Menu

AATL Frequently Asked Questions

Jul 30, 2025

AATL Frequently Asked Questions

OVERVIEW: This page covers everything you need to know about GlobalSign Adobe Approved Trust List (AATL) Certificate. For certificate installation instructions, please refer to this guide. Can't find what you're looking for? Get in touch for assistance.

CONTENTS

GENERAL INFORMATION

What is AATL?

AATL stands for Adobe Approved Trust List, a program that allows users worldwide to create trusted digital signatures whenever a signed document is opened in Adobe® Acrobat® or Reader® software. GlobalSign is a member of this list. AATL was introduced in Adobe Reader/Acrobat v9.0. Therefore, GlobalSign’s AATL Document Signing Certificates are compatible with Adobe Version. 9+ Prior to AATL, Adobe offered the Certificate Document Services (CDS) program. The Adobe CDS program was launched in 2005 with five member CAs (GlobalSign being one of them). CDS has been phased out in preference of AATL. For more information on how AATL compares to CDS, please see our blog post. Additional information on Adobe's Approved Trust List (AATL) can be found on Adobe’s website here.


How does it work?

AATL works off an “Approved Trust List” where AATL member CAs are carefully vetted by Adobe to ensure their services and credentials meet the AATL Technical Requirements. Once a CA has been added to the list, any signatures applied with certificates that trace back to their root will be automatically trusted in Adobe products. Since GlobalSign AATL Document Signing Certificates chain back to GlobalSign’s root certificate, which is included in multiple trust/root stores, they can also be used for signatures in other software such as Microsoft Office and Bluebeam Revu.

Where can I get the GlobalSign AATL Intermediate Certificates?

Intermediate Certificates help complete a "Chain of Trust" from your SSL or Client Certificate to GlobalSign's Root Certificate. The Intermediate Certificates listed below have been built specifically for the purposes of document signing, and chain to CAs that are part of the Adobe Approved Trust List (AATL). AATL Intermediate Certificates are available here.

 

 

CERTIFICATE MANAGEMENT

How do I order a new AATL Certificates (token-based)?

Token-based AATL document signing certificates can be purchased in the following platforms:

  • If you are a new customer, you can order your certificate through our website to create a GCC account. 
  • If you are an existing customer with an active GCC account, please refer to this page to place your new order. 

You can also place an order in bulk (5+ certificates) through GlobalSign’s Managed PKI platform. Benefits of Managed PKI include pre-vetting for instant certificate issuance, volume discounts, easy certificate management and more. Contact an Account Manager to get started with Managed PKI. 

Once you complete your order, our Vetting team will verify the application details and call to confirm/verify your order (1 – 3 business days).
INFORMATION: An Organization’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the GlobalSign CA Certification Practice Statement (CPS). GlobalSign will verify the Organization is legitimate using third party verification services such as a qualified government information source.

If you choose credit card as your mode of payment, we will be sending a link to proceed with your payment. Once your order is ready, please refer to this page to process your payment. After vetting is complete and payment is confirmed, we will ship a secure USB token to you via standard shipping. Note: You will need to wait until you receive the USB token (by mail) to install the Certificate.

How do I install my AATL Certificate?

To install your certificate, follow the guidelines here.

How do I reissue my AATL Certificate?

For AATL Certificate reissue, please refer to this page. For Reissues, you will need t remove the expired certificate in the token to use the new certificate. Ensure that you have installed the new certificate correctly before removing the old one. 

Note: You may still use compatible and existing SafeNet eToken as long as it meets the required supported key size. The minimum required supported key size of eToken for AATL Certificate is 2048 bits. If you wish to use your existing eToken, initializing process is not required

 

 

SAFENET ETOKEN MANAGEMENT

Where can I find the SafeNet eToken Drivers?

The AATL Technical Requirements specify that the CA must generate and protect key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys. The suitable medium is considered a hardware security module that meet FIPS 140-2 Level 3 or equivalent such as the SafeNet I Key. You may find the SafeNet eToken Drivers here.

