Jun 18, 2025

AATL Document Signing FAQs

OVERVIEW: This page covers everything you need to know about GlobalSign Adobe Approved Trust List (AATL) Certificate. For certificate installation instructions, please refer to this guide. Can't find what you're looking for? Get in touch for assistance.

Menu Option

• GENERAL INFORMATION                                                                                                                                                                                                       
  WHAT IS AATL?             
  HOW DOES IT WORK?                                                                                                                                                              
  WHY MUST THE CERTIFICATE BE STORED ON A SAFENET ETOKEN HARDWARE?                                         

• CERTIFICATE MANAGEMENT                                                                                                                                                                         
  HOW DO I ORDER AND RECEIVE AATL DOCUMENT SIGNING CERTIFICATES (TOKEN BASED)?
  HOW ARE SUBSCRIBER/S AND ORGANIZATIONS VETTED?                                                                                
  HOW DO I INSTALL MY AATL CERTIFICATE?
  WHERE CAN I GET THE GLOBALSIGN AATL INTERMEDIATE CERTIFICATE?                                                     
  WHERE CAN I FIND THE SAFENET ETOKEN DRIVERS?
  HOW DO I REISSUE MY AATL CERTIFICATE?                                                                                                          
  HOW DO I REMOVE AN OLD OR EXPIRED AATL CERTIFICATE AND INITIALIZE MY ETOKEN?

• DIGITAL SIGNING USING AATL                                                                                                                                                                  
  HOW DO I DIGITALLY SIGN MY DOCUMENT USING AATL CERTIFICATE?                                                                                            
  WHAT ARE THE DIFFERENCES BETWEEN CERTIFYING AND APPROVAL SIGNATURES?

• TIMESTAMPING                                                                                                                                                                                             
  HOW DOES TIMESTAMPING WORK?                                                                                                                      
  HOW TO ADD TIMESTAMP?                                                        
  WHAT IS LONG TERM SIGNATURE VALIDATION (LTV)?                                                                                      

• SYSTEM REQUIREMENT                                                                                                                                                                                
  WHAT ARE THE TECHNICAL REQUIREMENTS NEEDED TO USE AN AATL CERTIFICATE?                                                                                        
  WHAT DOCUMENT SIGNING CERTIFICATE IS RIGHT FOR ME?

• TROUBLESHOOTING                                                                                                                                                                                     
  HOW TO ENABLE IE COMPATIBILITY MODE IN MICROSOFT EDGE BROWSER?
  HOW TO TROUBLESHOOT INVALID PDF SIGNATURES?

 

GENERAL INFORMATION

What is AATL? AATL stands for Adobe Approved Trust List, a program that allows users worldwide to create trusted digital signatures whenever a signed document is opened in Adobe® Acrobat® or Reader® software. GlobalSign is a member of this list. AATL was introduced in Adobe Reader/Acrobat v9.0. Therefore, GlobalSign’s AATL Document Signing Certificates are compatible with Adobe Version. 9+ Prior to AATL, Adobe offered the Certificate Document Services (CDS) program. The Adobe CDS program was launched in 2005 with five member CAs (GlobalSign being one of them). CDS has been phased out in preference of AATL. For more information on how AATL compares to CDS, please see our blog post. Additional information on Adobe's Approved Trust List (AATL) can be found on Adobe’s website here.

How does it work?

AATL works off an “Approved Trust List” where AATL member CAs are carefully vetted by Adobe to ensure their services and credentials meet the AATL Technical Requirements. Once a CA has been added to the list, any signatures applied with certificates that trace back to their root will be automatically trusted in Adobe products. Since GlobalSign AATL Document Signing Certificates chain back to GlobalSign’s root certificate, which is included in multiple trust/root stores, they can also be used for signatures in other software such as Microsoft Office and Bluebeam Revu.
 

Why must the certificate be stored on a SafeNet eToken hardware? The AATL Technical Requirements specify that the CA must generate and protect key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys. The suitable medium is considered a hardware security module that meet FIPS 140-2 Level 3 or equivalent such as the SafeNet I Key.

 

CERTIFICATE MANAGEMENT

How do I order and receive AATL Document Signing Certificates (token-based)?

Token-based AATL document signing certificates can be purchased individually online or in bulk (5+ certificates) through GlobalSign’s Managed PKI platform. Benefits of Managed PKI include pre-vetting for instant certificate issuance, volume discounts, easy certificate management and more. Contact an Account Manager to get started with Managed PKI. 

To purchase individual certificates, follow these steps:

1. Click Buy Online and you will be taken to GlobalSign’s secure ordering process.

2. Create your GlobalSign Certificate Center (GCC) Account.

3. Complete the Certificate Application, including:

   • Certificate Identity Details page – Enter the Certificate Holder’s Identity Information (or the Organization/ Department identity) and create a pickup password used to securely pick up and install the certificate

   • Payment page – Submit payment

4. Our Vetting team will verify the application details and call to confirm/verify your order (1 – 3 business days).

5. After vetting is complete, we will ship a secure USB token to you via standard shipping.
   Note: You will need to wait until you receive the USB token (by mail) to install the Certificate.

To purchase certificate in GCC (after creating your account), follow the guideline here. 

How are subscribers and/or organizations vetted? An Organization’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the GlobalSign CA Certification Practice Statement (CPS). GlobalSign will verify the Organization is legitimate using third party verification services such as a qualified government information source.

How do I install my AATL Certificate?

Follow AATL installation instructions here.

Where can I get the GlobalSign AATL Intermediate Certificates? Intermediate Certificates help complete a "Chain of Trust" from your SSL or Client Certificate to GlobalSign's Root Certificate. The Intermediate Certificates listed below have been built specifically for the purposes of document signing, and chain to CAs that are part of the Adobe Approved Trust List (AATL). AATL Intermediate Certificates are available here.

Where can I find the SafeNet eToken Drivers?

You may find the SafeNet eToken Drivers here.

How do I reissue my AATL Certificate? Follow the AATL reissue guidelines here. Note: For Reissues, you may still use compatible and existing SafeNet eToken as long as it meets the required supported key size. The minimum required supported key size of eToken for AATL Certificate is 2048 bits. If you wish to use your existing eToken, initializing process is not required.

How do I remove an old or expired AATL Certificate and initialize my eToken?

For Reissues, you will need to to remove the expired certificate in the token to use the new certificate. Ensure that you have installed the new certificate correctly before removing the old one. 

See Initialize SafeNet eToken for the complete initialization process of the eToken. This process is a requirement when setting up the SafeNet Token for the first time or if you want to change your token password. 


 

DIGITAL SIGNING USING AATL

How do I digitally sign my document using AATL Certificate?  GlobalSign's AATL document signing certificates are compatible with the leading programs and are an easy to use, cost-effective way to add digital signatures to your documents. For instructions on how to sign documents with your GlobalSign AATL Certificate, see the following topics:  Sign PDF Document - Adobe Sign PDF Document - Foxit Reader Sign PDF Document - Bluebeam Revu 2015 Sign PDF Document - Acrobat Reader DC Sign PDF Document - Acrobat XI Sign Word Document - Microsoft Office 2010 and 2013 Multiple Signatures - Adobe Acrobat XI

What are the differences between Certifying and Approval signatures?

There are two types of signatures that can be added to PDFs: Certifying ignatures and Approval signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature, while a certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel. You have one of three options for choosing which actions are permitted after certifying:

1. Annotations, form fill-in, and digital signatures
2. Form fill-in and digital signatures
3. No changes allowed

Approval signatures, also referred to as Digital Signatures in the Adobe interface, are performed when someone signs a document to show consent, approval, or acceptance. Adding a visible approval signature is the equivalent of signing your name on a physical document.

Valid approval signatures produce a green check mark  and certified signatures produce a blue ribbon at the top of the Adobe interface.

Figure 1: Sample digitally signed document in Adobe Acrobat Pro DC


Figure 2: Sample certified document in Adobe Acrobat Pro DC

Read more about the difference between Certifying and Approval signatures in our blog post. 


 

TIMESTAMPING

How does timestamping work? GlobalSign AATL Certificates include a timestamping URL and Adobe (and other supporting applications) will use the URL to gain access to GlobalSign’s highly available and trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature. For more information on what timestamping is and how it works, you can view our blog post.

How to add timestamp?

See guides below to enable timestamping in the following platforms:

Timestamp - Adobe Acrobat
Timestamp - Microsoft Windows
Timestamp - Microsoft Office 2010, 2013, 2016 & 2019

What is Long-term signature validation (LTV)? Long-term signature validation allows you or relying parties to check the validity of a signature long after the document was signed and after the signing certificate expires. The following validation elements must be embedded into a signed PDF to achieve LTV: the signing certificate chain, certificate revocation status, and possibly a timestamp. If a signer has access to the internet, a valid GlobalSign AATL Certificate will automatically embed the required elements - signing certificate chain, certificate revocation status and a timestamp into the document. See Adobe's full guidance on long-term signature validation here.

SYSTEM REQUIREMENTS

What are the technical requirements needed to use an AATL Certificate? You will need to download and install SafeNet Authentication Client drivers. For certificate pickup/installation, you must have access to a Windows PC and Microsoft Edge. Once the certificate is installed on the USB token, you may sign from other platforms such as OS X. Digital Signing and signature viewing Requirements: Adobe Reader Adobe Acrobat Microsoft Office Word and Excel OpenOffice LibreOffice

What Document Signing Certificate is right for me?

GlobalSign offers scalable document signing solutions from desktop to cloud-based deployment options. You can view the options here:

TROUBLESHOOTING

How to enable IE Compatibility in Microsoft Edge browser? If you selected Download using Internet Explorer (IE) Compatibility Mode as key generation method in your order, you are required to open the pickup link in Microsoft Edge with an enabled IE Compatibility Mode. Follow the guidelines on how to enable IE compatibility mode in Microsoft Edge here.

How to troubleshoot invalid PDF signatures?

Invalid PDF Signatures could be caused by either of the following reasons: 

1. Expired Cross Certificate.
   To remove the expired Cross Certificate, follow the guidelines here.

2. Outdated AATL (Adobe Approved Trust List) in Adobe Acrobat Reader.
   To manually update the AATL in Adobe Acrobat Reader, follow the guidelines here. ​​​