Establish long-term signature validation

Long-term signature validation allows you to check the validity of a signature long after the document was signed. To achieve long-term validation, all the required elements for signature validation must be embedded in the signed PDF. Embedding these elements can occur when the document is signed, or after signature creation.

Without certain information added to the PDF, a signature can be validated for only a limited time. This limitation occurs because certificates related to the signature eventually expire or are revoked. Once a certificate expires, the issuing authority is no longer responsible for providing revocation status on that certificate. Without conforming revocation status, the signature cannot be validated.

The required elements for establishing the validity of a signature include the signing certificate chain, certificate revocation status, and possibly a timestamp. If the required elements are available and embedded during signing, the signature can be validated without requiring external resources. Acrobat and Reader can embed the required elements, if the elements are available. The PDF creator must enable usage rights for Reader users (File > Save As > Reader extended Document).

Note: Embedding timestamp information requires an appropriately configured timestamp server. In addition, the signature validation time must be set to Secure Time (Preferences > Security > Advanced Preferences > Verification tab). CDS certificates can add verification information, such as revocation and timestamp information, into the document without requiring any configuration from the signer. However, the signer must be online to fetch the appropriate information.

Add verification information at signing

  1. Make sure that your computer can connect to the appropriate network resources.

  2. Ensure that the preference Include Signature’s Revocation Status When Signing is still selected. (Preferences > Security > Advanced Preferences > Creation tab.) This preference is selected by default.

  3. Sign the PDF.

If all the elements of the certificate chain are available, the information is added to the PDF automatically. If a timestamp server has been configured, the timestamp is also added.

Add verification information after signing

In some workflows, signature validation information is unavailable at signing, but can be obtained later. For example, a company official may sign a contract using a laptop while traveling by air. The computer cannot communicate with the Internet to obtain timestamping and revocation information to add to the signature. When Internet access is available later, anyone who validates the signature can add this information to the PDF. All subsequent signature validations can also use this information.

  1. Ensure that your computer can connect to the appropriate network resources, and then right-click the signature in the PDF.

  2. Choose Add Verification Information.

Information and methods used to include this long-term validation (LTV) information in the PDF comply with Part 4 of the ETSI 102 778 PDF Advanced Electronic Signatures (PAdES) standard. For more information, see blogs.adobe.com/security/2009/09/eliminating_the_penone_step_at.html. The command is unavailable if the signature is invalid or is signed with a self-signed certificate. The command is also unavailable when the verification time equals the current time.
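
To confirm outside Acrobat that verification information was actually written into a file, the following added example (not Adobe code) scans a PDF for the structures PAdES Part 4 uses: the /DSS dictionary with its /Certs, /OCSPs, /CRLs and /VRI entries, and a document timestamp with /SubFilter /ETSI.RFC3161. It is a byte-level heuristic that assumes Flate-compressed object streams; it does not look inside the signature's own CMS data and does not validate anything. The function names and sample fragments are constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
DSS_KEYS = ("Certs", "OCSPs", "CRLs", "VRI")  # DSS entries named in PAdES Part 4


def searchable_bytes(pdf: bytes) -> bytes:
    """Raw file plus every stream that inflates, so dictionaries stored
    inside compressed object streams are visible to the scan."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj ignores the end-of-line bytes before "endstream"
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate data; leave it out of the scan
    return b"\n".join(parts)


def ltv_report(pdf: bytes) -> dict:
    """Heuristic triage: which LTV-related structures does the file carry?"""
    data = searchable_bytes(pdf)
    has_dss = re.search(rb"/DSS\s*(<<|\d+\s+\d+\s+R)", data) is not None
    report = {"DSS": has_dss}
    for key in DSS_KEYS:
        pattern = rb"/" + key.encode() + rb"(?![A-Za-z0-9])"
        report[key] = has_dss and re.search(pattern, data) is not None
    subfilters = set(re.findall(rb"/SubFilter\s*/([A-Za-z0-9.]+)", data))
    report["signed"] = bool(subfilters)
    report["doc_timestamp"] = b"ETSI.RFC3161" in subfilters
    # A chain plus at least one revocation source is the minimum to look for.
    report["validation_data"] = report["Certs"] and (report["OCSPs"] or report["CRLs"])
    return report


# Constructed sample fragments (not real PDFs): a bare signature dictionary,
# and the same fragment plus a DSS dictionary inside a Flate-compressed stream.
SIG_ONLY = b"1 0 obj\n<< /Type /Sig /SubFilter /adbe.pkcs7.detached >>\nendobj\n"
_DSS = b"<< /DSS << /Certs [5 0 R] /OCSPs [6 0 R] /VRI 7 0 R >> >>"
WITH_DSS = (SIG_ONLY + b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(_DSS) + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for name, sample in (("SIG_ONLY", SIG_ONLY), ("WITH_DSS", WITH_DSS)):
        print(name, ltv_report(sample))
```

A file that reports `signed` but not `validation_data` is a candidate for the Add Verification Information step described above.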