Why is my PDF signature invalid on EU's DSS tool?

English
, ,
#1

I bought a personal certificate from GlobalSign, which I use to sign e-mails.

Now I would like to sign PDF documents as well, and noticed that there has been some progress in the European Union that makes it easier to obtain a certificate for so called qualified signatures. I’m aware that I would need another GobalSign certificate to issue qualified signatures.

Never the less, the eSignature validation tool of the European Commission is reporting my PDF signature as invalid (not as not qualified)

Errors are:

Unable to build a certificate chain until a trusted list!

The result of the LTV validation process is not acceptable to continue the process!

The certificate chain for signature is not trusted, it does not contain a trust anchor.

Now, for configuring web servers I’m used to chaining certificates, but with LibreOffice or Firefox I do not see any option to do so. Also, isn’t the point of using trusted CAs that you don’t need to provide the anchor?

The validation tool is able to list the chain, actually:

Certificate Chain:
    
[My full name]
GlobalSign GCC R3 PersonalSign 2 CA 2020
GlobalSign

How would I go about signing PDFs with LO that pass as valid? Thanks a bunch!

#2

Are you sure that it is a problem of how LibreOffice creates the PDF rather than a problem of the EU’s validation tool? Did you open the PDF created from LibreOffice with a PDF reader and does the PDF reader also complain about an inability to build a certificate chain (I got some doubts that it does but I may be wrong)?

#3

Sorry for the late answer. Not really. I’m on Linux, and neither Gnome Document Reader, nor Firefox or Chrome would display a PDF Signature. I used pdfsid, which confirms validity and trustfulness of my PDF Signature. But that’s on my system…

#4

I’m more familiar with certificates for web traffic (HTTPS) than for digital signatures. The certificate authority chain must be valid but the “alternate names” must also match the hostname. Even with a valid certificate, a browser will object if it detects any discrepancy or mismatch. This is very common with Let’s Encrypt. There is perhaps an equivalent concept for digital signatures.

Since you are under Linux, double-click on your certificate to display details. Check if there is some extra constraint beyond the CA chain.

Impressum (Legal Info) | Datenschutzerklärung (Privacy Policy)   Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.