How to Verify a Qualified Electronic Signature (QES)
You’ve received a PDF document with a qualified electronic signature—but how do you know it’s legitimate? Can you trust that the signature is authentic, that the document hasn’t been tampered with, and that it carries legal weight?
Verification is where the true power of QES becomes apparent. Unlike handwritten signatures that require forensic analysis to authenticate, qualified electronic signatures can be verified instantly by anyone, anywhere, using free tools—and the verification is mathematically certain, not subjective.
This comprehensive guide shows you exactly how to verify QES signatures using multiple methods, what each validation check means, and how to interpret the results for complete confidence in your signed documents.
Why Signature Verification Matters
Before diving into the how-to, let’s understand why QES verification is a game-changer compared to traditional signatures.
The Problem with Handwritten Signatures
When you receive a document with a handwritten signature, verification is difficult and expensive:
- No built-in authentication: Anyone can forge a signature
- Subjective analysis: Handwriting experts may disagree on authenticity
- Costly process: Forensic analysis can cost thousands
- Time-consuming: Authentication takes days or weeks
- No tampering detection: Document modifications are difficult to detect
- Limited evidence: Only the signature itself provides proof
The QES Verification Advantage
Qualified electronic signatures solve all these problems:
- Instant verification: Results in seconds, not weeks
- Mathematical certainty: Cryptographic proof, not subjective opinion
- Free tools: Anyone can verify using standard PDF readers
- Automatic tampering detection: Any modification invalidates the signature
- Complete audit trail: Identity, timestamp, certificate chain, trust service provider
- Legal certainty: Verification confirms eIDAS compliance and legal equivalence
Real-World Scenario
Situation: You receive a €500,000 contract signed by a potential partner. Before committing your company’s resources, you need absolute certainty the signature is legitimate.
With handwritten signature: Hire forensic expert (€2,000-5,000), wait 1-2 weeks, receive subjective opinion that could be challenged in court.
With QES: Open PDF in Adobe Reader (free), receive instant mathematical proof of authenticity, complete identity verification, and tampering detection—all in 10 seconds.
What QES Verification Checks
When you verify a qualified electronic signature, multiple security layers are validated simultaneously:
1. Signature Authenticity
What it checks: Was this signature created using the private key associated with the certificate?
How it works: The verification software uses the public key from the certificate to decrypt the signature and compare it against a fresh calculation of the document’s hash.
What it proves: The signature was created by whoever controls the private key—no one else could have created this exact signature.
2. Signer Identity
What it checks: Who is the person behind this signature?
How it works: Extracts identity information from the qualified certificate (name, sometimes email, country, serial number).
What it proves: The identity was verified by a regulated Qualified Trust Service Provider (QTSP) before certificate issuance.
3. Document Integrity
What it checks: Has the document been modified since signing?
How it works: Recalculates the cryptographic hash of the current document and compares it to the hash embedded in the signature.
What it proves: Even a single character change would produce a completely different hash, instantly revealing tampering.
4. Certificate Validity
What it checks: Was the certificate valid when the signature was created?
How it works: Verifies the certificate was not expired or revoked at the time of signing.
What it proves: The signature was created during the certificate’s valid period.
5. Trust Chain Validation
What it checks: Is the certificate issued by a legitimate QTSP?
How it works: Traces the certificate back through the certificate chain to a root authority listed on the EU Trusted List.
What it proves: The signature comes from a regulated, supervised trust service provider meeting eIDAS requirements.
6. Timestamp Verification
What it checks: When was the signature created?
How it works: Validates the trusted timestamp from an independent timestamp authority.
What it proves: The exact date and time of signing, which cannot be backdated or manipulated.
All Six Checks Must Pass: For a qualified electronic signature to be valid, every single verification check must pass. If any one fails, the signature cannot be trusted. This all-or-nothing approach provides ironclad security.
Method 1: Verify with Adobe Acrobat Reader (Recommended)
Adobe Acrobat Reader is the most widely used and trusted method for verifying QES signatures. It’s free, handles all verification steps automatically, and works on Windows, Mac, and mobile devices.
