All About Digital Signatures: Buying an AATL Signing Certificate

All About Digital Signatures: Buying an AATL Signing Certificate

Following on the post All About Digital Signatures, and their Certificates in PDFpen 8, today I’ll talk about how you can get your very own signing certificate.

For a little background, new in PDFpen and PDFpenPro 8 is the ability to digitally sign documents. The goal of a digital signature is to provide a way for everyone to trust that the signature is a) signed by the entity it appears to be signed by, and b) unaltered since it was signed. This is accomplished by signing with a certificate. For the highest level of trust in a digital signature, sign using an AATL certificate, which is a certificate generated by an authority on the Adobe Approved Trust List.

When you open a signed document in PDFpen, Adobe Reader or Acrobat it will indicate the level of trust you should have in the signature and certificate. If it has been signed with an AATL certificate, it will show as trusted, which, in PDFpen, means you will see a green badge in the upper right corner of the document.

How to Sign

The signing process is easy once you have your own AATL certificate: plug in your USB dongle token to a free USB port, and when you sign, your certificate will be presented automatically as a signing option. Choose it, and off you go. The harder part is getting your own AATL certificate for Mac.

How to Get a Certificate on a Mac

Part of the signing process involves the software a certificate comes with, so it is necessary to find a certificate provider which supports Macs. After a false start with a vendor who ultimately did not support the Mac, we found a couple of AATL certificate vendors to try: GlobalSign, and DigiCert. Both effectively use the same Mac software, SafeNet Authentication Client, along with certificates delivered on similar SafeNet USB tokens.

Ordering a Certificate, and Being Approved

Once you order a certificate from a vendor, the vendor will need to verify you are who you say you are. The vendor may look at business records, or simply require a notarized form. This all happens after you place your order, but before you are charged for it.

Once you’re approved your USB token is delivered. This whole process can range from days to weeks.

Setting up your Certificate on your USB Token

Now for a surprise: even after ordering an AATL certificate and USB token for Mac, you’ll find the USB token comes empty. You’ll need access to a Windows PC to setup the token. This is across the board. I found no vendor who had setup software for Mac.

GlobalSign setup was opaque. My account’s assigned user ID was seemingly changed without warning with the appending of an extra series of numbers. The new version of the ID is the one required in setting up the USB token on a PC. I spent about an hour on the phone with their support team to get the token set up. The PC setup requires Internet Explorer, which is hiding behind Edge in Windows 10. Their support team was really good, and very patient, though I can’t help thinking they wouldn’t need phone support if there was a better install process.

DigiCert setup on Windows was much easier, especially having already gone through GlobalSign. The DigiCert setup software was more modern and simpler to navigate. Bonus, my user ID was not arbitrarily reset. I used their online chat support to ask a couple of questions, and that was prompt and helpful.

Once your token is setup, and has your certificate installed, you’re done with the Windows portion of the operation.

The Mac software for the token was simple to install and use.

When your USB token is plugged into your Mac, certificates on the token appear as part of your Keychain, and show in the Keychain Access app, found in your Applications > Utilities folder. Your Keychain is where your Mac stores things like passwords.

After that it’s plain sailing, and working with them is like any other certificate. In PDFpen this means signing a document using an interactive signature field, clicking Apply Digital Signature and choosing your digital certificate from the drop down menu.

Important tip: don’t lose your USB token! Your certificate is no longer secure in that case, as someone may have accessed it. At this point, you can revoke your certificate. Those who open documents signed by you with that certificate will see that the certificate is not to be trusted. You’ll need to get another certificate.


You should expect to pay in the range of $300-$400 for an AATL document signing certificate. For that, you get the assurance that others will trust that a document signed with your certificate is really from you.