Jun 18, 2025

Download and Install AATL Certificate

OVERVIEW: This page walks you through the process of downloading and installing your GlobalSign Adobe Approved Trust List (AATL) Certificate. At the completion of this procedure, your Certificate will be ready to place signatures on Adobe® Acrobat® or Reader® documents. Learn more about AATL Certificate management and document signing here.

Menu Option

During the ordering process, you were given an option to choose the key generation method you prefer for your AATL certificate. Based on your selection, install your GlobalSign AATL Certificate with the following guidelines: 

• TOKEN-BASED INSTALLATION                                                                                                                              
  Note: GlobalSign-provided eToken is mailed to you upon ordering GlobalSign's AATL Certificate. For Reissues, you may still use your existing token as long as it remains compatible and working. 

• HSM-BASED INSTALLATION                                                                                                                                    
  Note: You will be prompted to provide the CSR during the certificate pick up process.

Token-based Installation

IMPORTANT: For token-based installations, the minimum required supported key size of the eToken for AATL certificate is 2048 bits. Ensure that you have your eToken handy before proceeding with the process. This implementation has two key generation methods: Enrollment with Fortify and Download using Internet Explorer (IE) Compatibility Mode.

Install AATL Certificate Using Microsoft Edge in IE Compatibility Mode

IMPORTANT: If you selected the Enrollment with Fortify as key generation method during the ordering process, proceed with install your certificate using Fortify. Otherwise, you need to cancel your current order and reorder to change your selection.

Prerequisites

1. Approved and vetted GlobalSign AATL Certificate.

2. GlobalSign-provided SafeNet eToken. Depending on your need, do the following actions:
   
   For New Orders
   • Download and install SafeNet Authentication Client drivers.
   • Initialize SafeNet eToken. This is a requirement when setting up the SafeNet eToken for the first time. 
   
   For Renewals and Reissues
   • You may still use compatible and existing SafeNet eTokens as long as it meets the required supported key size.

   IMPORTANT: If the supported key size of your current token is not compatible with AATL, request for a new token during the renewal/reissuing process.

   
   • If your eToken is still compatible and you do not want to make any changes with your current token password, initializing your eToken is not required. You may proceed with the guidelines. 

   WARNING: Initializing your eToken will delete all certificates currently installed there and they will have to be reissued and installed again.

3. For Certificate pickup, you must have access to a Windows PC to proceed. Once the Certificate is installed and stored in the removable device, you may sign from other platforms such as OS X. You are also required to open the pickup link in Microsoft Edge with IE Compatibility Mode enabled, then continue with the guidelines.

Guidelines

1. Open the pickup link from your e-mail in Microsoft Edge with IE Compatibility Mode enabled.

2. Enter the Temporary Pickup Password that was set at the time of ordering and click Next to continue. 
   
   

3. In the Web Access Confirmation prompt, click Yes to allow digital certificate operations. 
   
   

4. In the Install Certificate window, choose one from the Cryptographic Service Provider drop-down options:
   
   • If you want to install the GlobalSign-provider SafeNet eToken, select eToken Base Cryptographic Provider
   • If you want to install a private-owned smart card, select Microsoft Base Smart Card Crypto Provider
   
   Then, tick the box to agree to the subscriber agreement and click Next.
   
   

5. Insert your SafeNet USB token into your computer.

6. Enter the password for your USB token. This was set during the initialization process, then click OK.
   
   
    

   WARNING: The screen may appear to freeze for a minute or two. DO NOT press any button on your browser until the process is complete as it will interrupt the progress. There should be a blinking light from your eToken and a message in the screen reminding to wait for a while.

7. Once the token has finished the keypair generation, click the button to Install My Certificate.
   
   
8. In the Web Access Confirmation prompt, click Yes to allow digital certificate operations. 
   
   
9. Click OK to complete the process.
   
   
10. You are now ready to use your certificate.

IMPORTANT: For Reissues, if you wish to use your existing SafeNet eToken and you do not want to make any changes with your current token password, initializing your eToken is not required. However, you will need to remove the expired certificate in the token to use the new certificate. Ensure that you have installed the new certificate correctly before removing the old one. Then, follow the same process.

 

Install AATL Certificate Using Fortify

IMPORTANT: If you selected the Download using Internet Explorer (IE) Compatibility Mode as key generation method during the ordering process, proceed with install certificate using Microsoft Edge in IE Compatibility Mode. Otherwise, you need to cancel your current order and reorder to change your selection.

Prerequisites

1. Approved and vetted GlobalSign AATL Certificate.

2. GlobalSign-provided SafeNet eToken. See eToken related prerequisites above.

3. Downloaded and installed Fortify App in your operating system. Ensure that you meet the following system requirements: 
   
   • Browsers supported by Fortify: Microsoft Edge, Safari, Firefox and Chrome
   • OS supported by Fortify: MAC OS 10.12 or higher, Windows 7 or higher, and Ubuntu 16.04 or higher

4. For Certificate pickup, you must have access to a Windows PC to proceed. Once the Certificate is installed and stored in the removable device, you may sign from other platforms such as OS X.

Guidelines

1. Open the Certificate Download Ready email and launch the pickup link using any browser. 
2. Enter the Temporary Pickup Password that was set at the time of ordering and click Next to continue. 
   
   
3. Tick I agree to the terms above box, then click Next. 
   
   

4. A pop-up window for the authorization of code will appear on the Access Permission and on Fortify Authorization. If the both codes matched, click Approve to continue. 
   
   

5. In the Create Certificate Request or Self-Signed Certificate window, review the DN or Certificate Identity Detail Information. Then, click Create to continue. Note: If you haven't yet, make sure that your eToken is plugged in to your computer at this point. 
   
   

6. A pop-up window will appear, then enter the token password. Note: Please wait for a while as it will take a few seconds to process. 
   
   

7. On the Install Certificate window, under Select Provider, select the token that you setup (as a prerequisite). Then, click Start to proceed. 
   
   

8. Once Certificate is successfully installed on the token (or local certificate store), a pop-up confirmation window will appear. Click on OK. 
9. You are now ready to use your certificate.

 

HSM-based Installation

IMPORTANT: This method is used when you choose Download using CSR as key generation method. For Advanced Users, externally generate and provide a Certificate Signing Request (CSR). If you select ECC, please create the CSR with ECC.

Prerequisites

1. Approved and vetted GlobalSign AATL Certificate.

2. For Certificate pickup, you must have access to a Windows PC. Once the Certificate is installed, you may sign from other platforms such as OS X.

Guidelines

1. Open the Certificate Download Ready email and launch the pickup link using any available browser. 

2. Enter the Temporary Pickup Password that was set at the time of ordering and click Next to continue. 
   
   

3. Enter your CSR on the Enter CSR Required box. Then, tick I Agree to the subscriber Agreement and click Next to proceed. 
   Note: Paste the CSR generated on the HSM which is FIPS 140-2 Level 2 compliant.
   
   

4. Download your Digital Certificate and Intermediate Certificates.
   
   

5. Import the Certificate into your HSM.

   IMPORTANT: These Certificates will match the private key used to generate the CSR submitted during the ordering process, for information on how to import these Certificates on your HSM, please consult your HSM vendors instructions.

6. You are now ready to use your certificate.

WHAT'S NEXT: Now that you have successfully installed your AATL Certificate, you may now use it to sign documents. For instructions on how to sign documents with your GlobalSign AATL Certificate, see the following topics:  • Sign PDF Document - Adobe  • Sign PDF Document - Foxit Reader  • Sign PDF Document - Bluebeam Revu 2015  • Sign PDF Document - Acrobat Reader DC  • Sign PDF Document - Acrobat XI  • Sign Word Document - Microsoft Office 2010 and 2013  • Multiple Signatures - Adobe Acrobat XI