What is AATL?
How does it work?
Why must the certificate be stored on cryptographic hardware?
Ordering, Vetting and Installing AATL
How do I order and receive AATL Document Signing Certificates (token-based)?
How are subscribers and/or organizations vetted?
How do I install my AATL Certificate?
Where can I get the GlobalSign AATL Intermediate Certificates?
Where can I find the USB Token Drivers?
How do I digitally sign using my AATL Certificate?
What are the differences between Certifying and Approval signatures?
How does timestamping work?
What is Long-term signature validation (LTV)?
What are the technical requirements needed to use an AATL Certificate?
What Document Signing Certificate is right for me?
AATL stands for Adobe Approved Trust List, a program that allows users worldwide to create trusted digital signatures whenever a signed document is opened in Adobe® Acrobat® or Reader® software. GlobalSign is a member of this list. AATL was introduced in Adobe Reader/Acrobat v9.0. Therefore, GlobalSign’s AATL Document Signing Certificates are compatible with Adobe Version. 9+
Prior to AATL, Adobe offered the Certificate Document Services (CDS) program. The Adobe CDS program was launched in 2005 with five member CAs (GlobalSign being one of them). CDS has been phased out in preference of AATL. For more information on how AATL compares to CDS, please see our blog post. Additional information on Adobe's Approved Trust List (AATL) can be found on Adobe’s website here.
AATL works off an “Approved Trust List” where AATL member CAs are carefully vetted by Adobe to ensure their services and credentials meet the AATL Technical Requirements. Once a CA has been added to the list, any signatures applied with certificates that trace back to their root will be automatically trusted in Adobe products.
Since GlobalSign AATL Document Signing Certificates chain back to GlobalSign’s root certificate, which is included in multiple trust/root stores, they can also be used for signatures in other software such as Microsoft Office and Bluebeam Revu.
The AATL Technical Requirements specify that the CA must generate and protect key pair(s) for the supplied certificate(s) in a medium that prohibits exportation and duplication that could allow unauthorized use of the private or secret keys. The suitable medium is considered a hardware security module that meet FIPS 140-2 Level 3 or equivalent such as the SafeNet I Key.
Token-based AATL document signing certificates can be purchased individually online or in bulk (5+ certificates) through GlobalSign’s Managed PKI platform. Benefits of Managed PKI include pre-vetting for instant certificate issuance, volume discounts, easy certificate management and more. Contact an Account Manager to get started with Managed PKI
To purchase individual certificates:
- Click Buy Online and you will be taken to GlobalSign’s secure ordering process.
- Create your GlobalSign Certificate Center (GCC) Account and Account Logic
- Complete the Certificate Application, including:
- Certificate Identity Details page – Enter the Certificate Holder’s Identity Information (or the Organization/ Department identity) and create a pickup password used to securely pick up and install the certificate
- Payment page – submit payment
- Our Vetting team will verify the application details and call to confirm/verify your order (1 – 3 business days)
- After vetting is complete, we will ship a secure USB token to you via standard shipping.
- *You will need to wait until you receive the USB token (by mail) to install the Certificate.
An Organization’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the GlobalSign CA Certification Practice Statement (CPS). GlobalSign will verify the Organization is legitimate using third party verification services such as a qualified government information source.
Please follow the AATL install instructions found here.
AATL Intermediate Certificates are available in this Support Article.
Please find the SafeNet USB Token Drivers in this Support Article.
Please view our PDF Signing video tutorials here.
There are two types of signatures that can be added to PDFs: Certifying signatures and Approval signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature. A certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel. You have one of three options for choosing which actions are permitted after certifying:
- Annotations, form fill-in, and digital signatures
- Form fill-in and digital signatures
- No changes allowed
Approval signatures, also referred to as digital signatures in the Adobe interface, are performed when someone signs a document to show consent, approval, or acceptance. Adding a visible approval signature is the equivalent of signing your name on a physical document.
Valid approval signatures produce a "green check mark" and certified signatures produce a "blue ribbon" at the top of the Adobe interface.
Example digitally signed document in Adobe Acrobat Pro DC
Example certified document in Adobe Acrobat Pro DC
Please see our blog post for more information on the differences between the signature types.
How does timestamping work? GlobalSign AATL Certificates include a timestamping URL and Adobe (and other supporting applications) will use the URL to gain access to GlobalSign’s highly available and trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.
For more information on what timestamping is and how it works, please view our blog post.
Long-term signature validation allows you or relying parties to check the validity of a signature long after the document was signed and after the signing certificate expires. The following validation elements must be embedded into a signed PDF to achieve LTV: the signing certificate chain, certificate revocation status, and possibly a timestamp.
If a signer has access to the internet, a valid GlobalSign AATL Certificate will automatically embed the required elements - signing certificate chain, certificate revocation status and a timestamp into the document.
Please view Adobe's full guidance on long-term signature validation available here.
- You will need to download and install SafeNet Authentication Client drivers.
- For certificate pickup/installation, you must have access to a Windows PC and Microsoft Internet Explorer. Once the certificate is installed on the USB token, you may sign from other platforms such as OS X.
- Digital Signing and signature viewing Requirements:
- Adobe Reader
- Adobe Acrobat
- Microsoft Office Word and Excel
GlobalSign offers scalable document signing solutions from desktop to cloud-based deployment options. You can view the options here: https://www.globalsign.com/en/digital-signatures