AATL PDF Digital Signatures = More Trust!

Get your own AATL compliant PDF signing solution, Guaranteed!
  • Globally Trusted
  • 100% ETSI Compliant
  • Advanced Digital Signatures
  • Developer friendly integrations
  • Secured with FIPS 140-2 Level 3 HSM

AATL, silver bullet for your signature trust issues

Signing PDF documents is simple but ensuring that your signed PDFs are trusted out of the box is complex. Getting an alert notification on opening a digitally signed PDF file is both confusing and disturbing. The most common cause of PDF not being trusted in Adobe Acrobat Reader is its failing to trust the signing certificate. This is where AATL from Adobe helps. Adobe launched their Adobe Acrobat Trusted List program (AATL) allowing PDF digital signatures to be trusted requiring no manual client side configurations. AATL improves the overall user’s experience by trusting your PDF digital signatures. 

PDF Signed with AATL backed signatures

Painful alternatives

Administrators may employ cumbersome options to ensure their clients see a trusted green tick mark when they open digitally signed PDFs. Some of these are:

  • Manually install the Root CA certificates and configuring Adobe Acrobat to use Windows Keystore  (Adobe Reader > hit Ctrl + K, Signature > Verification)
  • Manually add Root CA inside Adobe Acrobat Trusted Certificates List  (Adobe Reader > hit Ctrl + K, Signature > Identity and Trusted Certificates)

Both of these options are workable but only helpful in closed environments where your or administrator can easily guide users or control machines. All of these options will fail, if user’s are outside your network as persuading them to trust your internally hosted Root CA will not work.

AATL avoids manual trusting Root Certificates, speeds up signature acceptability and client trust.

Components in an AATL system

AATL involves multiple business entities collaborating to ensure your digital signatures are trusted seamlessly. These are:

Cloud Provider

Hosts the HSM in the cloud at location of your choice

AATL Provider

Validates your identity and issues AATL trusted digital certificates

USB Token

Optionally keys can also reside on USB token

PDF Application

PDF signing application to process the keys and certificates

How to get an AATL Certified Digital Certificate

Following are the steps to digitally sign PDF with AATL trusted certificate:

  1. Register with an AATL Provider. Registration requires proving your company’s identity and paying registration fees
  2. Once done, generate keypairs (RSA or ECDSA) inside a secure hardware device. This can be either an on-premise HSM or a Cloud hosted HSM. In both case these must be a FIPS 140-2 Level 3 compliant hardware
  3. Generate CSR (Certificate Signing Request) and get associated proof (video, attestation document) that the keys were generated inside an HSM 
  4. Send the CSR to the AATL Provider with proofs and get your AATL digital certificate
  5. Integrate the certificate in your software and enable signing with the HSM

An AATL based digital keys/certificate can either reside on a USB based crypto token or HSM. These certificates are automatically trusted and the signatures can be used for long-term; timestamped and revocation added (LTV; long term validated). In case of USB token, CSR doesn’t need to be sent rather the AATL Provider will send you the USB token so steps 2 – 4 above are not needed.

PDF Signing-How AATL Works

How an AATL signed PDF looks

A PDF signed with an AATL trusted digital certificate looks the same as signed with a non-AATL certificate as there are no change in the PDF contents. The two noticeable changes are:

  • Digital signature is marked as verified/trusted at the top bar
  • Mentions source of Trust obtained from Adobe Approved Trust List (AATL)

Your clients will not see digital signature verification failures and start trusting your signed content more.

Green Tick Mark

Digital signature is marked as verified/trusted at the top bar

Source of Trust

Show's source of Trust obtained from Adobe Approved Trust List (AATL)

AATL signed PDF viewed in Adobe Acrobat
AATL signed PDF viewed in Adobe Acrobat

How Codegic helps in AATL based PDF Signing

Codegic is a one stop shop which helps clients from choosing the best AATL provider and developing ETSI’s PAdES complaint PDF signing software. Some of the salient features are:

ETSI Standards

Create ETSI complaint PAdES digital signatures e.g. PAdES-LTV

Lowest Rates

Integrate with AATL Providers at much lower cost


Complete guidance from key generation to PDF signing

Trusted PDFs

Signed PDF are trusted (out of the box) in Adobe Acrobat Reader DC

Multiple Providers

Support all the major Cloud KMS Providers: Google, Azure, Amazon

PDF Signing Software

Develop optimized, platform independent PADES creation software

  • Standard based: We create PAdES digital signatures (PAdES-BES, PAdES-T or PAdES-LTV)
  • Trust Oriented: Integrate your existing PDF signing solution with top AATL providers
  • Cloud based: Develop and integrate with top Cloud based HSM providers. This includes: Google Cloud HSM, Azure Key Vault, Amazon Cloud HSM
  • Reduced Cost: We have relationships with the best AATL Provider out of 60+ known AATL providers
  • Guidance: Support and & training is provided from key generation, certificate issuance and integration
  • Fully Trusted: Ensure the signed PDF complies with PAdES standard and also trusted (out of the box) in Adobe Acrobat Reader DC

To Learn more about PDF Signing click see How PDF Signing works.


The overall cost of getting AATL signed PDF documents can broken down into:

KMS Cloud Provider

Cost less than $2 per signing key per month (with 10,000 cryptographic operations) from Google, AWS, Azure

AATL Provider

Depends upon the number of signatures to be produced, see below for details.


Khatim Sign Server, integrated with KMS using AATL issued certificate. Contact us for details.

AATL Provider Cost

The overall cost of getting AATL signed PDF documents can broken down into:

50K Signing

$1K / year

100K Signing

$1.6K / year


Get further discount when you buy certificates for 2 or 3 years

Success Story

``Our team was not able to handle the AATL needs for our E-sign Service, so we researched and found Codegic. They provided a solution that worked in our workflow, and also put us in touch with an AATL certificate provider that was far less expensive than what we had been seeing. During the whole process Codegic was easy to work with, and very importantly, we did not have any communication barriers. Their skills and expertise were obvious regarding AATL and PKI and literally, the project took less than 4 weeks. It was impressive. We would not hesitate to use them again.``
Aaron Jones, Founder SignFast.com


How long it takes to get a trusted certificate from an AATL Provider?

Normally it takes 5-7 days to get your first AATL certified certificate.

Is the timestamp service charges comes included in the AATL charges?

Yes, you get timestamping service which comes with the overall solution.

Which Cloud KMS offering should we use?

Google, AWS and Azure charge almost the same. As a rule of thumb pick the KMS service where you have deployed your PDF signing application. This will reduce network latency in performing the cryptographic operation.

What are the benefits of creating PAdES signatures?

PAdES is an ETSI standard and supports advanced PDF digital signature formats. With PAdES-LTV based signatures your users can continue to verify digitally signed PDFs even if after digital certificate expiry. PAdES-LTV signature embeds both the signing certificate revocation information and cryptographic timestamps. In short PAdES out performs older techniques of PDF signing.

Do we need another machine to host the PDF Signing Software?

Can be done both ways. You just need to look at your PDF processing load. As the core CPU processing is done at the Cloud KMS end hence the software can be deployed on existing machines unless you have really heavy load e.g. 500/1000 documents to be processed per minute. In that case a separate machine with 2 vCPU and 4 GB RAM is sufficient.

My application is written in PHP, can we still integrate?

Of course, any application which can generate an HTTP request can integrate with our software.

What if the AATL Provider Timestamp service goes down?

You can still generate signed PDF from Khatim Sign Server. The only draw back is that you won’t be able to create advanced long term digital signature for which timestamp is required but is an optional for an AATL trusted digital signature. The only external dependency is with the Cloud KMS hosting provider which if goes down will effect signing. You can optionally enable Key replication with the Cloud hosting provider to ensure 100% key availability.

Should we expect performance issues after integration?

Our PDF Signing Software ensures best performance as long as sufficient resources are available. Let us know if you have some specific performance needs. Our deployment experts will then guide you.

Do you have sandbox or test account?

Yes we can host a test environment for you to can send PDFs and get signed PDF in return.

Does the AATL provider send USB for the certifications?

Yes but you can’t use that approach because it will be single threaded and will fail when hundreds of requests are coming to sign. Signing where the key reside inside an HSM (or Cloud HSM) is the right way to go.

Can I use my own locally held HSM for the key generation?

Yes you can as long as it is a FIPS 140-2 Level 3 compliant HSM.

Is there any extra cost of the Timestamp service?

No there is no additional cost.


Codegic specializes in Document Signing, Signature Verification, Digital Certificates, PKI, HSMs and lot more.