Step-by-Step Verification Process
1Download and Install Adobe Acrobat Reader
If you don’t already have it:
- Visit get.adobe.com/reader
- Download the free version for your operating system
- Install following the standard prompts
- No premium subscription needed—free version handles QES verification
2Open the Signed PDF
Open your signed PDF document in Adobe Acrobat Reader. You’ll immediately see visual indicators of the signature:
- Blue banner at top: “Signed and all signatures are valid”
- Signature panel: Left sidebar showing signature details
- Signature field: Visual signature box in the document
3Click on the Signature
Click directly on the signature field in the document or on the signature in the left panel. A pop-up window appears showing:
- Signature validity status
- Signer’s name
- Signing date and time
- Certificate details
4View Signature Properties
Click “Signature Properties” in the pop-up to see detailed information:
- Signer tab: Full identity information from certificate
- Date/Time tab: Timestamp details
- Legal tab: Signature validity and document status
- Advanced tab: Technical certificate details and trust chain
5Verify Certificate Details
In the Advanced tab, click “Show Certificate” to examine:
- Subject: Signer’s verified identity
- Issuer: QTSP that issued the certificate
- Validity period: Certificate start and expiry dates
- Certificate chain: Trust path to root authority
- Extensions: Qualified certificate indicators
Interpreting Adobe’s Validation Results
✓ Valid – All verification checks passed. The signature is cryptographically valid, the certificate was valid at signing time, and the document has not been modified.
✗ Invalid – One or more verification checks failed. The signature may be forged, the document may be tampered with, or the certificate may have been revoked.
⚠ Unknown – Adobe cannot verify the trust chain, usually because the QTSP’s root certificate is not in Adobe’s trusted list. This doesn’t mean the signature is invalid—just that additional verification is needed.
Automatic Trust List Updates
Adobe Acrobat Reader automatically checks the EU Trusted List and updates its trusted certificates. To ensure you have the latest trust information:
- Go to Edit → Preferences → Signatures → Verification
- Enable “Verify signatures when the document is opened”
- Enable “Require certificate revocation checking”
- Adobe will automatically download updates from the EU Trusted List
Pro Tip: Enable “Verify signatures when the document is opened” in Adobe preferences. This ensures automatic verification every time you open a signed PDF—no manual checking required.
Method 2: Use Online Validation Services
Online validation services provide independent verification, useful when you need a second opinion or are working with documents signed by less common QTSPs.
DSS Validator by European Commission
Website: ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation
Best for: Official EU validation with guaranteed eIDAS compliance checking
How to use:
- Visit the DSS Validator website
- Upload your signed PDF
- Click “Validate”
- Review the detailed validation report
What you get:
- Comprehensive validation report
- eIDAS compliance assessment
- Signature level determination (QES, AES, SES)
- Certificate path validation
- Revocation checking
- Timestamp verification
National Validation Portals
Many EU member states provide their own validation services:
- Belgium: FedICT signature verification service
- Germany: BundesIdent signature verification
- France: ANSSI signature validation
- Spain: @Firma verification service
- Italy: AgID signature validation
Advantages: Optimized for national QTSPs, sometimes provide additional legal documentation
QTSP Verification Tools
Some Qualified Trust Service Providers offer their own verification tools:
- itsme signature verification
- Evrotrust validation service
- Adacom signature checker
- Other QTSP-specific validators
Note: While convenient, these validate primarily their own certificates. For third-party verification, use EU or national validators.
Understanding Online Validation Reports
Online validators typically provide detailed reports including:
- Validation conclusion: TOTAL-PASSED, TOTAL-FAILED, or INDETERMINATE
- Signature format: PAdES, XAdES, CAdES identification
- Signature level: QES, AES, or SES determination
- Certificate chain: Complete trust path visualization
- Revocation status: OCSP or CRL checking results
- Timestamp analysis: Trusted timestamp validation
- Document integrity: Hash comparison results
Method 3: Alternative PDF Readers
Several alternative PDF readers also support QES verification, though with varying levels of EU Trusted List integration.
