Skip to main content
Suranjit
Participant
June 25, 2026
Question

Getting "Bad parameter" error while trying to sign a PDF with Internal Root CA

  • June 25, 2026
  • 3 replies
  • 48 views

I am trying to sign a PDF content with a digital signature certificate created through ADCS Internal Root CA. When I open the signed PDF document to Microsoft Edge it is showing “Signature Valid” but when I open the signed PDF in Adobe Acrobat Reader (latest version) it gives -

“Error during signature verification

Adobe Acrobat error.

Bad parameter.”

I am using BouncyCastle for CMS signature generation. I have tested my signing code with just PFX loading and CMS signature generation steps on a small text and I have found the CMS verification is successful. But whenever I use the same code to sign the PDF it gives “Bad parameter” and also the openssl cms verification test fails. 

Based on these observations I feel there is something regarding the PDF structure after embedding the signing part into the original PDF which causes the “Bad parameter” issue.

I am hereby providing some structural information of the signed PDF as attachment.

Any help will be highly appreciated.

    3 replies

    Suranjit
    SuranjitAuthor
    Participant
    July 2, 2026

    There are some points I would like to add as follows - 

    When I open the signed PDF (signed using BouncyCastle.Cryptography) in my machine where Internal Root CA is in the Windows Trusted Certificate Store as well as in Adobe's Trusted Certificate Store, there the "Signature panel" shows "signed by unknown - Signature validity is unknown." But this PDF shows proper valid signature information when opened in browser.

    But the same PDF when signed by same PFX using iTextSharp and open in that machine it shows "signed and all signatures are valid". 

    As I now have a proper signed PDF (signed through iTextSharp) which Acrobat Reader correctly interprets as valid signature with no "Bad parameter" error hence I am comparing the structural difference between these two PDFs to find out the reason.

    But at the same time the OpenSSL CMS verification command now succeeds which failed earlier. It was failing earlier because the command should be given with '-binary' flag. Otherwise it takes text mime type as default.

    Anand Sri Bhattacharya
    Community Manager
    Community Manager
    July 2, 2026

    Hello ​@Suranjit 

     

    Thank you for sharing additional details and context. I will get this checked internally and will get back to you with an update.

     

    Regards,

    Anand Sri.

    Suranjit
    SuranjitAuthor
    Participant
    June 25, 2026

    Hello ​@Anand Sri Bhattacharya 

    Thanks much for your quick reply. I am trying to answer your queries as follows - 

    1. I was testing with Adobe Acrobat Reader version 26.001.21662.0 but as per your suggestion I have updated the version to 26.001.21677.0, restart the app and machine and try again but the result is the same.

    2. I am creating the PDF signature using a custom implementation with BouncyCastle.

    3. My Content Hex size is fixed as 32768 = 16384 bytes, generally used for RSA-2048 certificate chain + PKCS#7 envelope. I have checked the /Content placeholder mechanics is calculated correctly. 

    4. I perform the sign on a fresh PDF. No rewriting the PDF.

    5. /FT is set to /Sig

    6. /V 14 0 R means /V is stored as a referenced object, not an inline dictionary.

    7. /ByteRange is set with no prefixed padding.

          I think the issue occurs during Signature embedding. Actually this is my first attempt for singing PDF, so I do not have any working signed PDF.

          I am currently using Windows 10 Pro.

          I am hereby attaching the screenshot of the error message and a sample PDF with the signature applied.

     

    Best Regards,

    Suranjit 

          

     

    Anand Sri Bhattacharya
    Community Manager
    Community Manager
    June 25, 2026

    Thank you for sharing the details ​@Suranjit 

     

    We will get this test replicated at our end, and if required, I will reach out to you for additional details.

     

    Regards,

    Anand Sri.

    Anand Sri Bhattacharya
    Community Manager
    Community Manager
    June 25, 2026

    Hello @Suranjit


    I hope you are doing well, and thanks for reaching out. We're sorry for the trouble you had.

    Could you please share more details:

    1. Which exact Adobe Acrobat Reader version are you testing with (Menu > Help > About Acrobat)?

    2. Are you creating the PDF signature using a custom implementation only (BouncyCastle) or using any Adobe library (e.g., Acrobat SDK / PDF Library)?

    3. Can you confirm whether your /Contents placeholder size is fixed before signing, and matches the final CMS size (no overflow/truncation)?

    4. Are you performing an incremental update when embedding the signature (i.e., not rewriting the entire PDF)?


    Please ensure you have the latest version of Acrobat installed on the machine: 26.001.21677, Planned update, Jun 17, 2026. Check for any pending updates by navigating to Menu > Help> Check for Updates. Install the updates, restart the app and the machine, and try again.


    Please note that Acrobat is stricter about PDF signature compliance than some other viewers. This error can occur if the signature dictionary is not structured as expected (for example, how the /V value is defined). In some cases, using a direct dictionary instead of a referenced object can trigger this validation error in Acrobat. Since you’re generating the CMS using BouncyCastle, it may help to validate:

    • Whether the signature field (/FT) is correctly set to Sig

    • Whether the signature value (/V) is stored as a referenced object, not just an inline dictionary

    • That the ByteRange and incremental update structure are correctly applied


    Since you mentioned OpenSSL verification also fails after embedding, this reinforces that the issue is likely introduced during:

    • PDF modification / incremental save

    • Signature embedding (not CMS generation itself)

    If possible, compare:

    • A working signed PDF vs. your generated one

    • Especially the cross-reference table, offsets, and signature object references


    If you have Acrobat Pro, test the same file.


    If the issue continues, please share the current version of Acrobat Reader installed, the version of the OS, the screenshot of the error message, and a sample PDF file with the signature applied for further investigation.


    Regards,

    Anand Sri.