# Creating self-signed certificates for digital signatures

To apply a digital signature to your document, you’ll need a certificate and private key pair.

For testing purposes, you can use a self-signed certificate. However, validating a document signed with a self-signed certificate may generate warnings, because nothing vouches for such a certificate other than itself. This may result in a yellow (warning) bar when validating the document with Nutrient (see our guide on how to [view and validate a digital signature](https://www.nutrient.io/guides/web/signatures/digital-signatures/signature-lifecycle/validation.md) for more information) and with third-party viewers.

For organizations seeking a hassle-free digital signing solution, leveraging cloud services is an ideal choice. [Nutrient’s advanced eSignatures API](https://www.nutrient.io/api/signing-api/) is a robust, cloud-based alternative that eliminates the need to implement most parts of the signing workflow. This service uses [Adobe Approved Trust List (AATL)](https://helpx.adobe.com/en/acrobat/kb/approved-trust-list2.html) certificates, ensuring the highest level of trust and compliance.

## Creating a self-signed certificate

The steps to create a self-signed certificate vary depending on your operating system.

### macOS

Here’s how to do it on macOS using the graphical user interface (GUI):

1. Search for Keychain Access in Spotlight by pressing **Command-Space bar**.

2. In the menu bar, click **Keychain Access**. Then choose **Certificate Assistant** and **Create a Certificate...**.

3. Provide a name for the certificate, ensure that the **Identity Type** field is set to **Self-Signed Root**, and click **Create**.

This will generate a standard self-signed certificate using a secure 2048-bit RSA key.

### Command line

If desired, you can create a testing certificate using a command-line tool like OpenSSL. Follow these steps:

1. Install [OpenSSL](https://www.openssl.org/) on your computer.

2. Open a terminal window and run the following command:

```shell

openssl req -x509 -sha256 -nodes -newkey rsa:2048 -extensions v3_req -keyout test-signer.key -out test-signer.cert

```

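Follow the onscreen instructions to provide the required information for creating the certificate. This command will generate a self-signed certificate named **test-signer.cert** and a private key named **test-signer.key** in the current directory. Because of the `-nodes` option, the private key is written to disk unencrypted, so keep it to test environments.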

To ensure that validation in Nutrient displays a green bar without warnings, you can create a certificate authority (CA) specifically for testing and place trust in it.

## Self-signed certification authority and signing a certificate

A more advanced configuration consists of creating a self-signed certificate authority and using it as a [root certificate](https://en.wikipedia.org/wiki/Root_certificate) to create a signing certificate. In a system that trusts such a CA certificate, a certificate it issues is treated no differently from one issued by a globally known root authority.

### OpenSSL in macOS

The default OpenSSL configuration on macOS doesn’t set the options needed to generate a certification authority. One way to solve this is to update the system configuration.

To do this, add the following lines to `/etc/ssl/openssl.cnf`. For more information, refer to the [community recommendations](https://github.com/cert-manager/cert-manager/issues/279#issuecomment-365827793):

```ini

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

```

### Creating a certification authority

Generate a private key file named `test-ca.key`:

```shell

openssl genrsa -out test-ca.key 2048

```

Create and sign a certificate file named `test-ca.cert` for a CA with the common name (CN) `My Test CA v1`:

```shell

openssl req \
  -x509 -new -nodes -key test-ca.key \
  -subj "/CN=My Test CA v1" \
  -days 3650 -reqexts v3_req -extensions v3_ca \
  -out test-ca.cert

```

### Creating a signing certificate

Generate a private key file named `test-signer.key` and a certificate signing request file named `test-signer.csr` with the CN `My Testing Document Signer`:

```shell

openssl req \
  -utf8 -nameopt oneline,utf8 -new -newkey rsa:2048 -nodes \
  -subj "/CN=My Testing Document Signer" \
  -keyout test-signer.key -out test-signer.csr

```

Create a signing certificate file from the request and name it `test-signer.cert`:

```shell

openssl x509 \
  -days 365 \
  -CA test-ca.cert -CAkey test-ca.key -CAcreateserial \
  -in test-signer.csr -req \
  -out test-signer.cert

```

### Outcome

The process provides four important files:

* `test-ca.cert` — A self-signed CA certificate (also the only component of the CA chain). This is what has to be trusted to accept child certificates.

* `test-ca.key` — The CA’s private key, which is necessary to sign more certificates with the same CA.

* `test-signer.cert` and `test-signer.key` — A signer certificate and a private key used for signing in the signing service — for example, [our signing service reference implementation](https://github.com/PSPDFKit/pspdfkit-web-signing-service-example).
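The following script is an added example, not part of the original guide or of Nutrient's code. It runs the CA and signer steps above in a scratch directory and then checks the four files. It assumes OpenSSL 1.1.1 or later and keeps the `[ v3_ca ]` section in a private `ca.cnf` passed with `-config`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): run the CA and signer steps in a scratch
# directory, then verify the result. File names and CNs are the guide's.

build_test_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  # Assumption: the guide's [ v3_ca ] section lives in a private config passed
  # with -config, so /etc/ssl/openssl.cnf is left untouched. -reqexts v3_req
  # is omitted because this config has no v3_req section.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
  openssl genrsa -out test-ca.key 2048 &&
  openssl req -config ca.cnf -x509 -new -nodes -key test-ca.key \
    -subj "/CN=My Test CA v1" -days 3650 -extensions v3_ca \
    -out test-ca.cert &&
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=My Testing Document Signer" \
    -keyout test-signer.key -out test-signer.csr &&
  openssl x509 -req -days 365 \
    -CA test-ca.cert -CAkey test-ca.key -CAcreateserial \
    -in test-signer.csr -out test-signer.cert &&
  chmod 600 test-ca.key test-signer.key   # keys written with -nodes are unencrypted
)

# The signer certificate chains to the test CA when that CA is trusted.
chain_ok() ( cd "$1" && openssl verify -CAfile test-ca.cert test-signer.cert >/dev/null 2>&1 )

# Without the test CA as a trust anchor, the same certificate is rejected.
untrusted_fails() ( cd "$1" && ! openssl verify test-signer.cert >/dev/null 2>&1 )

# The certificate and the private key belong to the same key pair.
key_matches() (
  cd "$1" || exit 1
  [ "$(openssl x509 -in test-signer.cert -noout -pubkey)" = \
    "$(openssl pkey -in test-signer.key -pubout)" ]
)

# The CA certificate carries the basicConstraints CA flag from [ v3_ca ].
ca_is_ca() ( cd "$1" && openssl x509 -in test-ca.cert -noout -text | grep -q 'CA:TRUE' )

d=$(mktemp -d) && build_test_pki "$d" && chain_ok "$d" && untrusted_fails "$d" \
  && key_matches "$d" && ca_is_ca "$d" && echo "test PKI verified in $d"
```

The `untrusted_fails` check is the command-line counterpart of the warning bar: the signer certificate only validates where `test-ca.cert` has been added as a trust anchor.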

## Obtaining a certificate from a trust service provider (TSP)

Obtaining a certificate from a trusted provider ensures the verification of the signer’s identity. If you require a “trusted” certificate that’s recognized worldwide, you can:

- Use Nutrient’s own [advanced eSignatures API](https://www.nutrient.io/api/signing-api/) (recommended).

- Purchase one from a trust service provider (TSP). We provide an [integration with GlobalSign DSS](https://www.nutrient.io/guides/web/signatures/digital-signatures/integrations/globalsign.md), a qualified trust service provider that’s part of the Adobe Approved Trust List and offers qualified certificates.

To choose a provider using the trusted list browser:

1. Visit the [trusted list browser](https://eidas.ec.europa.eu/efda/tl-browser/#/screen/search/type/1).

2. Under **Qualified trust services**, select **Qualified certificate for electronic signature** and click **Next step**.

3. Choose a country and click **Search**.

4. Explore the listed TSPs, and by clicking on each provider’s name, you can access detailed information about their services.

Note that Trusted Lists are published by each Member State, and the provided link will offer additional details about the TSP and the products they offer.

