Skip to main content
R
rolando_rerf
Participant
September 15, 2019
Question

Can't sign documents -- Sectigo signature does not get validated: "Invalid policy constraint"

  • September 15, 2019
  • 4 replies
  • 4745 views

Hi,

This has been discussed on one other post a month ago without solution but it is still a big problem, in Acrobat (and Reader) DC 2019 our valid signature is marked as invalid. The certificate path shows "Invalid policy constraint" for the issuing certificate paths and the signing certificate. The certificate is issued by Sectigo and AATL approved, this is generating a lot of inconveniences because we can not sign documents anymore .. 


PS:
BTW It also display that the "Document has been altered or corrupted since it has been signed" just when it was generated ..
Really Adobe ???

Any hints out there ? A better piece of software perhaps ?
Cheers, Roland.



4 replies

me_hardy
me_hardy
Participant
April 1, 2026

Just to add a practical angle here - the core issue is that Personal Authentication certificates and Document Signing certificates use completely different certificate policy OIDs, which is exactly why Adobe throws that "Invalid policy constraint" error. They're not interchangeable, even if both come from the same CA like Sectigo. If you're evaluating options beyond Sectigo, DigiCert Document Signing Certificate is also AATL-listed and works cleanly with Acrobat - worth comparing before you decide. Hope it helps you!

    J
    JessicaHowe
    Participant
    October 3, 2025

    The error comes up because the certificate you are using is not real one document signing certificate but a personal one, which Adobe doesn’t fully trust. To fix this, you need a proper AATL-approved document signing certificate so that Acrobat/Reader will validate it without errors. A good option is using a trusted provider Document Signing Certificates, which are made for signing PDFs and avoid these “invalid policy” issues. Hope it helps!

    R
    rolando_rerfAuthor
    Participant
    September 16, 2019

    Hi,
    I got a response from Sectigo (former Comodo) great costumer support 
    It seems that I need to purchase a new certificate with a new trusted chain 🙂

    Hello,

    Greetings from Sectigo Support!

    Yes, the Personal Authentication Certificate which you've purchased will give a trusted identity error when you sign Adobe PDF files. Instead, it is recommended to purchase a new certificate specifically designed for document signing which comes with a new trusted chain " Sectigo RSA Document Signing CA” added into Adobe Approved Trust List (AATL).

    Please do refer the following link for more details about Sectigo document signing certificate.

    https://sectigo.com/ssl-certificates/document-signing-certificates

    Please let us know if you need any further support.

    Regards,
    Sectigo - Technical Support





     

    Eric Dumas
    Community Expert
    Eric DumasCommunity Expert
    Community Expert
    September 16, 2019

    Hi,

    Thanks for sharing your reply. I hope this will help other users that might have a similar issue.

    Can you post an update once you get the renewed certificate?

     

    Eric Dumas
    Community Expert
    Eric DumasCommunity Expert
    Community Expert
    September 16, 2019

    Hi,

    Can you confirm the version of your Software and operating system?

    Can you confirm that you have tested the path to your certificates?

    Can you describe the process you use to create the pdf?

    With more details, we can try to understand your issue better and help you find a solution.

    A couple of screenshot would help as well.

    Thanks

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices