Mar 11, 2025

Download and Install AATL or Qualified Certificate for Electronic Seals/Signatures

Introduction

This guide outlines the download and install steps for the following: 

• Adobe Approved Trust List (AATL) Certificate
• Qualified Certificate for Electronic Seal
• Qualified Certificate for Electronic Signature
   

IMPORTANT: If you ordered your certificate with "Enrollment with Fortify" option, follow this guide How to Install a Certificate using Fortify. If you ordered your certificate with "Download using Internet Explorer (IE) Compatibility Mode" option, enable IE compatibility mode in your Edge Browser by following the guide IE Compatibility in Microsoft Edge, and then continue with the instructions in this article.

Prerequisites

Note: You may use your own smart card as an alternative to the USB token offered by GlobalSign. If you are using your own smart card, you will need to meet prerequisite #5 below:

1. You will need a SafeNet USB Token. This will be mailed to you when you place your order.
2. Download and install SafeNet Authentication Client drivers. Note: For renewals, it's not necessary to reinstall Safenet drivers. However, we recommend verifying that you are using the latest Safenet driver available in the link above. Also, the new Safenet eToken 5110 CC (940) requires v10.7 or higher.
3. Plug in and initialize your SafeNet token. 
   (In case you are changing the token passwords. Please do save it somewhere securely, The token may get locked if the passwords are Incorrect).
   Note: For the new Safenet eToken 5110 CC (940), the default password is "0000".
   For old tokens, the default password is "1234567890".
4. For Qualified Certificates, the correct Qualified Signature Creation Device (QSCD) which is the Safenet eToken 5110 cc should be used. Also, the default administrator password for this token is forty-eight 0's and the default Digital Signature PUK is six 0's. You can choose to tick the respective checkboxes to auto-populate the Administrator Password and Digital Signature PUK accordingly for your convenience. Note: The Qualified Certificate is only compatible with the indicated token. 
5. For certificate pickup, you must have access to a Windows PC and Microsoft Edge. Once the certificate is installed on the USB token, you may sign from other platforms such as OS X.

Download & Install

1. Once your order has been approved, vetted, and you have your USB token initialized, open the pickup link from your pickup e-mail in Microsoft Edge with IE Compatibility Mode enabled.
2. Enter the Temporary Pickup Password that was set at the time of ordering:
   
   
3. Click Yes when prompted to allow digital certificate operations. 
   
   
4. To install on a SafeNet USB token provided by GlobalSign, select:
   eToken Base Cryptographic Provider
   
   To install on a smart card provided by you or your company, select:
   Microsoft Base Smart Card Crypto Provider
5. Check the box to agree to the subscriber agreement and click Next.
   
   
6. Enter the password for your USB token. This was set during the initialization process.
   
   
7. The screen may appear to freeze for a minute or two; DO NOT press the back button on your browser. You should see the light on your USB token blinking. Also, there will be a message that will appear reminding to wait for a while 
   
   
8. Once the token has finished the keypair generation, click Install My Certificate.
   
   
9. Click Yes to allow digital certificate operations. 
   
   
10. Finally, click OK when you get the Install Success message. 
    
    

Reissue and Reinstall AATL Certificate

Note: If you are going to reissue and reinstall an AATL Certificate, you will need to delete the old  AATL Certificate from the token, so that the token will use the new one. Make sure that you have installed the new  AATL Certificate correctly before removing the old one. To remove the old AATL Certificate from the token, please follow the guidelines below:

1. Open the SafeNet Authentication Client Tools.
2. Click the Gear Icon on the top right of the window for Advanced View. This will redirect you to the next window.
3. Click your token (may be named differently) and then click User Certificates to show the list of installed User Certificates in your token.
4. Select the old AATL Certificate and then click the Delete Certificate button. A dialogue box will appear, click Yes to proceed.
   Note: You will be required to input your Token Password to complete this process.
5. You are now done removing the old AATL Certificate from your token.

Additional Resources

1. Adobe PDF Signing Overview