PDFBox has (obviously) the ability to protect a file with several certificates by adding teh recipient's certificates one after another:
For the commandline tool functionality, it just offers "-cert" with the option to add a SINGLE certificate. I expect that in most serious use cases actually two certificates are used to protect the document (the actual recipient and the creator who wants to be able still to open the document as well).
I propose to extend the command line functionality (Encrypt.java) by having an iteration through several cert files, e.g. separated by special character.