Add Long-Term Validation (PAdES-LTV) information to PDF signatures in C# and VB.NET

The Long-Term Validation (LTV) information for PDF signatures helps verify digital signatures long after their creation. Without LTV, a digital signature becomes unverifiable once the signer's certificate expires or revocation data is no longer available. This is often unacceptable for legal and financial PDF documents that must remain trustworthy for years.

This article consists of two parts: theoretical and practical. First, you will learn basic information about PAdES-LTV signatures. Then, you will explore how to add LTV information to PDF signatures in C# using Docotic.Pdf library. You can get the library and a free time-limited license key on the Download C# .NET PDF library page.

Docotic.Pdf library 9.7.18373 Regression tests 15,244 passed Total NuGet downloads 5,976,723

Long-Term Validation (LTV)

PAdES - PDF Advanced Electronic Signatures

European Telecommunications Standards Institute (ETSI) has published several standards for electronic signatures. In particular, the Institute defines the PDF Advanced Electronic Signature (PAdES) standard in the ETSI EN 319 142 specification. PAdES outlines how to make PDF signatures compliant with the European eIDAS regulations.

The core concept of LTV signatures involves embedding validation-related information (VRI) into a PDF. This information makes it possible to validate PDF signatures after a long period of time, even when the signing environment is no longer available.

The ETSI EN 319 142-1 specification defines four levels of PAdES baseline signatures: B-B, B-T, B-LT, and B-LTA. In this article, I will focus on the B-LT and B-LTA levels, as they relate to LTV-enabled signatures in PDF.

PAdES-B-B

Short-term digital PDF signatures in the ETSI.CAdES.detached format correspond to this level. The Sign PDF documents in C# and VB.NET article explains how to create such signatures.

PAdES-B-T

B-T signatures must meet the B-B level requirements and also include a timestamp.

PAdES-B-LT

B-LT signatures must conform to the B-T level. Additionally, a PDF file must include the Document Security Store (DSS) dictionary with the following data:

  • All certificates in the trust chain
  • Online Certificate Status Protocol (OCSP) responses
  • Certificate Revocation Lists (CRLs)

Advanced Electronic Signatures correspond to this level.

PAdES-B-LTA

B-LTA signatures must conform to the B-LT level. Additionally, a PDF file must include a document timestamp signature and VRI for the document timestamp certificate.

Qualified Electronic Signatures correspond to this level.

PAdES Validation

One option is to use Adobe Acrobat Pro or Adobe Reader. Open the Signature Panel and expand a digital signature to check its status. If the signature is valid, you will see either "Signature is LTV enabled" or "Signature is not LTV enabled and will expire after".

Signature is LTV enabled in Adobe Reader

Another option is to use the European Commission's PAdES validator. This method works best when validating EU (eIDAS)-compliant documents.

There is also the Signatures Conformance Checker from ETSI. This service is primarily designed for developers who work on signing or validation tools.

Keep in mind that these validators may provide different results for the same PDF document.

Talk is cheap. Show me the code.

Create LTV-enabled PDF signatures in C# and VB.NET

It's time to write some code! Docotic.Pdf provides the PdfDocument.AddLtvInfo methods to add LTV information to PDF signatures. To produce B-LTA signatures, you will also need the PdfDocument.TimestampAndSave methods to save PDFs with document timestamp signatures.

How to create PAdES-B-LT signatures in C#

The process of creating B-LT signatures consists of three steps:

  1. Create a B-T signature and save the document.
  2. Open the signed document and add LTV information.
  3. Save the final document incrementally.

Here is the C# code to create B-LT signatures. You can also download the full Create LTV-enabled PDF signature sample project from GitHub:

// 1. Create a PAdES-B-T signature
using var step1 = new MemoryStream();
using (var pdf = new PdfDocument())
{
    var options = new PdfSigningOptions(..)
    {
        DigestAlgorithm = PdfDigestAlgorithm.Sha256,
        Format = PdfSignatureFormat.CadesDetached,
    };
    options.Timestamp.AuthorityUrl = new Uri("http://timestamp.digicert.com");

    pdf.SignAndSave(options, step1);
}

// 2. Open the signed document and add LTV information
using (var pdf = new PdfDocument(step1))
{
    pdf.AddLtvInfo();

    // 3. Save the final document incrementally
    var incrementalOptions = new PdfSaveOptions()
    {
        WriteIncrementally = true,
    };
    pdf.Save("b-lt.pdf", incrementalOptions);
}

There are a few key points to consider. First, you can create PdfSigningOptions using a PKCS#12 certificate (.pfx or .p12 file) or an external signer. Regardless of the method, for PAdES conformance, the Format option must be set to PdfSignatureFormat.CadesDetached.

