Sign PDF files digitally from CLI or your webserver

an illustration showing a signed pdf file on mobile, tablet and desktop

Easily sign PDF files from your command line.
No special certificates needed, you can just reuse your already existing certificates, e.g. from Let's Encrypt.

Features

a symbolized certificate

Digital Signature

Cryptographically sign your PDF files in PAdES-B and PAdES-T. This lets your site visitors know that PDFs were actually served by your server.

certificates in different colors

Customization

Customize the signature to your liking. You can append a visible or invisible signature. Visible signatures can be further customized.

Docs
a server running open-pdf-sign software

Integrations

open-pdf-sign easily integrates with your existing Nginx web server or can be used in your Node.JS projects

nginx npm module

Sign PDFs from your Command Line

The CLI can be easily invoked. Just run

java -jar open-pdf-sign.jar -i input.pdf -o output.pdf \
     -c /etc/letsencrypt/live/openpdfsign.org/fullchain.pem \
     -k /etc/letsencrypt/live/openpdfsign.org/privkey.pem

That's it! 🎉

For signature you can use e.g. your domain certificate, or any other certificate.

In its default settings, the document is signed using an invisible electronic signature. In case you want to add a visible signature to the signed documents, you can use the --page, --image, --hint and other options.

java -jar open-pdf-sign.jar -i input.pdf -o output.pdf \
     -c /etc/letsencrypt/live/openpdfsign.org/fullchain.pem \
     -k /etc/letsencrypt/live/openpdfsign.org/privkey.pem \
     --page -1 --image mylogo.png \
     --hint "You can check the validity at signaturpruefung.gv.at"

Will sign your PDF on the last page with a textblock containing your given image:

a signed PDF document


Let's sign every PDF that is served by your server.

While you can use open-pdf-sign to sign single PDFs, you can also use the open-pdf-sign-configurator to just sign every single PDF that your nginx server hosts on the fly.

But why?
Users that access PDFs of your website directly can be sure of the authenticity of the served PDFs because of the TLS connection.
With the open-pdf-sign server installed, every PDF served is automatically and invisibly signed with the certificate already used for the TLS connection. This allows downstream recipients of the PDF to verify that the PDF actually came from your server.

A workflow showing how open-pdf-sign improves communication. While TLS secures all pdf files from server to downloader, with open-pdf-sign this authenticity is expended also when the PDF file is forwarded outside the TLS connection. A workflow showing how open-pdf-sign improves communication. While TLS secures all pdf files from server to downloader, with open-pdf-sign this authenticity is expended also when the PDF file is forwarded outside the TLS connection.

Questions and answers

What is open-pdf-sign and what is it used for?

Open-pdf-sign is a software package that allows for the automatic signing of PDF documents. It is designed to be easy to use for developers, and is released under an permissive Open Source license.

Is open-pdf-sign Open Source?

Yes, open-pdf-sign is released under the Apache 2.0 Open Source license, allowing anyone to use and modify the code.

What platforms does open-pdf-sign support?

As a Java CLI application, open-pdf-sign supports Windows, Linux and Mac OS, as long as a Java JRE at minimum version 8 is available.

Do I need a special certificate for signing?

In general, you can use any certificate/key for signatures, even domain keys such as Let's Encrypt. Be aware that with these certificates, some legal consequences of the signature may not be present due to the non-repudiation bit not being set.

Can I attach visible signatures using my own logo?

Yes, the signature may also be a visible signature, using user-provided text or graphics. Please refer to the documentation for more information and examples.

What servers does open-pdf-sign-configurator support?

The open-pdf-sign-configurator package allows an easy integration with nginx web servers. But it can be installed on other servers.

Is open-pdf-sign free to use?

Yes, open-pdf-sign is free to use and distribute.

Can open-pdf-sign be used to sign PDFs on a webserver?

Yes, open-pdf-sign is designed to be used on a webserver to sign PDFs automatically.

How do I install open-pdf-sign-configurator on my server?

Please refer to the installation instructions in the open-pdf-sign documentation for specific instructions on how to install the software on your server.

Is support available for open-pdf-sign?

Yes, support is available for open-pdf-sign through the project's GitHub page, where you can submit issues and ask questions.

Can I contribute to the development of open-pdf-sign?

Yes, open-pdf-sign is Open Source and anyone is welcome to contribute to the development of the software.