Error While Signing PDF with DSC India: Complete Fix Guide 2026

Signing a PDF with a DSC in India involves more moving parts than most people realize: the USB token, the token driver, the PDF application (Adobe Acrobat or others), the certificate trust chain, and sometimes a timestamp server. When any of these breaks, you get an error — and the error messages from PDF software are notoriously unhelpful.

Whether you're signing annual report PDFs, MCA forms, audit certificates, contracts, or any other document, this guide covers every PDF-DSC signing error with concrete, step-by-step solutions.

📋 Table of Contents

How PDF DSC Signing Works in India
PDF Signing Tools Comparison
Setting Up Adobe Acrobat for DSC Signing
Fix: Certificate Not Showing in Acrobat
Fix: Signing Failed / Error During Signing
Fix: Signature Shown as Invalid After Signing
Fix: Certificate Path Not Trusted
Fix: 'Document Modified After Signing' Warning
Fix: PIN Dialog Not Appearing During Signing
Adding CCA India Root Certificate to Trust Store
Using Timestamp Server for Long-Term Validation
Signing MCA/ROC PDF Forms
Signing GST-Related PDF Documents
Alternative Free PDF DSC Signing Tools
Frequently Asked Questions

1. How PDF DSC Signing Works in India

Understanding the technical process helps diagnose exactly where it's failing. When you click "Sign" in Adobe Acrobat with a DSC token:

PDF App requests certificate

→

PKCS#11 enumerates token certs

→

User selects cert + enters PIN

→

Token signs the PDF hash

→

Signature embedded in PDF

Additionally, for signature verification to work correctly, the recipient's PDF viewer must be able to verify the certificate chain from your DSC all the way up to a root CA that it trusts. In India, the root authority is the Controller of Certifying Authorities (CCA India), which sits above all Indian CAs (eMudhra, Sify, NSDL, etc.).

Adobe Acrobat's "approved trust list" (Adobe AATL) does not include Indian CAs by default. This is why Indian DSC signatures often show as "unverified" in Adobe — even when the signature is mathematically valid. The fix is to manually add CCA India's root certificate to Acrobat's trust store (covered in Section 10).

2. PDF Signing Tools Comparison

Most Used

Adobe Acrobat Pro

Industry standard. Full DSC signing support via PKCS#11. Requires paid license (₹1,500+/month). Versions 2020/2023/2024 recommended. Avoid Acrobat XI (2013) — outdated.

Free

Adobe Reader

Can sign only if PDF is "rights-enabled." Cannot add signature fields to a regular PDF. Limited use for DSC work.

Free

PDF24 Creator

Free offline tool. Supports PKCS#11 token signing. Good alternative to Acrobat for basic signing needs.

Paid

Foxit PDF Editor

Strong PKCS#11 support. Less expensive than Acrobat (₹800/month). Popular among CA firms and tax practitioners.

Govt. Portal

MCA21 Form Utility

MCA's offline form utility with built-in DSC signing for ROC forms. Free. Does not require Adobe.

Free

LibreOffice Draw/Impress

Can sign PDFs using DSC via PKCS#11. Limited in PDF handling. Useful as a last resort if Acrobat is unavailable.

3. Setting Up Adobe Acrobat for DSC Signing

Before fixing errors, ensure Acrobat is properly configured for DSC use. These are one-time setup steps:

Register PKCS#11 Module in Acrobat

Go to Edit → Preferences → Signatures → Identities & Trusted Certificates → More. In the window that opens, click PKCS#11 Modules and Tokens → Attach Module. Navigate to your token's PKCS#11 DLL:
• ePass2003: C:\Program Files\ePass2003\pkcs11\eps2003pkiP11.dll
• SafeNet eToken: C:\Program Files\SafeNet\Authentication\SAC\x64\aetpkss1.dll
• Proxkey: C:\Program Files\Proxkey\pkcs11\proxkey.dll
After adding, click OK. Your DSC certificate should now appear in Acrobat's signing dialog.

Add CCA India Root Certificate

In the same Identities & Trusted Certificates window, select Trusted Certificates → Import. Browse to the CCA India root certificate you downloaded from cca.gov.in. Select it, then click Trust and check "Use this certificate as a trusted root." This enables Acrobat to validate all Indian DSC signatures. (Detailed steps in Section 10.)

Configure Timestamp Server (Optional but Recommended)

Go to Edit → Preferences → Signatures → Creation & Appearance → More. In the timestamp section, add a timestamp server. Free options include: http://timestamp.digicert.com or http://tsa.startssl.com/rfc3161. A timestamp makes your signature valid even after the certificate expires. (More details in Section 11.)

