AATL PDF Digital Signatures = More Trust!
Get your own AATL compliant PDF signing solution, Guaranteed!
- Globally Trusted
- 100% ETSI Compliant
- Advanced Digital Signatures
- Developer friendly integrations
- Secured with FIPS 140-2 Level 3 HSM
AATL, silver bullet for your signature trust issues
Signing PDF documents is simple, but ensuring that your signed PDFs are trusted out of the box is complex. Getting an alert on opening a digitally signed PDF file is both confusing and disturbing. The most common cause of a PDF signature not being trusted in Adobe Acrobat Reader is that the reader does not trust the signing certificate. This is where AATL from Adobe helps. Adobe launched the Adobe Approved Trust List (AATL) program so that PDF digital signatures can be trusted with no manual client-side configuration. AATL improves the overall users' experience by trusting your PDF digital signatures.
Painful alternatives
Administrators may employ cumbersome options to ensure their clients see a trusted green tick mark when they open digitally signed PDFs. Some of these are:
- Manually installing the Root CA certificates and configuring Adobe Acrobat to use the Windows keystore (Adobe Reader > hit Ctrl + K, Signature > Verification)
- Manually adding the Root CA to the Adobe Acrobat Trusted Certificates list (Adobe Reader > hit Ctrl + K, Signature > Identity and Trusted Certificates)
Both of these options are workable but only helpful in closed environments where you or an administrator can easily guide users or control machines. All of these options will fail if users are outside your network, as persuading them to trust your internally hosted Root CA will not work.
Components in an AATL system
AATL involves multiple business entities collaborating to ensure your digital signatures are trusted seamlessly. These are:
How to get an AATL Certified Digital Certificate
Following are the steps to digitally sign a PDF with an AATL trusted certificate:
- Register with an AATL Provider. Registration requires proving your company's identity and paying registration fees
- Once done, generate a key pair (RSA or ECDSA) inside a secure hardware device. This can be either an on-premise HSM or a Cloud hosted HSM. In both cases the device must be FIPS 140-2 Level 3 compliant hardware
- Generate a CSR (Certificate Signing Request) and collect the associated proof (video, attestation document) that the keys were generated inside the HSM
- Send the CSR to the AATL Provider with the proofs and get your AATL digital certificate
- Integrate the certificate into your software and enable signing with the HSM
An AATL key and certificate can reside either on a USB crypto token or in an HSM. These certificates are automatically trusted, and the signatures can be made long-term validated (LTV) by adding a timestamp and revocation information. In the case of a USB token no CSR needs to be sent; the AATL Provider ships you the USB token, so steps 2 to 4 above are not needed.
How an AATL signed PDF looks
A PDF signed with an AATL trusted digital certificate looks the same as one signed with a non-AATL certificate, since the PDF contents do not change. The two noticeable differences are:
- The digital signature is marked as verified/trusted in the top bar
- The signature panel states that trust was obtained from the Adobe Approved Trust List (AATL)
Your clients will no longer see digital signature verification failures and will trust your signed content more.
How Codegic helps in AATL based PDF Signing
Codegic is a one stop shop which helps clients with choosing the best AATL provider and with developing ETSI PAdES compliant PDF signing software. Some of the salient features are:
- Standards based: We create PAdES digital signatures (PAdES-BES, PAdES-T or PAdES-LTV)
- Trust Oriented: Integrate your existing PDF signing solution with top AATL providers
- Cloud based: Develop and integrate with top Cloud based HSM providers. This includes: Google Cloud HSM, Azure Key Vault, Amazon Cloud HSM
- Reduced Cost: We have relationships with the best AATL Provider out of 60+ known AATL providers
- Guidance: Support and training is provided from key generation through certificate issuance and integration
- Fully Trusted: Ensure the signed PDF complies with the PAdES standard and is trusted (out of the box) in Adobe Acrobat Reader DC
To learn more about PDF signing, see How PDF Signing works.
Pricing
The overall cost of getting AATL signed PDF documents can be broken down into:
AATL Provider Cost
Success Story
FAQ
How long does it take to get a trusted certificate from an AATL Provider?
Normally it takes 5-7 days to get your first AATL certified certificate.
Are the timestamp service charges included in the AATL charges?
Yes, the timestamping service comes included with the overall solution.
Which Cloud KMS offering should we use?
Google, AWS and Azure charge almost the same. As a rule of thumb pick the KMS service where you have deployed your PDF signing application. This will reduce network latency in performing the cryptographic operation.
What are the benefits of creating PAdES signatures?
PAdES is an ETSI standard and supports advanced PDF digital signature formats. With PAdES-LTV signatures your users can continue to verify digitally signed PDFs even after the digital certificate expires. A PAdES-LTV signature embeds both the signing certificate's revocation information and cryptographic timestamps. In short, PAdES outperforms older techniques of PDF signing.
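The "How an AATL signed PDF looks" section and the PAdES answer above describe what LTV material is: revocation data and certificates embedded in a DSS dictionary plus a timestamp. The following added example (written for this page, not Codegic's or Khatim Sign Server's code) shows a triage scan that checks a PDF's raw bytes for those structures and for a ByteRange that actually covers the whole file. The sample PDFs it builds are constructed stand-ins, the `/Contents` blob is a placeholder rather than a real CMS signature, and the level names follow the page's own terminology (PAdES-BES, PAdES-T, PAdES-LTV).

```python
import re

# Regexes over raw PDF bytes. This pattern-matches the file instead of walking
# the object tree, so its verdict is a first look, not signature validation:
# it does not verify the CMS signature, the chain, or AATL membership of the CA.
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
DSS_RE = re.compile(rb"/Type\s*/DSS\b")
DOCTS_RE = re.compile(rb"/Type\s*/DocTimeStamp\b")


def build_sample_pdf(subfilter=b"ETSI.CAdES.detached", dss=False, doc_ts=False):
    """Construct a minimal stand-in PDF (not a real document) with one signature
    dictionary, optionally a DSS dictionary and a document timestamp, and a
    ByteRange filled in so that it covers the whole file."""
    contents = b"<" + b"00" * 64 + b">"              # placeholder hex CMS blob
    placeholder = b"[" + b" ".join([b"0" * 10] * 4) + b"]"
    body = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /SigFlags 3 /Fields [4 0 R] >>"
    if dss:  # certificates and revocation data embedded for long-term validation
        body += b" /DSS << /Type /DSS /Certs [7 0 R] /OCSPs [8 0 R] /CRLs [9 0 R] >>"
    body += b" >>\nendobj\n"
    body += (b"4 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /" + subfilter
             + b" /ByteRange " + placeholder + b" /Contents " + contents + b" >>\nendobj\n")
    if doc_ts:  # RFC 3161 document timestamp dictionary
        body += b"5 0 obj\n<< /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161 >>\nendobj\n"
    body += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    start = body.index(contents)                      # /Contents is the only gap
    end = start + len(contents)
    byte_range = b"[%010d %010d %010d %010d]" % (0, start, end, len(body) - end)
    return body.replace(placeholder, byte_range)      # same width, offsets stay valid


def byte_range_covers_file(data, br):
    """True when the ByteRange starts at 0, ends at EOF, and the only excluded
    gap is the hex-encoded /Contents string."""
    a, b, c, d = br
    return (a == 0 and b <= c and c + d == len(data)
            and data[b:b + 1] == b"<" and data[c - 1:c] == b">")


def inspect_signed_pdf(data):
    """Report signature SubFilters, LTV material, ByteRange coverage and a
    heuristic PAdES level for the given PDF bytes."""
    subfilters = [m.group(1).decode() for m in SUBFILTER_RE.finditer(data)]
    signatures = [s for s in subfilters if s != "ETSI.RFC3161"]
    has_dss = bool(DSS_RE.search(data))
    has_doc_ts = bool(DOCTS_RE.search(data)) or "ETSI.RFC3161" in subfilters
    ranges = [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(data)]
    covers = bool(ranges) and all(byte_range_covers_file(data, r) for r in ranges)
    # A signature timestamp lives inside the CMS blob, which this scan does not
    # parse, so a document timestamp is taken as the timestamp evidence.
    if not signatures:
        level = "unsigned"
    elif has_dss and has_doc_ts:
        level = "PAdES-LTV"
    elif has_doc_ts:
        level = "PAdES-T"
    else:
        level = "PAdES-BES"
    return {"signatures": signatures, "has_dss": has_dss,
            "has_doc_timestamp": has_doc_ts, "byte_range_covers_file": covers,
            "level": level}


if __name__ == "__main__":
    samples = [("BES", build_sample_pdf()),
               ("LTV", build_sample_pdf(dss=True, doc_ts=True)),
               ("LTV + trailing bytes", build_sample_pdf(dss=True, doc_ts=True) + b"% appended\n")]
    for label, pdf in samples:
        print(label, inspect_signed_pdf(pdf))
```

A ByteRange that stops short of the end of the file means bytes were added after that signature was made. In a real LTV document that is normal for the first signature, because the DSS dictionary and the document timestamp are appended as incremental updates, and it is the last revision's timestamp whose range should reach EOF; anything else found after the last covered byte deserves a closer look before the document is trusted.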
Do we need another machine to host the PDF Signing Software?
It can be done either way. You just need to look at your PDF processing load. As the core cryptographic processing is done at the Cloud KMS end, the software can be deployed on existing machines unless you have a really heavy load, e.g. 500 to 1000 documents to be processed per minute. In that case a separate machine with 2 vCPU and 4 GB RAM is sufficient.
My application is written in PHP, can we still integrate?
Of course; any application which can generate an HTTP request can integrate with our software.
What if the AATL Provider Timestamp service goes down?
You can still generate signed PDFs from Khatim Sign Server. The only drawback is that you won't be able to create advanced long-term digital signatures, for which a timestamp is required; a timestamp is optional for an AATL trusted digital signature. The only external dependency is the Cloud KMS hosting provider, which will affect signing if it goes down. You can optionally enable key replication with the Cloud hosting provider to ensure 100% key availability.
Should we expect performance issues after integration?
Our PDF Signing Software delivers the best performance as long as sufficient resources are available. Let us know if you have specific performance needs; our deployment experts will then guide you.
Do you have sandbox or test account?
Yes, we can host a test environment for you where you can send PDFs and get signed PDFs in return.
Does the AATL provider send a USB token for the certificates?
Yes, but you can't use that approach because it will be single threaded and will fail when hundreds of signing requests arrive. Signing with the key residing inside an HSM (or Cloud HSM) is the right way to go.
Can I use my own locally held HSM for the key generation?
Yes you can as long as it is a FIPS 140-2 Level 3 compliant HSM.
Is there any extra cost of the Timestamp service?
No there is no additional cost.
WISH TO INTEGRATE WITH AATL & GAIN CLIENT TRUST?
Codegic specializes in Document Signing, Signature Verification, Digital Certificates, PKI, HSMs and a lot more.