Legacy notice!

iText 5 is the previous major version of iText's leading PDF SDK. iText 5 has reached end of life (EOL) and is no longer developed. Switch your project to iText 7, which integrates the latest developments.

We need to encrypt a PDF with a certificate. I've found something using iText some months ago, but I cannot find it any more. The certs are on a smart card.

Posted on StackOverflow on May 21, 2014 by user2946593

Encrypting a PDF is done with a public certificate. Once a PDF is encrypted, only the person with the corresponding private certificate can open the PDF. In your scenario, this would mean that only the person who owns the smart card can open the document.

First you need to extract the public certificate from the smart card. The main question here is: do you want to do this in Java? If so, do you want to do this using PKCS#11? Using MSCAPI? Using a smart card API? I honestly don't think that's what you want to do. I think you want the owners of the smart card to extract their public certificate manually and to send it to you. If this assumption is wrong, you need to post another question: how to get a public certificate from a smart card.

Once you have this certificate, you can encrypt the PDF like this:

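 PdfReader reader = new PdfReader(src);
 PdfStamper stamper = new PdfStamper(reader, new FileOutputStream(dest));
 // getPublicCertificate is a helper that is not shown here; it loads the recipient's certificate
 Certificate cert = getPublicCertificate("resources/encryption/public.cer");
 // Encrypt for this recipient with AES-128; the recipient is allowed to print
 stamper.setEncryption(new Certificate[]{cert},
     new int[]{PdfWriter.ALLOW_PRINTING}, PdfWriter.ENCRYPTION_AES_128);
 // Closing the stamper writes the encrypted PDF to dest
 stamper.close();
 reader.close();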

The public certificate is stored in the file public.cer. That's the file your end user extracted from the smart card.
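
One way to write the `getPublicCertificate` helper that the snippet calls but does not show, as an added example (not iText's own code) that uses only JDK classes. The class name `RecipientCertificate`, the validity and key-usage checks, and the fingerprint output are assumptions of this example: they reject an expired or signing-only certificate and let you confirm with the card owner, over a separate channel, that the file you received is really theirs.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class RecipientCertificate { // hypothetical class name

    // Loads a DER- or PEM-encoded X.509 certificate and rejects one that is
    // expired, not yet valid, or not intended for key encipherment.
    public static Certificate getPublicCertificate(String path)
            throws IOException, CertificateException {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(path)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        cert.checkValidity(); // throws if outside notBefore/notAfter
        boolean[] usage = cert.getKeyUsage(); // null when the extension is absent
        if (usage != null && !usage[2]) { // index 2 = keyEncipherment
            throw new CertificateException(
                    "Key usage does not allow key encipherment: " + cert.getSubjectX500Principal());
        }
        return cert;
    }

    // SHA-256 fingerprint to compare with the card owner over a separate channel.
    public static String fingerprint(Certificate cert)
            throws CertificateException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Uses the path from the snippet above unless another one is given.
        String path = args.length > 0 ? args[0] : "resources/encryption/public.cer";
        Certificate cert = getPublicCertificate(path);
        System.out.println("Subject: " + ((X509Certificate) cert).getSubjectX500Principal());
        System.out.println("SHA-256: " + fingerprint(cert));
    }
}
```

Smart cards often carry separate signing and encryption certificates, so the key-usage check helps catch the case where the owner exported the wrong one.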