I’m trying to be better about digitally signing .pdf documents that I author as a professional engineer. And without needing to pay Adobe to use Acrobat. Enter pyHanko, which does not have a graphical user interface; however, with a little fussing it works well.

First, open Terminal.app and execute the following command to create a certificate and private key:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650

When prompted, I entered:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Minnesota
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Barr Engineering Co.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Bradford Schwie
Email Address []:bschwie@barr.com

Next combine the above generated cert.pem and key.pem into certif.p12 with this command:

openssl pkcs12 -export -out certif.p12 -in cert.pem -inkey key.pem

Verify the certificate.p12 contains a certificate and key with this command:

openssl pkcs12 -info -in certif.p12

Finally, create a .pdf with command:

pyhanko sign addsig --field Sig1 pkcs12 input.pdf output_signed.pdf certif.p12

pyhanko sign addsig --field 1/70,400,390,350/Sig1 --style-name default pkcs12 input.pdf output_signed.pdf certif.p12

I could probably do more fussing with the signature appearance, but it took a fair amount of effort and this was before Liam bailed me out – thank you! Hopefully others find this as helpful as I do.

** Update 11-26-2025 **
Today I was signing a document that another user had already digitally signed. No sweat, pyHanko seems to handle this situation with the following example that I used:

pyhanko sign addsig –field 1/90,215,360,185/Sig1 –style-name default –no-strict-syntax pkcs12 input.pdf output_signed.pdf certif.p12