What is AATL?
How does it work?
Why must the certificate be stored on cryptographic hardware?
Ordering, Vetting and Installing AATL
How do I order and receive AATL Document Signing Certificates (token-based)?
How are subscribers and/or organizations vetted?
How do I install my AATL Certificate?
Where can I get the GlobalSign AATL Intermediate Certificates?
Where can I find the USB Token Drivers?
How do I digitally sign using my AATL Certificate?
What are the differences between Certifying and Approval signatures?
How does timestamping work?
What is Long-term signature validation (LTV)?
What are the technical requirements needed to use an AATL Certificate?
What Document Signing Certificate is right for me?
What is AATL?
AATL stands for Adobe Approved Trust List, a program that allows users worldwide to create trusted digital signatures whenever a signed document is opened in Adobe® Acrobat® or Reader® software. GlobalSign is a member of this list. AATL was introduced in Adobe Reader/Acrobat v9.0. Therefore, GlobalSign’s AATL Document Signing Certificates are compatible with Adobe Version. 9+ Prior to AATL, Adobe offered the Certificate Document Services (CDS) program. The Adobe CDS program was launched in 2005 with five member CAs (GlobalSign being one of them). CDS has been phased out in preference of AATL. For more information on how AATL compares to CDS, please see our blog post. Additional information on Adobe's Approved Trust List (AATL) can be found on Adobe’s website here.
AATL works off an “Approved Trust List” where AATL member CAs are carefully vetted by Adobe to ensure their services and credentials meet the AATL Technical Requirements. Once a CA has been added to the list, any signatures applied with certificates that trace back to their root will be automatically trusted in Adobe products.
Since GlobalSign AATL Document Signing Certificates chain back to GlobalSign’s root certificate, which is included in multiple trust/root stores, they can also be used for signatures in other software such as Microsoft Office and Bluebeam Revu.
The AATL Technical Requirements specify that the CA must generate and protect key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys. The suitable medium is considered a hardware security module that meet FIPS 140-2 Level 3 or equivalent such as the SafeNet I Key.
Token-based AATL document signing certificates can be purchased individually online or in bulk (5+ certificates) through GlobalSign’s Managed PKI platform. Benefits of Managed PKI include pre-vetting for instant certificate issuance, volume discounts, easy certificate management and more. Contact an Account Manager to get started with Managed PKI
To purchase individual certificates:
An Organization’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the GlobalSign CA Certification Practice Statement (CPS). GlobalSign will verify the Organization is legitimate using third party verification services such as a qualified government information source.
Please follow the AATL install instructions found here.
AATL Intermediate Certificates are available in this Support Article.
Please find the SafeNet USB Token Drivers in this Support Article.
Please view our PDF Signing video tutorials here.
There are two types of signatures that can be added to PDFs: Certifying signatures and Approval signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature. A certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel. You have one of three options for choosing which actions are permitted after certifying:
Approval signatures, also referred to as digital signatures in the Adobe interface, are performed when someone signs a document to show consent, approval, or acceptance. Adding a visible approval signature is the equivalent of signing your name on a physical document.
Valid approval signatures produce a "green check mark" and certified signatures produce a "blue ribbon" at the top of the Adobe interface.
Example digitally signed document in Adobe Acrobat Pro DC
Example certified document in Adobe Acrobat Pro DC
Please see our blog post for more information on the differences between the signature types.
GlobalSign AATL Certificates include a timestamping URL and Adobe (and other supporting applications) will use the URL to gain access to GlobalSign’s highly available and trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.
For more information on what timestamping is and how it works, please view our blog post.
Long-term signature validation allows you or relying parties to check the validity of a signature long after the document was signed and after the signing certificate expires. The following validation elements must be embedded into a signed PDF to achieve LTV: the signing certificate chain, certificate revocation status, and possibly a timestamp.
If a signer has access to the internet, a valid GlobalSign AATL Certificate will automatically embed the required elements - signing certificate chain, certificate revocation status and a timestamp into the document.
Please view Adobe's full guidance on long-term signature validation available here.
GlobalSign offers scalable document signing solutions from desktop to cloud-based deployment options. You can view the options here: https://www.globalsign.com/en/digital-signatures