A keystore is basically a database format that is capable of securely storing certificates and private keys (e.g., by using password protection). Keystores can have various (file) formats.


webPDF supports the following file formats for keystores:


JKS (Java Keystore)

A keystore (file) format specifically for use in Java-based applications.

PKCS #11

A keystore format for use with smart cards. It describes an API that allows the use of certificates with cryptographic tokens.

PKCS #12

A file-based keystore format for storing private keys and public certificates that allows password protection. A common standard.



PKCS #11 is a "Cryptographic Token Interface Standard". It allows access to certificates and private keys that are stored on a cryptographic token (e.g., a smart card).


In order for webPDF to be able to work with this standard, the appropriate API for the cryptographic token must be installed.


The configuration for the PKCS#11 interface can be found in the "pkcs11.cfg" file in the Configuration folderof webPDF. The possible settings are described under in section "2.2 Configuration".



Information about PKCS#11:


Keystore for webPDF

In the Admin area under "Certificates store signatures", select the type of the keystore and you can upload or configure a corresponding file (see the image). webPDF's signature service cannot be used without this configuration. The keystore must contain at least one valid X.509 certificate and one private key. The keystore can be password-protected. The password for the keystore has to be defined in the configuration.


dialog admin keystore


Certificates (and corresponding keystores, as the case may be) are provided by a public Certificate Authority (Certificate Authority; CA).



You can find a tool for creating and editing keystores at: or Please note that we do not provide any support for questions arising from the use of this tool. Our support covers webPDF itself only.


The key within the keystore can either be selected statically with the configuration or dynamically when calling the web service (see Web Service Parameters).


The keystore is accessed when the webPDF server is started. Your server's log / the server's console should show the following (or very similar) messages:


Serverlog Keystore


It is only possible to use the signature web service if the keystore has been successfully loaded and activated.



If the keystore contains only one certificate and the corresponding private key, then selecting the key for the signature is not necessary. webPDF will automatically use the available key for any signatures.


Automatic keystore with "self-signed certificate"

You do not have to create a keystore in order to test the webPDF signature service. If the configuration does not contain a keystore, webPDF will automatically create a certificate (self signed certificate) and a private key when the server is started. This certificate, however, will only be available temporarily (while the server is running) and therefore cannot be validated (see message in the screenshot).


Automatisches Zertifikat


If you want to use a permanent certificate, then you have to provide the server with a keystore, as described above.