Frequently Asked Questions

Entrust Document Signing Certificates


What is Entrust Document Signing Certificates?
Entrust Document Signing Certificates enable users to digitally sign Adobe® and Microsoft Office® documents. Visual trust indicators verify the publisher’s identity and show that the document was not altered. Users can authenticate sensitive documents requiring multiple signatures. Real-time assurance verifies the document’s authenticity not just the first time it is opened, but throughout its lifetime.

What are the steps to get a Document Signing Certificate?

It’s easy.

Step 1: Select the DSC certificate that’s right for you: http://www.entrust.com/signing-certificate-comparison/

Step 2: Click on the Buy Now button to start the purchase process. Have your authorization, billing and technical contact information ready. You will also have to provide your domain and company information.

Step 3: Entrust will begin the process of verifying the information. Our stringent verification process may include phone calls and trusted third-party searches to verify information. Once verified, your USB security token will be shipped to you unless you require a certificate for an HSM.

Step 4: Once you receive a secure USB token, you will have to install a software package that initializes the token. Once complete, the certificate is installed on the token.

Contact us, if you need more information.

How does it work?
Authors interested in creating certified documents can register with Entrust. Once the registrant’s identification information is verified, they are provided with a digital ID to be used in Adobe® and Microsoft® products to apply a trusted digital signature to a document. When a document signed with a Document Signing Certificate is opened, a trust dialog is immediately presented at the top of the document. Visual indicators enable recipients to verify the signature’s authenticity, and whether the document has been altered since signing, every time the document is opened.

The dialog may vary depending on the software solution and version the recipient is using, but generally looks like this:

This document has been certified by a valid trusted signature using the Adobe trust process and cannot be repudiated by the author. Certified documents may allow users to complete forms or also sign documents.

This document has been signed by a valid trusted signature using the Adobe trust process and cannot be repudiated by the author.

This document was signed using an untrusted certificate, and cannot be verified.

This document has been altered or tampered with since signing.

What’s the difference between a certified certificate and a signed certificate?
The key difference is that a certified document provides extra functionality:

  1. allows some modifications to the document without breaking validation (for example, form filling),
  2. validates even with the Acrobat Sandbox enabled, and
  3. can be used to allow JavaScript if it is disabled.

From the point of view of integrity and authenticity, certified and signed certificates are the same.

What happens to the documents that have been signed, if my Entrust Document Signing Certificate expires?
In most cases, the signature will remain valid after the certificate has expired, leaving the documents valid long after the initial signing. However, the software that you are using may be configured to allow signatures to expire. In that case, the signature is only valid for the duration it was configured.

How am I and my organization vetted?
Before issuing a Document Signing Certificate, registrants are vetted through a stringent verification process to ensure proper identity. Entrust performs the following verification process:


Individuals (without an organization)
Individuals who are not associated with an organization will have their name identified on the Document Signing Certificate.

  1. Entrust will verify a government-issued identity document received by fax or scan.
  2. A phone number for the individual will be obtained through a trusted third party source.
  3. A call will be placed to the subscriber with the found phone number.
  4. A validation email will confirm the email address of the subscriber via a shared secret.

Individuals or roles within an organization
In this case the certificate is for an individual associated with an organization. Both the individual’s and the organization’s names will be identified in the certificate.

  1. Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third party sources of information.
  2. A phone number will be obtained through a third party listing.
  3. A call to the Organization Representative (OR) contact will verify the employment of the OR and confirm the authorization of the subscriber.
  4. A call to the subscriber will confirm the request.
  5. Entrust will validate the email address of the subscriber via a shared secret.

Organizations ordering certificates on behalf of the organization
In this case the certificate is for an organization whose name will be in the certificate. No individual’s name will appear in the certificate; however, an individual will be assigned as the Key Custodian for the certificate:

  1. Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third party sources of information.
  2. A phone number will be obtained through a third party listing.
  3. A call to the Organization Representative (OR) to verify the employment of the OR and confirm the authorization of the Key Custodian.
  4. A call to the Key Custodian to verify the request.
  5. Entrust will validate the email domain of the organization.

Entrust Cloud
For customers of Entrust Cloud, the verification must include authorization of the administrators who will perform the role of Local Registration Authority (LRA):

  1. Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third party sources of information.
  2. A phone number will be obtained through a third party listing.
  3. A call to the Organization Representative (OR) to verify the employment of the OR and confirm the authorization of the LRAs.
  4. Entrust will validate the email domain of the organization.

What kind of certificates are there?
Entrust offers four different Document Signing Certificates:

Individual Signing Certificates — Manual: These certificates are used by individuals who wish to sign and certify documents on an ad hoc basis. Examples of this are workflow approvals, legal documents, contracts and letters. The certificates are assigned to an individual whose first and last name appear in the signature along with their email address. This certificate is sold on a secure token.

Group Signing Certificates — Manual: These Document Signing Certificates are used by groups that wish to sign and certify documents on behalf of a group. These certificates, delivered on a secure token, display the organizational group name and email in the signature rather than an individual name. They are intended for ad hoc use. For example, a sales department may decide to sign its proposals or RFP responses.

Group Signing Certificates — Automatic: These Document Signing Certificates display the same signature properties as the manual group signing certificates. The difference is that these are intended for use in an automated process (usually Adobe® LiveCycle) to sign and certify documents. Typical use cases for this signature are invoices, account statements, transcript requests and confirmations.

Enterprise Signing Certificates — Automatic: Intended for corporate use, Enterprise signing certificates display the company name in the signature properties rather than the name of an individual or group.


Why do I need special hardware?
A requirement for providers of Document Signing Certificates is to ensure the security of the private signing key. Using digital signature technology, Adobe products provide recipients with assurances that certified PDF documents are authentic: that they did originate from their stated author and that the portion of the document signed by the author has not been modified since authoring. For this reason, the private key is generated and stored on a FIPS-compliant cryptographic token that ensures the key cannot be duplicated, thus preserving the solution for non-repudiation. Entrust includes a FIPS-validated cryptographic USB token with each individual and group certificate sold. This key is secured by passwords and is easily accessed by signing applications. For Enterprise digital signatures, organizations can download their certificate to an HSM (Hardware Security Module), which is also FIPS compliant.

What products work with Entrust Document Signing Certificates?
We support all versions of Adobe Acrobat and Adobe Reader since version 9, and all Microsoft Office products which run on supported versions of Windows.
Support for LibreOffice, OpenOffice and Bluebeam is pending testing.

How does this differ from other client certificates?
Most client certificates work well inside an organization that has deployed software to validate and sign digital documents. Typically, PKI customers have the ability to apply digital signatures and have them validated by coworkers inside the organization. The problem comes when exchanging documents outside the organization. Many recipients do not have the technology in place to verify signatures, nor the skills to configure that technology.

Entrust Document Signing Certificates are different because the technology to interpret them is built into Adobe® Reader, which is ubiquitous. The benefit of using signatures in an application that is readily available and on most desktops is that readers do not have to configure software and no special skills are needed. Additionally, Entrust Document Signing Certificates can be used with other office documents such as those produced by Microsoft Office products.

Can I reissue Entrust Document Signing Certificates?
Entrust Document Signing Certificates can be reissued to the same identity within 30 days of purchase. A certificate may be reissued if passwords are forgotten, tokens are misplaced (an administrative fee applies to replace the token), a key is compromised, or if the individual leaves an organization. If the subscriber leaves the organization, the key should be revoked without reissue.

Reissuing certificates should not be confused with recycling certificates, which is a feature of server-based SSL certificates in Entrust Cloud SSL Enterprise. With the SSL Enterprise service, an administrator can revoke a certificate and reissue that certificate again to another server without depleting their inventory of certificates. This feature of SSL Enterprise is not available for Entrust Document Signing Certificates.

What information does the certificate contain?

Certificate information varies by certificate type:

Individual Document Signing Certificate

Element   Required/Optional   Values
cn        Required            Individual's name
email     Required
ou        Optional
o         Not Required
l         Optional
st        Optional
c         Required

Group Document Signing Certificate

Element   Required/Optional   Values
cn        Required            Role, Department, Organization
email     Required
ou        Optional
o         Required            Organization Name
l         Optional
st        Optional
c         Required
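The two tables above define which subject attributes an individual or group certificate must carry. The following is an added example (not Entrust's code, and not tied to any Entrust tooling) that transcribes those tables into a small policy and checks a certificate subject against it. It parses the one-line subject format that `openssl x509 -noout -subject` prints, so a custodian can verify a received certificate before it goes into production. The sample subjects are constructed for the example; the attribute aliases map OpenSSL's long names onto the short names the tables use.

```python
"""Check a document-signing certificate subject against the FAQ's attribute tables.

Added example, not Entrust code. The policy below is transcribed from the two
tables in this FAQ; the sample subjects are constructed for illustration.
Feed it the line printed by `openssl x509 -in cert.pem -noout -subject`.
"""
import re

# Required/optional attribute policy transcribed from the tables.
# Keys are the short attribute names the tables use.
POLICY = {
    "individual": {
        "required": {"cn", "email", "c"},
        "optional": {"ou", "l", "st"},
        "not_required": {"o"},
    },
    "group": {
        "required": {"cn", "email", "o", "c"},
        "optional": {"ou", "l", "st"},
        "not_required": set(),
    },
}

# Long/alias attribute names (as OpenSSL prints them) -> short table names.
ALIASES = {
    "commonname": "cn", "emailaddress": "email", "e": "email",
    "organizationname": "o", "organizationalunitname": "ou",
    "localityname": "l", "stateorprovincename": "st", "countryname": "c",
}


def parse_subject(subject: str) -> dict:
    """Parse 'subject=CN = Jane Doe, emailAddress = jane@example.com, C = CA'
    into {short_name: value}. Backslash-escaped commas inside a value
    (e.g. 'O = Example Corp\\, Inc.') are kept as part of that value."""
    subject = subject.strip()
    if subject.lower().startswith("subject="):
        subject = subject[len("subject="):]
    attrs = {}
    # Split only on commas that are not preceded by a backslash.
    for part in re.split(r"(?<!\\),", subject):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        name = name.strip().lower()
        attrs[ALIASES.get(name, name)] = value.strip().replace("\\,", ",")
    return attrs


def check_subject(subject: str, cert_type: str) -> dict:
    """Report required attributes missing from the subject, plus any attribute
    the table marks 'Not Required' that is nevertheless present (informational)."""
    policy = POLICY[cert_type]
    attrs = parse_subject(subject)
    missing = sorted(policy["required"] - set(attrs))
    present_not_required = sorted(set(attrs) & policy["not_required"])
    return {
        "ok": not missing,
        "missing": missing,
        "not_required_present": present_not_required,
        "attributes": attrs,
    }


# Constructed sample subjects in `openssl x509 -noout -subject` format.
INDIVIDUAL_OK = "subject=CN = Jane Doe, emailAddress = jane.doe@example.com, C = CA"
GROUP_MISSING_O = "subject=CN = Accounts Payable, emailAddress = ap@example.com, C = CA"
GROUP_OK = ("subject=CN = Accounts Payable, emailAddress = ap@example.com, "
            "O = Example Corp\\, Inc., C = CA")

if __name__ == "__main__":
    for label, subj, kind in [("individual", INDIVIDUAL_OK, "individual"),
                              ("group (missing o)", GROUP_MISSING_O, "group"),
                              ("group", GROUP_OK, "group")]:
        report = check_subject(subj, kind)
        status = "OK" if report["ok"] else "MISSING " + ", ".join(report["missing"])
        print(f"{label:20} {status}")
```

The check is deliberately strict about presence only: the tables say which attributes must exist, not what their values must be, so value validation (for example, that `email` matches the vetted subscriber) remains a manual step in the vetting process described earlier.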

What’s the difference between certified and approval signatures?
A document that is certified attests to the content of the document and certifies that it has not been altered in any way. When a document is certified, the author can specify what changes can be made to the document before its certification is no longer valid. That usually takes the form of:

  • no changes permitted
  • form fields filled out only
  • comments on the document allowed

When a person (not necessarily the author) signs a document to consent to or approve it, an approval signature is applied. In all cases, for both approvals and certification, the document displays the certificate status in the blue bar at the top of the window.