Reputation: 653
MOTIVATION
I am trying to use the latest PDFBox 3 to sign PDF documents.
RIG
Windows machine with Java 23
CERTIFICATES
I have created domain certificates with certbot 2.9.0 and openssl-3.0.7 in jks, p12 and pem formats
:: certbot_to_p12.bat
del tomcat.p12
openssl.exe pkcs12 -export -in C:\Certbot\live\tugalsan.com\fullchain.pem -inkey C:\Certbot\live\tugalsan.com\privkey.pem -out D:\dat\ssl\tomcat.p12 -name "MyAllias" -password pass:MyPass
pause
:: p12_to_jks.bat
del tomcat.jks
keytool.exe -importkeystore -srckeystore D:\dat\ssl\tomcat.p12 -srcstoretype pkcs12 -destkeystore D:\dat\ssl\tomcat.jks -deststorepass MyPass -srcstorepass MyPass
pause
:: p12_to_pem.bat
del tomcat.crt.pem
del tomcat.crt.ca.pem
del tomcat.key.pem
openssl.exe pkcs12 -in D:\dat\ssl\tomcat.p12 -out D:\dat\ssl\tomcat.crt.pem -clcerts --passin pass:MyPass
openssl.exe pkcs12 -in D:\dat\ssl\tomcat.p12 -out D:\dat\ssl\tomcat.key.pem -nocerts -nodes -passin pass:MyPass
openssl.exe pkcs12 -in D:\dat\ssl\tomcat.p12 -out D:\dat\ssl\tomcat.crt.ca.pem -nodes -nokeys -cacerts -passin pass:MyPass
pause
DEPENDENCY USED
I have added the dependency below to my pom
<dependency>
<groupId>org.apache.pdfbox</groupId>
<artifactId>pdfbox-examples</artifactId>
<version>3.0.4</version>
</dependency>
JAVA CODE USED simplified as below
//IMPORTS
import java.awt.geom.Rectangle2D;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import org.apache.pdfbox.examples.signature.CreateVisibleSignature2;
//KEYSTORE
KeyStore keystore;
String strPathStore = pathStore.toString().toUpperCase(); // upper-cased path, used only to check the extension
if (strPathStore.endsWith("JKS")) {
keystore = KeyStore.getInstance("JKS");
} else {
keystore = KeyStore.getInstance("PKCS12");
}
try (InputStream is = Files.newInputStream(pathStore)) {
keystore.load(is, password.toString().toCharArray());
}
//SIGNER
var signer = new CreateVisibleSignature2(keystore, password.toString().toCharArray());
signer.setExternalSigning(useExternalSignScnerio);//true or false, it has no effect on outcome
signer.signPDF(
pathPdfInput.toFile(),
pathPdfInput.resolveSibling(pathPdfInput.toFile().getName()+"_signed.pdf").toFile(),
new Rectangle2D.Float(10,200,150,50),
null,
"aaa"
);
OUTPUT
I have used JKS and P12 certificates, but both return the error below
SLF4J(W): No SLF4J providers were found.
SLF4J(W): Defaulting to no-operation (NOP) logger implementation
SLF4J(W): See https://www.slf4j.org/codes.html#noProviders for further details.
{Main}, {main}, {ERROR CAUSE: 'java.io.IOException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl'
ERROR TREE:
org.apache.pdfbox.examples.signature.CreateSignatureBase.sign(CreateSignatureBase.java:155)
org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:915)
org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1346)
org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:429)
org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1586)
org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1095)
org.apache.pdfbox.examples.signature.CreateVisibleSignature2.signPDF(CreateVisibleSignature2.java:297)
...
UPDATE - PROJECT FILES
I have cleaned up the dependencies and published the project as below
https://github.com/tugalsan/com.tugalsan.blg.pdf.pdfbox3.sign/tree/main
and the output changed a bit, but the exception remained the same
C:\git\blg\com.tugalsan.blg.pdf.pdfbox3.sign>java -jar target\com.tugalsan.blg.pdf.pdfbox3.sign-1.0-SNAPSHOT-jar-with-dependencies.jar
C:\git\blg\com.tugalsan.blg.pdf.pdfbox3.sign\HelloWorld_signed.pdf
Oca 26, 2025 10:37:43 ÖS org.apache.pdfbox.examples.signature.SigUtils checkCertificateUsage
SEVERE: Certificate extended key usage does not include emailProtection, nor codeSigning, nor anyExtendedKeyUsage, nor 'Adobe Authentic Documents Trust'
java.io.IOException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl
at org.apache.pdfbox.examples.signature.CreateSignatureBase.sign(CreateSignatureBase.java:155)
at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:915)
at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1346)
at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:432)
at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1586)
at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1099)
at org.apache.pdfbox.examples.signature.CreateVisibleSignature2.signPDF(CreateVisibleSignature2.java:297)
at com.tugalsan.blg.pdf.pdfbox3.sign.Main.main(Main.java:43)
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl
at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
at org.apache.pdfbox.examples.signature.CreateSignatureBase.sign(CreateSignatureBase.java:141)
... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.ec.ECPrivateKeyImpl
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1302)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1359)
at java.base/java.security.Signature.initSign(Signature.java:635)
... 9 more
UPDATE - ADDING Security.Provider
I have added "Security.addProvider(new BouncyCastleProvider());"
The output changed as below
C:\git\blg\com.tugalsan.blg.pdf.pdfbox3.sign>java -jar target\com.tugalsan.blg.pdf.pdfbox3.sign-1.0-SNAPSHOT-jar-with-dependencies.jar
C:\git\blg\com.tugalsan.blg.pdf.pdfbox3.sign\HelloWorld_signed.pdf
Oca 26, 2025 10:52:31 ÖS org.apache.pdfbox.examples.signature.SigUtils checkCertificateUsage
SEVERE: Certificate extended key usage does not include emailProtection, nor codeSigning, nor anyExtendedKeyUsage, nor 'Adobe Authentic Documents Trust'
java.io.IOException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
at org.apache.pdfbox.examples.signature.CreateSignatureBase.sign(CreateSignatureBase.java:155)
at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:915)
at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1346)
at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:432)
at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1586)
at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1099)
at org.apache.pdfbox.examples.signature.CreateVisibleSignature2.signPDF(CreateVisibleSignature2.java:297)
at com.tugalsan.blg.pdf.pdfbox3.sign.Main.main(Main.java:50)
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
at org.apache.pdfbox.examples.signature.CreateSignatureBase.sign(CreateSignatureBase.java:141)
... 7 more
Caused by: java.security.InvalidKeyException: Supplied key (sun.security.ec.ECPrivateKeyImpl) is not a RSAPrivateKey instance
at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source)
at java.base/java.security.Signature$Delegate.tryOperation(Signature.java:1321)
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1275)
at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1359)
at java.base/java.security.Signature.initSign(Signature.java:635)
Upvotes: 1
Views: 138
Reputation: 653
To solve it:
Security.addProvider(new BouncyCastleProvider());
https://github.com/apache/pdfbox/blob/3.0/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java
ContentSigner sha1Signer = new JcaContentSignerBuilder(XXX).build(privateKey);
where (in my case), for domain certificates, XXX = "SHA256WithECDSA"
PS: one can find the working project at https://github.com/tugalsan/com.tugalsan.blg.pdf.pdfbox3.sign/tree/main
Upvotes: 1
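An added example (not code from the posts above or from PDFBox): instead of a fixed name, it derives the `JcaContentSignerBuilder` algorithm from the private key's type, so an EC key like the `ECPrivateKeyImpl` in the stack traces gets `SHA256withECDSA` and an RSA key gets `SHA256withRSA`. The class name, the helper `signatureAlgorithmFor` and the generated throwaway keys are assumptions for illustration; the BouncyCastle `bcpkix` jar must be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SignerAlgorithmDemo {

    // Hypothetical helper: map the key type to a matching JCA signature name.
    static String signatureAlgorithmFor(PrivateKey key) {
        switch (key.getAlgorithm()) {
            case "RSA":
                return "SHA256withRSA";
            case "EC":      // name reported by the JDK's SunEC provider
            case "ECDSA":   // alternative name some providers use for EC keys
                return "SHA256withECDSA";
            default:
                throw new IllegalArgumentException(
                        "Unsupported key algorithm: " + key.getAlgorithm());
        }
    }

    // Sign with a ContentSigner built for the key, then verify with the JDK.
    static boolean signAndVerify(KeyPair pair, byte[] data) throws Exception {
        String alg = signatureAlgorithmFor(pair.getPrivate());
        ContentSigner signer = new JcaContentSignerBuilder(alg).build(pair.getPrivate());
        signer.getOutputStream().write(data);
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(pair.getPublic());
        verifier.update(data);
        return verifier.verify(signer.getSignature());
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        // Constructed throwaway keys standing in for the keystore entries.
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(256);
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        for (KeyPair pair : new KeyPair[] {ec.generateKeyPair(), rsa.generateKeyPair()}) {
            System.out.println(signatureAlgorithmFor(pair.getPrivate())
                    + " verifies: " + signAndVerify(pair, data));
        }
    }
}
```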