When we send PDF to others, sometimes we need to protect it from modification.

We can add password to PDF to setup permission. But there are some weird ways to bypass this to make modifications.(Use Foxit PDF Editor 2.1 to modify direcly)。So permission is not trustable.

Digital Signature is the common method for protecting files, PDF supports it. But self-issued certs cannot be verified by system (because the self-issued CA is not trusted by receiver). Purchasing a dedicated PDF cert is expensive, obviously it is not for personal use.

So I want to introduce how I protect my PDF files: Sign PDF with private key issued for my domain by Let’s Encrypt. HTTPS Certs have short validity, for example the certs issued from ACME have validity of 3 months. But the CA is valid, so this file still can be verified.

If you own a long-term domain, I will recomment you this way. If your domain is just for temporary use, your domain will not have a strong bind with your identity, you can sign the file but maybe it is not a good idea for anti-modification. (tip: maybe you can issue a cert for name.pdf-verify.example.org to state the usage of cert.)

Disadvantages:

  1. Cery Key usage is for https auth. But it’s usable.
  2. Because of above, adobe acrobat doesn’t support signing file with this, or verifing the validity of the cert. We can sign with other PDF softwares. So if this file is opened by Acrobat users, it seems not good.

1 two steps to make things prettier

  • https://imgtool.net/pdf-metadata/ use this tool to modify PDF Metadata, such as creater, author, tools, to our domains, name, or anything. Also the creation time and modify time, should be reasonable.
  • Add a password for preventing modification PDF. You can pass this because this is meaningless, it is easy to be unlocked, so it is almost impossible to prevent copying (converting to svg/images is not a good idea I think).

2 Certificate Application
You need a domain, and you are able to modify its DNS record, or put a file under its webroot, this is required to verify you are the domain holder.

Then we get the cert and privkeys for your domain.

You may check out Let’s Encrypt Docs
Let’s encrypt officially recommends Certbot to issue keys, you can Download for windows, or get more from Certbot.

After installation, open certbot from start menu.
Enter command:

Certbot certonly –manual

You may try more detailed command like this:

certbot certonly -d "pdfsign-xxx.example.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Then follow the guide to enter Email(for renew notification, not necessary, and no verification needed), and domain name.

Next verify DNS (from the command-line I wrote challenge with DNS), or you may need to put a file under webroot. You can refer to more infos about this cert application from search engines.

Finally we will get some files in:
C:\Certbot\live\example.com\

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\pdfsign-xxx.inko.lv\fullchain.pem
Key is saved at:         C:\Certbot\live\pdfsign-xxx.inko.lv\privkey.pem
This certificate expires on 2024-01-22.
These files will be updated when the certificate renews.

Open a command prompt(cmd.exe), enter this folder

cd C:\Certbot\live\example.com\

(Reference: https://zhuanlan.zhihu.com/p/627526278 , and about renewal, blabla)

3 pfx generation
on Linux it’s easy, install openssl (I think it is preinstalled)
on Windows We need to install:
https://slproweb.com/products/Win32OpenSSL.html
Choose Win64 OpenSSL x.x.x Light
Below is the commands to setup environment and to generate pfx.

set PATH=C:\Program Files\OpenSSL-Win64\bin;%PATH%
cd C:\Certbot\live\example.com\
openssl pkcs12 -export -out signpdf.pfx -inkey privkey.pem -in fullchain.pem

It will ask you to enter a password, remember the password(or leave blank, but I don’t recommend this.). Then we get C:\Certbot\live\example.com\signpdf.pfx.

4 Sign
Now we have a priv-key to sign PDF.

// The editor I use is PDF X-Change Editor

Open the PDF, on the ribbon bar click Protect - Certify(invisible). (or other ways you may try)

Select: Use Certificate from File, choose the pfx we got above, then enter password.

Below Details, the reason for signing you should enter.

  • First Initial (by xxx)
  • Form Filled (by xxx)
    And other infos you may enter if you want.
    The permissions is important, we have below options:
  • No Changes allowed
  • Allow Form Filling, Doc (Dual) Signing, Creation of Page templates
  • Above all, and Commenting

We have different scenarios for permissions:

  • Dual signing means, for example we have a file need to be signed by different people, I sign the file, then give this to next people, he sign with the same way. Then this file will have two signatures.
  • Commenting is not recommend, because it is easy to forge some contents. Form is a good way I think.
  • If a file is final, no modification is needed, choose No Changes allowed.

Sign Template If you didn’t choose invisible sign, you can custom a stamp.

Tempstamp Server is Mandatory
choose a common tempstamp server, below are available:
http://timestamp.digicert.com/
http://timestamp.sectigo.com
With timestamp we can verify the signature after the cert is expired.

Then save, open the PDF with Edge we can see the file is signed and verified (if you choosed invisible certify).

Finally this file is trusted on Internet.

Please keep the private keys like keeping your passwords.