Before running MyPDFSigner your system needs to meet a couple of requirements: a) your system has Java installed, and b) if using smart cards the application provided by your card provider is installed (this will install the drivers needed to interface with the card), and c) if using the PHP, Ruby or Python extensions (Linux only) your system needs to have OpenSSL, libpng, libcurl, zlib, libzip, libjson and libqpdf installed (generally all of these but libqpdf are installed by default).

Note that if you just want to use the PHP, Ruby or Python extensions you still need to start with MyPDFSigner to build the configuration file, mypdfsigner.conf, to use as input to the extensions. However, for a quick test you can just install it and then skip the configuration below and instead use the test configuration provided.

The first requirement, having Java installed is probably already met by your system, but see Troubleshooting below for more information. The second requirement only needs to be met if using PKCS#11 smart cards.

If you would like to try MyPDFSigner and you do not have a certificate yet you can get one from Cacert. Install the certificate into the browser and back it up to a *.p12 file that you can use with MyPDFSigner. For testing purposes you can also use the test key store provided.

If you intend to run MyDWFSigner instead of MyPDFSigner the only relevant sections in this manual are the ones related to configuration of the KeyStore (including the Evaluation KeyStore).

On Windows you need to install as Administrator (right click on the installer file and select "Run as Administrator"). On Mac OS X there are two apps, the MyPDFSigner.app and the optional MyPDFSigner-Tray.app. The "Tray" app is needed to test the Online Demo.

Before running MyPDFSigner with a smart card make sure the card reader is plugged to the computer and that the card is inserted in the card reader! This "step" can be obviously skipped when using PKCS#12 files or, in Windows and Mac OS X, when using certificates in the Windows Certificate Store or the Apple Keychain Store that are not associated with private keys stored in a smart card.

The first time MyPDFSigner is run it needs to have a certificate configured. This is done by choosing a Certificate Store from the top drop down menu and then clicking the "Change" button. The interface that appears then depends on the Certificate Store chosen.

Note: the configuration is saved to a file named ".mypdfsigner" (dot mypdfsigner) in your home directory:

There are some situations where you need to manually edit this file. Below is the test configuration file shipped with the installer (this example is for Mac OS X):

#MyPDFSigner test configuration file
certfile=/Applications/MyPDFSigner.app/Contents/Home/tests/mypdfsigner-test.p12
certalias=mypdfsigner test
certpasswd=47cabdb7b2b2dcc416a21cd0c4b6903e
certstore=PKCS12 KEYSTORE FILE
sigrect=[-170 -80 -40 -40]
sigimage=/Applications/MyPDFSigner.app/Contents/Home/tests/signature.png
tsaurl=http://adobe-timestamp.geotrust.com/tsa

Windows Certificate Store: On Windows, when using the Windows Certificate Store, the interface is very simple and consists of a drop down menu of the certificates registered in the system. Select one of them in the "Alias" drop down menu and click "Save".

certstore=WINDOWS CERTIFICATE STORE

Apple Keychain Store: Similarly on Mac OS X, when using the Apple Keychain Store, the interface consists of a drop down menu of the certificates registered in the system. Select one of them in the "Alias" drop down menu and click "Save". Note that the Keychain used is the "System" Keychain.

certstore=APPLE KEYCHAIN STORE

You will be challenged for credentials the first time you try to access the Keychain. If the "Always Allow" button does not work, i.e. you are still challenged for credentials after using it, then you can directly add MyPDFSigner to the list of allowed applications. To do this open Keychain Access (Utilities > Keychain Access), select the private key you will use for signing, open it (double click), select the "Access Control" tab, and add MyPDFSigner to the list of "Always allow access by these applications".

PKCS#11 Security Device: Fill in the the first two fields: name and module. The name is a descriptive name for the card and can be anything. The module is the path of the library used to interface with your card.

The module (library) name is indicated in the documentation of your card provider and is the same used to configure Firefox or Thunderbird to use your card. Very often, the library has the "word" pkcs11 as part of the name and the extension .dll (Windows), or .so (Linux) or .dylib (Mac OS X).

As an example, for the Portuguese Citizen Card the module name is:

Note: MyPDFSigner also supports the OpenSC module, but the configuration is a bit more complicated and needs some extra steps. See the section below.

