Establish long-term signature validation
Long-term signature validation
allows you to check the validity of a signature long after the document
was signed. To achieve long-term validation, all the required elements
for signature validation must be embedded in the signed PDF. Embedding
these elements can occur when the document is signed, or after signature
creation.
Without certain information added to the PDF, a signature can
be validated for only a limited time. This limitation occurs because
certificates related to the signature eventually expire or are revoked.
Once a certificate expires, the issuing authority is no longer responsible
for providing revocation status on that certificate. Without conforming
revocation status, the signature cannot be validated.
The required elements for establishing the validity of a signature
include the signing certificate chain, certificate revocation status,
and possibly a timestamp. If all the required elements are available
and embedded at signing, the signature can be validated without
going to outside resources for validation information. Acrobat and
Reader can embed all the required elements, as long as the elements
are available. The PDF creator must enable usage rights for Reader users
(Advanced > Extend Features In Adobe Reader).
Note: Embedding timestamp information requires a properly configured
timestamp server. In addition, the signature validation time must
be set to Secure Time (Preferences > Security > Advanced Preferences
> Verification tab).
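The reasoning above as a small runnable model. This is an added example, not Adobe's code and not Acrobat's actual validation algorithm; it shows why a signature with an embedded chain, revocation status and timestamp still validates years later, while one missing the timestamp or the revocation status does not. Assumptions: the class and function names are hypothetical, the trust anchor and the timestamp server's own certificate are taken as trusted, and the dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass
class Revocation:  # embedded CRL/OCSP result, reduced to the fields used here
    subject: str
    revoked_at: Optional[datetime] = None  # None means "good"

@dataclass
class SignedPdf:  # hypothetical model of what is embedded in the signed PDF
    chain: list                            # embedded certs below the trust anchor
    revocation: list = field(default_factory=list)
    timestamp: Optional[datetime] = None   # time from an embedded timestamp

def validate_offline(pdf, now):
    """Return (ok, reason) using only what is embedded in the PDF."""
    # A trusted timestamp fixes the evaluation time at signing; without one
    # the only time the validator can trust is its own clock.
    at = pdf.timestamp or now
    status = {r.subject: r for r in pdf.revocation}
    for cert in pdf.chain:
        if not cert.not_before <= at <= cert.not_after:
            return False, f"{cert.subject}: certificate not valid on {at:%Y-%m-%d}"
        if cert.subject not in status:
            return False, f"{cert.subject}: no embedded revocation status"
        revoked = status[cert.subject].revoked_at
        if revoked is not None and revoked <= at:
            return False, f"{cert.subject}: revoked on {revoked:%Y-%m-%d}"
    return True, f"valid as of {at:%Y-%m-%d}"

# Constructed sample data: a signer and issuing CA, signed 2012, checked 2024.
SIGNER = Cert("Signer", utc(2011, 1, 1), utc(2014, 1, 1))
CA = Cert("Issuing CA", utc(2008, 1, 1), utc(2018, 1, 1))
GOOD = [Revocation("Signer"), Revocation("Issuing CA")]
SIGNED, LATER = utc(2012, 6, 1), utc(2024, 6, 1)

if __name__ == "__main__":
    print(validate_offline(SignedPdf([SIGNER, CA], GOOD, SIGNED), LATER))
    print(validate_offline(SignedPdf([SIGNER, CA], GOOD), LATER))
    print(validate_offline(SignedPdf([SIGNER, CA], timestamp=SIGNED), LATER))
```

A certificate revoked after the timestamped signing time does not invalidate the signature in this model, which is the reason the timestamp matters alongside the revocation status.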
Add verification information at signing
1. Make sure that your computer can connect to the
   appropriate network resources.
2. Check that the preference Include Signature’s Revocation
   Status When Signing is still selected. (Preferences > Security
   > Advanced Preferences > Creation tab.) This preference is
   selected by default.
3. Sign the PDF.
If all the elements of the certificate chain are available, the
information is added to the PDF automatically. If a timestamp server
has been configured, the timestamp is also added.
Add verification information after signing
In some workflows, signature validation information is
unavailable at signing, but can be obtained later. For example,
suppose a company official signs a contract using a laptop while
traveling by air. The computer cannot communicate with the Internet
to obtain timestamping and revocation information to add to the signature.
Later, when Internet access becomes available, anyone who validates the
signature can add this information to the PDF. All subsequent signature validations
can also use this information.
1. Make sure that your computer can connect to the appropriate
   network resources, and then right-click the signature in the PDF.
2. Choose Add Verification Information.
The command is unavailable if the signature is invalid or was signed
with a self-signed certificate.