Sign a DOCX as PDF/UA

Digital signatures verify signer identity, protect document integrity, and support non-repudiation in PDF workflows.

This guide shows how to:

Convert a DOCX file to PDF/UA
Sign the resulting PDF with a P12/PFX certificate
Configure signature metadata, appearance, and cryptographic options

Prerequisites — Generate a PAdES-compliant certificate

Before you run the sample, create a certificate file named certificate.pfx with the password Nutrient answers all your document needs.

This guide uses PDF Advanced Electronic Signatures (PAdES), the PDF-specific profile of ETSI advanced electronic signatures.

Understand certificate trust in this sample

In this setup, certificate chain validation passes structurally but still shows as not trusted when you use a self-signed root.

Common reasons:

The root CA is self-signed and locally generated
No trusted root entry exists in your system trust store
This is expected in development environments

For production, use certificates from a public or enterprise CA that your target systems trust.

On Windows (PowerShell)

# Create a self-signed certificate with PADES extensions
$cert = New-SelfSignedCertificate -Subject "CN=Nutrient Digital Signature, O=Nutrient, L=Toulouse, S=Occitanie, C=FR" -KeyUsage DigitalSignature,NonRepudiation -KeyExportPolicy Exportable -CertStoreLocation "Cert:\CurrentUser\My" -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

# Export certificate to PFX file with password
$password = ConvertTo-SecureString -String "Nutrient answers all your document needs" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "certificate.pfx" -Password $password

# Export public certificate to CER file for verification
Export-Certificate -Cert $cert -FilePath "certificate.cer"

# Clean up certificate from store
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

On Linux/macOS (OpenSSL) with complete chain

# Step 1 — Create Root CA
openssl req -x509 -new -nodes -keyout root_ca_key.pem -sha256 -days 3650 -out root_ca_cert.pem \
  -subj "/C=FR/ST=Occitanie/L=Toulouse/O=Nutrient/OU=Certificate Authority/CN=Nutrient Root CA/emailAddress=ca@nutrient.io" \
  -extensions v3_ca -config <(
    echo "[req]"; echo "distinguished_name=req"; echo "[v3_ca]"
    echo "basicConstraints=critical,CA:TRUE"
    echo "keyUsage=critical,keyCertSign,cRLSign"
    echo "subjectKeyIdentifier=hash"
    echo "authorityKeyIdentifier=keyid:always,issuer"
  )

# Step 2 — Create Intermediate CA request
openssl req -new -nodes -keyout intermediate_ca_key.pem -out intermediate_ca_csr.pem \
  -subj "/C=FR/ST=Occitanie/L=Toulouse/O=Nutrient/OU=Intermediate CA/CN=Nutrient Intermediate CA/emailAddress=intermediate-ca@nutrient.io"

# Step 3 — Sign Intermediate CA with Root CA
openssl x509 -req -in intermediate_ca_csr.pem -CA root_ca_cert.pem -CAkey root_ca_key.pem \
  -CAcreateserial -out intermediate_ca_cert.pem -days 1825 -sha256 -extensions v3_ca -extfile <(
    echo "[v3_ca]"
    echo "basicConstraints=critical,CA:TRUE,pathlen:0"
    echo "keyUsage=critical,keyCertSign,cRLSign"
    echo "subjectKeyIdentifier=hash"
    echo "authorityKeyIdentifier=keyid:always,issuer"
  )

# Step 4 — Create signing certificate request
openssl req -new -nodes -keyout signing_key.pem -out signing_csr.pem \
  -subj "/C=FR/ST=Occitanie/L=Toulouse/O=Nutrient/OU=Document Processing/CN=Nutrient Digital Signature/emailAddress=sales@nutrient.io"

# Step 5 — Sign end-entity certificate with Intermediate CA
openssl x509 -req -in signing_csr.pem -CA intermediate_ca_cert.pem -CAkey intermediate_ca_key.pem \
  -CAcreateserial -out signing_cert.pem -days 365 -sha256 -extensions v3_req -extfile <(
    echo "[v3_req]"
    echo "keyUsage=critical,digitalSignature,nonRepudiation"
    echo "extendedKeyUsage=critical,codeSigning,emailProtection"
    echo "subjectKeyIdentifier=hash"
    echo "authorityKeyIdentifier=keyid:always,issuer"
    echo "subjectAltName=email:sales@nutrient.io"
  )

# Step 6 — Create certificate chain bundle
cat signing_cert.pem intermediate_ca_cert.pem root_ca_cert.pem > certificate_chain.pem