This code snippet uses http://timestamp.digicert.com, but you can use any other timestamp authority (TSA). Here are some popular alternatives:

http://timestamp.comodoca.com/rfc3161
http://timestamp.sectigo.com
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://rfc3161timestamp.globalsign.com/advanced

To comply with ETSI specifications, you should use an eIDAS-approved TSA. You can choose one using the EU/EEA Trusted List Browser.

Saving the intermediary document after the first step is mandatory. You must sign and save the document before appending LTV information. However, there is one exception to this rule, which I explain below in the Certify PDF with LTV section.

The WriteIncrementally = true line in step three enables incremental saving. Incremental updates do not invalidate digital signatures. You should always save PDF files incrementally when adding LTV information.

How to create PAdES-B-LTA signatures in C#

Generating B-LTA signatures is similar, except for step three. You should:

  1. Create a B-T signature and save the document.
  2. Open the signed document and add LTV information.
  3. Save the final document incrementally with a document timestamp signature.

This code sample shows how to create B-LTA signatures in C#:

var timestampAuthorityUrl = new Uri("http://timestamp.digicert.com");

// 1. Create a PAdES-B-T signature
using var step1 = new MemoryStream();
using (var pdf = new PdfDocument())
{
    var options = new PdfSigningOptions(..)
    {
        DigestAlgorithm = PdfDigestAlgorithm.Sha256,
        Format = PdfSignatureFormat.CadesDetached,
    };
    options.Timestamp.AuthorityUrl = timestampAuthorityUrl;

    pdf.SignAndSave(options, step1);
}

// 2. Open the signed document and add LTV information
using (var pdf = new PdfDocument(step1))
{
    pdf.AddLtvInfo();

    // 3. Save the final document incrementally with a document timestamp signature
    var timestampOptions = new PdfSignatureTimestampOptions
    {
        AuthorityUrl = timestampAuthorityUrl,
    };
    var incrementalOptions = new PdfSaveOptions()
    {
        WriteIncrementally = true,
    };
    pdf.TimestampAndSave(timestampOptions, "b-lta.pdf", incrementalOptions);
}

The final b-lta.pdf document contains two signatures—the main signature from step one and the document timestamp signature from step three. You might notice that Adobe Acrobat displays the "Signature is LTV enabled" message for both signatures. How is it possible that the document timestamp signature is LTV-enabled even though it was created after the AddLtvInfo call?

The key is to use the same TSA for both the signature timestamp and the document timestamp. The AddLtvInfo method adds VRI for the timestamp certificate. The document timestamp then uses the same certificate and reuses the associated data.

Can't use the same TSA for the document timestamp? I will review this case in the PAdES-B-T to B-LTA conversion section.

Add LTV information to existing PDF signatures in C# and VB.NET

So far, I have created LTV-enabled signatures from scratch. However, it's often necessary to modify existing PAdES-B-T signatures. For example, to convert them to B-LT or B-LTA, or to refresh LTV information.

As with previous examples, you need to:

  1. Open the signed document and add LTV information.
  2. Save the final document incrementally, with or without a document timestamp signature.

Here are the corresponding code snippets.

How to convert PAdES-B-T signatures to B-LT in C# 

using var pdf = new PdfDocument("b-t.pdf");
pdf.AddLtvInfo();

var incrementalOptions = new PdfSaveOptions()
{
    WriteIncrementally = true,
};
pdf.Save("b-lt.pdf", incrementalOptions);

How to convert PAdES-B-T signatures to B-LTA in C# 

using var pdf = new PdfDocument("b-t.pdf");
pdf.AddLtvInfo();

var timestampOptions = new PdfSignatureTimestampOptions
{
    AuthorityUrl = new Uri("http://timestamp.digicert.com"),
};
var incrementalOptions = new PdfSaveOptions()
{
    WriteIncrementally = true,
};
pdf.TimestampAndSave(timestampOptions, "b-lta.pdf", incrementalOptions);

Download the complete Add LTV information to existing signatures sample project on GitHub.

Add LTV information to a document timestamp signature

Existing B-T signatures might use an arbitrary TSA that differs from the one used in this example. In such cases, Adobe Acrobat will display the "Signature is not LTV enabled" message for the document timestamp signature.

How can you make it LTV-enabled? You need to add LTV information to the document timestamp signature:

var timestampOptions = new PdfSignatureTimestampOptions
{
    AuthorityUrl = new Uri("http://timestamp.digicert.com"),
};
var incrementalOptions = new PdfSaveOptions()
{
    WriteIncrementally = true,
};

using var intermediate = new MemoryStream();
using (var pdf = new PdfDocument("b-t.pdf"))
{
    pdf.AddLtvInfo();
    pdf.TimestampAndSave(timestampOptions, intermediate, incrementalOptions);
}

// Add LTV information to the document timestamp signature
using (var pdf = new PdfDocument(intermediate))
{
    pdf.AddLtvInfo();
    pdf.TimestampAndSave(timestampOptions, "b-lta.pdf", incrementalOptions);
}

Certify PDF with LTV in C# and VB.NET

Digital signatures in certified PDF documents do not allow any modifications. PDF reader applications display such signatures with a special icon and a caption that begins with "Certified by".

