zig

Reputation: 4624

"At least one signature has problems" message when signed PDF is opened

Using iTextSharp to create and sign a PDF works fine, but when I open the document in Adobe Reader or Acrobat it displays

"At least one signature has problems"


Note: This is not the same as a similar known problem:

"At least one signature is invalid"

which actually indicates that the certificate is invalid.

After reading a bit on the net, especially on the Adobe forum, it seems that Adobe does not recognize the certificate as trusted. I have tried both a self-signed certificate and an official, verified and validated certificate we purchased from Thawte that we use for code signing without any issues.

I can almost understand this warning for a self-signed certificate, but not for an official, commercial certificate bought from Thawte.

All the "solutions" out there suggest that a user can manually add the certificate to a so-called trusted list. The process is described here:

How to resolve "At least one signature has problems." error in Adobe Reader?

The problem will be "solved" for that specific user/computer, but if you send the PDF to another customer, the message appears again!
That seems like very unprofessional behavior, and this warning is just misleading and makes it much worse for simple end-customers, who do not know whether they can trust the signed document!

What can be done to fix this issue?
If Adobe is selling a special certificate for PDF, we are willing to purchase such a certificate! Is that an option?
I have searched all over, but could not find a proper solution.

The code I'm using:

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using iTextSharp.text;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;

namespace Test
{
    class Program
    {
        static void Main(string[] args)
        {
            // Build a one-page PDF in memory.
            Stream stream = new MemoryStream();
            Document document = new Document();
            document.SetPageSize(PageSize.A4);
            PdfWriter writer = PdfWriter.GetInstance(document, stream);
            writer.CloseStream = false;   // keep the MemoryStream open for the signing pass
            document.Open();
            document.Add(new Paragraph("Hello World"));
            document.Close();             // Document.Close() already closes the writer

            string destPdfFileName = @"D:\out.pdf";
            string pfxFileName = @"D:\cert.pfx";
            string pfxPassword = "password";
            var cert = new X509Certificate2(pfxFileName, pfxPassword);

            // Embed the whole certificate chain (leaf first), not only the leaf.
            // A validator such as Adobe Reader builds the path from the certificates
            // carried in the CMS container up to a root it trusts; a missing
            // intermediate is one more reason for the signature to show as untrusted.
            var chainBuilder = new X509Chain();
            chainBuilder.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chainBuilder.Build(cert);     // a self-signed cert yields a one-element chain
            var cp = new Org.BouncyCastle.X509.X509CertificateParser();
            var chain = new Org.BouncyCastle.X509.X509Certificate[chainBuilder.ChainElements.Count];
            for (int i = 0; i < chain.Length; i++)
                chain[i] = cp.ReadCertificate(chainBuilder.ChainElements[i].Certificate.RawData);

            // SHA-1 is deprecated; pass "SHA-256" here whenever the key's CSP supports it
            // (older Microsoft providers reject SHA-256 in X509Certificate2Signature).
            IExternalSignature externalSignature = new X509Certificate2Signature(cert, "SHA-1");

            stream.Position = 0;
            PdfReader pdfReader = new PdfReader(stream);
            using (FileStream signedPdf = new FileStream(destPdfFileName, FileMode.Create))  // the output pdf file
            {
                PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, signedPdf, '\0');
                PdfSignatureAppearance signatureAppearance = pdfStamper.SignatureAppearance;
                signatureAppearance.Reason = "Reason";
                signatureAppearance.Location = "Location";
                signatureAppearance.SetVisibleSignature(new iTextSharp.text.Rectangle(20, 10, 170, 60), 1, "Signature");
                // SignDetached closes the stamper and finishes writing signedPdf.
                MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CMS);
            }
            pdfReader.Close();

            Console.ReadKey();
        }
    }
}

Just to add to @mkl's answer, from the Adobe Approved Trust List:

How do I get an AATL-enabled signing credential?
Adobe does not sell these credentials but manages the program by which these credentials are trusted. To purchase AATL-enabled certificates, contact one of the members. Also check the list to see if your organization may already be a part of the AATL.

Upvotes: 2

Views: 2001

Answers (1)

mkl

Reputation: 95898

What can be done to fix this issue?

If Adobe is selling a special certificate for PDF, we are willing to purchase such a certificate! Is that an option?

I have searched all over, but could not find a proper solution.

By default Adobe Reader trusts certificates with issuers from Adobe's own AATL (Adobe Authorized Trust List) and the EUTL (European Union Trust List).

For details read Adobe Trust Services:

Adobe facilitates trusted and secure exchange of electronic documents and information by means of trust services that enable individuals, governments and enterprises around the world to run their businesses safely based on principles of Security, Availability, Authenticity, Integrity, Confidentiality, and Privacy.

Adobe Authorized Trust List (AATL)

The Adobe Approved Trust List (AATL) is the largest Trust Service for electronic documents in the world allowing millions of users to create digital signatures that are trusted whenever the signed document is opened in the ubiquitous Adobe Acrobat or Acrobat Reader software. Over 6 billion electronic and digital signature transactions are processed through Adobe Document Cloud solutions every year.

Acrobat and Acrobat Reader have been programmed to reach out to an online service run by Adobe to periodically download a list of trusted digital certificates from leading Trust Service Providers.

Digital signatures created with a Digital ID that has been issued under any of the trustworthy certificates published in the AATL will appear as trusted in Acrobat and Acrobat Reader. This enormously simplifies the validation of these signatures without requiring any specialized software or custom configuration.

Visit the Adobe Authorized Trust List web page to know more about the AATL program and view the list of partners that provide trusted AATL Digital IDs.

Adobe European Union Trust List (EUTL)

EU Trusted lists are essential elements in building trust among electronic market operators by allowing users to determine the qualified status and the status history of trust service providers and their services.

The Adobe European Union Trust List (EUTL) is a reduced version of the combined trusted lists from all EU Member States and EEA countries which includes the information specified in Article 1 of European Commission Implementing Decision (EU) 2015/1505.

Some Member States may include in their trusted lists information on non-qualified trust service providers, but these services are excluded from the Adobe EUTL. Some Member States may also include in their trusted lists information on nationally defined trust services of other types than those defined under Article 3(16) of EU Regulation n. 2014/910. As these services are not qualified according to EU Regulation n. 2014/910, they are excluded as well from the Adobe EUTL.

Acrobat and Acrobat Reader have been programmed to reach out to an online service run by Adobe to periodically download the list of trusted digital certificates from EU Qualified Trust Service Providers that meet the requirements specified in Article 1 of the Implementing Decision (EU) 2015/1505.

Digital signatures created with a Digital ID that has been issued under any of the trustworthy certificates published in the EUTL will appear as trusted in Acrobat and Acrobat Reader. This enormously simplifies the validation of these signatures without requiring any specialized software or custom configuration.

Visit Adobe’s European Union Trust List (EUTL) web page to know more about the EUTL program and view a list of providers that issue EUTL trusted services.

Upvotes: 1
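To see why a signature lands in the "has problems" state, it helps to look at what the validator sees: whether the bytes verify, which certificates travel inside the CMS container, and whether the signer's chain can be built to a trusted root. The following inspector is an added example for this page (not the question's code and not part of iTextSharp); it uses the iTextSharp 5 `AcroFields`/`PdfPKCS7` API and assumes the signed file is the `D:\out.pdf` produced by the question's program (a placeholder path, overridable on the command line).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;

// Added example: inspect every signature in a PDF and report integrity,
// digest algorithm, embedded certificates and chain-building result.
class SignatureInspector
{
    static void Main(string[] args)
    {
        // Placeholder path (assumption): the output of the question's signing program.
        string path = args.Length > 0 ? args[0] : @"D:\out.pdf";

        using (PdfReader reader = new PdfReader(path))
        {
            AcroFields fields = reader.AcroFields;
            foreach (string name in fields.GetSignatureNames())
            {
                PdfPKCS7 pkcs7 = fields.VerifySignature(name);
                Console.WriteLine("Signature field:         {0}", name);
                Console.WriteLine("  covers whole document: {0}", fields.SignatureCoversWholeDocument(name));
                Console.WriteLine("  integrity check:       {0}", pkcs7.Verify());
                Console.WriteLine("  digest algorithm:      {0}", pkcs7.GetHashAlgorithm());

                // Certificates embedded in the signature. A signer that passes a
                // one-element chain (as in the question) embeds only the leaf, so the
                // validator must locate the intermediates itself before it can reach
                // any trusted root.
                var embedded = pkcs7.Certificates;
                Console.WriteLine("  certificates embedded: {0}", embedded.Count);
                foreach (Org.BouncyCastle.X509.X509Certificate c in embedded)
                    Console.WriteLine("    {0}", c.SubjectDN);

                // Rebuild the path against this machine's Windows store, offering the
                // embedded certificates as extra candidates. Acrobat performs the same
                // step against its own AATL/EUTL store: a chain ending at a root that
                // store does not carry is exactly the "has problems" case.
                var leaf = new X509Certificate2(pkcs7.SigningCertificate.GetEncoded());
                var chain = new X509Chain();
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                foreach (Org.BouncyCastle.X509.X509Certificate c in embedded)
                    chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(c.GetEncoded()));

                bool trusted = chain.Build(leaf);
                Console.WriteLine("  chains to a Windows-trusted root: {0}", trusted);
                foreach (X509ChainElement el in chain.ChainElements)
                    Console.WriteLine("    {0}", el.Certificate.Subject);
                foreach (X509ChainStatus st in chain.ChainStatus)
                    Console.WriteLine("    status: {0} ({1})", st.Status, st.StatusInformation.Trim());
            }
        }
    }
}
```

Run it against a file signed with a self-signed certificate and the chain status reports `UntrustedRoot`; run it against a file signed with a certificate whose root sits in the Windows store and `Build` returns true. The second result still says nothing about Acrobat, which consults the AATL/EUTL lists described in the answer rather than the operating system store; the point of the check is to confirm that integrity is intact and the embedded chain is complete, so that the only remaining variable is whether the root is one Acrobat trusts.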
