"Digital" certificates – i.e. computer files, not paper certificates – are used protect PDF (and in some case PDF/A) documents. Your computer system keeps these very securely in its own special certificate stores.

Certificates which just contain information about a specific user's identity and their public key are usually called 'identity certificates' or 'public key certificates' (.CER, .P7B or .P7C format files). A private key can be attached to such a certificate, and then it is often referred to as a 'signing certificate' or a 'private key certificate' (though it still contains your public key and identity as well).

To sign a PDF or PDF/A document, you must use a signing certificate that contains your private key, your public key and your identity: see Sign a document.
When a signed document is opened, some PDF viewers will allow you check the certificate, and with the aid of the public key contained within it, ascertain whether the file has been altered since it was signed or not.

To encrypt a PDF document, you must apply the identity certificates of each 'recipient' whom you will allow to view the document: see Encrypt a document. Recipients must supply their identity certificates to you as .CER, P7B or P7C format files before you can encrypt the document: see Install a certificate.
When a user tries to open the encrypted document, the PDF viewer will only display the document if that user's certificate was included in the file export. If the user's certificate was not included, the PDF viewer will not display the document, just a message to inform the user that he cannot access the document. See also Decryption notes.