paiza

Trust the paiza CA

If Adobe Reader, Chrome, Safari, or another viewer shows "Signer's identity is unknown" or "This certificate is not trusted" on a PDF signed via paiza, you need to add the CA certificate as trusted in the program or system you're using. Three paths are documented below — Adobe Reader (Adobe only), macOS Keychain (system-wide for Chrome + Safari + Mail), and Windows Certificate Store (system-wide for Chrome + Edge + Outlook). Each is a one-time install.

paiza Issuing CA certificate

This is the CA that issues certificates to citizens. DER format, ~1 KB.

https://api.eidmongol.mn/issuing-ca.cer

Download CA certificate (.cer)

Adobe Acrobat Reader

Affects Adobe Reader/Pro only. Other apps (Chrome, Preview, Mail) will still show as untrusted — for those, use the macOS Keychain or Windows section below.

  1. Download the certificate using the button above and save it somewhere convenient.

  2. Open Adobe Acrobat Reader and go to Edit → Preferences (Acrobat → Preferences on macOS).

  3. From the left-hand list click Signatures, then click More... in the Identities & Trusted Certificates section.

  4. In the new dialog go to Trusted Certificates on the left, then click Import at the top.

  5. Click Browse and select the eidmongol-issuing-ca.cer file you downloaded. Highlight the certificate that appears in the list and click OK.

  6. Switch to the Trust tab and tick the Use this certificate as a trusted root checkbox. Also enable the Sign documents and Certify documents options that appear, then click OK.

  7. Close all dialogs and reopen any PDF signed by paiza. The signature now shows a green tick and reads "valid".

macOS Keychain (system-wide for Chrome / Safari / Mail)

Root CAs installed in the macOS System Keychain are trusted by Chrome, Safari, Mail, and every other macOS application. Single install — affects the whole machine.

  1. Download the certificate using the button above and save it to your Downloads folder.

  2. Double-click eidmongol-issuing-ca.cer in Finder — Keychain Access opens automatically. If it doesn't, open Keychain Access from Spotlight and import via File → Import Items.

  3. When prompted for a keychain, choose "login" and click Add. Choosing "System" instead asks for an admin password and affects every user on the machine.

  4. In Keychain Access, go to the Certificates category on the left and locate the paiza Issuing CA certificate.

  5. Double-click the certificate and expand the Trust section in the dialog that opens.

  6. Set the When using this certificate dropdown to Always Trust. Closing the dialog prompts for a password — confirm with Touch ID or your password.

  7. Quit Chrome completely and relaunch it (including all other tabs). Reopen the PDF and check that the trust has been updated in the signature panel.

For CLI users (one-line terminal)
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/Downloads/eidmongol-issuing-ca.cer

This command installs the certificate into the System Keychain with "Always Trust" status. Requires a sudo password. Equivalent result to the GUI steps.
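
Because the file is about to become a trusted root, it is worth comparing its SHA-256 fingerprint with a value obtained from paiza through a separate channel before running the command above. This is an added example, not part of paiza's instructions: the page does not publish a fingerprint, so the expected value is a placeholder argument, and the function names and the 8 KB size limit are assumptions.

```bash
# Added example: gate the root-CA install on a fingerprint check.
# The expected fingerprint is NOT on the page; obtain it from paiza out of band.

# Print the lowercase hex SHA-256 of a file. For a DER-encoded .cer this is
# the certificate's SHA-256 fingerprint.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1      # Linux
  else
    shasum -a 256 "$1" | cut -d' ' -f1  # macOS
  fi
}

# Normalise a fingerprint: strip colons and spaces, lowercase the hex digits.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if FILE looks like a small DER certificate and its SHA-256
# matches EXPECTED. Non-zero codes: 1 mismatch, 2 missing, 3 shape, 4 bad input.
verify_ca_file() {
  file=$1 expected=$(normalize_fp "$2")
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  # DER starts with an ASN.1 SEQUENCE tag (0x30); a PEM file starts with "-".
  first=$(head -c 1 "$file" | od -An -tx1 | tr -d ' \n')
  [ "$first" = "30" ] || { echo "not DER-encoded" >&2; return 3; }
  # The page describes the file as ~1 KB; 8 KB is an assumed upper bound.
  size=$(wc -c < "$file" | tr -d ' ')
  [ "$size" -le 8192 ] || { echo "unexpected size: $size bytes" >&2; return 3; }
  [ "${#expected}" -eq 64 ] || { echo "expected value is not SHA-256" >&2; return 4; }
  actual=$(sha256_hex "$file")
  [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
}

# When run as: script <cert.cer> <expected-fingerprint>
# install into the System Keychain only after the check passes (macOS).
if [ "$#" -eq 2 ]; then
  verify_ca_file "$1" "$2" && sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain "$1"
fi
```

The same check applies before the Adobe and Windows imports: compute the fingerprint first and only continue with the dialog steps if it matches.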

Windows Certificate Store (system-wide for Chrome / Edge / Outlook)

A CA installed in the Windows Trusted Root Certification Authorities store is automatically trusted by Chrome, Edge, Outlook, Office, and every other Windows application.

  1. Download the certificate using the button above and save it to your Downloads folder.

  2. In File Explorer, right-click eidmongol-issuing-ca.cer and choose Install Certificate.

  3. Set Store Location to Local Machine (all users) or Current User (yourself only) and click Next.

  4. Select Place all certificates in the following store and click Browse. Choose Trusted Root Certification Authorities, then OK and Next.

  5. Click Finish at the end, and if Windows shows a security warning, click Yes to confirm.

  6. Quit Chrome / Edge entirely, relaunch, and check the PDF. Certificate trust is also updated in Outlook and Office.

Why is a manual install required?

Adobe Reader only auto-trusts CAs listed in the Adobe Approved Trust List (AATL) or the EU Trusted List. Enrolling paiza in AATL requires a WebTrust for CAs audit, fees, and several months of review — that work is ongoing.

Technically the signature cryptography is sound (SHA-256 + RFC 3161 timestamp + RFC 6960 OCSP); the only gap is that the CA name isn't yet in Adobe's worldwide trust store. Once you add the CA as a trusted root, every future signed PDF will validate automatically.

Chrome's built-in PDF viewer: The PDF viewer built into Chrome and Edge (Chromium's PDFium engine) doesn't automatically validate PDF signature trust. No matter how many roots you install in the System Keychain, the signature still shows as "untrusted" in Chrome. This is a known Chromium limitation, not a problem with your configuration. To check such a PDF, verify it server-side on the /verify page.

For verifiers: If you're an RP (relying party) verifying many PDF signatures, using the /verify endpoint on the website is more reliable: it runs CRL + OCSP checks on the backend, so it doesn't depend on the trust store of the user's PDF reader. Every PDF has an embedded QR code; scan it with your phone to go straight to the /verify/<id> page.