Creating certificate for itext pdf digital signature

Posted: February 19, 2013 in web

Submitted by Bruno Lowagie on Wed, 02/16/2011 – 11:33.

Install your certificates in your browser (I use Firefox):

  1. I go to and I log in.
  2. Choose “Client Certificates” and click “New”.
  3. Pick the e-mail address for which you want to create a new certificate; choose to include your name; and click “next”.
  4. Choose a keysize and click “Create Certificate Request” (this takes a while).
  5. Click on the link “Click here to install”.

Obtain the certificates from your browser (in Firefox):

  1. Go to Options in the Extra menu, and choose Advanced (Encryption).
  2. Open the certificates dialog and look at your certificates (first tab).
  3. Click on the button that makes a copy of your certificate.
  4. Save the keystore as a .p12 file and choose a keystore password (you’ll need this password in your iText code).

You now have a keystore (for instance my_cacert.p12 with password my_pass) with your CAcert private key and public certificate. You can use this .p12 file in your code as follows:

    // "BC" is the Bouncy Castle provider; it must be registered before this call.
    KeyStore ks = KeyStore.getInstance("pkcs12", "BC");
    ks.load(new FileInputStream("my_cacert.p12"), "my_pass".toCharArray());
    // Take the first alias in the keystore and read its private key and certificate chain.
    String alias = (String)ks.aliases().nextElement();
    PrivateKey key = (PrivateKey) ks.getKey(alias, "my_pass".toCharArray());
    Certificate[] chain = ks.getCertificateChain(alias);

The rest of the code is identical to what’s in the book.

IMPORTANT: depending on the keylength you chose, you may need to replace the encryption libraries as explained in the FAQ on page 392.
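
Before wiring the exported .p12 into signing code, it helps to confirm what the file actually contains. The following is an added example, not part of the original post or of iText: the class name InspectP12 is hypothetical, and it uses the JDK's default PKCS12 provider instead of "BC". It finds the private-key entry by type rather than taking the first alias, reports the RSA key length, and checks validity, key/certificate match and chain order.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Arrays;
import java.util.Collections;

public class InspectP12 {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java InspectP12 <keystore.p12>");
            System.exit(2);
        }
        // Prompt for the password rather than hard-coding it in source.
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("PKCS12"); // JDK default provider
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // certificate-only entries cannot sign
            keyEntries++;
            PrivateKey key = (PrivateKey) ks.getKey(alias, password);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate signer = (X509Certificate) chain[0];
            System.out.println("alias:   " + alias);
            System.out.println("subject: " + signer.getSubjectX500Principal());
            System.out.println("issuer:  " + signer.getIssuerX500Principal());
            signer.checkValidity(); // throws if expired or not yet valid
            if (key instanceof RSAKey && signer.getPublicKey() instanceof RSAKey) {
                RSAKey priv = (RSAKey) key, pub = (RSAKey) signer.getPublicKey();
                System.out.println("RSA key length: " + pub.getModulus().bitLength() + " bits");
                if (!priv.getModulus().equals(pub.getModulus()))
                    throw new IllegalStateException("private key does not match certificate");
            }
            // Each certificate must be signed by the next one in the chain.
            for (int i = 0; i + 1 < chain.length; i++)
                chain[i].verify(chain[i + 1].getPublicKey());
            System.out.println("chain length: " + chain.length + " (order verified)");
        }
        Arrays.fill(password, '\0'); // wipe the password from memory
        if (keyEntries == 0) throw new IllegalStateException("no private-key entry found");
    }
}
```

A chain length of 1 means the export contains only the signer certificate, so the issuing root has to be trusted separately by whoever validates the signature.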


Submitted by Bruno Lowagie on Fri, 02/18/2011 – 09:14.

The message “The validity of the document certification is UNKNOWN. The author could not be verified” is to be expected because the root certificate of CAcert isn’t shipped with Adobe Reader. I’ve explained this on my blog.

  1. Go to, select CAcert Root Certificates. Choose Class 1 PKI Key and right-click Root Certificate (PEM Format) to download and save the file root.crt.
  2. Open Adobe Reader, go to Edit > Protection > Manage Trusted Identities and click the “Add Contacts” button. Browse for root.crt and add it.
  3. Select that new entry (CA Cert Signing Authority) and click the “Edit Trust” button. You need to make sure that the certificate can be used as a trusted root.

This solves the problem: you’ll now get the message “Signer’s identity is valid”.


  1. mohanmahtha says:

    This website is really a walk-through for all of the info you wanted about this and didn’t know who to ask. Glimpse here and you’ll definitely discover it. WONDERFUL Post! Thanks for sharing Creating certificate for itext pdf digital signature Certificate.. I will wait for more qualitative information..
