And my use of those "PKI and X.509 type certificates" is to call a library to deal with them, blithely ignorant as to what those libraries are doing with the keys. Just like I don't write my own code to implement HTTP, and then TCP, and then IP and then ethernet.
The other enormous stupidity in this question is PKI is only one solution, and may not be the best one. Encrypted zip may work just fine, with a password transmitted via another pathway. Or if the document is in a format that supports encryption, hence the question about PDF. Or scp/VPN/etc to a secured share. Or print it out and put a stamp on it.