There can be several reasons why, when a PDF is sent using the PDF's "Send" button or through the EACAT registration window, the result of the sending is "Certificate of signature invalid or revoked" or "Signature of the form invalid".
The reasons we have detected are:
1. The certificate is not valid (revoked, expired, not recognized...). The error that appears is "Signature certificate invalid or revoked".
2. The clock of the machine on which the PDF is signed is set to a future time, meaning that the time of signature has not yet arrived. The error that appears in this case is also "Signature certificate invalid or revoked".
3. Problem identified using T-CAT on card, Acrobat 9 or higher and SafeSign Standard 3.076. Clicking on the signature gives "error when encoding BER" and the reason for the error given by EACAT in this case is "Invalid form signature".
Below we explain each case in more detail and what the solution is:
1. Invalid certificate
One possibility is that your certificate has expired or been revoked, or that you have a valid certificate but did not choose the correct one when signing. If you are not sure, click on the PDF signature and check in its properties whether the certificate has expired. To find out whether it has been revoked, you will have to speak to the person in charge of the certification service in your organization, who can check it from the Subscriber Folder.
It is also possible that the certificate is not classified and is not accepted by signature validators. Note that signatures generated with the "Create new digital id" option in Acrobat are not recognized by signature validators, as they are not issued by any trusted provider.
Solution: Sign the PDF with a valid certificate.
2. Future signature time on the PDF
When signing a PDF, Acrobat records the computer's time as the time of signature. The time on the computer may be incorrect, either because the user of the machine has changed it manually or because the time on the organization's network server is incorrect. If an attempt is made to send a signed PDF whose signature time has not yet arrived, the signature validator will report the signature as invalid, because the signature will not be valid until that time arrives in real time (not in the time of the computer from which you are trying to send).
How to fix it? Correct the time on the computer you are signing from, or ask your IT team to review and correct the server time, then re-sign the PDF and send it once it is signed with the correct time (recommended option). If you cannot change the time right now, send the PDF after the signature time has passed.
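A pre-send check for case 2, as an added example that is not part of the original page or of EACAT: it reads the claimed signing time from the /M entry of each signature dictionary and reports signatures dated after a trusted reference time, together with how long to wait. Assumptions: /M follows /Type /Sig in the same dictionary, a date without an offset is treated as UTC, and `future_signatures`, `SAMPLE` and `NOW` are hypothetical names with constructed values.

```python
import re
from datetime import datetime, timedelta, timezone

# /M (claimed signing time) that follows /Type /Sig in a signature dictionary.
SIG_M = re.compile(rb"/Type\s*/Sig\b.*?/M\s*\((D:[^)]*)\)", re.S)
# PDF date string: D:YYYYMMDDHHmmSS, then Z or +HH'mm' / -HH'mm'.
PDF_DATE = re.compile(
    rb"D:(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(?:Z|([+-])(\d\d)'?(\d\d)?'?)?")

def parse_pdf_date(raw):
    """Convert a PDF date string (bytes) to a timezone-aware datetime."""
    m = PDF_DATE.fullmatch(raw)
    if not m:
        raise ValueError(f"not a full PDF date: {raw!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    sign, oh, om = m.group(7), m.group(8), m.group(9)
    offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    if sign == b"-":
        offset = -offset
    # Assumption: a date with no offset is interpreted as UTC.
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone(offset))

def future_signatures(pdf_bytes, now, tolerance=timedelta(0)):
    """Return (signing_time, wait) for every signature dated after `now`."""
    late = []
    for m in SIG_M.finditer(pdf_bytes):
        signed = parse_pdf_date(m.group(1))
        if signed > now + tolerance:
            late.append((signed, signed - now))
    return late

# Constructed sample: two signature dictionaries, not a real signed PDF.
SAMPLE = (b"1 0 obj\n<</Type/Sig/Filter/Adobe.PPKLite"
          b"/M(D:20240510093000+02'00')/Contents<00>>>\nendobj\n"
          b"2 0 obj\n<</Type/Sig/Filter/Adobe.PPKLite"
          b"/M(D:20240510120000+02'00')/Contents<00>>>\nendobj\n")
# Constructed reference time; in practice take it from a trusted time source.
NOW = datetime(2024, 5, 10, 8, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for signed, wait in future_signatures(SAMPLE, NOW):
        print(f"signed {signed.isoformat()} is {wait} ahead of reference time")
```

The reference time must come from a source other than the signing computer's own clock, since that clock is the thing being checked.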
3. Problem identified using T-CAT on card, Acrobat 9 or higher and SafeSign Standard 3.076
If Adobe Acrobat is correctly configured but a problem still appears when validating the document's signature, and a 2048-bit T-CAT was used to sign, note that Adobe Acrobat version 9 or higher has a problem that is unrelated to the EACAT service and to the CATCert digital certificate with which the signature was made. The specific error when trying to submit through the form's "Send" button is "Invalid signature", and when trying to validate the signature from Acrobat itself, the error that appears, as shown in the image below, is "Error when decoding BER".
In this case, we recommend three possible alternatives:
- Option 1: Sign the document from a computer that has a version of Adobe Acrobat prior to 9.
- Option 2: If option 1 is not possible, uninstall the software for the use of Consortium AOC certificates (SafeSign Standard) and install the latest version.
- Option 3: If there is no quick way to upgrade to the latest version, you can configure card access via PKCS#11 manually in the Acrobat settings from this option (this option requires technical knowledge):
– Adobe > Editing > Preferences > Signatures > Identities and trusted certificates > PKCS#11 modules and badges > Attach module > C:\Windows\System32\aetpkss1.dll
Once the new version of the software is installed, or Adobe is configured, on all computers where a PDF signature is to be performed, and the computer has been restarted:
– Put the T-CAT on the reader.
– Access Home – All programs – Safesign Standard – Token management.
– From the Digital IDs menu option, select Show Registered Digital IDs. At this point the certificates should be displayed in the open window.
– If so, re-sign the original PDF from the computer where the update was made. The error should have been resolved.