AATL Frequently Asked Questions

OVERVIEW: This page covers everything you need to know about GlobalSign Adobe Approved Trust List (AATL) Certificate. For certificate installation instructions, please refer to this guide. Can't find what you're looking for? Get in touch for assistance.

What is AATL?

AATL stands for Adobe Approved Trust List, a program that allows users worldwide to create trusted digital signatures whenever a signed document is opened in Adobe® Acrobat® or Reader® software. GlobalSign is a member of this list. AATL was introduced in Adobe Reader/Acrobat v9.0. Therefore, GlobalSign’s AATL Document Signing Certificates are compatible with Adobe Version. 9+ Prior to AATL, Adobe offered the Certificate Document Services (CDS) program. The Adobe CDS program was launched in 2005 with five member CAs (GlobalSign being one of them). CDS has been phased out in preference of AATL. For more information on how AATL compares to CDS, please see our blog post. Additional information on Adobe's Approved Trust List (AATL) can be found on Adobe’s website here.

Where can I get the GlobalSign AATL Intermediate Certificates?

Intermediate Certificates help complete a "Chain of Trust" from your SSL or Client Certificate to GlobalSign's Root Certificate. The Intermediate Certificates listed below have been built specifically for the purposes of document signing, and chain to CAs that are part of the Adobe Approved Trust List (AATL). AATL Intermediate Certificates are available here.

How do I order a new AATL Certificates (token-based)?

Token-based AATL document signing certificates can be purchased in the following platforms:

• If you are a new customer, you can order your certificate through our website to create a GCC account. 
• If you are an existing customer with an active GCC account, please refer to this page to place your new order. 

You can also place an order in bulk (5+ certificates) through GlobalSign’s Managed PKI platform. Benefits of Managed PKI include pre-vetting for instant certificate issuance, volume discounts, easy certificate management and more. Contact an Account Manager to get started with Managed PKI. 

Once you complete your order, our Vetting team will verify the application details and call to confirm/verify your order (1 – 3 business days).
INFORMATION: An Organization’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the GlobalSign CA Certification Practice Statement (CPS). GlobalSign will verify the Organization is legitimate using third party verification services such as a qualified government information source.

If you choose credit card as your mode of payment, we will be sending a link to proceed with your payment. Once your order is ready, please refer to this page to process your payment. After vetting is complete and payment is confirmed, we will ship a secure USB token to you via standard shipping. Note: You will need to wait until you receive the USB token (by mail) to install the Certificate.

How do I reissue my AATL Certificate?

For AATL Certificate reissue, please refer to this page. For Reissues, you will need to remove the expired certificate in the token to use the new certificate. Ensure that you have installed the new certificate correctly before removing the old one. 

Note: You may still use compatible and existing SafeNet eToken as long as it meets the required supported key size. The minimum required supported key size of eToken for AATL Certificate is 2048 bits. If you wish to use your existing eToken, initializing process is not required. 

Where can I find the SafeNet eToken Drivers?

The AATL Technical Requirements specify that the CA must generate and protect key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys. The suitable medium is considered a hardware security module that meet FIPS 140-2 Level 3 or equivalent such as the SafeNet I Key. You may find the SafeNet eToken Drivers here.

How do I remove expired/used certificates in the etoken?

To remove expired or used certificates in the eToken, please refer to this page. 
WARNING: Removing certificate in the eToken is permanent. Ensure that your certificate is already expired or used and you will remove the correct certificate before continuing. For reissues, install the new certificate correctly before removing the old one. 

 What are the differences between Certifying and Approval signatures?

There are two types of signatures that can be added to PDFs: Certifying ignatures and Approval signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature, while a certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel. You have one of three options for choosing which actions are permitted after certifying:

• Annotations, form fill-in, and digital signatures
• Form fill-in and digital signatures
• No changes allowed

Approval signatures, also referred to as Digital Signatures in the Adobe interface, are performed when someone signs a document to show consent, approval, or acceptance. Adding a visible approval signature is the equivalent of signing your name on a physical document.

Valid approval signatures produce a green check mark  and certified signatures produce a blue ribbon at the top of the Adobe interface.

Figure 1: Sample digitally signed document in Adobe Acrobat Pro DC


Figure 2: Sample certified document in Adobe Acrobat Pro DC

Read more about the difference between Certifying and Approval signatures in our blog post. 

How to add timestamp?

See topics below to enable timestamping in the following platforms:                                                                                                                                                       

• Timestamp - Adobe Acrobat
• Timestamp - Microsoft Windows
• Timestamp - Microsoft Office 2010, 2013, 2016 & 2019

What are the technical requirements needed to use an AATL Certificate?

• You will need to download and install SafeNet Authentication Client drivers.

• For certificate pickup/installation, you must have access to a Windows PC and Microsoft Edge. Once the certificate is installed on the USB token, you may sign from other platforms such as OS X.

• Digital Signing and signature viewing Requirements:
  
  • Adobe Reader
  • Adobe Acrobat
  • Microsoft Office Word and Excel
  • OpenOffice
  • LibreOffice

How to enable IE Compatibility in Microsoft Edge browser?

If you selected Download using Internet Explorer (IE) Compatibility Mode as key generation method in your order, you are required to open the pickup link in Microsoft Edge with an enabled IE Compatibility Mode. Follow the guidelines on how to enable IE compatibility mode in Microsoft Edge here.