Once the module name is provided, the certificate alias drop down menu is loaded with the aliases values stored in your card. Select the one corresponding to your certificate for signing (click the "Display" button next to it to view its information) and click the "Save" button.

If the above step fails to work that may be due to the fact that the software that comes with your card does not provide a PIN Entry Dialog and instead expects the application (MyPDFSigner in this case) that interfaces with card to provide the PIN Entry Dialog. Add pindialog=on to the configuration file and try again to see if makes a difference. The configuration file is in your home directory and is named ".mypdfsigner".

Note that the aliases values are the values associated with the private keys in your card. Usually for every private key in the card there is an associated certificate in the card but there are cases where that does not happen (the certificate in those cases is held by the authority that issued your card). On those cases the "Display" button will obviously fail to show the certificate. But the alias that was indicated by your card issuer authority as being the one to use for signing will always have the associated private key in the card.

The certificate configuration has an "optional" certificate store. Whether it is optional or not really depends on your card. You can start by assuming that it is optional; then sign a PDF document and check whether the certification path is complete or not. If the path is not complete then you should configure the Certificates Store Path. The reason this step is usually necessary is due to the fact that most cards do not store all the certificates of the certification path in its chip. Instead, the missing certificates are provided as part of the application that came with the card (this is the approach suggested by the PKCS#11 standard). Signing a PDF document with a incomplete certification path is possible but unless you configure your PDF viewer to trust one of the intermediate certificates the signed document will always be flagged as having issues with its digital signature.

If you need to configure the Certificates Store Path look under the installation directory of your card application for a folder with the certificates (files that usually have the extensions .der, .cer or .pem). The path of that folder is the one that needs to be configured in the Certificate Configuration dialog of MyPDFSigner.

As an example, for the Portuguese Citizen Card the Certificates Store Path is:

Note: under Mac OS X the path is "under" an application "file", i.e., a folder that has the .app extension and looks like a file; use the terminal or "right click + Show Package Contents" to look inside.

# library is the path to the PKCS11 module (a .dll, .dylib or .so file)
# pindialog is usually not needed if your pkcs11 module provides a PIN entry window
certstore=PKCS11 SECURITY DEVICE
library=/path/to/pkcs11.so
name=Smart Card Name
certsdir=/path/to/extra/certs/
pindialog=on

PKCS#11 Security Device with OpenSC: The OpenSC project provides a module that works with many smart cards. If it works with your card then you can use it instead of the module provided by your card provider. This is relevant if your card provider does not provide a module for your operating system or if you want to do batch signing and the module provided by your card provider does not cache the PIN (i.e., always pops up the PIN entry dialog before each signing). Although there are good reasons why the module provided by your card provider always requires that a PIN be manually entered for every use of the private key there are also valid situations where having the application that interfaces with the card cache the PIN is desirable. MyPDFSigner provides that functionality.

Configuration of MyPDFSigner with the OpenSC module starts the same way as with the module provided by your card provider but may require one or two extra steps. One of them is that you will be required to login to the card during the configuration (MyPDFSigner will pop up a dialog to enter the PIN). The second possible extra step is that you may need to manually configure the slot to use since by default MyPDFSigner uses the slot 1 and the token you want to use may be in a different slot. To find out which slot you want to use, open a terminal, insert your smart card in the card reader and run the pkcs11-tool with the -L switch:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -L
Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Gemplus USB Smart Card Reader 0
  token label:   KryptoKoder Support (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  2986055013181210
Slot 2 (0x2): Gemplus USB Smart Card Reader 0
  (empty)
Slot 3 (0x3): Gemplus USB Smart Card Reader 0
  (empty)
Slot 4 (0x4): Gemplus USB Smart Card Reader 0
  (empty)

In the example above the only non empty slot is slot 1. In cases where the smart card has more than one PIN (say, one for authentication and another for signing) there will be a corresponding number of non empty slots. For instance, for the Portuguese Citizen Card (Cartão de Cidadão) the authentication PIN is in slot 0 and the signing PIN is in slot 1.

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -L
Available slots:
Slot 0 (0x0): Gemplus USB Smart Card Reader 0
  token label        : CARTAO DE CIDADAO (Auth PIN)
  token manufacturer : GEMALTO
  token model        : PKCS#15 emulated
  token flags        : login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000012736981650
Slot 1 (0x1): Gemplus USB Smart Card Reader 0
  token label        : CARTAO DE CIDADAO (Sign PIN)
  token manufacturer : GEMALTO
  token model        : PKCS#15 emulated
  token flags        : login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000012736981650
Slot 2 (0x2): Gemplus USB Smart Card Reader 0
  token label        : CARTAO DE CIDADAO (Address PIN)
  token manufacturer : GEMALTO
  token model        : PKCS#15 emulated
  token flags        : login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000012736981650

Once you know the slot to use, open the .mypdfsigner configuration file in your home directory and change the slotindex entry to the corresponding value. If you then restart MyPDFSigner and try to configure it again to use the OpenSC module you should see the expected alias in the "Alias" drop down menu.

# this is needed if the private key for your signing certificate is not in slot 1
slotindex=2

PKCS#12 KeyStore File: Fill in the File field by entering the location of your *.p12 (or *.pfx) file. The file is protected by a password so you also need to enter one. Next to the Password field there is a checkbox that you can check if you want to save the password to the MyPDFSigner configuration file (the .mypdfsigner file in your home directory).

Note that if you choose to save the password it will be encrypted and thus safe from the prying eyes. However anyone with access to your *.p12 file and your .mypdfsigner configuration file will be able to sign PDF documents on your behalf. If you choose not to save the password you can still sign PDF documents for that session (the next time you run MyPDFSigner you will need to enter the password again).

Once the password is entered you can select a certificate from the "Alias" drop down menu and click "Save".

certpasswd=47cabdb7b2b2dcc416a21cd0c4b6903e
certstore=PKCS12 KEYSTORE FILE
certfile=/path/to/keystore/file.p12

The password can also be encrypted from the command line using the mypdfsigner command:

$ mypdfsigner -e password

Signature Attributes: To avoid the repetitive task of entering attributes that are usually the same for every signed document, like the location attribute and the placement of visible signatures, one can define a signing profile. Besides the "Location", "Reason" and "Contact" attributes, a signing profile can also include the page and position for visible signatures, an optional "watermark" image, and a customizable text template. The page attribute can be a positive or negative value; a negative value means the pages are counted backwards from the last page. For instance a value of -1 (sigpage=-1 in the configuration file) places the signature on the last page. You can also set the page value to * and then the signature will be visible in all pages.

# general signature parameters
# to place signature on last page use value -1
sigpage=-1
sigloc=Location
sigreason=Evaluating MyPDFSigner
sigcontact=support@kryptokoder.com

The template consists of free text plus some placeholders that will be replaced by attributes at signing time. There are four placeholders: %N which will be replaced by the "CN" attribute in the certificate (if "CN" or "cn" is missing, then the following are tried in this order: "GN" plus "SN", "O", "OU", "emailAddress"); %L, which is optional and corresponds to the "Location"; %R, which is optional if a license key is present (otherwise becomes mandatory), and corresponds to the "Reason"; and %D, %T, %Z or %C which correspond to either the date (yyyy.MM.dd), or date plus time (yyyy.MM.dd HH:mm:ss), or date plus time plus time zone (yyyy.MM.dd HH:mm:ss ZHH'mm') or a custom date and time. The custom date can be chosen using the C language date formatting rules. Note that except for the %Z placeholder, all the other date and time placeholders require a valid license.

# visible signature parameters
# the sigtext template below is enforced if a valid license is not present
sigtext=Signed by %N\nReason\: %R\nLocation\: %L\nDate\: %Z
sigdateformat=%c

The visible signature text may use glyphs that are not present in the Helvetica default font. In that case the font will be replaced by Arial assuming the font file is present in the local computer in the default location. If that is not the case, or a different font is preferred, the sigfont entry can be used to specify the font file to use.

# visible signature parameters
sigfont=/path/to/fontfile.ttf

The signature rectangle is the rectangle in the page where the visible signature will be displayed. The rectangle consists of four values inside square brackets [], corresponding to the left, bottom, right and top coordinates of the rectangle. The values are units in a "72 units per inch" scale with the origin being the lower left corner of the page. In these units, a letter sized page (8.5 by 11 inches) is 612 x 792 units, and a A4 page (210 x 297 mm) corresponds to 595 x 842 units. The rectangle values can be either positive or negative. If negative then they are measured from the right and top sides of the page; if positive they are measured from the left and bottom sides of the page. For instance, to place a 100 x 50 (W x H) rectangle in the lower left corner, 20 units from the edges one would use the values [20 20 120 70]. To place the rectangle in the upper right corner, 20 units from the page edges, one could use the values [-120 -70 -20 -20]. Note that for a A4 page this is equivalent to [475 872 575 822].

# visible signature parameters
sigrect=[lx by rx ty]

A visible signature will also incorporate an image if one was defined in the "Signature Profile". The image will be scaled to fit inside the signature rectangle. Ideally the image will have a transparent background. The suggested approach to select the right sized signature image is to start by choosing the right visible signature rectangle size so that the filled text template fits nicely. Once that is known create a signature image with the same proportions (but high enough resolution so that it looks fine when printed). An example: if the rectangle is 130 (units) wide by 40 tall (like the default one) the size when printed will be 130/72 inches by 40/72 inches. Sign your name in a piece of paper inside a rectangle of such dimensions and scan it at, say, 300 dpi. This will create an image that is 130*300/72 (pixels) wide by 40*300/72 tall (or 542 by 167 pixels). An image with such resolution will scale nicely and the resulting graphics will have the right size. Images of different proportions can be used but since they will be scaled (and centered) to fit inside the rectangle there will be space around two of the sides of the image. For testing purposes there is a signature.png file in the tests directory of the installation. This file can be used with the default (130 x 40) rectangle.

# visible signature parameters
sigimage=/path/to/image.png

While the size of the visible signature rectangle needs to be set manually in the profile (unless you want to use the default 130 x 40 rectangle), its page and position can be set with the mouse: when the original document is selected, checking the "visible" checkbox opens up a dialog with a preview of the page and visible signature rectangle. The position of the signature can be changed by grabbing and dragging the rectangle. Note that this dialog has "Save" and "OK" buttons. The first one saves the changes permanently to the configuration file while the latter only saves for the session.

Time Stamping: A TSA (Time Stamp Authority) HTTP(S) server can be configured in this section (account and password are optional). At the moment MyPDFSigner only supports the HTTP(S) POST TSA protocol.

# time stamping parameters
tsaurl=http://adobe-timestamp.geotrust.com/tsa
# tsauser and tsapasswd if required by your TSA provider
tsauser=tsausername
tsapasswd=tsauserpassword

If you do not have a TSA server available try one of the public available ones listed in sites like http://tsp.iaik.at/tsp/ (usually only valid for testing purposes). An example is http://tsp.iaik.at/tsp/TspRequest. Some governments provide a TSA to their citizens as part of their National Citizen Card program. For instance, portuguese users can use the TSA at http://ts.cartaodecidadao.pt/tsa/server.

If using a TSA HTTPS server the certificate of the server needs to be trusted by your Java installation, i.e., the certificate of the Root CA that issued the TSA HTTPS server certificate needs to be present in the "cacerts" file ($JAVA_HOME/lib/security/cacerts).

To list the certificates of the trusted CAs in the cacerts file:

keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts

To add a new certificate to cacerts:

keytool -import -trustcacerts -file RootCA.crt -alias new_root_ca -keystore $JAVA_HOME/lib/security/cacerts

Note: (a) if you are prompted for a KeyStore password, the default one is "changeit"; (b) the alias in the above import is a "friendly name" and can be anything; (c) if you update Java you may unknowingly overwrite the cacerts file in which case you will need to repeat the above step.

PAdES B-B/T and eIDAS: PAdES signature level B-B and B-T can be performed if the subfilter entry is set to ETSI.CAdES.detached. The level B-T is performed if Time Stamping is enabled, B-B is performed otherwise.

# perform PAdES B-B or B-T
subfilter=ETSI.CAdES.detached

Note: many European governments provide online PAdES validation services; an example is http://dss.agid.gov.it/validation.

An eIDAS signature is a PAdES signature performed with an eIDAS compliant certificate.

Other Parameters: There are a few other parameters that may be useful when experimenting with signature placement and design, or when the application does not work (like when configuring the certificate fails to work), or when you are behind a proxy.

