PDF XChange Forum

Just wanted to ask if it is possible to sign pdf documents with keys generated by GPG, which we also use to sign e-mails?

Hello Sleipner,

Thank you for the excellent question, we try to make our products compatible with as many certificates as possible, but it depends on the Certificate itself and its "intended purpose". As we do not have any GPG keys locally, I cannot guarantee this will work, but you will need to ensure that you signature certificate has an intended purpose of "document Signing", or it will certainly not work.

My suggestion would be to download the Free version of the software and test this, just to be certain of whether or not it will work personally.
https://www.pdf-xchange.com/product/downloads

Kind regards,

I do have the full version.

Just asking, because I couldn't find out how to do it.

Hi sleipner,

Thanks for the post - You can create a new signature using an existing certificate, either from a certificate file or from the Windows Store: If you do this using either method, is your certificate not available?

Thanks,

I'm really a novice regarding encryption and signing, but in those times we are in now I think we can't efford not to find out.

In your screenshot, there are 2 options. The first one is from System Store, and I do have one that I can pick. This certificate seems to be issued by "Communications Server", which I believe would be Windows itself. It's valid for 6 months.


The other choice would be more interesting - from file. In that case you do allow .pfx and .p12 extensions. I've read a bit through the Kleopatra manual and it looks like that .p12 files can only be generated from S/MIME and not from OpenPGP certificates (https://docs.kde.org/stable5/en/pim/kle ... l#menufile). But here I might be wrong as well, so that probably should be verified by someone else.

What I can generate are .asc, .gpg or .pgp files.

Hello Sleipner,

If you are able to see the one from the system store, than all should be in order for you to use that one there.

As for the "from file" option, at this time we do only support .pfx and .p12 formats, so if you cannot generate the certificate in one of these formats, we will not be able to make use of it under this selection.

Kind regards,

I think the answer very much lies in that article.

https://security.stackexchange.com/ques ... te-manager

OpenPGP certificates can't be used as X.509 certificates, and apparently PD-XChange Editor uses those.

Hi sleipner,

Thanks for that - It appears that you're correct and that OpenPGP certificates will not work with our software.

Sorry, but I have to take up that thread once again.

As we found out OpenPGP signatures apparently can't be used, and we can use certificate from System Store (I think those are generated by Windows).

My question is, what kind of procedure would be necessary to use certificates from a file. In that case I guess som kind of certificate authority would be issuing a certificate which we could use.

Any tips of where to start, would it be necessary to do that for each employee in the company?

Hello Sleipner,

Whether you plan to use the windows system store, or a file based option, the Editor is capable of creating signatures that are "self signed". Alternatively, you would need to contact a signing authority for details on the process for their signature certificates.

Generally speaking, If yo are creating the certificates within the Editor, creating a System store certificate is more secure, but yes it would need to be done once per user across the board. If creating one of our .pfx or .p12 extension signatures, you could quite easily distribute these to your users, to make continued use of the same signature, please see this article for details on that process.

Beyond that, I would advise making use of web resources to research available signing authorities, their options, and the like, as we are not an "all knowing" entity, and can only provide advice regarding our own software.

Kind regards,

Thanks for the repy.

One final question, because I still don't fully understand the concept of signing.

If I understand the concept correctly, a self signed certificate states that the file has not been tampered with between the sender and the receiver.

But it doesn't proof that the sender is what he says he is.

I could sign a contract with a self signed certificate, that I, Bill Gates, hereby sell my car to you for 1 Dollar. This certificate neither proves my identity nor my e-mail address nor anything else. Just that the document itself hasn't changed.

If I understand the concept correctly, a self signed certificate states that the file has not been tampered with between the sender and the receiver.

But it doesn't proof that the sender is what he says he is.

You do understand the concept correctly. Check what your client's requirements for digital signing are. IdenTrust, DigiCert and many other certification authorities (CA) will provide you with what you need.

Cheers Lev!