Reader will not validate EU qualified signature after update

Report · Dec 20, 2019

Hi all, hope you can help me!

So I have this PDF signed with a EU qualified certificate. In my Mac, Reader will confirm the validity fine, but when I made an update on one of the PC:s it will not validate. It seems it wont even validate against EUTL anymore? Pic:

The other PC is still fine, even after update. Both are about a year old and have the same settings as far as I can tell:

What is wrong? I know the certificate is valid, why wont Reader validate agains EUTL all of a sudden? 😞

Report · Dec 21, 2019

Go to Edit - Preferences - Trust Manager and click both Update Now buttons.

Report · Dec 29, 2019

Hi try67, sadly that did nothing for us.

Adobe (DC) still says it Validates toward AATL only!

Any other ideas to solve that issue?

It also seems that computers using Adobe Reader before September do not have this issue but computers that get PDF's with this certificate after September for the forst time almost always get this problem.

Report · Jan 10, 2020

Does anyone have any solution to this problem?

That Adobe Reader does not validate toward EUTL at all? (See orignial post for details)

Report · Oct 11, 2020

I am experiencing the same issues on Win 10 with Acrobat Reader DC v2020.012.20048 as well with Adobe Acrobat Pro 2017 v2017.011.30175.

I have tried updating both AATL and EUTL without success.

Any other suggestions? Or could this be an issue in Acrobat?

Report · May 25, 2021

I managed to find a workaround for this.

However this is still a bug that needs fixing by Adobe.

Close Adobe Reader
Delete addressbook.acrodata from
C:\Users\<username>\AppData\Roaming\Adobe\Acrobat\DC\Security
Launch Adobe Reader and go to
Edit > Preferences > Trust Manager
Update the EUTL list and wait for the confirmation message.
If you do AATL first the error in OP occurs and addressbook.acrodata needs to be deleted again.
Update the AATL list.
Open or refresh the signed document.
Both the certificate and the signature is now marked as valid and the signature panel shows that the certificate is validated against both AATL and EUTL.

The settings in Preferences > Signatures > Verification > Windows Integration doesn't seem to have any impact on this. I have tried the above steps with these settings disabled and enabled and the result is the same.

I have tried this several times on different computers(and clean VMs). The result is always the same. If you update AATL first Reader doesnt use EUTL to verify.

Report · May 26, 2021

I have also reported this as a bug on the Adobe Acrobat UserVoice:

BUG: EUTL corrupted by default – Share your feedback on Acrobat DC (uservoice.com)

Report · Aug 24, 2021

Thanks! This did help!

Report · Oct 05, 2021

The problem here is, that certificate issuer "I.CA Qualified 2 CA/RSA 02/2016" is registered both in AATL and in EUTL, but the registrations are not identical.

When you first load EUTL, addressbook.acrodata contains:

/Country(CZ)/Editable true/Enabled true/ID ..../Source[(EUTL)(AATL)]/

and the signature is verified according to EUTL.

However, the default is to load AATL first, which results in addressbook.acrodata containing:

/Editable true/ID ..../Source[(AATL)(EUTL)]/

and the signature fails verification with Invalid policy constraint

Report · Oct 05, 2021

I see! So, who did something wrong? Is it Adobe or the TSP who manages the registrations in AATL?

Report · Oct 06, 2021

I think the same TSP should not be registered in both AATL and EUTL, this is useless. Out of 1220 TSPs in EUTL, only 9 have duplicate registration also in AATL: 5 from Italy, 2 from France and 2 from Czech republic. This is probably some historical relict.

I'll recommend to contact I.CA and notify them about this problem

Report · Oct 06, 2021

Thank you so much, I will do that!

Report · Oct 06, 2021

Well, there might be reasons for registering via both TLs as it is conceivable that in some environments Acrobat is configured to work with only one of those lists.

But even in that case it should work if one keeps the registration identical on both lists...

Report · Oct 08, 2021

According to this:

https://community.adobe.com/t5/acrobat-discussions/previously-valid-signing-certificate-shows-invali...

AATL now requires specific policies to be set on root certificates, but this is not compatible with EU requirements based on eIDAS regulation.

So it seems the solution is indeed to remove "I.CA Qualified 2 CA/RSA 02/2016" from AATL and keep it only on EUTL.

Report · Oct 11, 2021

So it seems the solution is indeed to remove "I.CA Qualified 2 CA/RSA 02/2016" from AATL and keep it only on EUTL.

Indeed.

Essentially this is an Adobe Acrobat bug: If you have two trust lists, it has to suffice to be able to establish trust via one of them.

As Adobe has not gotten around to fix this bug for more than two years, they appear not to be interested in fixing it at all.

So this is one more reason not to trust Adobe Acrobat validation results, in particular in the context of eIDAS.