When you send a PDF using the “Send” button on the PDF or through the EACAT registration window, the result of the sending may be “Invalid or revoked signature certificate” or “Invalid form signature”. There are several possible reasons for this.
The reasons we have detected are:
1. The certificate is invalid (revoked, expired, not recognized, etc.). The error that appears is “Invalid or revoked signing certificate”.
2. The clock on the machine where the signature is being made is set to a future time, meaning that the signature time has not yet arrived. The error that appears in this case is also “Signature certificate invalid or revoked”.
3. Problem identified with the use of T-CAT on card, Acrobat 9 or higher and SafeSign Standard 3.076. Clicking on the signature gives “error when encoding BER”, and the error reason given by EACAT in this case is “Invalid form signature”.
Below we explain each case and the solution in more detail:
1. Invalid certificate
One possibility is that your certificate has expired or been revoked, or that you have a valid one but have not chosen the correct certificate. If you are not sure, you can click on the PDF signature and you will be able to see in the properties if the certificate is expired. To find out if it has been revoked, you will have to speak to the person responsible for the certification service of your entity who will be able to consult it from the Subscriber Folder.
It is also possible that the certificate is not classified and is not accepted by signature validators. Note that signatures generated with the “Create new digital ID” option in Acrobat are not recognized by signature validators, as they are not issued by any trusted provider.
Solution: Sign the PDF with a valid certificate.
2. Future signature time on the PDF
When you sign a PDF, Acrobat uses the computer time as the signature time. The computer time can be incorrect, either because the user of the machine has manually changed it or because the time on your organization's network server is incorrect. If you try to send a PDF signed with a time that has not yet arrived, the signature validator will indicate that the signature is invalid, because the signature will not be valid until that time arrives in real time (not on the computer you are trying to send from).
How to fix it? Correct the time on the computer from which you are signing, or talk to your IT staff so they can check the server time and modify it. Then sign again with the correct time and send the PDF (recommended option). If you cannot change the time right now, send the PDF once the signing time has passed.
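The check described in case 2 can be done before sending. The following is an added example, not code from this page or from EACAT: it reads the signing time (the /M entry of the PDF signature dictionary) and reports any that is later than a reference time. It assumes the signature dictionary is stored uncompressed and can be recognized by its /ByteRange entry, and that the reference time comes from a clock you trust; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string (ISO 32000-1, 7.9.4): D:YYYYMMDDHHmmSSOHH'mm'; fields after YYYY are optional.
_PDF_DATE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    rb"(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?"
)
_OBJ = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.DOTALL)
_SIG_M = re.compile(rb"/M\s*\((D:[^)]*)\)")  # /M = signing time in a signature dictionary


def parse_pdf_date(raw: bytes) -> datetime:
    """Convert a PDF date string to an aware UTC datetime."""
    m = _PDF_DATE.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"not a PDF date: {raw!r}")
    year, month, day, hour, minute, second = (
        int(g) if g else default
        for g, default in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))
    )
    offset = timedelta(0)  # assumption: a date without an offset is treated as UTC
    if m.group(8):
        offset = timedelta(hours=int(m.group(9)), minutes=int(m.group(10) or 0))
        if m.group(8) == b"-":
            offset = -offset
    return datetime(year, month, day, hour, minute, second,
                    tzinfo=timezone(offset)).astimezone(timezone.utc)


def future_signing_times(pdf: bytes, now: datetime) -> list:
    """Return every signature /M time (as UTC) that is later than `now`."""
    future = []
    for body in _OBJ.findall(pdf):
        if b"/ByteRange" not in body:  # skip objects that are not signature dictionaries
            continue
        for raw in _SIG_M.findall(body):
            signed = parse_pdf_date(raw)
            if signed > now:
                future.append(signed)
    return future


# Constructed sample: one uncompressed signature dictionary, signed at 18:15 +02:00.
SAMPLE = (b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange [0 100 200 50]\n"
          b"/Contents <00> /M (D:20240612181500+02'00') >>\nendobj\n")

if __name__ == "__main__":
    reference = datetime(2024, 6, 12, 9, 0, tzinfo=timezone.utc)  # stands in for a trusted clock
    for t in future_signing_times(SAMPLE, reference):
        print("signing time is in the future:", t.isoformat())
```

Pass the reference time from a source other than the signing machine's own clock, since that clock is the value under suspicion.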
3. Problem identified with the use of T-CAT on card, Acrobat 9 or higher and SafeSign Standard 3.076
If Adobe Acrobat is correctly configured but a problem still appears when validating the document signature, and a 2048-bit T-CAT was used for the signature, bear in mind that Adobe Acrobat version 9 or higher has a problem that is unrelated to the EACAT service and to the CATCert digital certificate with which the signature was made. The specific error when attempting to submit through the “Send” button of the form is “Invalid signature”, and when attempting to validate the signature from Acrobat itself, the error shown is “Error decoding BER”.
In this case, we recommend three possible alternatives:
- Option 1: Sign the document from a computer that has a version of Adobe Acrobat earlier than 9.
- Option 2: If option 1 is not possible, uninstall the software for using the AOC Consortium certificates (SafeSign Standard) and install the latest version.
- Option 3: If there is no quick way to upgrade to the latest version, you can configure card access via PKCS#11 manually in the Acrobat settings from this option (this option requires technical knowledge):
– Adobe > Edit > Preferences > Signatures > Identities and trusted certificates > PKCS#11 modules and tokens > Attach module > C:\Windows\System32\aetpkss1.dll
Once the new version of the software has been installed, or Adobe has been configured, on all computers where a PDF signature is to be performed, and the computer has been restarted:
– Insert the T-CAT into the reader.
– Go to Start > All programs > SafeSign Standard > Token management.
– From the Digital IDs menu option, select Show Registered Digital IDs. At this point, the certificates should be displayed in the open window.
– If so, re-sign the original PDF from the computer where the update was made. The error should be resolved.