Troubleshooting certificates

no certificate
If you get this window when trying to select a certificate in PDF Signet, there are two common causes for it: either you really don't have a certificate yet or it isn't in macOS Keychain form some reason.

I don't have a certificate

You need to obtain a certificate from a Certification Authority first. See this guide.

I have a certificate, but it isn't showing in PDF Signet

This is a trickier case that usually boils down to some problem with installing the certificate (for example, Firefox users may end up installing it only inside Firefox, which can be fixed easily). It may also be an issue with your smart card, if you are using one. PDF Signet needs the certificate to be present in macOS's secure Keychain to be able to access it.

Fortunately it's easy to check if the certificate is installed correctly. There are two ways to check the certificate outside of PDF Signet:

1. Try signing an email

Apple Mail can sign emails with a certificate and if you have one installed properly, you should be able to do it. Open Mail and compose new message; you should see a button for signing on the right side of the Subject field:

no certificate
If you don't have a certificate in Keychain that matches your email address, the button will be gray and not clickable. If the certificate is properly installed, the button will turn blue when clicked.

2. Use Keychain Access to inspect the certificate

macOS comes with a tool for managing certificates called Keychain Access. It shows all certificates that you have installed. It looks like this:

no certificate
Click the My Certificates category to see if your certificate is there. Notice that it is the My section and not the "Certificates" one! The latter shows certificates that you only have the public part of, e.g. certificates of sites you use or people you correspond with. We're interested in certificates that are yours, i.e. that you have the secret private key for; these are the ones you can sign documents with.

Your certificate should be there and it should have the little key icon under it to indicate it contains the private part as well. If you don't see your certificate in this list, it means that it isn't installed in Keychain and that's why PDF Signet cannot see it. Try installing the certificate again and follow your Certificate Authority's instructions carefully (use Safari if the process is web-based).

My smartcard isn't recognized by PDF Signet or Keychain Access

If your smartcard isn't showing in Keychain Access at all, or is not showing all certificates on it, it's possible that the drivers from its vendor are outdated or not installed at all. Make sure you install any drivers per your vendor's instructions. If that doesn't help, there are alternative drivers to try:

Install newer smartcard drivers

  1. Smart Card Services drivers (used to be shipped by Apple with macOS in the past)
  2. Alternative OpenSC drivers

My smartcard works in Firefox / Thunderbird, but not elsewhere

This means that your smartcard only supports PKCS#11 interface and not the native macOS one that PDF Signet needs. You may be able to get the card recognized by installed a bridge driver from CACKey. Make sure to click Customize in the installer and uncheck all components except the PKCS11 one. Also make sure that the smartcard driver configured in Firefox points to a file in the /usr/local/lib/pkcs11 folder, that the file has the .dylib extension and that there are no other files with that extension in this folder.