Skip to main content
Krisztian M
Krisztian M
Participant
May 26, 2026
Answered

Acrobat rejects DSS additions after a certification signature (DocMDP P=1, No changes allowed), contrary to ISO 32000-2. Is a fix on the roadmap?

  • May 26, 2026
  • 1 reply
  • 37 views

I'm working on a workflow that requires applying a certification signature with DocMDP P=1 ("No changes allowed") to a PDF, while also producing an LTV-enabled seal.
ISO 32000-2 explicitly carves out DSS dictionary updates and document timestamp additions from the restrictions, meaning these should be permitted even under P=1. However, Acrobat has historically flagged such post-certification additions as invalidating the certification.

 

A few questions:

  • Is a fix on the roadmap and is there a target release?
  • In the meantime, what does Adobe recommend for use cases that genuinely require both the highest certification level and embedding revocation info?

 

I'd appreciate any official guidance, since the alternatives each involve trade-offs (CMS-only embedding doesn't cover the TSA chain and P=2 weakens the certification guarantee).

 

Thanks.

    Correct answer Anand Sri Bhattacharya

    Hello @Krisztian M,


    I hope you are doing well, and thanks for reaching out and sharing the details. We're sorry for the trouble you had.


    To make sure I cover what you need, and can help you with the information:

    • Which Acrobat product and environment are you testing with?
      A) Acrobat Pro (desktop, continuous track)
      B) Acrobat Pro (classic track)
      C) Acrobat Web
      D) Acrobat Sign–generated PDFs

    • Is the DSS being added via:
      A) Acrobat’s Add verification information / LTV workflow
      B) An external signing service/tool that injects DSS after certification
      C) A document timestamp added after certification


    Please note that you need to certify a PDF with DocMDP P=1 (No changes allowed) and still include Long-Term Validation (LTV) data (i.e., revocation info and/or a document timestamp). Currently, Acrobat Pro (desktop) will indeed invalidate the certification if any changes are made post-certification – even the DSS (Document Security Store) or a timestamp, despite ISO 32000-2 (PDF 2.0) allowing those specific additions.


    Acrobat’s current behavior with “No changes allowed” (P=1):
    Acrobat strictly enforces that “no changes” means no incremental updates at all. Any added data after the certifying signature – even just revocation info or a timestamp, causes Acrobat to flag the certification as broken. In other words, Acrobat doesn’t currently implement the PDF 2.0 exception that treats DSS updates or document timestamps as non-breaking changes. So under P=1 certification, any modification (other than viewing) will show “At least one signature is invalid”.

    Check this community discussion on a similar topic: https://adobe.ly/4u1Adbz


    Current recommended approach (workaround) for LTV with certified PDFs:

    Include revocation info & timestamp at signing time – Before applying your certification signature, configure Acrobat to embed all available validation data. Go to Edit > Preferences > Signatures > Creation & Appearance > More, then check “Include signature’s revocation status”. Now, when you certify (sign), Acrobat will automatically embed the OCSP/CRL responses for the signer’s certificate chain (and apply a timestamp if you have a timestamp server set up). This means the PDF is LTV-enabled from the moment of signing, with no need for post-signing modifications. (If you were signing offline and couldn’t embed everything initially, see the next point.) See this article for more information: https://adobe.ly/4u29z2z


    If LTV info must be added after signing, use a less restrictive certification level: Instead of P=1, consider certifying with “Form fill-in and digital signatures allowed” (DocMDP P=2). This still prevents content edits but allows further signatures or form-fills after certification. In practice, that means you can add a document timestamp signature or use Add Verification Information after the initial certification without invalidating it. The downside: P=2 is slightly less strict (others could fill a form field or add a signature), but if you trust that only your controlled LTV/timestamp update will happen, it’s a viable compromise using supported features. To do this, when certifying the document in Acrobat’s Sign dialog, choose Permitted Actions After Certifying: Form fill-in and digital signatures instead of No changes allowed.


    As of now, there isn't any specific fix that you can apply in Acrobat’s settings for this. But if you share the above-requested information, then I will check with the product team on this.


    Regards,

    Anand Sri.

    1 reply

    Anand Sri Bhattacharya
    Community Manager
    Anand Sri BhattacharyaCommunity ManagerCorrect answer
    Community Manager
    May 26, 2026

    Hello @Krisztian M,


    I hope you are doing well, and thanks for reaching out and sharing the details. We're sorry for the trouble you had.


    To make sure I cover what you need, and can help you with the information:

    • Which Acrobat product and environment are you testing with?
      A) Acrobat Pro (desktop, continuous track)
      B) Acrobat Pro (classic track)
      C) Acrobat Web
      D) Acrobat Sign–generated PDFs

    • Is the DSS being added via:
      A) Acrobat’s Add verification information / LTV workflow
      B) An external signing service/tool that injects DSS after certification
      C) A document timestamp added after certification


    Please note that you need to certify a PDF with DocMDP P=1 (No changes allowed) and still include Long-Term Validation (LTV) data (i.e., revocation info and/or a document timestamp). Currently, Acrobat Pro (desktop) will indeed invalidate the certification if any changes are made post-certification – even the DSS (Document Security Store) or a timestamp, despite ISO 32000-2 (PDF 2.0) allowing those specific additions.


    Acrobat’s current behavior with “No changes allowed” (P=1):
    Acrobat strictly enforces that “no changes” means no incremental updates at all. Any added data after the certifying signature – even just revocation info or a timestamp, causes Acrobat to flag the certification as broken. In other words, Acrobat doesn’t currently implement the PDF 2.0 exception that treats DSS updates or document timestamps as non-breaking changes. So under P=1 certification, any modification (other than viewing) will show “At least one signature is invalid”.

    Check this community discussion on a similar topic: https://adobe.ly/4u1Adbz


    Current recommended approach (workaround) for LTV with certified PDFs:

    Include revocation info & timestamp at signing time – Before applying your certification signature, configure Acrobat to embed all available validation data. Go to Edit > Preferences > Signatures > Creation & Appearance > More, then check “Include signature’s revocation status”. Now, when you certify (sign), Acrobat will automatically embed the OCSP/CRL responses for the signer’s certificate chain (and apply a timestamp if you have a timestamp server set up). This means the PDF is LTV-enabled from the moment of signing, with no need for post-signing modifications. (If you were signing offline and couldn’t embed everything initially, see the next point.) See this article for more information: https://adobe.ly/4u29z2z


    If LTV info must be added after signing, use a less restrictive certification level: Instead of P=1, consider certifying with “Form fill-in and digital signatures allowed” (DocMDP P=2). This still prevents content edits but allows further signatures or form-fills after certification. In practice, that means you can add a document timestamp signature or use Add Verification Information after the initial certification without invalidating it. The downside: P=2 is slightly less strict (others could fill a form field or add a signature), but if you trust that only your controlled LTV/timestamp update will happen, it’s a viable compromise using supported features. To do this, when certifying the document in Acrobat’s Sign dialog, choose Permitted Actions After Certifying: Form fill-in and digital signatures instead of No changes allowed.


    As of now, there isn't any specific fix that you can apply in Acrobat’s settings for this. But if you share the above-requested information, then I will check with the product team on this.


    Regards,

    Anand Sri.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices