Create signed PDF-Files

Some days ago a friend of mine asked me how to create PDF-Receipts. Background is that – at least in Germany – you can replace printed receipts with digitally signed PDF-Files. The signature has to comply to certain legal standards to be able to replace the printed copy but the way is the same whether it’s a self-signed certificate or an official one.

For the start I wanted to see how to sign a PDF-Document created with TCPDF. At a later time I will also have a look at how to sign a PDF-File using the libraries supported by

Signing PDF-files with TCPDF requires you to have the private key and the certificate available via a stream-ressource. That excludes certificates and keys on a signature-card as long as you can not export them.

Creating a signed PDF-File using TCPDF is rather simple as you can see in this code-snippet:


// set certificate file
$certificate = 'file://' . __DIR__ . '/cert/certificate.crt';
$privateKey = 'file://' . __DIR__ . '/cert/privateKey.crt';
// set document signature
$pdf->setSignature($certificate, $privateKey, 'test1234', '', 1, array());

// Do some more stuff here like creating the actual PDF-File

//Close and output PDF document
$pdf->output('test.pdf', 'D');

That’s it.

The hard part now is for one thing creating the actual PDF-File.
And the more important one question was “Which certificate-key-thingy goes where”.

That was the one that took me most of the time. When using a self-signed certificate as described in the TCPDF-Example you can somehow use the given openSSL shell-lines to get somehow to a result. But I wanted to sign the document with a “qualified electonical signature” which takes some more steps.

What is a qualified electronical signature? It’S nothing else than any other digital signature from a certification authority. The only difference is, that it has been issued according to the german “Signaturgesetz” which means, that it is based on a qualified certificate and has been created using a certain approved PKI. As I am not a lawyer, this is simply my own description of a legal process which might be inaccurate or plain false. So do not take my word as legally authoritative. A list of issuers for qualified electronical signatures can be found at

As I do not posses such a qualified electronical signature (and there currently is no need for me to get one) I tried the whole stuff with a certificate I got myself from CA-Cert. As far as I know (but I will verify that one soon) you can export a qualified electronic signature into a format that can be used for these purposes.

The relevant parts are the following variables

needs to point to a certificate file in PEM-Format. Thats a plaintext-file with —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and some base64 encoded stuff in between.
needs to point to a private key file in binary PKCS7-Format. Those files normally end in something like ‘.p12′ or ‘.pfx’. To open this file you normally need a passphrase which you have to provide as third parameter to $pdf->setSignature.

Using that certificate and private key you can now sign your PDF-file.

SRWare Iron and PDF

Sadly SRWares Chromium-based Browser Iron doesn’t come with a built in PDF-Viewer.

For a long time I’ve simply taken that, but today I had to research vor PDF-stuff and finally I was fed up!

GoogleChrome to the rescue

As described in you can simply use Google Chromes PDF-Engine. And it does not only work out for Windows but also for Mac.

Simply open the Applications Content of your SRWare Iron by right-clicking onto the Application and selecting “Open Package Content”. You should get a Finder-window showing simply a folder “Contents”. Inside are several folders. One of them should be named “Versions”. Open that one and select the “newest” one inside. In my case that was “29.0.1600.1″. In there is a folder “Chromium Framework.framework” in which again is a folder “Internet Plug-Ins”. Thats the one we’re after!. So the path is as follows:
SRWare > Contents > Versions > 29.0.1600.1 > Chromium Framework.framework > Internet Plug-Ins

Open the same folder of a Google Chrome-Browser (Note: The Version-Folder will be differently named, take the “newest”) and locate a Plug-In called PDF.plugin. Copy that one into the folder of your SRWare Iron, restart the application and open a PDF-file.

Thats it! updated

Hi everyone.

Today I finally managed to update some of the features on I’ve had in mind for a long time already.

Now it’s possible to promote a new usergroup and to edit your own usergroup. To minimize spam and to know which of those some-hundred usergroups is your one you have to log in. Currently login is possible with your Twitter-Account (more might come) and then you are able to edit all the groups your twitter-account is associated with. That way does not need to maintain a user-base (and you do not need to remember another login) and you can pass on authority to the next usergroup-leader by passing on the usergroups-twitter account.

You can provide a simple iCalendar-File in your webspace and link to that from That way everyone interested can integrate YOUR calendar into their Calendaring-Application and as soon as you change your calendar those are updated to everyone else. No need to maintain your event-date (and possible updates to that) on another page. In times to come we might even evaluate those calendaring-informations to an “All-Usergroups-Event-Calendar”.

And yes, I know that adding the geolocation currently is far from easy to handle. I’m working on that. Until a better solution you will need to provide Latitude-Longitude Informations. But with a recent update to google-maps you can right-click onto the location GoogleMaps, select “What’s here” and copy the string from the search-field. Paste that into the Location field and be happy.

If you find issues or have new ideas for feel free to tell us about it

Thanks to all support got during the last year! I appreciate that a lot.