4. Fix: Certificate Not Showing in Acrobat Signing Dialog

You go to sign the PDF, the certificate selection dialog opens — but your DSC certificate is not listed, or the list is empty.

❌ No digital IDs found / Certificate list is empty in signing dialog

PKCS#11 module not registered in Acrobat (most common — see step 1 above)
Token driver not installed or outdated
Token not inserted before opening Acrobat (Acrobat reads token list at startup)
Certificate is expired — Acrobat hides expired certificates by default
Wrong certificate purpose (encryption-only certificate, not signing)

Quick Fix: Insert your token BEFORE launching Acrobat. Then register the PKCS#11 DLL in Acrobat preferences as described in Section 3, Step 1.

Show Expired Certificates in Acrobat

If you suspect the certificate is expired but want to check, you can force Acrobat to show expired certificates:

In the signing dialog, look for "Show all" or "Include expired certificates" checkbox
If no such option, go to Acrobat Preferences → Signatures → Creation & Appearance → More → check "Show expired certificates"

Insert Token Before Opening Acrobat

Acrobat enumerates available PKCS#11 tokens and certificates at startup. If you plug in the token after Acrobat is already open, the certificate may not appear. Solution: close Acrobat completely, insert the token, wait for Windows to recognize it, then reopen Acrobat and try signing.

5. Fix: Signing Failed / Error During Signing

❌ "An error occurred while attempting to sign this document." / "Signing operation failed."

This generic error can have several root causes:

Wrong PIN entered: Acrobat will prompt again — enter the correct PIN. After 3–5 wrong attempts, the token locks.
Token disconnected mid-signing: USB connection interrupted. Reinsert token firmly in a USB 2.0 port.
Signature field conflict: The PDF already has a certified signature that prevents additional modifications. Sign before certifying, or request the document creator to allow additional signatures.
Acrobat version mismatch with cryptographic algorithm: Older Acrobat versions don't support SHA-256 signatures used in modern Class 3 DSCs. Update Acrobat to version 2020 or later.
PDF is locked/restricted: The document author applied security settings preventing modifications. You cannot sign a password-protected or edit-restricted PDF without the owner password.

Update Adobe Acrobat

Go to Help → Check for Updates. Install all available updates. Modern Indian DSCs use SHA-256 with RSA 2048-bit or 4096-bit keys — older Acrobat versions have issues with these. Acrobat DC 2020 or later is required for full compatibility.

Remove Security Restrictions from PDF (If Applicable)

If the PDF has owner-level security restrictions, go to File → Properties → Security → Show Details. Check if "Signing" is listed as "Not Allowed." If so, you need the document owner to remove restrictions, or you cannot sign it without the owner password.

Sign a Copy of the PDF

If the original PDF has issues, try: File → Save As (make a copy) → then sign the copy. Some PDF structure issues are resolved by recreating the file via Save As.

Try Signing with a Different Application

If Acrobat consistently fails, try PDF24 or Foxit to sign the same PDF. If another application signs successfully, the issue is Acrobat-specific (usually a PKCS#11 module configuration issue).

6. Fix: Signature Shown as Invalid After Signing

After signing, Acrobat shows a red X or warning — "Signature is invalid" or "At least one signature has problems."

❌ "Signature is INVALID" / Red X on signature panel

Certificate chain not trusted: Most common cause in India. Acrobat doesn't trust Indian CA certificates by default. Fix: add CCA India root certificate (Section 10).
Certificate expired: The signing certificate has expired. The signature is technically invalid after expiry unless a timestamp was embedded at signing time.
Document modified after signing: Even minimal modification (metadata update, print setting change) invalidates the signature. See Section 8.
Revoked certificate: The CA revoked the certificate (due to token loss report, key compromise, etc.). Contact your CA.

Add CCA India Trust Certificate

This fixes "not trusted" invalid signatures in most cases. See Section 10 for complete procedure. After adding CCA India root certificate, close and reopen the signed PDF — the signature should now show as valid (green checkmark).

Check Certificate Validity Period

Right-click the signature in Acrobat → Show Signature Properties → Signer's Certificate → Validity tab. Note the "Valid from" and "Valid to" dates. If the signing date is within the validity period but is now expired, and if a timestamp was embedded, the signature should still be considered valid at the time of signing.

Verify Revocation Status

In the Signature Properties → Signer's Certificate → Revocation tab, Acrobat will attempt to check if the certificate is revoked. If it shows "Unable to check revocation" and you have internet access, your firewall may be blocking the OCSP/CRL check. Temporarily disable firewall and retry, or contact your CA directly to confirm revocation status.

7. Fix: Certificate Path Not Trusted

This is the most common PDF signing problem in India. Adobe Acrobat's Adobe Approved Trust List (AATL) doesn't include Indian CAs — so signatures by Indian DSCs appear as "not trusted" even though they're perfectly valid under Indian law.

💡 Legal Note: "Not trusted" in Acrobat is a display issue, NOT a legal validity issue. Under the Information Technology Act 2000, a Class 3 DSC issued by a licensed Indian CA is legally valid regardless of what Acrobat shows. The "not trusted" warning is simply because Acrobat's default trust list doesn't include Indian CAs. Adding CCA India's root certificate fixes the display.

Complete fix is covered in Section 10. The short version: download CCA India root certificate from cca.gov.in, add it to Acrobat's Trusted Certificates with "Use as trusted root" checked.

8. Fix: 'Document Modified After Signing' Warning

This warning appears when Acrobat detects any change to the PDF after the signature was applied. Even seemingly minor changes invalidate the signature cryptographic integrity.

🔴 Critical Understanding: A digital signature on a PDF is mathematically tied to the exact bytes of the PDF at the moment of signing. Any change — even a single byte — breaks the signature. This is a feature, not a bug. It's how you prove the document hasn't been tampered with.

Common Causes of Unintended Modification

Action	Does it Modify PDF?	Safe to Do?
Save (Ctrl+S) after signing	No — incremental save	✅ Safe
Save As after signing	Yes — may restructure PDF	❌ Invalidates signature
Print and scan the signed PDF	Yes — creates new PDF	❌ Removes digital signature entirely
Print to PDF from signed document	Yes — creates new PDF without signature	❌ Do not do this
Annotate/comment on signed PDF	Depends on permission — if allowed at signing, no	⚠️ Only if signature permitted it
Emailing the signed PDF	No — file bytes unchanged	✅ Safe
Opening in different PDF viewer	No — read-only viewers don't modify	✅ Safe
Compressing/optimizing PDF after signing	Yes — modifies file structure	❌ Invalidates signature

Fixing "Document Modified" Warnings

If you see this warning on a PDF you didn't intentionally modify:

Check if Acrobat's autosave feature added any content — go to Preferences → Documents → uncheck "Automatically save document changes to temporary file every X minutes"
Check if Acrobat updated metadata on opening — some versions add metadata on first open; disable: Preferences → General → uncheck "Update metadata"
If the modification happened during transmission (e.g., email gateway added a footer), the sender must re-sign after adding the footer, not before

9. Fix: PIN Dialog Not Appearing During Signing

You select the certificate, click Sign, and wait — but the PIN entry dialog never appears. The signing process appears to hang or fail silently.

Check if PIN Dialog is Behind Acrobat Window

The token PIN dialog is a separate window. It may have opened behind the Acrobat window. Press Alt+Tab to cycle through open windows and look for a PIN entry dialog. Bring it to the front, enter your PIN.

Check in Task Manager

Open Task Manager (Ctrl+Shift+Esc) → Applications tab. Look for any application titled "Enter PIN," "Token PIN," or similar. Click it to bring it to focus.

Try Minimizing All Windows

Press Win + D to show desktop, then check if a PIN dialog is visible on the desktop or minimized in the taskbar.

Disable Always-on-Top Applications

Applications with "always on top" mode can obscure PIN dialogs. Common culprits: sticky note apps, task management tools, screen recording software. Close or minimize these before attempting PDF signing.

Reinstall Token Software

The PIN dialog is generated by the token management software (ePass Manager, SAC). If the software is corrupted, the PIN dialog generation may fail. Reinstall the token software.

10. Adding CCA India Root Certificate to Adobe Acrobat

This is the single most impactful configuration for PDF signing in India. Once done, all signatures by Indian CA-issued DSCs will show as trusted in Acrobat.

Download CCA India Root Certificate

Open a browser and go to cca.gov.in. Navigate to CCA Services → Download Certificates. Download: (a) "CCA India 2014" root certificate, and (b) "CCA India 2022" root certificate (for newer DSCs). Save both .cer files to your desktop.

Open Acrobat's Trust Certificate Store

In Adobe Acrobat: Edit → Preferences → Signatures → Identities & Trusted Certificates → More. In the Digital ID and Trusted Certificates dialog, select "Trusted Certificates" in the left panel.

Import CCA India Root Certificate

Click "Import" at the top. Browse to the CCA India 2014 .cer file you downloaded. Click Open. Acrobat will show certificate details.

Set as Trusted Root

After import, select the CCA India certificate in the list and click "Edit Trust." Check "Use this certificate as a trusted root" and also check "Certified documents" and "Dynamic content." Click OK.

Repeat for CCA India 2022

Repeat steps 3–4 for the CCA India 2022 certificate. Also import your specific CA's certificates (eMudhra, Sify, etc.) if needed for older DSCs.

Verify

Close the preferences dialog. Open a PDF that was signed with an Indian DSC. The signature should now show a green checkmark and "Signature is valid" instead of the red X.

11. Using Timestamp Server for Long-Term Validation

A timestamp embedded in the PDF signature proves when the document was signed. This is critical because: after your DSC certificate expires, the signature's validity in Acrobat would normally show as "unknown" or "expired." But if a trusted timestamp was embedded, Acrobat can prove the signature was created when the certificate was still valid — making the signature perpetually verifiable.

Adding a Timestamp Server in Acrobat

Go to Edit → Preferences → Signatures → Creation & Appearance → More
Under "Default signing method," ensure your DSC method is selected
Find the "Timestamp server" section — click "New"
Enter server name: DigiCert Timestamp and URL: http://timestamp.digicert.com
Leave username/password blank (it's a free, public timestamp server)
Click Verify to test connectivity, then OK
Check "Include signature's revocation status" if available

After adding the timestamp server, every PDF you sign will automatically include a cryptographic timestamp from DigiCert. This is a globally recognized timestamp authority. Your signatures will remain verifiable for decades after your certificate expires.

12. Signing MCA/ROC PDF Forms

MCA forms (like AOC-4, MGT-7, DIR-3 KYC, SH-7, etc.) are signed through the MCA21 portal workflow — not directly through Adobe Acrobat. Here's the correct process:

Download the Form

Log in to mca.gov.in. Navigate to MCA Services → E-filing → Download the relevant form (it's a fillable PDF with built-in logic).

Fill the Form Using Offline Tool

Open the downloaded PDF in the offline form utility provided by MCA (not Adobe Acrobat). The MCA offline form utility is based on a specific PDF library that handles the MCA-specific signing workflow.

Pre-scrutiny Check

Before signing, click "Pre-scrutiny" in the form to check for data errors. Fix all validation errors first. Signing a form with errors will result in rejection after upload.

Attach DSC (via MCA signing workflow)

Click "Attach DSC" in the form. This triggers the MCA-specific signing mechanism (similar to emSigner). Select your certificate from the dropdown, enter PIN, and sign.

Upload Signed Form

After signing, upload the signed PDF to the MCA portal. Do NOT open the signed file in Adobe Acrobat or make any changes. Upload the exact file as signed.

⚠️ MCA Form Signing Error: "DSC attached but not visible in portal"
This happens when the signing was done but the portal didn't register it. Fix: try signing again — if the "Attach DSC" button still shows instead of "Remove DSC," the previous signing didn't complete. Try in a different browser (Firefox recommended for MCA also).

13. Signing GST-Related PDF Documents

GST-related PDFs (like audit reports, appeal documents, or letters to tax authorities) are typically signed via Adobe Acrobat or another PDF tool, not directly through the GST portal. The GST portal itself uses emSigner for return filing (handled in the browser), not PDF-level signing.

For GST audit reports (Form GSTR-9C format), the chartered accountant or tax auditor signs the PDF using their Class 3 DSC via Adobe Acrobat, following the process in this guide. The signed PDF is then uploaded to the GST portal as an attachment.

Key requirements for GST audit PDF signatures:

Signed using a Class 3 (Individual) DSC in the CA/CMA/tax practitioner's name
Signature must be visible and include the certificate details
PDF must not be password-protected (GST portal may reject encrypted PDFs)
File size: keep signed PDF under 2MB for portal upload (compress images if needed before signing)

14. Alternative Free PDF DSC Signing Tools

If Adobe Acrobat is not available or consistently throwing errors, these alternatives work with Indian DSC tokens:

Free

PDF24 Creator

Download from pdf24.org. Under Sign → Digital signature → Use PKCS#11 module. Point to your token's PKCS#11 DLL. Simple and reliable for basic signing.

Free

Okular (Windows/Linux)

Open-source PDF viewer with digital signature support. Supports PKCS#11 certificates. Good for verification; signing capabilities are basic.

Paid

Nitro PDF Pro

Full PDF editor with DSC signing. Less expensive than Acrobat. Supports PKCS#11 modules. Popular in Indian CA firms as Acrobat alternative.