Foxit PDF Reader
Signature verification: Yes, with EU Trusted List support
How to verify:
- Open signed PDF in Foxit Reader
- Click on the signature field
- View signature details and validation status
- Check certificate chain in properties
Advantages: Lighter than Adobe, faster load times
Limitations: Trust list updates may be less frequent than Adobe
PDF-XChange Editor
Signature verification: Yes, supports qualified signatures
Features:
- Detailed signature panel with validation results
- Certificate chain visualization
- Timestamp verification
- Customizable trust settings
Browser-Based PDF Viewers
Chrome, Edge, Firefox built-in viewers:
Signature verification: Limited or none
Recommendation: Do not rely on browser viewers for QES verification. They may display signature fields but lack proper validation capabilities.
Important: Always use dedicated PDF software or official online validators for QES verification. Browser PDF viewers and simple PDF readers often cannot properly validate qualified signatures or check the EU Trusted List.
Understanding Validation Results
Knowing how to interpret validation results is crucial for making informed decisions about signed documents.
Complete Validation Success
Indicators:
- Green checkmark or “Valid” status
- Blue banner: “Signed and all signatures are valid”
- All certificate chain elements trusted
- Document integrity confirmed
- Timestamp validated
Meaning: The signature is cryptographically valid, created by the named individual, the document hasn’t been modified, the certificate was valid at signing time, and the QTSP is legitimate.
Action: You can confidently accept this document as legally binding.
Validation Warnings
Indicators:
- Yellow warning icon
- Message: “At least one signature has problems”
- Status: “Unknown” or “Cannot be verified”
Common causes:
- Trust list not updated: QTSP not in your software’s trusted list
- Offline verification: Software cannot reach revocation servers
- Expired certificate: Certificate expired after signing (but signature may still be valid via LTV)
- Unknown timestamp authority: Timestamp source not recognized
Action: Use an online validator like DSS Validator for independent verification. Check if your PDF software needs trust list updates.
Validation Failures
Indicators:
- Red X or “Invalid” status
- Message: “Document has been altered or corrupted”
- Certificate revoked or not valid
Common causes:
- Document modified: Content changed after signing
- Certificate revoked: Certificate was revoked after signing
- Forged signature: Signature doesn’t match document hash
- Corrupted file: PDF file damaged during transmission
Action: Do not accept the document. Contact the sender to verify authenticity and request a new signed copy if legitimate.
Critical: Never Accept Invalid Signatures
If verification shows a signature as invalid or the document as tampered, stop immediately. Request clarification from the sender before proceeding. An invalid signature has no legal effect under eIDAS.
Verifying Multiple Signatures
Documents may contain multiple signatures from different signers—contracts with multiple parties, approval workflows, counter-signatures.
How Multiple Signatures Work
Each signature is independent and self-contained:
- Each signer creates their own signature with their own certificate
- Signatures are added sequentially or in parallel
- Each signature references the document state at the moment of signing
- Later signatures cover earlier signatures (providing additional integrity protection)
Verifying Multi-Signature Documents
In Adobe Acrobat Reader:
- Open the document—all signatures appear in the signature panel
- Adobe validates all signatures automatically
- Green checkmark appears only if all signatures are valid
- Click each signature individually to review details
- Check that all signers have qualified certificates
Signature Order and Timestamps
When verifying multi-signature documents, check:
- Signature sequence: Who signed first, second, third, etc.
- Timestamp accuracy: Ensure signing order matches expected workflow
- Certificate validity windows: All certificates valid at their respective signing times
- Document versions: No content changes between signatures (unless expected)
Counter-Signatures: Some documents use counter-signatures where a second party signs the first signature (not the document). This creates a “signature of a signature” for additional validation. Adobe displays counter-signatures hierarchically in the signature panel.
Long-Term Validation (LTV) Explained
One of QES’s most powerful features is Long-Term Validation—the ability to verify signatures even decades after creation.
The Long-Term Validation Problem
Digital signatures face unique time-based challenges:
- Certificates expire: Typically valid 1-3 years
- Algorithms become obsolete: Cryptographic methods weaken over time
- Revocation data disappears: OCSP/CRL servers may not maintain historical records
- Trust services evolve: QTSPs may change or cease operations
Without LTV, a signature might become unverifiable after a few years—even though it was valid when created.
