What is a digital certificate, and how does it secure a signature?
A digital certificate is a small, tamper-resistant electronic credential — usually in the X.509 format — that binds a verified identity to a public key. It's issued by a trusted certificate authority (CA), which vouches that the key really belongs to the named party. When you sign a document, the certificate lets anyone verify two things: that the signature was made with the private key matching that certificate, and that a trusted authority stood behind the identity. That's what turns a scribble into a signature you can actually trust.
The problem a certificate solves
Cryptography gives us a neat trick: a pair of mathematically linked keys. One is private (kept secret by the owner), and one is public (shared freely). Anything signed with the private key can be verified with the public key — and only that matching key. This is the foundation of digital signatures.
But there's a gap. A public key on its own is just a long number. How do you know whose key it is? If someone hands you a key claiming to be "Acme Corp," what stops an impostor from doing the same? That's exactly the problem a digital certificate solves: it's a credential that ties a public key to a verified identity, signed by a party everyone already trusts.
What's actually inside a certificate
A digital certificate follows a widely used standard called X.509. Inside, it carries a handful of fields:
- Subject — the identity the certificate belongs to (a person, an organization, a server)
- Public key — the key that pairs with the owner's secret private key
- Issuer — the certificate authority that issued and vouched for it
- Validity period — the "not before" and "not after" dates it's good for
- Serial number — a unique identifier for this specific certificate
- The CA's own digital signature — the authority's cryptographic stamp over all of the above
That last field is the important one. The certificate authority signs the certificate with its private key, so anyone can verify the certificate hasn't been forged or altered — using the CA's well-known public key.
Who vouches for whom: the certificate authority
A certificate authority (CA) is an organization whose job is to verify identities and issue certificates. Before issuing one, a reputable CA checks that the requester really is who they claim to be. Once issued, the CA's signature on the certificate is a statement: "We've verified this identity, and this public key belongs to them."
Your trust doesn't rest on the CA alone, though. Certificates form a chain of trust: your certificate is signed by an intermediate CA, which is signed by a root CA. The root's certificate is pre-installed and trusted by your operating system or PDF reader. Verification walks up that chain until it reaches a root you already trust.
How this secures a signature
When you sign a document with a certificate-backed digital signature, three things happen:
- The software computes a cryptographic hash (a fingerprint) of the document.
- It encrypts that hash with your private key — that encrypted hash is the digital signature.
- It attaches your certificate (which contains your public key and identity) to the document.
To verify, anyone can decrypt the signature with the public key from your certificate, recompute the document's hash, and compare. If they match, two facts are proven at once: the document hasn't changed since signing, and the signature was made by the holder of the private key tied to that verified identity.
Where AATL fits in
For PDF signatures specifically, Adobe maintains the Adobe Approved Trust List (AATL) — a curated set of certificate authorities that Adobe has vetted. When a document is signed with a certificate that chains up to an AATL-listed CA, common PDF readers like Adobe Acrobat display a green trust banner automatically, without the recipient having to configure anything. It's a shortcut to recognized trust across the tools most people already use.
Certificates expire — and can be revoked
Two practical points often surprise people. First, certificates have an expiry date; a signature made while the certificate was valid remains valid afterward (especially when paired with a trusted timestamp). Second, a CA can revoke a certificate before it expires — say, if a private key is compromised. Verifiers check revocation status through mechanisms like a Certificate Revocation List (CRL) or OCSP.
How PearSign uses certificates
PearSign seals every completed document with a digital certificate backed by the Adobe Approved Trust List (AATL). That means the signature isn't just visually present — it's cryptographically bound to a trusted certificate, so standard PDF readers can confirm the document's integrity and the trust chain behind it, automatically.
FAQ
What is a digital certificate in simple terms?
A digital certificate is an electronic credential that links a verified identity to a public cryptographic key. It's issued and signed by a trusted certificate authority, which vouches that the key genuinely belongs to the named person or organization — so a signature made with the matching private key can be traced back to that verified identity.
What is the difference between a certificate and a digital signature?
A digital signature is what you produce when you sign a document — an encrypted fingerprint of the file made with your private key. A digital certificate is the credential that proves whose key made that signature. The signature demonstrates integrity and origin; the certificate ties that origin to a verified identity.
What is a certificate authority (CA)?
A certificate authority is a trusted organization that verifies identities and issues digital certificates. By signing a certificate with its own key, the CA vouches that a particular public key belongs to a particular identity. Trust flows through a chain from your certificate up to a root CA that your device already trusts.
What is the AATL and why does it matter?
The Adobe Approved Trust List is a set of certificate authorities that Adobe has vetted. When a document is signed with an AATL-backed certificate, common PDF readers automatically recognize it as trusted and show a validity banner — no manual configuration required by the recipient.
Does a signature become invalid when the certificate expires?
No. A signature made while the certificate was valid stays valid after expiry, particularly when it's paired with a trusted timestamp that records when the signing occurred. Expiry mainly means the certificate can't be used to make new signatures.
Ready to send your first document with PearSign?
AI drafts it, places the fields, and collects every signature — sealed and audit-trailed.
This article is general information about electronic signatures and related standards — not legal advice. For your specific situation, consult qualified counsel in your jurisdiction.