
Signature is invalid - Invalid Policy Constraint - Certificate from IdenTrust IGC CA 2

New Here, Apr 29, 2025

I have an error with the Certificate signature window in Adobe Acrobat: the “Signature validity is Unknown”. When I opened “Signature Properties”, the “Signer Info” said “Errors were building the path from the signer’s certificate to an issuer certificate. Revocation checking was not performed.” Then I proceeded to click on “Show Signer’s Certificate…”; the error message shown in the bottom window is “The selected certificate has errors: Invalid policy constraint”. How can I fix this problem so my signature is valid and recognized?

Capture.JPG

Adobe Employee, Apr 29, 2025

Hi @Melissa5D61

Sorry for the troubled experience, and thanks for reaching out.

You can try the following and let us know how it works:

1. Update Trusted Root Certificates in Acrobat

  • Open Acrobat.

  • Go to Edit > Preferences > Signatures.

  • Under Verification, click More.

  • Ensure “Use the Online Certificate Status Protocol (OCSP)” and “CRL” options are enabled for revocation checks.

  • Click Update Now under “Trusted Certificates” to fetch the latest list from Adobe.

2. Manually Trust the Signer’s Certificate

If the signer’s certificate is not part of AATL/EUTL:

  • In the Certificate Viewer, go to the Trust tab.

  • Click Add to Trusted Certificates.

  • Check “Use this certificate as a trusted root” and ensure relevant trust options (e.g., Digital Signatures) are selected.

  • Click OK and close all dialogs.

Then re-validate the signature.

3. Check for Network or Proxy Restrictions

Ensure that:

  • Acrobat can access AATL and CRL URLs

  • Your firewall or proxy isn’t blocking certificate validation endpoints.

4. Confirm Certificate Usage Policies

You may want to contact the certificate issuer or IT/security team to confirm the policy identifiers embedded in the certificate chain. If they’ve recently changed issuing chains or policies, Acrobat may flag this mismatch as an invalid constraint.

This could be happening because Acrobat is unable to fully trust the signature because:

  • The certificate policy in the signer’s certificate doesn’t match what the issuing or trusted root certificate authority (CA) expects.

  • Trust settings or revocation checks couldn’t be completed (often due to missing CA certificates or network access restrictions).

  • The certificate is not part of Adobe’s Approved Trust List (AATL) or European Union Trusted List (EUTL), which Acrobat uses to validate signatures automatically.

~Tariq

New Here, Apr 29, 2025

For option 1: I do not see that option to update.

Capture.JPG

Advocate, Apr 29, 2025

According to your screenshot the root certificate of the certificate chain has a common name starting with "Federal Common Policy C". Looking into the Trusted Certificates list of Acrobat here that may be "Federal Common Policy CA" or "Federal Common Policy CA G2".

Both those possible root anchors have policy restrictions, i.e. signatures by certificates issued by these roots are not valid unless those certificates have one of the associated certificate policies.

Thus, have you checked that your certificate has one of those certificate policies?

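The policy restriction described in the reply above, as an added example that is not part of the thread and not Acrobat's own code: a simplified model of RFC 5280 certificate-policy processing, showing how a chain fails when the signer's certificate asserts none of the policies the trust anchor is restricted to. The `valid_policies` helper, the chain names and the placeholder OIDs are constructed for illustration; policy mappings and inhibitAnyPolicy are not modelled.

```python
# Simplified model of RFC 5280 certificate-policy processing (added example).
# Not modelled: policy mappings, inhibitAnyPolicy, policy qualifiers.
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID defined in RFC 5280

# Constructed placeholder OIDs, NOT the real policy OIDs of any CA.
POLICY_A = "1.3.6.1.4.1.99999.1.1"
POLICY_B = "1.3.6.1.4.1.99999.1.2"
POLICY_C = "1.3.6.1.4.1.99999.1.3"


def valid_policies(chain, acceptable):
    """Return (policies under which the chain is valid, reason).

    chain: list of (name, policies) ordered from the first CA below the
           trust anchor down to the signer; policies is a set of OIDs, or
           None when the certificatePolicies extension is absent.
    acceptable: set of OIDs the relying party accepts for this anchor.
    """
    current = {ANY_POLICY}                # nothing has narrowed the set yet
    for name, policies in chain:
        if policies is None:              # no extension: no policy survives
            return set(), f"{name}: no certificatePolicies extension"
        if ANY_POLICY in current:
            current = set(policies)       # first certificate to narrow the set
        elif ANY_POLICY not in policies:
            current &= policies           # keep only policies asserted so far
        # a certificate asserting anyPolicy leaves `current` unchanged
        if not current:
            return set(), f"{name}: asserts none of the policies above it"
    if ANY_POLICY in current:
        result = set(acceptable)
    else:
        result = current & acceptable
    if not result:
        return set(), "chain policies do not include any acceptable policy"
    return result, "ok"


# Constructed sample chains (names are illustrative).
GOOD_CHAIN = [("Issuing CA", {POLICY_A, POLICY_B}), ("Signer", {POLICY_A})]
BAD_CHAIN = [("Issuing CA", {POLICY_A, POLICY_B}), ("Signer", {POLICY_C})]
REQUIRED = {POLICY_A}  # hypothetical restriction set on the trust anchor

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(label, valid_policies(chain, REQUIRED))
```
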
New Here, Apr 29, 2025

Where would you check for the certificate policies?

Advocate, Apr 30, 2025

> where would you check for the certificate policies?

Please have a look at this Acrobat discussion - it contains screen shots of the places where you see the required certificate policies and the actual certificate policies.
