‘At Least One Signature Is Invalid’: How to Fix an Invalid Signature in a PDF (Adobe)

1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5, rated)
Loading...

Learn what causes this PDF-related error in Adobe Acrobat and Reader and how to fix it

Since you’re here reading this article, I’ll assume that you’ve received an error informing you that “at least one signature is invalid” in a PDF in Adobe Acrobat (which looks like this):

Invalid signature in a PDF example: A screenshot of how the PDF signature invalid error displays in an Adobe Acrobat PDF
Image caption: A screenshot of the PDF signature error in Adobe Acrobat, which states that “at least one signature is invalid.”

Compare this to what it should look like when you digitally sign a PDF in Adobe Acrobat using a valid document signing certificate:

A screenshot illustrating how a valid certificate-based signature displays in a PDF in Adobe Acrobat
Image caption: A screenshot of a valid PDF signature error in Adobe Acrobat.

We’ll quickly break down what this error means and how you can address it to get back to signing your PDF documents.

NOTE: To add a cryptographic digital signature to your document in Adobe Acrobat or Adobe Reader, you’ll need to use a Document Signing Certificate from a trusted Certification Authority (CA). If you don’t already have one, you’ll need to get one.

Add an Adobe-Trusted Signature to Your PDFs for as Little as $307.75

Secure your Adobe PDFs and other documents with a legally binding signature that proves they’re legitimate and can be trusted.

Get a Document Signing Certificate

 

What Causes the PDF ‘Signature Is Invalid’ Error in Adobe Acrobat?

A few possible scenarios can cause this invalid signature error in a PDF. The first may be an issue with your version of Adobe Acrobat. Update your Adobe to the latest version of the software, if you haven’t already done so.

However, simply updating your software isn’t a one-size-fits-all solution. The PDF invalid signature error message “The selected certificate has errors: invalid policy constraint” is a big clue, and narrows this issue down to two potential causes:

  1. You’re using the wrong X.509 certificate (i.e., one that doesn’t have the key usage, advanced key usage, or certificate policy for document signing)
  2. Adobe doesn’t recognize or trust the CA that signed the document signing certificate

We’ll explore these potential causes for why you’re seeing the “at least one signature is invalid” error in Adobe Acrobat and how you can fix it.  

Reason #1 Why Your PDF Signature Is Invalid: You’re Using the Wrong Certificate

This is something I was guilty of doing (hence why I came to write this article). When trying to create an example signature for another article, I accidentally selected the wrong certificate to sign my PDF. (In this case, I’d accidentally selected my S/MIME email signing certificate because I forgot to plug in the secure hardware token where my document signing certificate is stored and just selected the certificate that was showing as available in Adobe Acrobat.)

Two screenshots placed together that compare the visual difference of how a valid signature versus an invalid signature displays in a PDF in Adobe Acrobat.
Image caption: A side-by-side comparison of what you see when you open a Document Signing Certificate (left) versus an S/MIME email signing and encryption certificate (right).

While some S/MIME certificates (i.e., Multipurpose Organization-Validated S/MIME Certificates) are now able to digitally sign certain types of documents, namely Microsoft Office files, a document signing certificate specifically is required to sign Adobe PDFs.

So, when I selected the wrong certificate to apply my signature, it ended up displaying an ugly error:

An example of the signature is invalid error that displays in Adobe Acrobat for a PDF that's signed by an untrusted certificate

To fix this issue, you need to ensure you’re using a valid document signing certificate:

  • Right-click on the digital signature box in your Adobe PDF and select All Signature Properties.
  • In the Signature Properties window, press the Show Signer’s Certificate button.
  • Under the Details tab, scroll to Certificate Policies and see the listed policy identifier. You can also check the Key Usage and Extended/Enhanced Key Usage fields for information relating to Digital Signatures and Non-Repudiation.

Add Your Document Signing Certificate

You can add a signing certificate to Adobe Acrobat by completing the following steps:

  • Double-check to ensure that you have activated your SafeNet Authentication Client.
  • Plug in the secure USB token where your document signing certificate and private key are stored.
  • In Adobe Acrobat, navigate to All Tools > Use a Certificate > Digitally sign.
  • Using your mouse, draw a rectangle where you want the digital signature to display in the document.
  • Select the appropriate Document Signing Certificate in the Sign with a Digital ID window and hit Continue.
A screenshot demonstrating how to choose a Digital ID to use for signing in Adobe Acrobat.

Is your document signing certificate not showing on the list of available certificates? Hit the Refresh button near the top of the window and see if it appears.

Otherwise, select Configure New Digital ID and follow the prompts to create a new Digital ID profile in Adobe Acrobat.  

A screenshot showing how to configure a digital ID for signing in Adobe Acrobat

Reason #2 Why Your PDF Signature Is Invalid: A CA Isn’t Trusted

Every publicly trusted Document Signing Certificate is issued by a publicly trusted certification authority (i.e., a CA such as DigiCert). If there’s an issue with the certificate trust chain (i.e., the hierarchy of certificates that the signing certificate came from), then there will be trust issues when it comes to Adobe Acrobat validating the signature.

What are some of the causes of this error?

  • There’s an issue with the public CA that issued and signed the certificate
  • You’re using a certificate that was issued by a private CA
  • You’re using a self-signed document signing certificate

Untrusted Public CA Certificates

Check your Adobe Acrobat trust settings to see whether it’s set to use the Adobe Approved Trust List (AATL) and/or the European Union Trust List (EUTL). Try refreshing both lists to ensure your Adobe Acrobat is using the most current data by navigating to Menu > Preferences. In the Preferences screen, select the Trust Manager category from the left-hand list of options and hit the Update Now buttons for both the AATL and EUTL lists as shown here:

Screenshots showing where to update the trust lists (i.e., AATL and EUTL) in Adobe Acrobat.

Hit OK for each list’s security settings update confirmation screen and the OK button in the Trust Manager to finish.

Private CA Certificates

For the private CA certificate, you’ll need to manually trust the CA by validating the certificate chain. To do this, navigate to the Certificate Details, select the Trust tab and hit the Add to Trusted Certificates button (as shown below).

A screenshot of the Certificate Viewer screen where you can add a certificate to the list of trusted certificates in Adobe Acrobat.

When prompted to change the trust settings, hit OK.

In the Import Contact Settings window, select Use this certificate as a trusted root and hit OK to complete the task.

NOTE: This will ensure the certificate is trusted on your device only and won’t impact the invalid signature issue for other parties who open the PDF on different devices.

Self-Signed Certificates

Adobe doesn’t recommend adding random or self-signed certificates to Adobe’s list of Trusted Identities. We recommend sticking with that advice as adding a self-signed certificate is inherently dangerous. Only use document signing certificates from a publicly trusted CA for PDFs that are shared externally and a private CA document signing certificate strictly for internal use cases.

Add an Adobe-Trusted Signature to Your PDFs for as Little as $307.75

Secure your Adobe PDFs and other documents with a legally binding signature that proves they’re legitimate and can be trusted.

Get a Document Signing Certificate

 

Still Having Issues?

Get in touch with TheSSLstore.com’s Support team for further assistance.

Want to Learn More About Signing PDFs in Adobe Acrobat or Reader?

If you want to learn more about signing PDFs using a Document Signing Certificate, check out our step-by-step guide on signing a PDF in Adobe Acrobat on Hashed Out. This guide includes a video and step-by-step instructions with screenshots to walk you through the process.  

No related posts.