Free

LibreOffice Draw → Export as PDF

LibreOffice supports digital signatures via PKCS#11 when exporting to PDF. Go to File → Export as PDF → Digital Signatures tab → Select certificate. A free last-resort option.

Using PDF24 to Sign PDF with Indian DSC

Install PDF24

Download PDF24 Creator from pdf24.org and install. It's free and ad-free.

Open PDF24 → Sign

In the PDF24 launcher, select "Sign PDF" or drag your PDF onto the app.

Add Digital Signature

Click "Add digital signature." In the certificate selection, choose "Select from PKCS#11 module." Browse to your token's PKCS#11 DLL. Your DSC certificate should appear — select it.

Enter PIN and Sign

Enter your token PIN when prompted. PDF24 signs the PDF and saves it with the digital signature embedded.

Frequently Asked Questions — PDF Signing with DSC

Why does Adobe Acrobat show an error when signing PDF with DSC?

Adobe Acrobat PDF signing errors are caused by: token driver not installed, PKCS#11 module not registered in Acrobat preferences, outdated Acrobat version not supporting modern cryptographic algorithms, the PDF being locked, or certificate not in Acrobat's trust store. The most common fix: register the PKCS#11 DLL in Acrobat preferences and add CCA India root certificate to the trust store.

What does 'Signature is invalid' mean on a signed PDF?

'Signature is invalid' means: certificate not in Acrobat's trusted roots (most common — add CCA India root cert), certificate expired, document modified after signing, or certificate revoked. Adding CCA India's root certificate to Acrobat's trusted identities fixes 90% of "invalid" signature displays.

How do I sign a PDF with DSC in Adobe Acrobat?

Insert DSC token before opening Acrobat. Open PDF in Acrobat (Pro, not Reader). Tools → Certificates → Digitally Sign. Draw a signature field. Select your DSC certificate. Enter PIN. Save. If certificate doesn't appear, register the PKCS#11 DLL in Acrobat Preferences first.

Can I sign PDF with DSC in Adobe Reader (free version)?

Adobe Reader can sign PDFs only if they are "rights-enabled" by the creator using Acrobat Pro. For non-rights-enabled PDFs, use Acrobat Pro (paid), PDF24 (free), Foxit, or LibreOffice. MCA forms use their own offline form utility for signing.

How to add CCA India root certificate to Adobe Acrobat trusted store?

Download CCA India root certificate from cca.gov.in. In Acrobat: Edit → Preferences → Signatures → Identities & Trusted Certificates → More → Trusted Certificates → Import the CCA India .cer file → Edit Trust → check "Use as trusted root" → OK. Repeat for CCA India 2022 certificate.

Why is my DSC certificate not showing in Adobe Acrobat's signing dialog?

DSC not showing: PKCS#11 module not registered (go to Preferences → Signatures → PKCS#11 Modules → Attach Module → add your token's DLL), token not inserted before opening Acrobat, or certificate expired. Register the PKCS#11 DLL first — this is the most common fix.

What PDF signing software works with DSC in India besides Adobe?

PDF24 Creator (free), Foxit PDF Editor (paid), Nitro PDF Pro (paid), LibreOffice Draw (free), and government-specific tools like MCA's offline form utility. PDF24 is the most popular free alternative and works well with Indian DSC tokens via PKCS#11.

Error: 'The certificate path is not trusted' while signing PDF. How to fix?

Download the complete certificate chain from your CA's website (Root CA, Sub CA, intermediate certificates). In Acrobat, import all certificates under Trusted Certificates with "Use as trusted root" checked. Alternatively, import just the CCA India root certificate which covers all Indian CAs.

Can I sign MCA/ROC PDF forms with DSC without Adobe Acrobat?

Yes. Use MCA's own offline form utility — it has built-in DSC signing that doesn't require Adobe. Fill the form in the MCA utility, click "Attach DSC" in the utility itself, sign with your token, then upload the signed file to the MCA portal without opening it in Acrobat.

Why does signed PDF show 'Signature valid but document modified' warning?

"Document modified" means any change happened after signing — including Save As (use Save instead), compression, printing to PDF, or some PDF viewers adding metadata. After signing, use only Ctrl+S (Save), never Save As. Do not print, compress, or restructure the signed PDF. Send the original signed file as-is.

PDF Signing Issues Blocking Your Compliance Filing?

ClearlyComply helps businesses set up correct DSC PDF signing workflows for MCA, GST, and audit-related documents — ensuring your signatures are valid, trusted, and accepted first time.

Get PDF Signing Help →