While the requirements on the Key Usage and Extended Key Usage extensions of X.509 certificates for signing PDF documents are somehow documented on A: Changes Across Releases — Digital Signatures Guide for IT, I was not able to find a similar documentation on the requirements for certifying PDF documents.
When I try to use my organization-issued digital certificate with the following KU/EKU purposes, it will be validated as trusted for document signing:
- KU: Digital Signature, Non-Repudiation
- EKU: Client Authentication, Email Protection
However, this certificate is not trusted for certifying documents and I receive the validation warning "The signer's certificate has not been trusted for the purpose of creating Certified documents".
I am not able to find any documentation on what KU/EKU purposes are necessary in order to create valid document certifications. Having said this: What KU/EKU purposes are required for a certificate to be trusted for certifying documents?