Important notice

According to https://www.pdf-insecurity.org/, most PDF readers, even from Adobe, do not check electronic signatures correctly. There are numerous different ways to trick these PDF readers into displaying forged content as genuine!

Obviously PDF internal signatures suffer from conceptual weaknesses. We therefore recommend no longer trusting PDF internal signatures at all.

Exceptions are possible if – as in the university administration – software is used for signature verification that is insensitive to all attacks mentioned on https://www.pdf-insecurity.org. This must be checked again after each update of this website or the software.

Important notice

Unfortunately, the manufacturer Adobe Systems ships its Acrobat Reader and Acrobat Pro software with settings that explicitly prevent the use of our normal digital IDs to electronically sign PDF documents.

It is possible to change these settings. However, both those who want to sign PDF documents and those who want to verify the PDF signatures created in this way must make these setting changes.

For this reason, our digital IDs should only be used for internal PDF documents that do not leave the University of Münster, because only then can you expect the recipient of the document to make the setting changes described below to verify the PDF signature.

Please do not use our digital IDs to sign PDF documents that are forwarded to entities outside Münster University. These entities will always see the signature as invalid!

In addition: Under certain circumstances, older “TCS” certificates are revoked prematurely without good reason. PDF signatures created with them that were originally valid will then be displayed as invalid.

Please do not use the digital “TCS” IDs to sign PDF documents that could be archived, because these signatures may later be displayed as invalid!

There is a simple alternative: do not sign the PDF file, but the email you use to send the PDF file.

1. Correct root certificates

Unfortunately, none of the root certificates on which our digital IDs are based is accepted by Adobe Acrobat Pro or Adobe Acrobat Reader.

Therefore, it is necessary to manually import the root certificates of the eligible digital ID issuers into the Acrobat software and set them as trusted.

If you import all of the following root certificates as described and set them as trusted, you will be able to correctly verify all signatures on internal university PDF documents in the future.

The University of Münster is currently clarifying which issuers' digital IDs will be used to sign internal university PDF documents in the future.

Once it is clarified which digital IDs are actually used, we will reduce this part of the instructions to the root certificates that are actually needed.

1.1 Please first save the following files:

  • PDF-CA.p7b = Root certificate of the WWU internal certification authority PDF-CA
    (The PDF-CA is intended specifically for WWU-internal PDF signatures.)

  • rsa-root-2001.p7b = Root certificate of the USERTrust RSA Certification Authority
    (This is the root certificate of our digital IDs “TCS” for the usual RSA key pairs. It is already included in the Acrobat settings, but explicitly blocked for PDF signatures.)

  • ecc-root-2001.p7b = Root certificate of the USERTrust ECC Certification Authority
    (This is the root certificate of our digital IDs “TCS” for explicitly requested ECC key pairs.)

  • rootca-2016.p7b = Root certificate of the T-TeleSec GlobalRoot Class 2
    (This is the root certificate of our digital IDs “Global”.)

  • TestbriefRSASigniert.pdf = a PDF file signed with a certificate from the USERTrust RSA Certification Authority

  • TestbriefECCSigniert.pdf = a PDF file signed with a certificate from the USERTrust ECC Certification Authority
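
Before any of these bundles is set as trusted, it is worth confirming that each file contains only the expected root and that its SHA-256 fingerprint matches a value obtained through a separate channel. The following is an added example, not part of the original instructions; it assumes the openssl command-line tool, and the function names and the throwaway test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a .p7b root bundle before marking it trusted in Acrobat.
# Assumes the openssl CLI; the reference fingerprint must be obtained out of band.

# Print the certificates of a PKCS#7 bundle as PEM (tries DER, then PEM).
p7b_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null ||
        openssl pkcs7 -inform PEM -in "$1" -print_certs
}

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# Succeed only if the bundle holds exactly one certificate, that certificate
# is self-issued (subject == issuer) and its SHA-256 fingerprint matches $2.
check_root() {
    pem=$(p7b_certs "$1") || { echo "cannot parse $1" >&2; return 2; }
    count=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$count" -eq 1 ] || { echo "expected 1 certificate, found $count" >&2; return 1; }
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || { echo "not self-issued: $subject" >&2; return 1; }
    actual=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ] ||
        { echo "fingerprint mismatch: $actual" >&2; return 1; }
    echo "OK: $subject"
}

# Constructed sample: a throwaway self-signed root stands in for PDF-CA.p7b.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
        -keyout "$1/key.pem" -out "$1/root.pem" 2>/dev/null &&
        openssl crl2pkcs7 -nocrl -certfile "$1/root.pem" -outform DER -out "$1/sample.p7b"
}

dir=$(mktemp -d)
make_sample "$dir"
# In real use this value comes from the CA's published fingerprint, not the file.
fp=$(openssl x509 -in "$dir/root.pem" -noout -fingerprint -sha256 | sed 's/^.*=//')
check_root "$dir/sample.p7b" "$fp"
```

For the real files, pass the downloaded bundle and the fingerprint received through a trusted channel, for example `check_root PDF-CA.p7b "<fingerprint from a trusted channel>"`; this page does not list the fingerprints.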

Start Acrobat Reader or Acrobat Pro. In the menu „Bearbeiten“ (“edit”) click on the entry „Einstellungen“ (“preferences”):


The following instructions assume that you want to trust all qualified signatures according to the eIDAS regulation of the European Union as well as the root certificates used within the DFN-PKI and all root certificates selected by the Adobe company.

A reasonable alternative would be to trust only the qualified signatures and individual selected root certificates. To do this, you should delete all root certificates and then only import the EUTL and the selected root certificates, i.e. only follow the relevant parts of the instructions below. In particular, you should then not import the AATL!


1.2 First, have Acrobat Reader or Acrobat Pro import all root certificates delivered by Adobe and the European Union:

1.3 Then remove the hindering policy restrictions for the USERTrust RSA Certification Authority root certificate:

These are the reasons why you should not use our normal digital IDs under any circumstances to sign PDF documents that are forwarded to locations outside Münster University.

In addition, old digital IDs "TCS" that have not yet expired are automatically revoked when new digital IDs are requested. However, this causes the signatures created with them to be displayed as invalid in (archived) PDF files, even though they were previously displayed as valid. Digital IDs "TCS" are therefore in no way suitable for signing PDF files if they are to be retained for a longer period. We therefore recommend the PDF-CA for university internal PDF signatures.

From the long list you need to pick the USERTrust RSA Certification Authority, before you click the edit icon:

Here you can delete the preset guideline restrictions:

Updating the Adobe Approved Trust List would overwrite this setting again, so this update must be disabled:

(The European Union Trusted List contains the issuers of qualified signatures according to the EU's eIDAS Regulation and should therefore be kept up to date.)

1.4 Then import the root certificate of the USERTrust ECC Certification Authority and set the trust:

Here, too, old digital IDs "TCS" that have not yet expired are automatically revoked when new digital IDs are requested. However, this causes the signatures created with them to be displayed as invalid in (archived) PDF files, even though they were previously displayed as valid. Digital IDs "TCS" are therefore in no way suitable for signing PDF files if they are to be retained for a longer period. We therefore recommend the PDF-CA for university internal PDF signatures.

You should click the certificate in the upper window to enter it in the lower window, then click it in the lower window and do not import it immediately, but first adjust the trustworthiness:

You should not activate the indented items:

1.5 Then import the root certificate of the T-TeleSec GlobalRoot Class 2 Certification Authority and set the trust:

You should click the certificate in the upper window to enter it in the lower window, then click it in the lower window and do not import it immediately, but first adjust the trustworthiness:

You should not activate the indented items:

1.6 Then import the root certificate of the WWU internal certification authority PDF-CA and set the trust:

Execute the same steps as above with the “USERTrust ECC Certification Authority” (section 1.4) and with the “T-TeleSec GlobalRoot Class 2 Certification Authority” (section 1.5), but this time choose the file PDF-CA.p7b downloaded above.

1.7 Finally, you can close the settings and use the test PDF files downloaded above to check whether the settings for both USERTrust root certificates are now correct:

2. Import digital ID

To be able to sign your own PDF files, you have to import your digital ID.

In the menu „Bearbeiten“ (“edit”) click on the entry „Einstellungen“ (“preferences”):

Select the category „Unterschriften“ (“signatures”) and click under „Identitäten und vertrauenswürdige Zertifikate“ (“identities and trustworthy certificates”) on „Weitere“ (“Further”):

Under „Digitale IDs“ (“digital IDs”) select the area „Digitale ID-Dateien“ (“digital ID files”) and then click at the top on „Datei anhängen“ (“append file”):

Select the file with your digital ID and click on „Öffnen“ (“open”):

To open the encrypted file you have to enter the password:

Your digital ID should now appear in the list. You can now close all open dialogue windows:

3. Electronically sign a PDF file

Open the file to be signed and click on „Werkzeuge“ (“tools”):

Open the tool „Zertifikate“ (“certificates”):

In the toolbar that has now been added, click on „Digital unterschreiben“ (“digitally sign”):

If a window with a notice appears, close it with “OK”:

Now use the mouse to drag a rectangle to the point in the PDF file where you want the information about the electronic signature to appear:

Then a dialogue box appears. Select your digital ID and click on „Weiter“ (“next”):

To actually sign the file, enter the password of your digital ID and click on „Unterschreiben“ (“sign”):

Select where and under which name the signed PDF file is to be saved and click on „Speichern“ (“save”):

Now the signed file with the information area is displayed. This information describes the properties of the electronic signature. The electronic signature itself is invisible.

You can now close the tool bar:

To display more information about the signature, click on the information area:

4. Verify an electronically signed PDF file

Actually, you don't need to do anything at all because Acrobat Reader and Acrobat Pro automatically verify each electronic signature and display the result.

However, you can click on „Unterschriftsfenster“ (“signature window”) to get more information:

Expand the tree structure to display the available information. For details on the signer, see „Zertifikatdetails“ (“certificate details”):