Signed PDFs appear as “unknown” in the PDF reader, but are marked as valid in DeepValidator
Problem
A signed PDF is displayed as “unknown,” “not trusted,” or similar in a PDF reader such as Adobe Acrobat, Foxit Reader, or Microsoft Edge, while the same signature is reported as valid in DeepValidator.
Classification
This behavior does not necessarily mean that the signature is technically or legally invalid. In many cases, the cause is that the PDF reader or the local system cannot fully resolve the certificate chain of the signer’s certificate up to a trusted root CA, or does not classify it as trusted.
Possible causes
- The PDF reader uses local or application-specific trust stores and cannot find the required root CA or intermediate certificates.
- The required root or intermediate certificates are not present on the system, are outdated, or are not marked as trusted.
- Trust-related lists or settings in the PDF reader are not up to date, such as the Adobe Approved Trust List (AATL) or the European Union Trust List (EUTL).
- Different PDF readers sometimes evaluate signatures differently because they use different trust models, certificate stores, and validation logic.
Possible solutions
- Update the PDF reader:
  Make sure that an up-to-date version of Adobe Acrobat Reader, Foxit Reader, or Microsoft Edge is being used so that current validation mechanisms and trust information are available.
- Check the trust store and certificate chain:
  Verify whether the required root CA and the associated intermediate certificates are present on the system or in the PDF reader and are stored as trusted.
- Import certificates or set trust:
  If necessary, manually import the relevant certificates and configure them as trusted. In Adobe, this can be done by viewing the signer’s certificate and adjusting the trust settings; in Foxit, certificates can be imported into the “Trusted Certificates” area and marked as a “trusted root.”
- Update the PDF reader’s trust lists:
  Using Adobe Acrobat Reader as an example: check whether AATL and EUTL are enabled and up to date, as missing or outdated trust lists can cause a signature to appear as unknown.
- Check the CA certificates of the provider:
  If signatures are created with certificates from a specific certification authority, the root and intermediate certificates provided by that CA should also be checked and updated if necessary. For Swisscom certificates, the latest information and certificates can be obtained via Swisscom’s Digital Certificate Service page: https://www.swisscom.ch/en/business/enterprise/offer/security/digital_certificate_service.html.
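The difference between a validator that reports a signature as valid and a reader that shows it as unknown can be reproduced with OpenSSL. This added example (not part of the original article or of DeepValidator) builds a constructed root, intermediate and signer certificate and checks the same signer certificate against different trust stores; all certificate names and file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed test PKI: every name and subject below is made up for this example.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"

# new_key_csr NAME SUBJECT: create a private key and a certificate request.
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -out "$W/$1.csr" -subj "$2" 2>/dev/null
}

# Two self-signed roots: the signer's root and an unrelated one.
for r in root other; do
  new_key_csr "$r" "/CN=Example $r CA"
  openssl x509 -req -in "$W/$r.csr" -signkey "$W/$r.key" -days 2 \
    -extfile "$W/ca.ext" -out "$W/$r.pem" 2>/dev/null
done

# Intermediate CA issued by the root; signer certificate issued by the intermediate.
new_key_csr inter "/CN=Example Issuing CA"
openssl x509 -req -in "$W/inter.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
  -set_serial 2 -days 2 -extfile "$W/ca.ext" -out "$W/inter.pem" 2>/dev/null
new_key_csr signer "/CN=Example Signer"
openssl x509 -req -in "$W/signer.csr" -CA "$W/inter.pem" -CAkey "$W/inter.key" \
  -set_serial 3 -days 2 -out "$W/signer.pem" 2>/dev/null

# chain_status STORE [EMBEDDED]: print "trusted" if the signer certificate chains
# to a root in STORE; EMBEDDED (certificates carried inside the signature) is
# used only as a source of untrusted intermediates. Otherwise print "unknown".
chain_status() {
  if openssl verify -no-CApath -CAfile "$1" ${2:+-untrusted "$2"} \
       "$W/signer.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown
  fi
}

echo "store contains the root:      $(chain_status "$W/root.pem" "$W/inter.pem")"
echo "store lacks the root:         $(chain_status "$W/other.pem" "$W/inter.pem")"
echo "intermediate not available:   $(chain_status "$W/root.pem")"
```

The signer certificate and its signature are identical in all three runs; only the trust store and the available intermediates change the result.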
Alternative check
- Open the document in another up-to-date PDF reader as a test to determine whether the behavior is specific to one reader.
- Also validate the signature with another recognized validator, such as the federal validator in a ZertES context or the EU validator in an eIDAS context. If this validation also returns a positive result, this indicates that the signature is valid and that the differing display is due to a local trust configuration or reader-specific presentation.
Note for support cases
For analysis, the following information is helpful:
- The PDF reader used, including its version number.
- The operating system of the affected device.
- The exact error message or a screenshot of the signature display.
- Information about the signature certificate or certification authority, if available.