# Step 7 — Create PFX with complete chain
openssl pkcs12 -export -out certificate.pfx -inkey signing_key.pem -in certificate_chain.pem \
  -name "Nutrient Digital Signature Certificate with Chain" \
  -passout pass:"Nutrient answers all your document needs"

# Step 8 — Extract public certificate to CER file for verification
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer \
  -passin pass:"Nutrient answers all your document needs"

# Step 9 — Clean up temporary files
rm *_key.pem *.csr *.srl signing_cert.pem intermediate_ca_cert.pem certificate_chain.pem

Certificate requirements for PAdES signatures

Use a certificate profile with:

DigitalSignature and NonRepudiation key usage
Suitable extended key usage for signing
RSA 2048-bit key size
SHA-256 signing algorithm
Subject alternative name (for example, email)

Certificate chain structure

A complete chain usually contains:

Root CA certificate
Intermediate CA certificate
End-entity signing certificate

This chain helps resolve NO_CERTIFICATE_CHAIN_FOUND during validation.

Certificate files generated

After generation, keep these files:

certificate.pfx — private key + certificate chain
certificate.cer — public certificate for verification/distribution
root_ca_cert.pem — root certificate for trust-store installation

Install the trust anchor

Install root_ca_cert.pem into a trusted root store to mark signatures as trusted.

On Windows

# Import root CA into Trusted Root Certificate Authorities store
Import-Certificate -FilePath "root_ca_cert.pem" -CertStoreLocation "Cert:\LocalMachine\Root"

# Or for current user only
Import-Certificate -FilePath "root_ca_cert.pem" -CertStoreLocation "Cert:\CurrentUser\Root"

On macOS

# Add root CA to system keychain (requires admin password)
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root_ca_cert.pem

# Or add to user keychain
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain root_ca_cert.pem

On Linux

# Ubuntu/Debian
sudo cp root_ca_cert.pem /usr/local/share/ca-certificates/nutrient-root-ca.crt
sudo update-ca-certificates

# CentOS/RHEL/Fedora
sudo cp root_ca_cert.pem /etc/pki/ca-trust/source/anchors/nutrient-root-ca.crt
sudo update-ca-trust

After trust-store installation, validators can build and trust the full chain.

Prepare the project

Initialize licensing before conversion and signing:

using GdPicture14;
using GdPicture14.Imaging;

LicenseManager license = new LicenseManager();
license.RegisterKEY("");

Convert DOCX to PDF/UA

Convert the input DOCX first so the signed output stays PDF/UA-compliant:

using GdPictureDocumentConverter converter = new GdPictureDocumentConverter();
converter.LoadFromFile("input.docx");
converter.SaveAsPDF("output_pdfa.pdf", PdfConformance.PDF_UA_1);

Load the PDF and create the signature field

Load the converted PDF, add a signature form field, and attach the accessibility tag:

using GdPicturePDF pdf = new GdPicturePDF();

pdf.LoadFromFile("output_pdfa.pdf", false);
var ffId = pdf.AddSignatureFormField(400, 600, 100, 50, "sig");
pdf.SetFormFieldAlternateTitle(ffId, "Signature");
var rootid = pdf.GetTagRootID();
var newtagid = pdf.NewTag(rootid, "Form");
pdf.AttachTagToFormField(newtagid, ffId);
pdf.SetSignaturePosFromPlaceHolder("sig");

Configure the signing certificate

Load certificate and font resources:

pdf.SetSignatureCertificateFromP12("certificate.pfx", "Nutrient answers all your document needs");
var frn = pdf.AddTrueTypeFontU("Arial", false, false, true);

Configure signature metadata and appearance

Set signature metadata (signer, reason, location, contact) and visual settings:

pdf.SetSignatureText("Signature", frn, 14, GdPictureColor.Red, TextAlignment.TextAlignmentCenter, TextAlignment.TextAlignmentCenter, true);

Optional: Add a stamp image and validation mark if your workflow needs visual indicators.

Configure signature security options

Optional settings include certification level and hash algorithm:

//pdf.SetSignatureCertificationLevel(PdfSignatureCertificationLevel.NoChanges);

//pdf.SetSignatureHash(PdfSignatureHash.SHA512);

Apply the signature

Write the signed document with Adobe CAdES signature mode:

pdf.ApplySignature("signed.pdf", PdfSignatureMode.PdfSignatureModeAdobeCADES, false);

Verify certificates

Use certificate.cer to inspect and verify certificate data:

# View certificate details
openssl x509 -in certificate.cer -text -noout

# Verify certificate validity
openssl verify certificate.cer

Summary

This guide combines PDF/UA conversion with digital signing. It covers certificate creation, trust setup, signature field/tag configuration, and final signing with PAdES-compatible mode.