I'm facing an issue with PAdES-B-LT signature validation in Adobe Reader and the EU ETSI validation tool. Both tools are reporting errors related to the certificate chain.
Context
- I'm using Entrust's Signing Automation Service API (SAS) to create a PAdES-B-LT signed PDF with timestamping.
- I retrieve the base64-encoded signature from the Entrust API response.
- I utilize Apryse (PDFTron)'s Go library to embed the signature in the PDF.
Errors
Adobe Reader: Shows "The signer's identity is unknown" and hides the intermediary and root CA certificates, even with "Show all certification paths found" enabled.
EU ETSI Validation Tool: Reports "NO_CERTIFICATE_CHAIN_FOUND" with details stating "Unable to build a certificate chain up to a trusted list" and "The certificate chain for signature is not trusted, it does not contain a trust anchor."
Additional Information
- The issue occurs for some colleagues but not others.
- I view the PDF today, and the signature is invalid. I view some other document that's also signed by Entrust, and then if I view my document, it says the signature is valid. The weird thing is, it happens every day. Unless I view some other document, my document says the signature is invalid.
- I've verified the certificate's validity with Entrust.
What could be causing this "No Certificate Chain Found" error? How can I ensure complete certificate chain inclusion in the PAdES-B-LT signature to enable proper validation in Adobe Reader and the EU ETSI tool? Are there any specific considerations when using Apryse (PDFTron) for embedding PAdES-B-LT signatures that might be relevant to this issue?
