You download your e-Aadhaar, open it in Adobe Reader, and see a yellow warning: "At least one signature has problems." You check your PAN card PDF. Same warning. An Income Tax notice from CPC Bangalore. Same thing. The signature says "UNKNOWN" or "NOT VERIFIED," and you are left wondering whether the document is genuine or tampered with.
This is one of the most common frustrations Indians face with digitally signed PDFs. The warning does not mean the signature is invalid. It means your PDF reader lacks the root certificate it needs to verify the signature chain. This article explains why this happens, what digital signature verification actually checks, and how to verify any signed PDF, whether it was signed with a DSC, Aadhaar eSign, or a government certificate.
Why Digital Signature Verification Matters
A digital signature on a PDF serves three purposes that a scanned image of a signature cannot: identity confirmation (proving who signed it), integrity assurance (proving the document has not been altered since signing), and non-repudiation (preventing the signer from denying they signed it). These three guarantees rely on cryptographic mathematics, not on the visual appearance of a signature.
Verification is the process of checking these three guarantees. Without it, you are trusting the document at face value. A forged physical signature might fool the eye, but a failed digital signature verification is mathematically conclusive: either the signature is valid or it is not.
For legal compliance, verification is essential. Under Section 4 of the Information Technology Act, 2000, an electronic record authenticated by a digital signature is deemed a duly signed document. But this legal standing depends on the signature being valid. Under Section 67A, a court will presume a secure electronic signature was affixed with the signer's intention, but only if the signature passes verification. A document with a broken or tampered signature loses these legal presumptions entirely.
The "Signature Not Verified" Problem in Adobe Reader
When you open a digitally signed Indian PDF in Adobe Acrobat Reader, you will often see one of these messages:
- "At least one signature has problems"
- "Signature validity is UNKNOWN"
- "Signature Not Verified"
- A yellow warning triangle next to the signature
Why This Happens
Every digital signature relies on a chain of trust. At the top of this chain is a root certificate, issued by the root authority. For Indian digital signatures, this root authority is the Root Certifying Authority of India (RCAI), established by the Controller of Certifying Authorities (CCA) under Section 18(b) of the IT Act, 2000.
Adobe Acrobat Reader maintains its own list of trusted root certificates called the Adobe Approved Trust List (AATL). This list includes root certificates from certificate authorities around the world. However, India's CCA root certificate is not included in the AATL. This means Adobe Reader cannot complete the certificate chain verification for any Indian digital signature, and it displays the "unknown" warning by default.
For a genuine document, this is purely a configuration issue, not a security issue. The signature itself is perfectly valid; Adobe simply does not have the reference point it needs to verify the chain, so it reports the status as unknown rather than confirming it. The solution is to import the CCA root certificate into Adobe Reader (explained below) or to use a verification tool that already trusts India's PKI, such as SignSetu's free signature verification tool.
Microsoft Windows Users
Understanding India's Public Key Infrastructure (PKI)
To understand digital signature verification, you need to understand the trust chain. India's PKI has three levels.
Level 1: Root Certifying Authority of India (RCAI)
At the top is RCAI, established by the CCA under the IT Act. RCAI issues a self-signed root certificate that serves as the ultimate trust anchor for all Indian digital signatures. The current root certificate is "CCA India 2022," valid until 2042. Previous versions include RCAI 2007, 2011, 2014, and 2015. Documents signed under older RCAI versions require the corresponding root certificate for verification.
Level 2: Licensed Certifying Authorities (CAs)
RCAI signs the certificates of Licensed CAs, which are the organizations authorized to issue Digital Signature Certificates to individuals and organizations. Currently licensed CAs in India include eMudhra Limited, Sify Technologies, (n)Code Solutions, National Informatics Centre (NIC), CDAC, Protean (formerly NSDL), Capricorn Identity Services, and XtraTrust.
Level 3: End-Entity Certificates
Licensed CAs issue certificates to individuals and organizations. These are the certificates you see when you inspect a signed PDF: they contain the signer's name, the issuing CA, the validity period, and the public key. For Aadhaar eSign, the certificate is generated per transaction with a validity of approximately 30 minutes. For DSC, the certificate is stored on a USB token and is valid for 1 to 3 years.
The verification chain works like this: To trust the signer's certificate, your PDF reader must trust the Licensed CA that issued it. To trust the Licensed CA, it must trust the RCAI root certificate. If the RCAI root certificate is missing from the trust store, the entire chain is "unknown," even if every link in the chain is perfectly valid.
Types of Digital Signatures on Indian PDFs
Different types of documents carry different types of digital signatures. Understanding the type helps you know what to expect during verification.
Digital Signature Certificate (DSC)
Since 1 January 2021, only Class 3 DSCs are issued in India (Class 1 and Class 2 were retired). Class 3 DSCs are used for MCA/ROC filings, GST registrations, Income Tax filings, and e-Tendering. The certificate is stored on a physical USB token and is valid for 1 to 3 years. Documents signed with DSC show the signer's full name and organization details in the signature panel.
Aadhaar eSign
Aadhaar eSign uses a short-lived certificate generated per signing session. The certificate is created after Aadhaar OTP authentication and is valid for approximately 30 minutes. Documents signed this way show the signer's Aadhaar-verified name and the ESP (like eMudhra) as the certificate issuer. Aadhaar eSign is used for rent agreements, employment contracts, NDAs, and other private agreements. Platforms like SignSetu use this method.
Government and Institutional Certificates
Various government bodies sign PDFs using DSCs issued under the CCA chain. These include:
- UIDAI signs e-Aadhaar PDF documents
- Income Tax Department signs e-PAN cards, IT notices, and assessment orders
- NIC (National Informatics Centre) signs documents for various central ministries
- State Governments sign birth certificates, caste certificates, domicile certificates, and income certificates
- Courts sign e-Court orders and certified copies
- DigiLocker documents are pre-signed by the issuing department and recognized as equivalent to originals under the IT Act
How to Verify Digital Signatures on PDF: 4 Methods
Here are the methods available for verifying digital signatures, from the simplest to the most technical.
Method 1: Use a Free Online Verification Tool (Easiest)
The quickest way to verify any digitally signed PDF is to use SignSetu's free signature verification tool. This browser-based tool verifies signatures without uploading your file to any server: all processing happens locally in your browser, keeping your document private.
The tool checks Aadhaar eSigned documents, DSC-signed documents, government certificates (e-Aadhaar, e-PAN, state certificates), and court orders. It displays the signer's name, signing timestamp, certificate issuer, certificate authority, and validity status. There is no signup required, no usage limits, and it works on Chrome, Firefox, Safari, and Edge.
Method 2: Adobe Acrobat Reader (After Root Certificate Import)
Adobe Reader is the most common PDF viewer, but it requires a one-time setup to verify Indian signatures. Here is the process.
- Download the CCA Root Certificate: Visit cca.gov.in/root_certificate.html and download the root certificate file (e.g., "CCA India 2022.cer"). For documents signed under older RCAI versions, download the corresponding root certificate as well.
- Open Adobe Reader Preferences: Go to Edit > Preferences > Signatures > Identities & Trusted Certificates, and click "More."
- Import the Certificate: Click "Trusted Certificates" in the left panel, then "Import." Browse to the downloaded .cer file and select it.
- Set Trust Levels: Select the imported certificate, click "Edit Trust," and check "Use this certificate as a trusted root" and "Certified documents."
- Reopen the PDF: Close and reopen your signed PDF. The signature should now show a green checkmark with "Signature is VALID" instead of the yellow warning.
Method 3: Verify e-Aadhaar Specifically
For e-Aadhaar PDFs, UIDAI provides specific verification guidance. Download the UIDAI public certificate from the mAadhaar app dashboard or the UIDAI website. Import it into Adobe Reader following the same process above. After import, the last page of your e-Aadhaar PDF should display a green tick confirming the signature is valid and the document was signed by UIDAI.
Method 4: Programmatic Verification (For Developers)
Organizations that need to verify signed PDFs at scale can implement programmatic verification.
Java: Use Apache PDFBox (open source) with the Bouncy Castle library for certificate chain validation. Load the CCA root certificates into a Java KeyStore and validate each signature's certificate chain against it. iText is a commercial alternative with built-in signature verification APIs.
Python: The endesive library (available on PyPI) is specifically designed for digital signing and verification of PDF documents. It supports PKCS#7/CMS signatures and can validate certificate chains. Combine it with the cryptography library for comprehensive chain validation.
In all programmatic approaches, you must include the CCA root certificates in your trust store. Without them, the certificate chain validation will fail, producing the same "unknown" result you see in Adobe Reader.
What Does Digital Signature Verification Actually Check?
A proper verification involves multiple checks. Understanding what each check does helps you interpret the results correctly.
1. Certificate Chain Validation
The verifier checks whether the signer's certificate was issued by a Licensed CA, whether that CA's certificate was signed by the RCAI root, and whether the root certificate is trusted. The chain must be unbroken from the end-entity certificate all the way to the root. A broken chain (missing intermediate certificate or untrusted root) produces the "unknown" status.
2. Document Integrity (Tamper Detection)
At the time of signing, a cryptographic hash (SHA-256) is computed over the document contents and embedded in the signature. During verification, the same hash is recomputed over the current document. If the two hashes match, the document has not been altered since signing. If they do not match, the signature shows as "invalid," indicating tampering. Even changing a single space or character will cause this check to fail.
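The hash comparison described above, as an added example that is not part of the original article. In a PDF the signed bytes are the ones listed in the signature's /ByteRange entry; the sample below is constructed PDF-like text rather than a real signed file, and the stored digest stands in for the value a real verifier reads from the signature.

```python
import hashlib
import re

# First /ByteRange in the file; a PDF with several signatures has one per signature.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample(text: bytes) -> bytes:
    """Constructed PDF-like bytes with a signature dictionary (not a real PDF)."""
    before = b"%PDF-1.7\n" + text + b"\n<< /Type /Sig /ByteRange "
    after_br = b" /Contents "
    gap = b"<" + b"00" * 16 + b">"   # where the signature value would sit
    tail = b" >>\n%%EOF\n"
    width = len(b"[0 %010d %010d %010d]" % (0, 0, 0))
    first_len = len(before) + width + len(after_br)
    byte_range = b"[0 %010d %010d %010d]" % (first_len, first_len + len(gap), len(tail))
    return before + byte_range + after_br + gap + tail


def signed_ranges(pdf: bytes):
    match = BYTE_RANGE.search(pdf)
    if match is None:
        raise ValueError("no /ByteRange found")
    o1, l1, o2, l2 = map(int, match.groups())
    if o1 + l1 > o2 or o2 + l2 > len(pdf):
        raise ValueError("ByteRange does not fit the file")
    return o1, l1, o2, l2


def byterange_digest(pdf: bytes) -> str:
    """SHA-256 over the two signed ranges, skipping the /Contents gap."""
    o1, l1, o2, l2 = signed_ranges(pdf)
    return hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).hexdigest()


def integrity_report(pdf: bytes, digest_at_signing: str) -> dict:
    _, _, o2, l2 = signed_ranges(pdf)
    return {
        "digest_matches": byterange_digest(pdf) == digest_at_signing,
        # Bytes after the signed range (e.g. an incremental update) are not hashed.
        "unsigned_trailing_bytes": len(pdf) - (o2 + l2),
    }


ORIGINAL = build_sample(b"Monthly rent: 15000 INR")   # constructed content
DIGEST = byterange_digest(ORIGINAL)                   # stand-in for the signed digest
TAMPERED = ORIGINAL.replace(b"15000", b"95000")       # edit inside the signed range
APPENDIX = b"\n% constructed bytes added after signing\n"
APPENDED = ORIGINAL + APPENDIX                        # content added after the range
```

An edit inside the signed range changes the digest, while bytes appended after it leave the digest intact, so a verifier has to report uncovered trailing bytes as a separate finding.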
3. Certificate Validity Period
The verifier checks whether the signer's certificate was valid at the time of signing. For DSC, the certificate is valid for 1 to 3 years. For Aadhaar eSign, the certificate is valid for approximately 30 minutes. A signature created within the validity window is considered valid even if the certificate has since expired, provided a trusted timestamp is present.
4. Certificate Revocation Check
Certificates can be revoked before their expiry date (for example, if the signer's private key is compromised). Two mechanisms exist for revocation checking: CRL (Certificate Revocation List), a periodically published list of revoked certificates maintained by each CA, and OCSP (Online Certificate Status Protocol), a real-time query to the CA about a specific certificate's status. OCSP is more current but requires network connectivity.
5. Signature Algorithm Strength
Modern signatures should use SHA-256 or stronger hash algorithms (SHA-1 is deprecated and considered weak). The RSA key size should be 2048 bits or higher. Verification tools flag signatures that use deprecated algorithms, as they may be vulnerable to forgery.
6. Timestamp Verification
If the signature includes a trusted timestamp from a Time Stamping Authority (TSA), it proves the document existed and was signed at a specific point in time. This is important for Long-Term Validation (LTV): even if the signing certificate expires years later, the trusted timestamp proves the signature was created while the certificate was still valid.
Common Digitally Signed Documents in India
You encounter digitally signed PDFs more often than you might realize. Here are the most common ones.
Government Identity Documents
- e-Aadhaar: Signed by UIDAI. The most commonly encountered digitally signed PDF in India. Downloadable from the UIDAI website or mAadhaar app.
- e-PAN: Signed by the Income Tax Department / Protean. Instant e-PAN is issued via Aadhaar eKYC.
- Digital Driving License: Available via DigiLocker, signed by state transport authorities.
- Digital Voter ID (EPIC): Available as a digital copy via DigiLocker.
Financial and Tax Documents
- Income Tax Notices and Assessment Orders: Digitally signed by Assessing Officers at CPC Bangalore.
- GST Registration Certificates: Signed under Rule 26 of the CGST Rules, 2017.
- Form 16 / Form 26AS: Available from the TRACES portal with digital signatures.
Corporate and Legal Documents
- MCA/ROC Certificates: Certificate of Incorporation, annual filing acknowledgments.
- e-Court Orders: Digitally signed copies of court orders and judgments.
- Contracts and Agreements: Rent agreements, NDAs, employment contracts signed via Aadhaar eSign.
DigiLocker Documents
All documents stored in DigiLocker are digitally signed by the issuing department and recognized as equivalent to original physical documents under the IT Act, 2000. These include CBSE/State Board mark sheets, degree certificates, birth certificates (digital birth certificate system launched September 2025), caste certificates, domicile certificates, and income certificates.
Stamp Duty and Registration
- e-Stamp Certificates: Issued by SHCIL, verifiable via UIN or QR code at shcilestamp.com. Also available through eSahayak's eStamp service.
- Registered Document Copies: In states with digital delivery, Sub Registrar offices provide digitally signed copies of registered documents.
Legal Framework for Digital Signature Verification
Several provisions of Indian law specifically address digital signatures and their verification.
IT Act, 2000
Section 3 establishes the legal framework for digital signatures using asymmetric cryptosystems and hash functions. Section 3A (added by the 2008 amendment) extends recognition to electronic signatures, including Aadhaar eSign. Section 4 provides that an electronic record authenticated by a digital signature is deemed a duly signed document. Section 5 grants electronic signatures the same validity as handwritten signatures. Section 67A creates a presumption that a secure electronic signature was affixed by the subscriber with the intention of signing.
Evidence Law: BSA 2023 (formerly Indian Evidence Act)
Section 63 of the Bharatiya Sakshya Adhiniyam (BSA), 2023 (replacing Section 65B of the Indian Evidence Act, 1872) governs the admissibility of electronic records. A digitally signed PDF is admissible as evidence if accompanied by a certificate from the person in charge of the computer resource. The BSA 2023 introduced a mandatory hash value requirement and a structured two-part certification format, strengthening the evidentiary framework.
Section 85B (still applicable through transitional provisions) creates two important presumptions: (a) a secure electronic record has not been altered since the secure status was established, and (b) a secure digital signature was affixed by the subscriber with the intention of signing or approving the record. Section 85C presumes that the information in an Electronic Signature Certificate is correct, unless the contrary is proved.
Best Practices for Handling Digitally Signed PDFs
- Install CCA Root Certificates Once: Download all RCAI root certificate versions (2007, 2011, 2014, 2015, 2022) from cca.gov.in and import them into Adobe Reader. This is a one-time setup that resolves the "unknown" warning for all Indian digital signatures going forward.
- Never Print and Re-scan a Signed PDF: The digital signature exists only in the electronic file. A printed or scanned copy has no cryptographic protection and carries no more legal weight than a photocopy.
- Do Not Modify After Signing: Adding annotations, filling form fields, "flattening" the PDF, or even re-saving with certain editors can break the signature. If you need to annotate, save a separate copy.
- Store the Original File Securely: The digitally signed PDF file IS the legally valid document. Back it up. Cloud storage, external drives, or secure document management systems all work.
- Verify Before Relying: Before accepting a digitally signed document for any legal, financial, or compliance purpose, verify the signature using SignSetu's free tool or Adobe Reader with the CCA root certificate imported.
- Check the Signing Date: A certificate may have been valid when the document was signed but later revoked. Use OCSP or check the CA's CRL for revocation status, especially for high-value transactions.
- Use Long-Term Validation (LTV): When creating signed documents, use LTV-enabled signatures. LTV embeds all the information needed for verification (certificates, CRLs, OCSP responses) within the PDF, so it can be verified years later.
- For Organizations Processing Signed Documents: Implement programmatic verification using libraries like Apache PDFBox (Java) or endesive (Python), with the CCA root certificates loaded into the trust store.
Verifying e-Stamp Certificates
e-Stamp certificates are different from digitally signed PDFs. They are issued by SHCIL (Stock Holding Corporation of India Limited) and carry a Unique Identification Number (UIN) and a QR code for verification.
To verify an e-Stamp certificate, visit shcilestamp.com and enter the UIN or scan the QR code. The portal will confirm whether the stamp certificate is genuine, the denomination, and the date of issue. This is separate from digital signature verification on PDFs. If you need eStamp paper for a document, you can order eStamp paper through eSahayak.
Common Verification Errors and What They Mean
When you verify a digitally signed PDF, you may encounter several status messages. Here is what each one means.
- Green Checkmark: "Signature is VALID" means the certificate chain is trusted, the document has not been tampered with, and the certificate was valid at the time of signing. This is the ideal result.
- Yellow Triangle: "Signature validity is UNKNOWN" means the root certificate is not in your trust store. The signature may be perfectly valid, but your PDF reader cannot confirm it. Import the CCA root certificate or use SignSetu's verification tool to check.
- Red X: "Signature is INVALID" means either the document has been tampered with after signing, or the certificate has been revoked. Do not trust this document without further investigation.
- "Certificate has expired" does not necessarily mean the signature is invalid. If the signature was created while the certificate was still valid (check the signing timestamp), the signature is still legally valid. This is particularly common with Aadhaar eSign certificates, which expire after approximately 30 minutes.
- "Certificate revoked" means the CA has explicitly revoked the signer's certificate, possibly due to compromise. The document should be treated with caution and verified through other means.