How do initialize and reset my eToken?

See Initialize SafeNet eToken for the complete initialization and resetting process of the eToken. This process is a requirement when setting up the SafeNet Token for the first time or if you want to reset your eToken to change your password. 

How do I remove expired/used certificates in the etoken?

To remove expired or used certificates in the eToken, please refer to this page. 
WARNING: Removing certificate in the eToken is permanent. Ensure that your certificate is already expired or used and you will remove the correct certificate before continuing. For reissues, install the new certificate correctly before removing the old one. 

 

DIGITAL SIGNING USING AATL

How do I digitally sign my document using AATL Certificate? 

GlobalSign's AATL document signing certificates are compatible with the leading programs and are an easy to use, cost-effective way to add digital signatures to your documents. For instructions on how to sign documents with your GlobalSign AATL Certificate, proceed to this page.

What are the differences between Certifying and Approval signatures?

There are two types of signatures that can be added to PDFs: Certifying ignatures and Approval signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature, while a certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel. You have one of three options for choosing which actions are permitted after certifying:

  1. Annotations, form fill-in, and digital signatures
  2. Form fill-in and digital signatures
  3. No changes allowed

Approval signatures, also referred to as Digital Signatures in the Adobe interface, are performed when someone signs a document to show consent, approval, or acceptance. Adding a visible approval signature is the equivalent of signing your name on a physical document.

Valid approval signatures produce a green check mark  and certified signatures produce a blue ribbon at the top of the Adobe interface.


Figure 1: Sample digitally signed document in Adobe Acrobat Pro DC


Figure 2: Sample certified document in Adobe Acrobat Pro DC

Read more about the difference between Certifying and Approval signatures in our blog post

 

TIMESTAMPING

How does timestamping work?

GlobalSign AATL Certificates include a timestamping URL and Adobe (and other supporting applications) will use the URL to gain access to GlobalSign’s highly available and trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.

capture_4.jpg

For more information on what timestamping is and how it works, you can view our blog post.

How to add timestamp?

See topics below to enable timestamping in the following platforms:

What is Long-term signature validation (LTV)?

Long-term signature validation allows you or relying parties to check the validity of a signature long after the document was signed and after the signing certificate expires. The following validation elements must be embedded into a signed PDF to achieve LTV: the signing certificate chain, certificate revocation status, and possibly a timestamp.

If a signer has access to the internet, a valid GlobalSign AATL Certificate will automatically embed the required elements - signing certificate chain, certificate revocation status and a timestamp into the document.

See Adobe's full guidance on long-term signature validation here.

 

SYSTEM REQUIREMENTS

What Document Signing Certificate is right for me?

GlobalSign offers scalable document signing solutions from desktop to cloud-based deployment options. You can view the options here.

What are the technical requirements needed to use an AATL Certificate?

  • You will need to download and install SafeNet Authentication Client drivers.

  • For certificate pickup/installation, you must have access to a Windows PC and Microsoft Edge. Once the certificate is installed on the USB token, you may sign from other platforms such as OS X.

  • Digital Signing and signature viewing Requirements:

    • Adobe Reader
    • Adobe Acrobat
    • Microsoft Office Word and Excel
    • OpenOffice
    • LibreOffice

 

TROUBLESHOOTING

How to enable IE Compatibility in Microsoft Edge browser?

If you selected Download using Internet Explorer (IE) Compatibility Mode as key generation method in your order, you are required to open the pickup link in Microsoft Edge with an enabled IE Compatibility Mode. Follow the guidelines on how to enable IE compatibility mode in Microsoft Edge here.

How to troubleshoot invalid PDF signatures?

Invalid PDF Signatures could be caused by either of the following reasons: 

  1. Expired Cross Certificate.
    To remove the expired Cross Certificate, follow the guidelines here.

  2. Outdated AATL (Adobe Approved Trust List) in Adobe Acrobat Reader.
    To manually update the AATL in Adobe Acrobat Reader, follow the guidelines here. ​​​

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support