Verifying Athenty-Signed PDFs
You received a PDF that was signed by Athenty (typically a closing package, ID verification report, or other signed envelope) and your PDF reader is showing a warning that says something like:
At least one signature has problems. Signer’s identity is unknown because it has not been included in your list of trusted certificates…
The signature itself is valid. This guide explains why the warning appears and walks you through the one-time setup that makes it disappear.
Why is this warning showing?
Adobe Reader and most PDF viewers ship with a built-in list of certificate authorities (CAs) they automatically trust — Adobe’s Approved Trust List (AATL) and the EU Trusted List (EUTL). Athenty operates its own root certificate authority for signing documents and has not yet been added to those lists (the application is in progress).
Because your PDF reader has never seen Athenty’s certificate before, it displays a yellow caution banner. This is purely a chain-of-trust UI behaviour — it is not a statement that the signature is broken or forged.
The legal validity of a signature does not depend on whether your reader has been pre-configured to trust the issuer. The signature on your document is a PAdES-B-B compliant cryptographic signature, and its mathematical integrity can be verified by anyone with the public root certificate.
What this guide does is tell your computer, one time, that Athenty is a CA you trust. After that, the yellow banner is replaced with a green check mark.
The Athenty root certificate
Download the root certificate
The Athenty root CA certificate is published at:
https://api.athenty.com/v2/.well-known/athenty-root-ca.pem
Right-click the link below and choose Save Link As… to download it to your computer:
Verify the fingerprint
Before installing any root certificate — including this one — you should verify its SHA-256 fingerprint matches the value Athenty publishes here. This protects you against a malicious file substituted in transit.
The published SHA-256 fingerprint of the Athenty root CA is:
52:0B:67:F6:A4:21:F9:EF:54:17:28:91:3E:9F:AB:9F:DE:A6:B3:45:B5:E3:37:24:92:A7:AB:63:E9:C4:57:9C
The certificate is issued to CN=Athenty Root CA, O=Athenty Technology Inc., C=CA and is valid until 17 April 2046.
To compute the fingerprint of the file you downloaded:
macOS / Linux:
    openssl x509 -fingerprint -sha256 -in athenty-root-ca.pem -noout
Windows (PowerShell):
    # Get-FileHash and certutil -hashfile hash the PEM text of the file, not the
    # certificate inside it, so their output will not match the published value.
    # Hash the certificate's DER bytes instead:
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path athenty-root-ca.pem).Path
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
If the value your computer prints does not match the value above character-for-character, do not import the certificate. Contact support@athenty.com and we will help you diagnose the discrepancy.
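The following is an added example, not Athenty's code. It shows why a certificate fingerprint must be computed over the DER bytes inside the PEM armour rather than over the file's text, and how to compare the result against the published value. The function names and the sample PEM (arbitrary bytes, not a real certificate) are constructed for illustration.

```python
import base64
import hashlib
import ssl

# SHA-256 fingerprint published on this page for the Athenty root CA.
ATHENTY_SHA256 = ("52:0B:67:F6:A4:21:F9:EF:54:17:28:91:3E:9F:AB:9F:"
                  "DE:A6:B3:45:B5:E3:37:24:92:A7:AB:63:E9:C4:57:9C")

# Constructed sample: 48 arbitrary bytes in PEM armour, NOT a real certificate.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def colon_hex(digest):
    """Format a digest the way openssl prints it: upper-case hex, colon-separated."""
    return ":".join(f"{b:02X}" for b in digest)


def cert_fingerprint(pem_text):
    """SHA-256 over the DER bytes inside the PEM armour."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # raises ValueError if not PEM
    return colon_hex(hashlib.sha256(der).digest())


def file_hash(pem_text):
    """SHA-256 over the file's text bytes: not a certificate fingerprint."""
    return colon_hex(hashlib.sha256(pem_text.encode("ascii")).digest())


def matches(pem_text, published):
    """True only if the certificate fingerprint equals the published value."""
    want = published.replace(":", "").replace(" ", "").upper()
    try:
        got = cert_fingerprint(pem_text).replace(":", "")
    except ValueError:
        return False
    return len(want) == 64 and got == want


if __name__ == "__main__":
    crlf = SAMPLE_PEM.replace("\n", "\r\n")  # same cert, Windows line endings
    print("cert fingerprint stable:", cert_fingerprint(crlf) == cert_fingerprint(SAMPLE_PEM))
    print("file hash stable:       ", file_hash(crlf) == file_hash(SAMPLE_PEM))
    print("matches Athenty value:  ", matches(SAMPLE_PEM, ATHENTY_SHA256))
```

To check a real download, read `athenty-root-ca.pem` as text and pass it to `matches()` with `ATHENTY_SHA256`.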
Adobe Acrobat Reader DC (Windows and macOS)
Acrobat Reader is the most common PDF viewer and the one that produces the “Signer’s identity is unknown” warning most frequently. Adobe maintains its own trust list independent of your operating system — installing the certificate to Windows or macOS does not make Acrobat trust it. You must import it directly into Acrobat.
1. Open Adobe Acrobat Reader DC.
2. Open the menu:
   - Windows: Edit → Preferences
   - macOS: Acrobat Reader → Preferences (or press ⌘ + ,)
3. In the left sidebar, select Signatures.
4. Under Identities & Trusted Certificates, click More….
5. In the dialog that opens, select Trusted Certificates in the left pane.
6. Click Import in the toolbar.
7. Click Browse…, locate the athenty-root-ca.pem file you downloaded, and click Open.
8. The certificate will appear in the Contacts list. Select it and click Trust… at the bottom.
9. In the Import Contact Settings dialog, check:
   - Use this certificate as a trusted root
   - Certified documents
   - Dynamic content
   - Embedded high privilege JavaScript
   - Privileged system operations
   Click OK. The last three options apply to certified documents and allow them to run dynamic content, high-privilege JavaScript and privileged system operations; signature validation itself relies on the trusted-root setting.
10. Click Import to finalise. You should see a confirmation that one certificate was imported.
11. Close all dialogs. Re-open the signed PDF — the warning banner is replaced with a green check mark and “Signed and all signatures are valid.”
Adobe Acrobat Pro (Windows and macOS)
The flow is identical to Acrobat Reader DC, with one menu-name difference:
- Open the menu:
   - Windows: Edit → Preferences
   - macOS: Acrobat → Preferences
- Follow steps 3–11 from the Acrobat Reader instructions above.
Acrobat Pro shares its trust list with Acrobat Reader on the same machine — if you have both installed, importing in one application makes the certificate available to the other.
Windows system trust store (for Edge, Chrome, and IT admins)
Importing into the Windows trust store affects browsers (Edge, Chrome) and any Windows application that relies on the system trust list. Acrobat Reader does not honour this trust store — see the Adobe sections above.
Per-user, GUI
- Press Win + R, type certmgr.msc, press Enter.
- In the left pane, expand Trusted Root Certification Authorities.
- Right-click Certificates → All Tasks → Import….
- Click Next, then Browse…, change the file filter to All Files, and select athenty-root-ca.pem.
- Click Next. On the Certificate Store screen, ensure Trusted Root Certification Authorities is selected, then Next → Finish.
- Windows will display a security warning showing the certificate’s thumbprint. Verify it matches the SHA-256 fingerprint published above, then click Yes.
PowerShell (single machine)
    # Run as Administrator
    Import-Certificate `
      -FilePath "C:\path\to\athenty-root-ca.pem" `
      -CertStoreLocation Cert:\LocalMachine\Root
Group Policy / MDM (IT admin section)
For organisations rolling this out across many machines, push the
athenty-root-ca.pem (or its .cer/.crt equivalent) into the
Trusted Root Certification Authorities store via:
- Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities
- Microsoft Intune: Devices → Configuration profiles → new profile with Trusted certificate template, destination store Computer certificate store - Root.
macOS Keychain (for Safari and IT admins)
Importing into the macOS Keychain affects Safari and any macOS application that consults the system trust store. Acrobat Reader does not honour Keychain trust — see the Adobe sections above.
Keychain Access GUI
- Open Keychain Access (Applications → Utilities, or ⌘ + Space → “Keychain Access”).
- In the left sidebar, select the System keychain.
- Drag athenty-root-ca.pem into the certificate list. You will be prompted for your administrator password.
- The certificate now appears in the System keychain. Double-click it.
- Expand the Trust section at the top.
- Set When using this certificate to Always Trust, or set X.509 Basic Policy to Always Trust for a narrower scope.
- Close the window. You will be prompted for your administrator password again to save the trust change.
Terminal (single machine)
    sudo security add-trusted-cert -d -r trustRoot \
      -k /Library/Keychains/System.keychain \
      athenty-root-ca.pem
MDM (IT admin section)
For Jamf, Kandji, Mosyle, or other macOS MDM solutions, deploy the certificate via a Certificate payload targeting the System keychain with trust enabled for X.509 Basic Policy.
Preview.app (macOS)
Preview can open and display PDFs but its support for verifying digital signatures is inconsistent and version-dependent. Recent versions of Preview do honour the macOS Keychain trust settings, but older versions silently ignore signatures entirely.
If signature verification matters to you on macOS, use Adobe Acrobat Reader rather than Preview. Adobe Reader is free and gives you a deterministic green check mark when the signature is valid and the issuer is trusted.
Linux (Evince, Okular)
Most Linux PDF viewers either do not validate signatures (Evince) or rely on the system NSS trust store (Okular). To install the Athenty root certificate into the NSS shared database used by Firefox and many Linux applications:
    # Install certutil if you don't already have it
    sudo apt install libnss3-tools   # Debian/Ubuntu
    sudo dnf install nss-tools       # Fedora/RHEL

    # Add the certificate to the user-level NSS database
    certutil -d sql:$HOME/.pki/nssdb -A \
      -t "C,," -n "Athenty Root CA" \
      -i athenty-root-ca.pem
For deterministic signature verification on Linux we recommend using Adobe Reader (available via Wine) or opening the PDF on a Windows or macOS machine.
Chromium, Edge, and Firefox PDF viewers
Browsers that render PDFs in their own viewer (Chrome, Edge, Firefox) do not validate digital signatures at all. They will display the document contents but they will neither show a warning banner nor a green check mark.
To verify an Athenty signature, open the PDF in Adobe Acrobat Reader.
Will installing this certificate affect my own computer’s security?
No. Adding a root certificate authorises Athenty to issue certificates that
your software will trust — it does not give Athenty access to your machine,
your files, or your network. Athenty’s root CA is only used to sign PDF
documents; it cannot be used to issue server certificates that your browser
would trust for https:// traffic, because the certificate is constrained
by Extended Key Usage to document-signing only.
Why do I have to do this? Other PDFs I sign don’t show this warning.
Documents signed by issuers that are members of Adobe’s Approved Trust List (AATL) — DocuSign, Adobe Sign, Notarius, GlobalSign, and so on — are pre-trusted by Acrobat out of the box. Athenty is in the process of joining AATL. Until that completes, the manual install is the workaround.
When will this requirement go away?
Once Athenty’s AATL submission is approved (tracked in our public roadmap), Acrobat Reader will trust Athenty signatures automatically and the manual install will no longer be necessary. Existing PDFs already signed will revalidate cleanly the next time they are opened in an updated Acrobat.
Is the signature still legally valid before I install the certificate?
Yes. The legal validity of an electronic signature in Canada (under PIPEDA and provincial e-commerce statutes) and in most jurisdictions worldwide depends on the integrity and authenticity of the cryptographic signature itself, not on whether your local PDF reader has been pre-configured to display a green check mark. The “identity unknown” warning is a UI convenience — it is not a legal finding.
I work in IT — how do I roll this out to all our staff?
See the Group Policy / MDM section
under the Windows trust store, and the MDM section
under macOS Keychain. The same .pem file works for both. Contact
support@athenty.com if you need a .cer or
.crt formatted version, or guidance specific to your management tool.
Where can I get help?
Email support@athenty.com with a screenshot of the warning your PDF reader is showing and the version of Acrobat (or other viewer) you are using. We will walk you through it.