# other optional parameters, all of them with a default value
# defaults to keys directory of installation if not present 
keyfile=/path/to/license.key
# use when requesting support, default is off
debug=off
# defaults to mypdfsigner.log in local user directory if not present; requires debug=on
logfile=/path/to/mypdfsigner.log
# set license to off when you have a transaction license and want to experiment signing without using a signature
license=off
# scale to use for the visible signature placement preview window: defaults to 66 (meaning 66% scaling)
scale=90
# if you are behind a proxy you will need to set these so that internet requests, like retrieval of OCSP, work properly
proxyprotocol=http
proxyhost=proxy.example.com
proxyport=1080

You can sign PDF documents from the command line using the mypdfsigner utility. Use of the CLI (command line interface) is really intended for business purposes and in principle you need a server license or terminal license to use it (but not to try it). See the License section for more information.

In Linux the command mypdfsigner installs to /usr/local/bin while in Mac OS X installs to /Applications/MyPDFSigner.app/Contents/MacOS/ (you can add this path to the /etc/paths file if you wish). In Windows if you want to use MyPDFSigner from the command line you need to add "C:\Program Files\MyPDFSigner" to your PATH (or cd into that directory).

Run mypdfsigner without arguments to get the usage instructions which should be clear to understand. The behavior is the same in all platforms.

[support@kryptokoder ~]$ mypdfsigner -h
MyPDFSigner v2.1.1, (c) 2009-2016 KryptoKoder LLC
Usage:
mypdfsigner -i input.pdf -o output.pdf -p "password" -l "location" -r "reason" -v <visible> -c <certify> -q <timestamp> -t "title" -a "author" -s "subject" -k "keywords" -z mypdfsigner.conf

Only -i is required. If -o is missing the output file is the same as the input with "-signed" appended.
If -i and -o are directories all the PDF files in the input directory are signed and placed in the output directory, if not there yet.
If -z is missing the configuration file "/usr/local/mypdfsigner/mypdfsigner.conf" is used instead.
The password is the open document password, needed if the signed document is to be encrypted.

The configuration file can store an encrypted password for the PKCS#12 key store. The password can be encrypted from the command line with -e "password".

kryptokoder:~ support$ /Applications/MyPDFSigner.app/Contents/MacOS/mypdfsigner -h
MyPDFSigner v2.1.3, (c) 2009-2016 KryptoKoder LLC
Usage:
mypdfsigner -i input.pdf -o output.pdf -p "password" -l "location" -r "reason" -v <visible> -c <certify> -q <timestamp> -t "title" -a "author" -s "subject" -k "keywords" -z mypdfsigner.conf

Only -i is required. If -o is missing the output file is the same as the input with "-signed" appended.
If -i and -o are directories all the PDF files in the input directory are signed and placed in the output directory, if not there yet.
If -z is missing the configuration file "/Applications/MyPDFSigner.app/Contents/Home/mypdfsigner.conf" is used instead.
The password is the open document password, needed if the signed document is to be encrypted.

The configuration file can store an encrypted password for the PKCS#12 key store. The password can be encrypted from the command line with -e "password".

C:\Program Files\MyPDFSigner>MyPDFSigner.exe -h
MyPDFSigner v2.2.0, (c) 2009-2016 KryptoKoder LLC
Usage:
mypdfsigner -i input.pdf -o output.pdf -p "password" -l "location" -r "reason" -v <visible> -c <certify> -q <timestamp> -t "title" -a "author" -s "subject" -k "keywords" -z mypdfsigner.conf

Only -i is required. If -o is missing the output file is the same as the input with "-signed" appended.
If -i and -o are directories all the PDF files in the input directory are signed and placed in the output directory, if not there yet.
If -z is missing the configuration file "C:\Program Files\MyPDFSigner\mypdfsigner.conf" is used instead.
The password is the open document password, needed if the signed document is to be encrypted.

The configuration file can store an encrypted password for the PKCS#12 key store. The password can be encrypted from the command line with -e "password".

Note that the -i and -o arguments can be either a file or a directory. In the latter case all the PDF files in the input directory are signed and placed in the output directory.

The CLI needs a configuration file to run and can accept one from the command line (using the -z switch), or read it from the installation directory (if present), or use the configuration file present in the user home directory (if the CLI is being run by an user that has previously configured one).

The configuration file is created using the GUI and is originally saved to the home directory as ".mypdfsigner". You can copy it to the installation directory and rename it as "mypdfsigner.conf" and the CLI will use it instead of your personal configuration file.

