Signing PDF documents is simple, but ensuring that your signed PDFs are trusted out of the box is complex. Getting an alert notification on opening a digitally signed PDF file is both confusing and disturbing. The most common cause of a PDF not being trusted in Adobe Acrobat Reader is that Reader fails to trust the signing certificate. This is where AATL from Adobe helps. Adobe launched the Adobe Approved Trust List (AATL) program, which allows PDF digital signatures to be trusted with no manual client-side configuration. AATL improves the overall user experience by having your PDF digital signatures trusted automatically.
Administrators may employ cumbersome options to ensure their clients see a trusted green tick mark when they open digitally signed PDFs. Some of these are:
- Manually install the Root CA certificates and configure Adobe Acrobat to use the Windows keystore (Adobe Reader > hit Ctrl + K, Signature > Verification)
- Manually add the Root CA to the Adobe Acrobat Trusted Certificates list (Adobe Reader > hit Ctrl + K, Signature > Identity and Trusted Certificates)
Both of these options are workable but only helpful in closed environments where you or an administrator can easily guide users or control their machines. All of these options will fail if users are outside your network, as persuading them to trust your internally hosted Root CA will not work. AATL removes the need to manually trust your Root CA certificate and speeds up signature acceptance.
AATL involves multiple business entities collaborating to ensure your digital signatures are trusted seamlessly. These are:
Steps to get an AATL Certified Digital Certificate
Following are the steps to digitally sign a PDF with an AATL-trusted certificate:
- Register with an AATL Provider
- Generate the key pair inside the Cloud HSM
- Generate a CSR (Certificate Signing Request) and the associated proof (video, attestation document) that the keys were generated inside the Cloud HSM
- Send the CSR to the AATL Provider with the proofs and receive the issued digital certificate
- Integrate the certificate into your software and enable signing with the cloud-hosted HSM
AATL-based digital keys and certificates can reside either on a USB crypto token or in an HSM. These certificates are automatically trusted, and the signatures can be used long-term when timestamped and revocation information is added (LTV, long-term validation). In the case of a USB token, the CSR does not need to be sent, so step 2 above is not needed.
A PDF signed with an AATL-trusted digital certificate looks the same as one signed with a non-AATL certificate, as there is no change in the PDF contents. The two noticeable changes are:
- The digital signature is marked as verified/trusted in the top bar
- The signature properties mention that the source of trust was obtained from the Adobe Approved Trust List (AATL)
Your clients will not see digital signature verification failures and will start trusting your signed content more.
Codegic is a one-stop shop which helps clients, from choosing the best AATL provider to developing ETSI PAdES-compliant PDF signing software.
- Standard based: We create PAdES digital signatures (PAdES-BES, PAdES-T or PAdES-LTV)
- Trust Oriented: Integrate your existing PDF signing solution with top AATL providers
- Cloud based: Develop and integrate with top Cloud based HSM providers. This includes: Google Cloud HSM, Azure Key Vault, Amazon Cloud HSM
- Reduced Cost: We have relationships with the best AATL Provider out of 60+ known AATL providers
- Guidance: Support and training are provided, from key generation to certificate issuance and integration
- Fully Trusted: Ensure the signed PDF complies with the PAdES standard and is also trusted (out of the box) in Adobe Acrobat Reader DC
To learn more about PDF signing, see How PDF Signing works.
Cost incurred by AATL Provider
1. How long does it take to get a trusted certificate from an AATL Provider?
Normally it takes 5-7 days to get your first AATL certified certificate.
2. Are timestamp service charges included in the AATL charges?
Yes, the timestamping service comes with the overall solution.
3. Which Cloud KMS offering should we use?
Google, AWS and Azure charge almost the same. As a rule of thumb, pick the KMS service where you have deployed your PDF signing application. This will reduce network latency when performing the cryptographic operations.
4. What are the benefits of creating PAdES signatures?
PAdES is an ETSI standard and supports advanced PDF digital signature formats. With PAdES-LTV based signatures, your users can continue to verify digitally signed PDFs even after the digital certificate expires. A PAdES-LTV signature embeds both the signing certificate's revocation information and cryptographic timestamps. In short, PAdES outperforms older techniques of PDF signing.
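As an added illustration (not code from Codegic or from this page), a small Python check of whether a signed PDF carries the PAdES-LTV material the answer describes: a /DSS holding certificates and OCSP/CRL responses, and a document timestamp. The sample PDF fragment is constructed, and the check is structural only; it performs no cryptographic validation.

```python
import re

# Constructed sample (not a real signed file): only the objects of a PAdES-signed PDF
# that this check looks at: signature dictionary, DSS, document timestamp.
SAMPLE_PDF = b"""%PDF-1.7
10 0 obj
<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached /ByteRange [0 1234 5678 910] /Contents <PLACEHOLDER> /M (D:20240101120000Z) >>
endobj
11 0 obj
<< /Type /DSS /Certs [12 0 R 13 0 R] /OCSPs [14 0 R] /CRLs [15 0 R] >>
endobj
16 0 obj
<< /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161 /ByteRange [0 2000 3000 400] /Contents <PLACEHOLDER> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# One indirect object: "N G obj ... endobj". Objects packed into compressed object
# streams (PDF 1.5+) are invisible to this scanner; a real checker needs a PDF parser.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.DOTALL)

def inspect_signed_pdf(pdf: bytes) -> dict:
    """Structural (non-cryptographic) check: which signature formats are present and
    whether LTV material (DSS revocation data plus a document timestamp) is embedded."""
    subfilters, dss_keys, doc_timestamps = [], set(), 0
    for _, body in OBJ_RE.findall(pdf):
        if re.search(rb"/Type\s*/Sig\b", body):
            m = re.search(rb"/SubFilter\s*/([A-Za-z0-9.]+)", body)
            subfilters.append(m.group(1).decode() if m else "unknown")
        elif re.search(rb"/Type\s*/DSS\b", body):
            dss_keys |= {k.decode() for k in re.findall(rb"/(Certs|OCSPs|CRLs)\b", body)}
        elif re.search(rb"/Type\s*/DocTimeStamp\b", body):
            doc_timestamps += 1
    pades = any(s == "ETSI.CAdES.detached" for s in subfilters)
    revocation = bool(dss_keys & {"OCSPs", "CRLs"})
    if not subfilters:
        level = "unsigned"
    elif not pades:
        level = "non-PAdES signature"  # e.g. a legacy adbe.pkcs7.detached signature
    elif revocation and doc_timestamps:
        level = "PAdES-LTV"
    else:
        # A PAdES-T signature timestamp sits inside the CMS blob in /Contents, so
        # BES and T cannot be told apart without parsing the signature itself.
        level = "PAdES-BES or PAdES-T"
    return {"subfilters": subfilters, "dss_keys": dss_keys,
            "doc_timestamps": doc_timestamps, "level": level}
```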
6. Which technology stack do you use for PDF Signing?
We provide the PDF Signing software as a web service hosted on your platform. This ensures fuss-free integration, allowing your developers to integrate in a few minutes. We use Java + Apache Tomcat to ensure deployment can be done on any platform (Linux, Windows, Mac).
7. Do we need another machine to host the PDF Signing Software?
It can be done either way; you just need to look at your PDF processing load. As the core signing computation is done at the Cloud KMS end, the software can be deployed on existing machines unless you have a really heavy load, e.g. 500/1000 documents to be processed per minute. In that case a separate machine with 2 vCPU and 4 GB RAM is sufficient.
8. My application is written in PHP, can we still integrate?
Of course; any application which can generate an HTTP request can integrate with our software.
9. What if the AATL Provider Timestamp service goes down?
You can still generate signed PDFs from the PDF Signing Software, so there is no runtime dependency between you and the AATL Provider. The only drawback is that you won't be able to create advanced long-term digital signatures, for which a timestamp is required, but a timestamp is optional for an AATL-trusted digital signature. The only external dependency is on the Cloud KMS hosting provider which, if it goes down, will affect signing. You can optionally enable key replication with the Cloud hosting provider to ensure 100% key availability.
10. Should we expect performance issues after integration?
Our PDF Signing Software ensures the best performance as long as sufficient resources are available. Let us know if you have specific performance needs; our deployment experts will then guide you.
11. Do you have sandbox or test account?
Yes, we can host a test environment for you, to which you can send PDFs and get signed PDFs in return.
12. Does the AATL provider send a USB token for the certificate?
Yes, but you can't use that approach because it will be single-threaded and will fail when hundreds of signing requests are coming in. Signing where the key resides inside an HSM (or Cloud HSM) is the right way to go.
13. Can I use my own locally held HSM for the key generation?
Yes, you can, as long as it is a FIPS 140-2 Level 3 compliant HSM.
14. Is there any extra cost of the Timestamp service?
No, there is no additional cost.
15. Do you also provide source code of the PDF Signing Software?
Yes, we will, so that you can maintain it in future without depending on us.