Signing PDFs with Self-Signed Certificates
Requirements: Secure PDF
Introduction
This article shows how to create a self-signed X.509 certificate using the CertMgr component and then use that certificate to sign a PDF with the PDFSign component. Self-signed certificates are useful for development, testing, and demonstration environments. For production or public-facing workflows, it is recommended to use a certificate issued by a trusted CA. See the CertMgr documentation for more detailed information.
Creating a Self-Signed Certificate with CertMgr
CertMgr can create certificates in the Windows certificate store or directly as files (PFX/PEM) on disk or in memory.
Create in the Windows User Store
// Create a self-signed cert in Current User\MY
CertMgr cm = new CertMgr();
cm.CertStoreType = CertStoreTypes.cstUser; // Current user store
cm.CertStore = "MY";
// Optional: pick signing algorithm for the certificate
cm.Config("CertSignatureAlgorithm=SHA256");
cm.CreateCertificate("CN=PDF Test Signer", 1);
Create a PFX on Disk
CertMgr cm = new CertMgr();
cm.CertStoreType = CertStoreTypes.cstPFXFile;
cm.CertStore = "C:\\certs\\pdf-signer.pfx";
cm.CertStorePassword = "changeit"; // protects the private key; placeholder value, do not hard-code a real password
cm.Config("CertSignatureAlgorithm=SHA256");
cm.CreateCertificate("CN=PDF Test Signer", 1);
Create a PFX in Memory (for secure in-app storage)
CertMgr cm = new CertMgr();
cm.CertStoreType = CertStoreTypes.cstPFXBlob;
cm.CertStorePassword = "changeit";
cm.Config("CertSignatureAlgorithm=SHA256");
cm.CreateCertificate("CN=PDF Test Signer", 1);
// Access the PFX bytes via CertStoreB if needed
byte[] pfxBytes = cm.CertStoreB;
Create a PEM on Disk (public/private key pair in PEM)
CertMgr cm = new CertMgr();
cm.CertStoreType = CertStoreTypes.cstPEMKeyFile;
cm.CertStore = "C:\\certs\\pdf-signer.pem";
// CreateCertificate writes to the PEM file
cm.CreateCertificate("CN=PDF Test Signer", 1);
Using the Self-Signed Certificate with PDFSign
Once you have a self-signed certificate, load it into PDFSign and create a signature.
.NET Framework Example (PFX on disk)
using nsoftware.SecurePDF;
PDFSign signer = new PDFSign();
signer.Overwrite = true;
signer.InputFile = @"C:\docs\in.pdf";
signer.OutputFile = @"C:\docs\signed.pdf";
// Load the self-signed certificate from PFX
signer.SigningCert = new Certificate(
    CertStoreTypes.cstAuto,
    @"C:\certs\pdf-signer.pfx",
    "changeit",
    "*" // subject (or * to pick the only one)
);
// Optional metadata and hash algorithm
signer.SignatureAuthorName = "Test Signer";
signer.SignatureReason = "Development Signing";
signer.SignatureHashAlgorithm = "SHA256";
signer.Sign();
.NET Framework Example (PEM on disk)
using nsoftware.SecurePDF;
PDFSign signer = new PDFSign();
signer.Overwrite = true;
signer.InputFile = @"C:\in.pdf";
signer.OutputFile = @"C:\signed.pdf";
// Load PEM that contains certificate and private key
signer.SigningCert = new Certificate(
    CertStoreTypes.cstAuto,
    @"C:\certs\pdf-signer.pem",
    "", // password if the key is encrypted
    "*"
);
signer.SignatureAuthorName = "Test Signer";
signer.SignatureReason = "Development Signing";
signer.SignatureHashAlgorithm = "SHA256";
signer.Sign();
Tips and Considerations
Self-signed certificates are not trusted by default; they are ideal for development and testing, but for production you should use a certificate issued by a trusted CA so that recipients' PDF readers will show a trusted status. When creating or updating long-term validation (LTV) signatures, configure timestamping and an appropriate validation policy in PDFSign. For enumeration and conversion tasks, see the broader Getting Started with CertMgr guide, and for complete details and advanced configuration options refer to the CertMgr documentation.
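To see why a validator reports a self-signed signing certificate as untrusted, the following added example (not part of the original article and not n software code) builds an X.509 chain with the standard .NET APIs. The in-memory certificate is a constructed stand-in for the one CertMgr creates, and the class and method names are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class DevCertCheck // hypothetical helper, not part of Secure PDF
{
    // Collects every chain status flag reported when validating the certificate.
    public static X509ChainStatusFlags ChainFlags(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            // A self-signed test certificate publishes no CRL/OCSP endpoint.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.Build(cert);
            return chain.ChainStatus.Aggregate(
                X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        }
    }

    // Self-signed means subject and issuer names are byte-for-byte identical.
    public static bool IsSelfSigned(X509Certificate2 cert) =>
        cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);

    static void Main()
    {
        // Constructed sample: RSA-2048 key and SHA-256 self-signed certificate,
        // standing in for the certificate created with CertMgr above.
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=PDF Test Signer", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 cert =
                   request.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(1)))
            {
                Console.WriteLine("Self-signed:     " + IsSelfSigned(cert));
                Console.WriteLine("Has private key: " + cert.HasPrivateKey);
                Console.WriteLine("Signature alg:   " + cert.SignatureAlgorithm.FriendlyName);
                Console.WriteLine("Valid until:     " + cert.NotAfter.ToString("u"));
                Console.WriteLine("Chain status:    " + ChainFlags(cert));
            }
        }
    }
}
```

To run the same checks against the PFX created earlier, load it with `new X509Certificate2(@"C:\certs\pdf-signer.pfx", "changeit")` instead of generating a certificate. An `UntrustedRoot` chain status is the expected result for a self-signed certificate that has not been added to a trust store.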