How LTV Solves This
Long-Term Validation embeds all validation data directly in the signed document:
- Complete certificate chain: From signer to root authority
- Revocation information: OCSP responses or CRLs at signing time
- Trusted timestamps: Prove signature creation time
- Trust anchor information: Link to EU Trusted List
Verifying LTV-Enabled Signatures
Verification works even years later because:
- All validation data is embedded in the PDF
- Timestamps prove the signature was created when the certificate was valid
- Revocation data shows the certificate wasn’t revoked at signing time
- No internet connection needed for verification
Legal Permanence: Thanks to LTV, a QES created today remains legally valid and verifiable for decades—even after your certificate expires, the QTSP changes systems, or cryptographic standards evolve.
Common Verification Issues and Solutions
Issue: “Cannot Verify Certificate” Warning
Cause: Your PDF reader doesn’t have the QTSP’s root certificate in its trusted list.
Solution:
- Update Adobe Acrobat Reader to the latest version
- Enable automatic trust list updates in preferences
- Use the EU DSS Validator for independent verification
- Manually import the QTSP’s root certificate (advanced)
Issue: “Revocation Status Unknown”
Cause: Your computer cannot reach the revocation checking servers (OCSP/CRL).
Solution:
- Check your internet connection
- Verify firewall isn’t blocking OCSP/CRL requests
- For LTV-enabled signatures, revocation data is embedded—no internet needed
- Use online validators that handle revocation checking server-side
Issue: “Signature Validity Unknown”
Cause: Multiple possible causes including unsupported signature format or missing validation data.
Solution:
- Try opening in a different PDF reader
- Upload to DSS Validator for comprehensive analysis
- Contact the signer to verify the signature creation method
- Check if the signature is actually a qualified signature (QES) or a lower level
Issue: Expired Certificate but Valid Signature
Cause: The certificate expired after the document was signed (this is normal).
Solution:
- This is actually correct behavior—not an error
- Check that the signature timestamp is before the certificate expiry date
- If timestamp is within validity period, the signature remains valid
- LTV data preserves this validity permanently
Issue: “Document Has Been Modified”
Cause: The document content changed after signing.
Solution:
- Contact the sender immediately—this could indicate tampering
- Request an unmodified original
- Check if modifications were intentional (e.g., adding a counter-signature)
- Some PDF operations (compression, OCR) can invalidate signatures
Verification Comparison Table
| Verification Method | Cost | Speed | Trust List Coverage | Best For |
|---|---|---|---|---|
| Adobe Acrobat Reader | Free | Instant | Excellent | Everyday use, routine verification |
| EU DSS Validator | Free | 10-30 seconds | Complete | Official verification, detailed reports |
| National Validators | Free | 10-30 seconds | Excellent (national focus) | Local QTSPs, legal documentation |
| Alternative PDF Readers | Free/Paid | Instant | Variable | Adobe alternative, specific features |
| QTSP Validators | Free | Instant | Limited (own certificates) | Quick checks, specific QTSPs |
Key Takeaways
- Instant verification with mathematical certainty: Unlike handwritten signatures requiring expensive forensic analysis, QES can be verified in seconds by anyone using free tools like Adobe Acrobat Reader, with cryptographic proof rather than subjective opinion.
- Six critical security checks automatically performed: Verification confirms signature authenticity, signer identity, document integrity, certificate validity, trust chain to EU Trusted List, and timestamp accuracy—all six must pass for a valid signature.
- Adobe Acrobat Reader is the recommended method: Free, universally available, automatically updates the EU Trusted List, and provides instant validation results with detailed certificate information—open the PDF and verification happens automatically.
- Multiple verification methods provide flexibility: Beyond Adobe, use the EU DSS Validator for official reports, national validation portals for local QTSPs, or alternative PDF readers—each method cross-validates the same cryptographic proof.
- Long-Term Validation ensures permanent verifiability: LTV embeds all validation data directly in signed PDFs, making signatures verifiable decades later even after certificates expire, QTSPs change systems, or revocation servers disappear—legal validity preserved forever.
Create Verifiable QES Signatures in Minutes
QES-Sign provides instant access to three certified QTSPs (itsme, Evrotrust, Adacom) covering 85 countries worldwide. Every signature you create includes automatic Long-Term Validation and can be verified by anyone using free tools—no subscription required.