Trust Settings

Introduction

A digital signature guarantees the integrity of a document and allows the recipient to identify its signer. The integrity is proved mathematically, but how do you know that the signer is really the signer you expect?

And how should the reader application know that the signer's identity is the expected one? In the end, all of this is based on trust, and on entities that sign other certificates to confirm their identity - a certificate authority (CA).

Trust Settings in Adobe Acrobat or Reader

By default, Adobe Acrobat and Reader trust signers whose digital certificates can trace their lineage back to a certificate on the Adobe Approved Trust List (AATL), in the Certified Document Services (CDS) program, or on the European Union Trusted Lists (EUTL).

Nearly all certificates in these programs are required to be stored on a secure hardware device, such as a USB token, which makes them unusable through PHP in common situations. To overcome this we have built several modules that let you communicate with key management systems (e.g. AWS KMS, Google KMS, Azure Key Vault), which store the keys for you as a service on a secure hardware device. You can find more details about the modules here.

Certificates for companies (so-called advanced seals) are also available as software certificates and validate through the EUTL.

Other certificate authorities offer software certificates, but these are not automatically trusted by Acrobat or Reader. In that case a blue ribbon tells the user that "At least one signature has problems.".

To validate the signature you need to add the signer's certificate or its root certificate to your "Trusted Certificates" as described here.
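The following PHP script is an added example written for this page; it is not SetaPDF code and it does not touch a PDF. It models the two distinct questions raised above: whether the issuer's signature on a certificate is mathematically valid, and whether the certificate chains to a root that the verifier has chosen to trust. Two self-signed roots are constructed on the fly: "Example Trusted Root CA" stands in for a root that is on a list such as the AATL or EUTL, and "Example Unlisted CA" for a CA the reader application does not know. The signer's certificate is issued by the first root. The script assumes the PHP openssl extension and a standard openssl.cnf that contains a `v3_ca` extension section (OpenSSL's default configuration ships one); all names and keys are constructed here and carry no meaning outside the example.

```php
<?php
// Added example (not part of the original page, not SetaPDF code).
// Assumes ext/openssl and a default openssl.cnf with a "v3_ca" section.

/** Create a self-signed root CA (CA:TRUE via the openssl.cnf "v3_ca" section). */
function makeRootCa(string $commonName): array
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $dn = ['countryName' => 'DE', 'organizationName' => 'Example Org', 'commonName' => $commonName];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    // Issuer null => self-signed. Serial is a constructed random value.
    $cert = openssl_csr_sign($csr, null, $key, 3650,
        ['digest_alg' => 'sha256', 'x509_extensions' => 'v3_ca'], random_int(1, PHP_INT_MAX));
    return [$cert, $key];
}

/** Issue an end-entity (signer) certificate from the given CA. */
function issueSignerCert(string $commonName, $caCert, $caKey): array
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $dn = ['countryName' => 'DE', 'organizationName' => 'Example Org', 'commonName' => $commonName];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, $caCert, $caKey, 365, ['digest_alg' => 'sha256'], random_int(1, PHP_INT_MAX));
    return [$cert, $key];
}

/** Write a certificate as PEM to a temp file so it can serve as a trust-list entry. */
function writeTrustAnchor($cert): string
{
    $path = tempnam(sys_get_temp_dir(), 'trust_');
    openssl_x509_export($cert, $pem);
    file_put_contents($path, $pem);
    return $path;
}

/** Integrity only: was this certificate signed by the holder of $issuerCert's key? */
function issuerSignatureValid($cert, $issuerCert): bool
{
    return openssl_x509_verify($cert, openssl_pkey_get_public($issuerCert)) === 1;
}

/** Trust: does the certificate chain to one of the trusted root files? */
function chainsToTrustedRoot($cert, array $trustedRootPaths): bool
{
    return openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY, $trustedRootPaths) === true;
}

[$trustedRoot, $trustedRootKey] = makeRootCa('Example Trusted Root CA'); // stands in for an AATL/EUTL root
[$unlistedRoot, $unlistedRootKey] = makeRootCa('Example Unlisted CA');   // a CA the reader does not know
[$signerCert, $signerKey] = issueSignerCert('Example Signer', $trustedRoot, $trustedRootKey);

$trustedList = [writeTrustAnchor($trustedRoot)];
$unlistedList = [writeTrustAnchor($unlistedRoot)];

// 1) The issuer's signature on the signer certificate is mathematically valid.
echo 'Issuer signature valid: ', issuerSignatureValid($signerCert, $trustedRoot) ? 'yes' : 'no', PHP_EOL;

// 2) The very same certificate only validates against a trust list that contains its root.
echo 'Trusted with its root in the list: ', chainsToTrustedRoot($signerCert, $trustedList) ? 'yes' : 'no', PHP_EOL;
echo 'Trusted with only an unrelated CA in the list: ', chainsToTrustedRoot($signerCert, $unlistedList) ? 'yes' : 'no', PHP_EOL;

foreach (array_merge($trustedList, $unlistedList) as $path) {
    unlink($path);
}
```

The second check is the one Acrobat performs when it evaluates a signature: the signer's certificate has to chain to a root on the AATL, CDS or EUTL lists or in the user's own "Trusted Certificates". A certificate from any other CA fails that check even though its signature is cryptographically intact, which is exactly the situation behind the "At least one signature has problems." ribbon; adding the root to the trust list, as the page describes, turns the result around.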