Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| The signer's identity is unknown because it has not been included in your list of trusted certificates | Signature Properties → Summary | — |
| Identity is not trusted | Show Signer's Certificate → Trust tab | — |
Why Acrobat trust is separate
Acrobat maintains its own trust store independent of the operating system. A certificate Windows or macOS trusts perfectly can still fire 'identity unknown' inside Acrobat. The three legitimate paths to trust are: AATL (automatic), Windows Integration (Windows only, off by default in enterprise), and explicit per-signer trust.
Windows vs macOS — what differs
Windows 10 / 11
- Enable Edit → Preferences → Signatures → Verification → More → 'Windows Integration' to honour Windows certificate store roots.
- Domain-joined machines that receive root CAs via Group Policy still need Windows Integration enabled for Acrobat to see them.
macOS Sonoma / Sequoia
- No Keychain integration available — every trust must be set in Acrobat directly or pulled via AATL.
- Use 'Manage Trusted Identities' inside Acrobat to import a corporate root .cer file from the issuing authority.
Browser-specific behaviour
Chrome
Browser viewers do not surface this error — only Acrobat does. Always validate in Acrobat.
Edge
Same — browser PDF viewers do not chain-validate.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Edit → Preferences → Trust Manager → Update Now
Expected: AATL list refreshes. If the signer's CA is on AATL, banner clears.
2. If still untrusted, Show Signer's Certificate → Trust → Add to Trusted Certificates
Expected: Per-signer trust persists in the local Acrobat trust store.
3. For organisation-wide CAs, import the root via Preferences → Signatures → Identities & Trusted Certificates → Trusted Certificates → Import
Expected: Root appears in the trusted list; all certificates issued under it now validate.
4. On Windows, enable 'Windows Integration' for Validating Signatures and Validating Certified Documents
Expected: Acrobat now honours roots present in the Windows store as well as AATL.
Frequently asked questions
Should I trust every CA root I import for any purpose?
No. When adding a root, tick only the purposes that match the credential's intended use — typically 'Sign documents or data' and optionally 'Certified documents'. Avoid blanket-trusting roots for 'Dynamic content' unless required.
Does importing a root require admin rights?
Acrobat-level trust is per-user and does not require admin. Windows-level trust (certmgr / certlm) does require admin if importing into Local Machine root.
How often does AATL refresh?
Every ~30 days by default. Force-refresh via Trust Manager → Update Now after any CA roster change.
Related services
Explore the consulting hub for this issue, or review session pricing.
Still seeing this error?
If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).
Book a $49 Zoom diagnostic →Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.