2 years ago
#57245
Philip
Create X509Certificate2 without a private key
I need a public X509 cert for the signing of PDFs. I have the public key in RSA format (the private key is on an HSM). The current keys on the HSM are self-signed (this will ultimately be replaced by an AATL certificate).
I have used CertificateRequest to set up the certificate. However, in order to use X509Certificate2.Create to create a cert you need X509SignatureGenerator.CreateForRSA. That in turn requires the private key. That's where I am stuck.
AFAIK BouncyCastle also seems to require the private key. What am I missing? Every digitally-signed PDF on the planet contains a public-only cert to decrypt the hash.
[The HSM generates a PEM but that only contains the public key, so CreateFromPem doesn't work either as that seems to need full 'CERTIFICATE' details]
c#
digital-signature
x509certificate2
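An added example, not part of the original post: a custom X509SignatureGenerator that builds the certificate from the public key alone and hands only the signing step to an external signer. It assumes .NET 7 or later; the class name ExternalRsaSignatureGenerator and the hsmSign delegate are hypothetical, and a locally generated RSA key stands in for the HSM so the sample runs offline.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Encodes the public key and algorithm identifier from a public-only RSA key
// and delegates the actual signature to an external signer (the HSM).
sealed class ExternalRsaSignatureGenerator : X509SignatureGenerator
{
    private readonly X509SignatureGenerator _publicOnly;            // encoding only, never signs
    private readonly Func<byte[], HashAlgorithmName, byte[]> _sign; // hypothetical HSM call

    public ExternalRsaSignatureGenerator(RSA publicKey, Func<byte[], HashAlgorithmName, byte[]> sign)
    {
        _publicOnly = CreateForRSA(publicKey, RSASignaturePadding.Pkcs1);
        _sign = sign;
    }

    protected override PublicKey BuildPublicKey() => _publicOnly.PublicKey;

    public override byte[] GetSignatureAlgorithmIdentifier(HashAlgorithmName hashAlgorithm) =>
        _publicOnly.GetSignatureAlgorithmIdentifier(hashAlgorithm);

    // 'data' is the DER-encoded TBSCertificate; the signer hashes it and signs with PKCS#1 v1.5.
    public override byte[] SignData(byte[] data, HashAlgorithmName hashAlgorithm) =>
        _sign(data, hashAlgorithm);
}

static class Program
{
    static void Main()
    {
        // Constructed stand-in for the HSM: the private key is reachable only through hsmSign.
        using RSA hsmKey = RSA.Create(2048);
        Func<byte[], HashAlgorithmName, byte[]> hsmSign =
            (tbs, hash) => hsmKey.SignData(tbs, hash, RSASignaturePadding.Pkcs1);

        // What the application holds: the public-key PEM exported by the HSM.
        using RSA publicKey = RSA.Create();
        publicKey.ImportFromPem(hsmKey.ExportSubjectPublicKeyInfoPem());

        var subject = new X500DistinguishedName("CN=PDF Signing Test"); // constructed name
        var request = new CertificateRequest(subject, publicKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var generator = new ExternalRsaSignatureGenerator(publicKey, hsmSign);

        // Self-signed: the issuer name equals the subject name.
        using X509Certificate2 cert = request.Create(subject, generator,
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1), RandomNumberGenerator.GetBytes(16));
        Console.WriteLine($"HasPrivateKey: {cert.HasPrivateKey}"); // False: public-only certificate
    }
}
```

With a real HSM, the delegate body would be replaced by the vendor's signing call (for example through its PKCS#11 or CNG interface), which must return a PKCS#1 v1.5 signature matching the requested hash algorithm.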
0 Answers