Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| The certificate chain could not be validated | Adobe Acrobat signature properties | — |
| Unable to build chain to trusted root | Windows event log / certutil -verify output | CERT_E_UNTRUSTEDROOT |
Where chains actually break
A chain failure means the validator (Acrobat, DocuSign, Windows CAPI, macOS Keychain) couldn't follow the path from the end-entity certificate back to a trusted root. The break is almost always one of three: a missing intermediate, an unreachable AIA URL, or a revocation check that times out.
Windows vs macOS — what differs
Windows 10 / 11
- CAPI auto-fetches missing intermediates via AIA URLs if egress to those URLs is allowed. Egress proxies often block this silently.
- Use 'certutil -verify -urlfetch <cert.cer>' to force AIA fetch and watch the chain build live.
macOS Sonoma / Sequoia
- Keychain does not auto-fetch as aggressively as CAPI. Manually import missing intermediates via Keychain Access → File → Import Items.
- Set trust on the intermediate to 'Use System Defaults' rather than 'Always Trust' to preserve revocation enforcement.
Browser-specific behaviour
Chrome
Uses platform validators on Windows/macOS; same failure modes apply.
Firefox
Uses NSS, which has its own intermediate cache (cert_override.txt). Clear via Settings → Privacy → Manage Certificates → Authorities tab.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Export the signing certificate as .cer (DER or PEM)
Expected: File saved.
2. Inspect AIA extension
certutil -dump <cert.cer> · look for 'Authority Information Access' → CA Issuers - URI
Expected: URL pointing to the intermediate. Open in browser; should download a .crt or .p7c.
3. Force chain build with revocation
certutil -verify -urlfetch <cert.cer>
Expected: 'Verified' at the end, no 'CERT_TRUST_*' flags set.
4. If revocation fails, test the OCSP URL
Open the OCSP URL from the AIA in a browser
Expected: HTTP 200 with binary body. A 4xx/5xx response or a timeout means OCSP is unreachable; remediate at the firewall/proxy or switch to CRL fallback.
5. Import missing intermediate
certutil -addstore -user CA <intermediate.crt>
Expected: 'Certificate added to store' — chain now builds.
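The forced chain build in step 3 can also be scripted and its result mapped onto the three break causes described earlier. The PowerShell below is an added example, not from the original page: it uses the .NET X509Chain class, and the helper name Get-ChainBreak and the in-memory self-signed sample certificate are assumptions made for illustration. It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Get-ChainBreak is a hypothetical helper name (added example, not a built-in cmdlet).
function Get-ChainBreak {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutSeconds = 15
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # Online mode lets the validator fetch AIA, CRL and OCSP URLs,
        # the same intent as 'certutil -verify -urlfetch'.
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
        $verified = $chain.Build($Certificate)
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
        # Classify in path order: issuers first, then revocation, then root trust.
        $cause = if ($verified) {
            'Chain verified'
        } elseif ($flags -contains 'PartialChain') {
            'Missing intermediate or unreachable AIA URL'
        } elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
            'Revocation check could not complete (CRL/OCSP unreachable or timed out)'
        } elseif ($flags -contains 'UntrustedRoot') {
            'Path ends at a root that is not trusted (CERT_E_UNTRUSTEDROOT)'
        } else {
            'Other chain error, see Flags'
        }
        [pscustomobject]@{
            Verified = $verified
            Cause    = $cause
            Flags    = $flags -join ', '
            Path     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        }
    } finally {
        $chain.Dispose()
    }
}

# Constructed sample input: a throwaway self-signed certificate held in memory.
# For a real check, pass the .cer exported in step 1 instead:
#   [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<cert.cer>')
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Test Signer', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
Get-ChainBreak -Certificate $sample | Format-List
```

A PartialChain result does not by itself distinguish a missing intermediate from a blocked AIA URL; opening the CA Issuers URL from step 2 settles which one it is.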
Frequently asked questions
Why doesn't Adobe just download the missing intermediate?
Acrobat does follow AIA URLs when 'Enable signature verification by retrieving certificates' is enabled in Trust Manager. Most enterprise installs disable this — re-enable it under Preferences → Trust Manager.
Is a missing intermediate ever the signer's fault?
Yes — best practice is to embed the full chain in the signature container (PAdES-B-LT). If the signer embedded only the end-entity, validators must fetch intermediates themselves.
What does a timestamp server error have to do with chain validity?
The timestamp authority (TSA) signs with its own certificate, which must itself chain to a trusted root. If the TSA's intermediate is missing or its OCSP is unreachable, the signature's long-term validity collapses even though the signing certificate is fine.