PAdES-LTV: keeping signatures valid for decades

18 June 2026 · 7 min read · Nextarp B.V.

A signature that verifies today can quietly fail tomorrow. Certificates expire, revocation lists move, and trust anchors change. For documents that must stay provable for years - contracts, deeds, medical records - you need long-term validation (LTV).

The problem with basic signatures

A basic PAdES signature captures who signed and that the bytes are intact. But to prove the certificate was valid at signing time, a verifier needs the certificate chain and revocation data (CRL or OCSP) from that moment. Years later, that data may be unreachable - and the signature becomes "indeterminate".

What LTV adds

  • Embedded revocation data - the CRL/OCSP responses proving the certificate was good at signing time are stored inside the PDF.
  • Document timestamps - a trusted timestamp fixes when the signature existed, independent of the signer's clock.
  • The full certificate chain - so verification never depends on an external server.

PAdES-B-LTA and refreshing validity

The PAdES-B-LTA profile adds an archival timestamp over everything. Before the newest timestamp certificate itself ages out, you apply a fresh one - each timestamp vouching for the last, forming a chain of trust that can extend indefinitely.

In practice

DocsNG signs with PAdES-B-LTA by default and can refresh validity on a schedule, so a document signed today still verifies cleanly long after the original certificate has expired - with no dependence on a third party being online.

Related articles

DocsNG is the free, self-hostable platform for generating, signing and verifying documents. Get DocsNG or try the live demo.

← Back to the blog