PDF digital signatures are not all the same. An e-signature that places a signature image on a PDF (DocuSign’s click-to-sign, Adobe Acrobat’s Fill and Sign, a drawn signature on a tablet) creates an electronic signature backed by an audit trail. A certificate-based digital signature uses PKI cryptography: a private key signs a hash of the document content and embeds the signature along with the signer’s certificate in the PDF. The cryptographic result is verifiable without contacting any third-party service.
The distinction matters for two reasons: legal standing and trust display. An AATL-trusted certificate-based digital signature shows a green checkmark and verified identity in Adobe Acrobat and Adobe Reader for all recipients with no setup. A self-signed certificate shows ‘Unknown identity’ or ‘Invalid’ unless the recipient manually adds the signer’s certificate to their trusted list. A platform-based e-signature relies on the platform’s audit trail evidence rather than cryptographic proof.
This guide covers how to apply a certificate-based digital signature to a PDF using several tools, from the full Adobe Acrobat workflow to free alternatives, with an honest explanation of what each produces and when each is appropriate.
Before You Start: Which Type of Certificate?
| Situation | What the recipient sees | Certificate needed | Cost |
| --- | --- | --- | --- |
| Signing for yourself or your team who will add your cert to their trusted list | Unknown identity, then valid after trust is established | Self-signed (free; create in Acrobat or with OpenSSL) | Free |
| Signing documents for external recipients using Adobe products | Automatically trusted; green checkmark and your name | AATL-trusted document signing certificate from a CA on Adobe’s AATL | Paid; typically $70-$300/year from DigiCert, Sectigo, GlobalSign |
| Signing documents for recipients using Microsoft Office | Automatically trusted in Word, Excel, Outlook | Certificate from a Microsoft Trusted Root CA | Same CAs as AATL; some are on both lists |
| Internal organization-wide signing where all devices have the corporate CA installed | Valid and trusted for all internal users; internal certificate | Private CA certificate from AD CS or similar | No per-certificate cost if you have internal CA infrastructure |
| Signing for legal purposes requiring qualified signatures (EU eIDAS QES) | Qualified badge in conforming readers; legally equivalent to handwritten signature in EU | Qualified certificate from an EU Trust Service Provider | Higher cost; requires identity verification |
Method 1: Adobe Acrobat With an AATL-Trusted Certificate
This is the method that produces the most widely trusted signatures, with automatic green checkmarks for all recipients using Adobe products. It requires a paid document signing certificate from an AATL-member CA (DigiCert, Sectigo, GlobalSign, SSL.com, and others) and either Adobe Acrobat Standard or Pro.
Prerequisites
- A document signing certificate installed on a hardware token (USB token provided by the CA) or in a cloud HSM signing account
- Adobe Acrobat Standard or Pro (not just Reader; Reader can apply signatures but requires a pre-existing signature field)
- The hardware token software installed and the token plugged in, if using a physical token
Applying a certification signature (first signer, defining the document)
A certification signature is appropriate when you are the originating party certifying a document as the authoritative version. It appears as a blue ribbon in Acrobat and optionally defines what subsequent modifications are permitted.
- Open the PDF in Adobe Acrobat
- Go to All tools (top left), then View more, then Use a certificate
- Select Certify (visible signatures) for a visible signature, or Certify (invisible signatures) for a certification mark without a signature block on the page
- Click OK on the instructions dialog, then drag to draw a signature rectangle where the signature should appear
- In the Sign with a Digital ID dialog, select your certificate from the list. If not listed, click Configure New Digital ID and import from your token or PKCS12 file.
- Select the signature appearance (Acrobat has built-in text-based appearances; you can create custom appearances with logo or image in Preferences, Signatures, Creation and Appearance)
- Select what modifications to allow after certification: No changes allowed, Form filling and signatures, or Form filling, signatures, and annotations
- Click Sign, then save the document with a new filename to preserve the original
- If prompted, enter your hardware token PIN or PKCS12 password
Applying an approval signature
An approval signature is appropriate for subsequent signers or for any document you are approving rather than certifying. It can be applied multiple times by multiple parties to the same document.
- Open the PDF in Adobe Acrobat
- Go to All tools, then View more, then Use a certificate
- Select Digitally sign
- Drag to draw the signature rectangle
- Select your certificate, configure appearance, and click Sign
- Save the signed document
If the PDF already has designated signature fields, Adobe Acrobat shows them with purple indicators. Click on a designated field rather than drawing a new rectangle to sign into the existing field. This is the workflow for signing forms sent to you with specific signature locations already prepared.
Method 2: Adobe Acrobat Reader (Free) With a Certificate
Adobe Acrobat Reader is free and can apply certificate-based digital signatures when a document signing certificate is available. The limitation compared to Acrobat Pro: Reader can only add signatures to PDFs that either have an existing signature field or have been reader-extended by Acrobat Pro (enabled with Reader comments and signatures). For documents you receive with a signature field already prepared, Reader works well.
The workflow in Reader is the same as Acrobat once you reach the signature dialog: All tools, Use a certificate, Digitally sign. Reader reads certificates from the Windows Certificate Store (on Windows) or macOS Keychain (on Mac), so a certificate installed by your hardware token’s software is accessible to Reader automatically. Cloud HSM signing services with desktop client software also typically integrate with the system certificate store.
Method 3: LibreOffice (Free, Cross-Platform)
LibreOffice can digitally sign PDF files using certificates from the system certificate store, Mozilla’s NSS database, or a PKCS11 device. It supports both signing PDFs directly and exporting ODF documents to signed PDFs.
- Open the document in LibreOffice (Writer, Calc, Impress, or Draw)
- Go to File, Export as PDF
- In the PDF options dialog, click the Digital Signatures tab
- Click Select next to Certificate, then choose your certificate from the certificate selection dialog
- Optionally enter a signing reason and contact information in the provided fields
- Set the timestamp authority URL in the Certificate Timestamp Authority field (use a public TSA like http://timestamp.digicert.com for free timestamping)
- Click Export, choose a filename, and save the signed PDF
LibreOffice uses certificates from the operating system certificate store on Windows and macOS. On Linux, it uses Mozilla’s NSS database. A certificate installed by your hardware token software is accessible through the Select dialog. Self-signed certificates created in Acrobat are in PKCS12 format (.p12 or .pfx) and can be imported into the system certificate store before signing in LibreOffice.
Method 4: pyHanko (Command Line and Python Library)
pyHanko is an open-source Python tool for signing, verifying, and stamping PDF files. It supports all PAdES baseline profiles (B-B, B-T, B-LT, B-LTA), LTV-enabled signatures, multiple signatures, PKCS11 hardware token integration, and RFC 3161 timestamping. It is appropriate for automated signing workflows, scripting, or any scenario where a GUI application is impractical.
```
# Install pyHanko:
$ pip install pyhanko pyhanko-certvalidator

# Sign a PDF with a PEM certificate and private key:
$ pyhanko sign addsig --field 'Signature1' \
    --timestamp-url http://timestamp.digicert.com \
    pemder \
    --cert signing-cert.pem \
    --key signing-key.pem \
    input.pdf output-signed.pdf

# Sign with a PKCS12 (.p12 / .pfx) file (passed as the last positional argument):
$ pyhanko sign addsig --field 'Signature1' \
    --timestamp-url http://timestamp.digicert.com \
    pkcs12 \
    input.pdf output-signed.pdf certificate.p12

# Sign using a PKCS11 hardware token (USB token):
$ pyhanko sign addsig --field 'Signature1' \
    --timestamp-url http://timestamp.digicert.com \
    pkcs11 \
    --lib /path/to/pkcs11-module.so \
    --slot-no 0 \
    --cert-label 'My Signing Certificate' \
    input.pdf output-signed.pdf

# Apply LTA (Long Term Archival) archive timestamps to an existing signed PDF:
$ pyhanko sign ltaupdate --timestamp-url http://timestamp.digicert.com signed.pdf

# Validate all signatures in a signed PDF:
$ pyhanko sign validate signed.pdf
```
pyHanko generates cryptographically correct PAdES-compliant signatures. The resulting signatures are verifiable in Adobe Acrobat and Acrobat Reader. The AATL trust issue still applies: if the signing certificate is not from an AATL-member CA, recipients using Adobe products see ‘Unknown identity’ unless they add the signer’s certificate to their trusted list.
Method 5: open-pdf-sign (Simple CLI, Java)
open-pdf-sign is a simpler command-line tool for signing PDFs with a certificate. It requires Java 11 or later and accepts a certificate and key in PEM format. It is less feature-rich than pyHanko but simpler to use for basic signing operations and suitable for server-side automated signing.
```
# Download open-pdf-sign:
$ curl -Lo open-pdf-sign.jar \
    https://github.com/open-pdf-sign/open-pdf-sign/releases/latest/download/open-pdf-sign.jar

# Sign a PDF (invisible signature):
$ java -jar open-pdf-sign.jar \
    --input input.pdf \
    --output output-signed.pdf \
    --certificate certificate.crt \
    --key private.key

# Sign with a visible signature on the last page:
$ java -jar open-pdf-sign.jar \
    --input input.pdf \
    --output output-signed.pdf \
    --certificate certificate.crt \
    --key private.key \
    --page -1 \
    --locale en-US

# The tool accepts PEM-formatted certificates and keys.
# For PKCS12 files, extract with:
#   openssl pkcs12 -in cert.p12 -out certificate.crt -nokeys
#   openssl pkcs12 -in cert.p12 -out private.key -nocerts -nodes
```
Verifying a Digital Signature in a PDF
Verification in Adobe Acrobat and Reader is automatic when you open a signed PDF. The signature validation status appears in the Signature panel (View menu, Show/Hide, Panels, Signatures, or the ribbon icon on the left side). Understanding what each status means is important for correctly evaluating a document.
| Status in Acrobat | What it means | Common cause |
| --- | --- | --- |
| Signature is valid (green checkmark) | The signature cryptographically checks out AND the certificate chains to a CA in Acrobat’s trust list (AATL or your custom trusted certificates) | Certificate from an AATL-member CA; signature and document have not been modified since signing |
| Signed, but the identity of the signer could not be verified (blue question mark or yellow warning) | The signature cryptographically checks out but the certificate is not trusted by Acrobat | Self-signed certificate; certificate from a CA not on the AATL; internal CA certificate not added to trusted list |
| Signature is invalid (red X) | The document has been modified after signing, or the signature is corrupt | Document was edited after signing; PDF corruption; mismatch between the signature’s hash and the current document content |
| Signature is unknown / cannot be verified | The signature could not be processed due to a missing or expired certificate | The signer’s certificate has expired; certificate chain is incomplete; required CRL or OCSP data is unavailable |
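The first three rows of the table can be reproduced outside Acrobat. A PDF signature is a detached CMS signature over byte ranges of the file, so this added example (not part of the original guide) signs a plain file with the openssl CLI and classifies the result the same way. Function names, file names, status labels and the throwaway certificate are constructed; revocation checks and PDF byte-range handling are not modelled.

```bash
# Added example: detached CMS signing and a three-way status check (openssl CLI).

# sign_detached <content> <cert.pem> <key.pem> <sig.der>
sign_detached() {
  openssl cms -sign -binary -md sha256 -in "$1" -signer "$2" -inkey "$3" \
    -outform DER -out "$4"
}

# cms_verify <content> <sig.der> [extra openssl cms options...]
# -purpose any: document signing certificates usually lack the e-mail EKU
# that openssl cms expects by default.
cms_verify() {
  cv_content="$1"; cv_sig="$2"; shift 2
  openssl cms -verify -binary -inform DER -in "$cv_sig" -content "$cv_content" \
    -purpose any "$@" -out /dev/null 2>/dev/null
}

# classify_signature <content> <sig.der> [trusted-root.pem]
# Prints valid, identity-unknown or invalid.
classify_signature() {
  if [ -n "${3:-}" ] && cms_verify "$1" "$2" -CAfile "$3"; then
    echo valid              # hash matches and the chain ends at a trusted root
  elif cms_verify "$1" "$2" -noverify; then
    echo identity-unknown   # hash matches, signer certificate is not trusted
  else
    echo invalid            # content no longer matches the signed hash
  fi
}

# demo_statuses: runs the three cases on constructed data in a temp directory.
demo_statuses() (
  d="$(mktemp -d)" || exit 1
  trap 'rm -rf "$d"' EXIT
  printf 'constructed contract text\n' > "$d/doc.txt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Signer" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || exit 1
  sign_detached "$d/doc.txt" "$d/cert.pem" "$d/key.pem" "$d/sig.der" || exit 1
  a="$(classify_signature "$d/doc.txt" "$d/sig.der" "$d/cert.pem")"
  b="$(classify_signature "$d/doc.txt" "$d/sig.der")"
  printf 'edited after signing\n' >> "$d/doc.txt"
  c="$(classify_signature "$d/doc.txt" "$d/sig.der" "$d/cert.pem")"
  echo "$a $b $c"
)
```

The same signature moves from identity-unknown to valid only because the verifier was given the signer's certificate as a trusted root, which is what importing a certificate into Acrobat's trusted list does.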
Adding a certificate to Acrobat’s trusted list
To display ‘valid’ for a certificate not on the AATL (for example, an internal CA certificate or a certificate from a colleague who signed with a self-signed certificate), add the certificate to Acrobat’s trusted certificates list:
- In Adobe Acrobat, go to Edit (Windows) or Acrobat (Mac), Preferences, Signatures
- In Identities and Trusted Certificates, click More
- In Digital IDs and Trusted Certificate Settings, select Trusted Certificates
- Click Import, browse to the certificate file (.cer, .crt, or .pem), and import it
- In the import confirmation, check Trust this certificate as a trusted root and click OK
After importing, reopen the signed PDF and the signature status updates to valid for all documents signed by that certificate or certificates issued by that CA.
Creating and Using a Self-Signed Certificate for Signing
Acrobat can create a self-signed PKCS12 digital ID for signing purposes without any external CA. This is useful for internal workflows where you control all recipient environments. In Acrobat, go to Edit, Preferences, Signatures, Identities and Trusted Certificates, Add ID, Create a self-signed digital ID. Fill in the name, organization, and email. Set the key algorithm to RSA 2048 or higher, set the intended use to Digital Signing, and set an appropriate validity period.
The resulting .p12 file contains the certificate and private key. Anyone who needs to trust signatures from this certificate must import it as a trusted root (steps above). For a team of five people signing internal documents, this is workable. For external recipients across organizations, it is impractical, and an AATL-trusted certificate from a public CA is the appropriate choice.
OpenSSL can also generate a self-signed certificate suitable for PDF signing from the command line. The key requirement is including the non-repudiation and digital signature key usage extensions, and optionally adding the document signing extended key usage OID (1.2.840.113583.1.1.5). For most internal use cases, a certificate without the exact extended key usage still works in Acrobat but may generate warnings in strict validation environments.
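One way to do this, as an added example that is not from the original guide: a private OpenSSL config sets the two key usages and the EKU OID quoted above, and a check confirms they landed in the certificate. The subject, validity, file names, function names and the P12_PASS variable are assumptions.

```bash
# Added example: self-signed PDF signing certificate with OpenSSL.
# The EKU OID is the one quoted in the text; everything else is an assumption.
DOCSIGN_OID="1.2.840.113583.1.1.5"

# make_signing_cert <dir> <common-name> <days>
# Writes signing-key.pem (unencrypted, owner-only) and signing-cert.pem into <dir>.
make_signing_cert() (
  dir="$1"; cn="$2"; days="$3"
  umask 077
  cat > "$dir/docsign.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = docsign_ext
[dn]
CN = $cn
[docsign_ext]
basicConstraints     = critical,CA:FALSE
keyUsage             = critical,digitalSignature,nonRepudiation
extendedKeyUsage     = $DOCSIGN_OID
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -config "$dir/docsign.cnf" \
    -keyout "$dir/signing-key.pem" -out "$dir/signing-cert.pem" 2>/dev/null
)

# check_signing_cert <cert.pem>
# Succeeds only if both key usages and the document signing EKU are present.
check_signing_cert() (
  text="$(openssl x509 -in "$1" -noout -text)" || exit 1
  for want in "Digital Signature" "Non Repudiation" "$DOCSIGN_OID"; do
    printf '%s\n' "$text" | grep -qF "$want" || exit 1
  done
)

# package_p12 <dir> <friendly-name>
# Bundles key and certificate into signing-id.p12 for import into a certificate
# store; the PKCS12 password is read from the P12_PASS environment variable.
package_p12() {
  openssl pkcs12 -export -name "$2" -inkey "$1/signing-key.pem" \
    -in "$1/signing-cert.pem" -out "$1/signing-id.p12" -passout env:P12_PASS
}
```

Delete signing-key.pem once the PKCS12 file has been created and imported, since it is written without a passphrase.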
Long-Term Validity: Ensuring Signatures Remain Verifiable
A signed PDF without LTV (Long Term Validation) embedding may become unverifiable after the signing certificate expires or after CA revocation infrastructure is decommissioned. LTV embeds all validation material in the PDF at signing time: the full certificate chain, OCSP responses or CRL data, and optionally a trusted timestamp.
In Adobe Acrobat, LTV embedding happens automatically when the signature is applied with OCSP or CRL data available and a timestamp server is configured. Check the signature’s details in Acrobat’s Signature panel to confirm the LTV status.
For documents requiring archival validity across decades, periodic archive timestamps (LTA) extend verifiability as algorithms age. pyHanko’s ltaupdate command applies archive timestamps to already-signed PDFs. Adobe Acrobat does not have a built-in LTA workflow, but the enterprise document signing platforms (DigiCert, DocuSign, Adobe Sign) can apply LTA as part of their managed signing service.
For most business documents (contracts, invoices, agreements with 7-10 year retention requirements), LTV embedding is sufficient. For documents with very long retention requirements (notarized documents, property records, legal filings), LTA should be considered.
Frequently Asked Questions
Do I need to buy a certificate to digitally sign a PDF?
It depends on who needs to trust the signature. If you only need to sign documents for recipients who will manually add your certificate to their trusted list (colleagues in your organization where you can distribute the certificate), a free self-signed certificate created in Adobe Acrobat is sufficient. If you need the signature to show as ‘valid’ with a green checkmark for any recipient using Adobe products worldwide without any manual setup, you need an AATL-trusted certificate from a CA on Adobe’s Approved Trust List. AATL-trusted document signing certificates cost from around $70 to $300 per year depending on the CA and validation level.
What is the difference between Adobe’s Fill & Sign and a certificate-based digital signature?
Fill and Sign in Adobe Acrobat and Acrobat Reader applies an electronic signature: it places an image of your signature on the page (drawn, typed, or uploaded as an image). This creates a visual signature appearance but no PKI cryptographic binding. The signature does not verify your identity through a certificate chain and does not prove the document was not modified after signing. A certificate-based digital signature (via All tools, Use a certificate, Digitally sign) applies a cryptographic hash-then-sign operation tied to your certificate, provides tamper evidence, and shows your verified identity in the signature validation panel.
Can I sign a PDF without Adobe Acrobat?
Yes. LibreOffice can sign PDFs using certificates from your system certificate store when exporting to PDF via File, Export as PDF, Digital Signatures tab. pyHanko is an open-source Python command-line tool that supports all PAdES profiles and RFC 3161 timestamping. open-pdf-sign is a simpler Java command-line tool for basic signing operations. Both command-line tools produce signatures that are verifiable in Adobe Acrobat. The AATL trust requirement applies regardless of which tool you use: the trust level of the resulting signature depends on which CA issued the signing certificate, not which tool was used to apply the signature.
Why does Acrobat show ‘Unknown identity’ for a signature that I applied correctly?
The blue question mark ‘Identity unknown’ or ‘Signed, but the identity of the signer could not be verified’ means the signature is cryptographically valid but the certificate is not trusted by Adobe Acrobat. This happens with self-signed certificates and with certificates from CAs not on the Adobe Approved Trust List (AATL). The document has not been tampered with; the certificate simply is not in Adobe’s trusted root list. To fix this for specific certificates: have the certificate issuer apply for AATL membership (appropriate for CA organizations), or for internal use, distribute the root certificate to all recipients for manual import into Acrobat’s trusted certificates.
Does the signature survive if the PDF is printed and scanned?
No. A PDF digital signature is an electronic construct embedded in the PDF file structure. Printing destroys the PDF structure and creates a raster image. Scanning creates a new PDF without any signature. The signature cannot survive the print-scan cycle. If you need a physical document with a verifiable original digital record, the electronic PDF with signature is the authoritative version and the printed copy is a reproduction. This is why legally significant signed documents should be kept in their original signed PDF form rather than being printed and stored as paper.