Note that the installation directory where you should place the mypdfsigner.conf file is:

Test the CLI in Linux:

[support@kryptokoder ~]$ mypdfsigner -i /usr/local/mypdfsigner/tests/example.pdf -o /tmp/example-signed.pdf -z /usr/local/mypdfsigner/tests/mypdfsigner.conf -v -c -q

Check /tmp/example-signed.pdf with a viewer (like Adobe Reader) that can display the digital signature. Note that viewers like Evince cannot yet display the digital signature, and the warning one sees with Adobe Reader about lack of certificate trust is to be expected (see Evaluation KeyStore).

Similarly on Mac OS X:

kryptokoder:~ support$ /Applications/MyPDFSigner.app/Contents/MacOS/mypdfsigner -i /Applications/MyPDFSigner.app/Contents/Home/tests/example.pdf -o /tmp/example-signed.pdf -z /Applications/MyPDFSigner.app/Contents/Home/tests/mypdfsigner.conf -v -c -q

To run the example in Windows add "C:\Program Files\MyPDFSigner" to the environment PATH variable. Then:

C:\> MyPDFSigner.exe -i "C:\Program Files\MyPDFSigner\tests\example.pdf" -o C:\Users\Username\Downloads\example-signed.pdf -z "C:\Program Files\MyPDFSigner\tests\mypdfsigner.conf" -v -c -q

To use the CLI with a PKCS#11 security device the configuration file needs to be prepared as explained in the language modules PKCS#11 section.

MyPDFSigner automatically embeds OCSP status in the signed PDF. This, when available, is enough to make the signed PDF be LTV (Long Term Validation) enabled. In situations where an OCSP status is not available, either because the OCSP end point is not present in the signer certificate or for any other reason (like being unable to reach the OCSP server), there is the option of embedding a CRL file, if available, in the signed PDF. By default MyPDFSigner does not embed the CRL file but that can be forced by setting the embedcrl configuration entry to on (or true).

# force embedding CRL if OCSP not available; default is off
embedcrl=on

MyPDFSigner can also be used to add PAdES LTV to already signed PDFs.

[support@kryptokoder ~]$ mypdfsigner addltv -i input-signed.pdf -o output-ltved.pdf -z mypdfsigner.conf

This feature is fully functional without a license but the OCSP and CRL data will only be cached for 30 seconds and 5 minutes respectively. With a server license the caching times will be extended to 1 hour and 24 hours respectively.

MyPDFSigner can be used to verify the validity of a signed PDF (validation of the certificates is not performed yet).

[support@kryptokoder ~]$ mypdfsigner verify -i input-signed.pdf -z mypdfsigner.conf

This feature is fully functional without a license but the signed documents are restricted to five pages maximum. With a server or terminal license the restriction is lifted.

MyPDFSigner ships with a pre-configured test PKCS#12 KeyStore in the tests directory of the installation: mypdfsigner-test.p12. The password for the KeyStore is already encrypted and saved in the test configuration file, mypdfsigner.conf, in the same directory.

To test signing of DWFx files larger than 1 MB you can use the PKCS#12 evaluation KeyStore shipped with the MyDWFSigner installer. To configure it, select the "PKCS12 KEYSTORE FILE" option, then click "Change", enter the following information below and click "Save":

File: /Applications/MyDWFSigner.app/Contents/Home/tests/mydwfsigner-eval.p12
Password: evaluation
Alias: Evaluating MyDWFSigner

The evaluation KeyStores use a self-signed certificate so the warnings about lack of trust are to be expected.

Checking for Java: If MyPDFSigner fails to launch when trying to run it then it probably means you do not have Java installed, or you have a JRE architecture that does not match the package you installed (i.e., you have a 32-bit JRE and you installed a 64-bit package), or you have a version of Java that is too old. MyPDFSigner requires at least Java 8 to run the desktop application. Open a command prompt or teminal and run "java -version". If Java is not available or is not the correct one for the installed package you need to install it.

Windows and Mac OS X: Download and install the JRE package available from the Java site.

Fedora: Run as root (or using sudo)

# dnf list | grep jdk # find the right package name to use
# dnf install java-k.l.m-openjdk

Ubuntu: Run as root (or using sudo)

# apt-cache search jdk # find the right package name to use
# apt-get install openjdk-n-jdk

Requesting Support: If you are able to launch the application but are unable to configure the certificate or run into other problems please set debug=on in the configuration file and run the application to reproduce the problem. Then contact KryptoKoder and include the log file (usually mypdfsigner.log in your home directory) in your submission.