General info on signing with Telia certificates
Telia Certificate Service offers two certificate types for signing Adobe® PDF documents electronically, AATL certificate and common client/server certificate. Both certificate types have widespread support in operating systems. In addition to this, the AATL certificate is also directly trusted by Adobe.
AATL certificate
Telia AATL certificate enables a genuine Adobe-level trust in your organizations PDF documents in all use cases involving Adobe PDF reader software worldwide and no default settings change required. An AATL certificate must be delivered to a customer according to Adobe regulations. In practice this means hardware storage and delivery of the certificate. It cannot be delivered using a pure software-based delivery like other Telia certificates. A Telia AATL certificate can be delivered to an identified customer repsentative using a Gemalto USB Token Model 5110 CC or via Internet into a customer Hardware Security Module (HSM) device.
The HSM device must conform to one of the following security standards:
- FIPS 140-2 Level 2
- Common Criteria (ISO 15408 & ISO 18045) - Protection Profiles CEN prEN 14169 (all parts applicable to the device type) or standards such as CEN EN 419 241 series or equivalent, for remotely managed devices
- Certified by an EU Member State as a Qualified Signature Creation Device (QSCD) after 1 July 2016, or that was recognized as a Secure Signature Creation Device (SSCD) by an EU Member State designated body before 1 July 2016.
AATL procedure is replacing an earlier solution based on a Adobe Root certificate.
Inquiries regarding AATL certificate ordering and pricing:
Telia client/server certificate
A standard Telia client or server certificate can be used in addition other uses to sign PDF documents. These certificate types include Key Usage attribute 'Digital Signature'. This attribute allows digital signing of documents, among them also PDF documents. A client certificate is delivered in PKCS#12 format and a server certificate is delivered in Base64 and DER formats. Both certificate types are trusted in all operating systems and web browsers. Delivery and certificate storage are purely software-based and no special hardware is required.
A challenge is user experience is lack of trust to Telia Root Certificate when Acroreader is using default settings. Trust to root certificate in Windows root certificate store is enabled by checking tab Validating Signatures on Acroreader prefences tab Signature Verification Preferences.
For inquiries about client certificates, please contact cainfo. Customers, who have Telia self-service certificate portal user account, can create client certificates as self-service for signing use.