Sign with PEM File

This guide will explain the process of signing a PDF file using a certificate chain and a private key that are extracted from PEM files.

Before you begin

You should get your API key from your UniCloud account.

If this is your first time using UniPDF SDK, follow this guide to set up a local development environment.

Project setup

Clone the project repository

In your terminal, clone examples repository using the following command: It contains the Go code we will be using for this guide.

git clone

Then navigate to the signatures folder in the unipdf-examples directory.

cd unipdf-examples/signatures

Configure environment variables

Configure your license key using the following command: Replace the UNIDOC_LICENSE_API_KEY with your API credentials from your UniCloud account.





How it works

The import section imports the UniPDF packages and other necessary Go libraries. The init function loads the metered license key form the system environment and sets the license using icense.SetMeteredKey(os.Getenv(`UNIDOC_LICENSE_API_KEY`)).

The main functions starts in line 60. In this function the inputPath, outputPath,certPath and privateKeyPath are parsed from the command line arguments in line 51-57.

The signing certificate and the certificate chains are loaded using loadCertificates(certPath). This function returns the certificate as x509.Certificate object and the certificate chain as a PDF array object. The private key is loaded using loadPrivateKey(privateKeyPath) from the provided private key path. Then using sign(inputPath, outputPath, signingCert, privateKey, pdfCerts) the input file is signed and written to output file.

The loadPrivateKey function loads the private key from file and returns it as rsa.PrivateKey. The function returns an error if the loading process fails.

The loadCertificates function defined in lines 102-148 loads the certificate from the input path provided in the function parameter. It returns x509.Certificate and core.PdfObjectArray types which are the signing certificate and the certificate chain respectively.

The sign function signs the input PDF file using the singing certificate and embeds the certificate chain, including the signing certificate itself, inside the generated PDF signature. In this function in lines 153-160, an anonymous signature function is defined and assigned to signFunc. This signing function is then used in the call to NewAdobeX509RSASHA1Custom method to get a handler as follows:

handler, err := sighandler.NewAdobeX509RSASHA1Custom(signingCert, signFunc)

A new PdfSignature object is created and its parameters are set as follows.

signature := model.NewPdfSignature(handler)
if err := signature.Initialize(); err != nil {
  return err

// Set signature fields.
signature.SetName("Test PEM Multicert Signature")
signature.SetDate(time.Now(), "")

// Set signature certificate chain.
signature.Cert = pdfCerts

In lines 183-196, signature field and appearance are created by leveraging the functions in the annotator package.

Then the document is signed in line 221, using appender.Sign(1, sigField) method. Finally, the document is written to file and the result of the write process is returned from the function.

Run the code

Run the code using the following command:

go run pdf_sign_pem_multicert.go in.pdf out.pdf certs.pem key.pem

Got any Questions?

We're here to help you.