For a user to be able to sign a document (PDF or otherwise), they need to have access to their private key (credential). The private key is found in the PFX file.
If digital certificates are distributed via PFX files, typically the end user installs the credential on their system. In a Windows based system, the certificate is stored in the Windows Certificate Store. Other ways to distribute digital certificates include secure USB keys and Smart cards. There are also "roaming credential" solutions such as SignFort from Arcot.
What it comes down to is that you have to give your end users their pivate keys (PFX) and they have to install them to be able to sign a PDF on their client. The provisioning and management of digital certificates (PKI) is always the trickiest part of a digital signature infrastructure.
What are you trying to achieve by using Digital Signatures? Maybe you could use some other form of electronic signature where a PKI is not necessary.
Regards
Steve