Certified PDF signature displayed in Adobe Acrobat

Any changes to a certified PDF will invalidate the signature, meaning you cannot add LTV information without breaking the certification.

Docotic.Pdf provides the ability to generate certified PDF documents with LTV information. Use the AddLtvInfo(PdfSigningOptions) overload to add LTV information during signing. This code sample demonstrates how to certify PDF with a B-LT signature in C#:

using var pdf = new PdfDocument();

var options = new PdfSigningOptions(..)
{
    DigestAlgorithm = PdfDigestAlgorithm.Sha256,
    Format = PdfSignatureFormat.CadesDetached,
    Type = PdfSignatureType.AuthorNoChanges,
};
options.Timestamp.AuthorityUrl = new Uri("http://timestamp.digicert.com");

pdf.AddLtvInfo(options);

pdf.SignAndSave(options, "certified-b-lt.pdf");

Explore the Certify PDF with LTV signatures code sample on GitHub.

As of June 2025, Adobe Acrobat supports certified PDF documents with B-LT signatures but considers B-LTA signatures in certified documents invalid.

Conclusion

You can add Long-Term Validation (LTV) information to PDF signatures to guarantee legal compliance and long-term trust. The PAdES standard defines rules and conformance levels for PDF signatures.

It is recommended to sign with at least PAdES-B-T signatures. B-T signatures can be converted to Advanced Electronic Signatures (B-LT) or Qualified Electronic Signatures (B-LTA) without breaking existing validations.

Use Docotic.Pdf library to add LTV information to PDF signatures in .NET applications. You can even certify PDF documents with LTV.

Explore code samples for digital signatures in PDF on GitHub. Check related articles for additional information:

Frequently Asked Questions

How do I avoid the "Signature validity is unknown" message in Adobe Acrobat?

Adobe Acrobat displays the "Signature validity is unknown" warning when it cannot verify the signer's certificate. This usually happens when the certificate is missing, untrusted, self-signed, revoked, expired, or not yet active.

Get the right certificate to avoid the warning or create EU (eIDAS)-compliant documents.

Alternatively, you can manually add certificates to "Trusted Certificates" in Adobe Acrobat. This option is available under: Menu > Preferences > Signatures > Identities & Trusted Certificates.

If you need to trust a certificate for certified documents, make sure to grant the corresponding permission:

Configuring trust settings in Adobe Acrobat

How do I check whether a PDF signature is LTV-enabled?

You can use Adobe Reader or European Commission's PAdES validator. Explore the PAdES validation section for more details.

Why does Adobe Acrobat display "The signature is not LTV enabled"?

Adobe Acrobat checks revocation information as part of the signature validation process. If it needs to download any data, the corresponding signature is not LTV enabled.

How do I make a PDF signature comply with ETSI specifications?

Follow the requirements for PDF Advanced Electronic Signatures. You need to use certificates issued by providers listed in the European Union Trusted Lists (EUTL).

How do I achieve the "Signature is LTV enabled" indicator in Adobe Reader?

First, the signature must conform to at least PAdES-B-T level. Then, you need to add LTV information, including all certificates in the trust chain, OCSP responses, and CRLs .

The sections Create LTV-enabled PDF signature and Add LTV information to existing PDF signatures explain how to add LTV information in C# and VB.NET.

How do I enable LTV for a document timestamp signature?

The process is similar to regular PDF signatures. You need to add LTV information for document timestamp signature to the DSS dictionary.

Refer to the code sample in the Add LTV information to a document timestamp signature section.

Is it possible to perform LTV and timestamping in the same operation?

Yes! Check the code sample in the How to convert PAdES-B-T signatures to B-LTA section.

How do I create a digital signature with LTV in C#?

Use Docotic.Pdf library. To produce Advanced Electronic Signatures, look at the code samples in the How to create PAdES-B-LT signature section. To create Qualified Electronic Signatures, check the How to create PAdES-B-LTA signature section.

How do I enable LTV for a signature when "no changes are allowed"?

For certified documents, Adobe Acrobat requires that all LTV data be included in the original signed document. Read the Certify PDF with LTV section for more details.

How do I enable Long-Term Validation (LTV) when signing PDF documents externally?

Use Docotic.Pdf library to sign PDF documents with LTV using USB tokens, smart cards, or cloud-based HSMs. Check the How to sign PDFs with USB tokens and HSM devices in C# and VB.NET article and the How to create PAdES-B-LT signature section.

How do I sign a PDF with multiple signatures and enable LTV?

Combine the Sign a PDF form by multiple people and Add LTV information to existing signatures code samples.