender, args) =>
{
    try
    {
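        // `LoadFileAsync` stands for your app's own helper; it is assumed to
        // return the PEM text of the certificate file as a string.
        var cert = await LoadFileAsync("TrustedRootCert.pem");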

        args.Certificates = new List<string>
        {
            cert
        };
    }
    finally
    {
        // It is essential to complete the `Deferral`.
        sender.Complete();
    }
});

try
{
    // Register the event handler with PSPDFKit.
    Sdk.TrustedCertificateAuthorityRequest += getCACertificate;

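    // `GetMyFileAsync` stands for your app's own helper that returns the signed PDF as a storage file.
    var file = await GetMyFileAsync("TrustedSignature.pdf");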
    var source = DocumentSource.CreateFromStorageFile(file);
    var doc = await Document.OpenDocumentAsync(source);

    var signaturesInfo = await doc.GetSignaturesInfoAsync();
    Assert.AreEqual(DocumentValidationStatus.Valid, signaturesInfo.DocumentValidationStatus);
}
finally
{
    // Unregister the event handler.
    Sdk.TrustedCertificateAuthorityRequest -= getCACertificate;
}