Types of DocuSign certificate errors
DocuSign throws three broad classes of certificate error. Identifying which one you have determines the fix.
- Validation errors — "Your certificate could not be validated": the certificate exists but fails a check (expired, revoked, or chain incomplete).
- Trust errors — "Certificate is not trusted by DocuSign": the issuing CA isn't on DocuSign's accepted list, or intermediates are missing.
- Not-found errors — "No digital ID found": DocuSign can't see any usable signing certificate at all (token/middleware/browser problem).
Error: "Your certificate could not be validated"
Validation fails when the certificate is present but doesn't pass DocuSign's checks. Work through these in order.
- Confirm the certificate hasn't expired (check the Not After date in certmgr.msc).
- Check your computer clock — a clock more than ~5 minutes off UTC breaks timestamp validation.
- Ensure the full chain (root + intermediates) is installed, not just the end-entity certificate.
- Verify the certificate isn't revoked (the CA's CRL/OCSP must be reachable).
certutil -verify -urlfetch C:\path\to\exported-cert.cer
Error: "Certificate is not trusted by DocuSign"
This means the chain doesn't resolve to a certificate authority DocuSign accepts. Either an intermediate certificate is missing locally, or the issuing CA simply isn't on DocuSign's list.
Add the certificate to the Windows trusted store
- Export the missing intermediate/root from your CA's site.
- Run certmgr.msc → import the intermediate into Intermediate Certification Authorities and the root into Trusted Root Certification Authorities.
- Re-open the DocuSign signing flow and try again.
certutil -addstore -user CA intermediate-ca.cer
certutil -addstore -user Root root-ca.cer
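The validation checklist and the trust-store fix above both come down to what Windows concludes when it builds the chain. This added example (not DocuSign or Microsoft code; `Test-SigningCertChain` is a hypothetical helper name) builds the chain for the exported certificate with online revocation checking and maps each failure flag to the cause described in this guide. It reports the local Windows verdict only and cannot tell you whether the issuing CA is on DocuSign's accepted list.

```powershell
# Added example. Test-SigningCertChain is a hypothetical helper name, not a
# DocuSign or Windows cmdlet. It reports the local Windows verdict only.
function Test-SigningCertChain {
    param([Parameter(Mandatory)][string]$Path)

    $x509  = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path
    $chain = New-Object "$x509.X509Chain"
    # Fetch CRL/OCSP over the network, as certutil -urlfetch does.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chainOk = $chain.Build($cert)

    # X509ChainStatusFlags value -> the matching cause from this guide.
    $cause = @{
        NotTimeValid            = 'Expired or not yet valid: check Not After and the PC clock'
        Revoked                 = 'Revoked by the issuing CA'
        RevocationStatusUnknown = 'Revocation status unknown: CRL/OCSP could not be checked'
        OfflineRevocation       = 'CRL/OCSP endpoint not reachable from this machine'
        PartialChain            = 'Issuer missing: import the intermediate (and root) certificates'
        UntrustedRoot           = 'Root is not in Trusted Root Certification Authorities'
    }

    # Walk leaf -> root so each problem is tied to the certificate that has it.
    $findings = foreach ($element in $chain.ChainElements) {
        foreach ($status in $element.ChainElementStatus) {
            $flag = $status.Status.ToString()
            if ($flag -eq 'NoError') { continue }
            $why = $cause[$flag]   # $null for flags not listed above
            if (-not $why) { $why = $status.StatusInformation.Trim() }
            [pscustomobject]@{
                Certificate = $element.Certificate.Subject
                Flag        = $flag
                LikelyCause = $why
            }
        }
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        ChainLength = $chain.ChainElements.Count
        ChainOk     = $chainOk
        Findings    = @($findings)
    }
}

# Placeholder path, same as in the certutil -verify line.
$result = Test-SigningCertChain -Path 'C:\path\to\exported-cert.cer'
$result | Format-List Subject, NotAfter, ChainLength, ChainOk
$result.Findings | Format-Table -AutoSize -Wrap
```

Windows can download a missing intermediate through the certificate's AIA URL during the build, so a clean result here does not prove the intermediate is installed in the local store.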
DocuSign's approved certificate authorities
DocuSign's certificate-based signing only trusts certificates that chain to a CA on its accepted-issuer list — including DocuSign-issued certificates and several public trust-service providers. A self-signed certificate will appear in the picker but fail at submission.
- DocuSign-issued signing certificates (via DocuSign's own CA).
- Recognised public CAs and EU/eIDAS trust-service providers for qualified signatures.
- Indian DSCs are generally used for local PDF/portal signing rather than DocuSign's cloud certificate flow — confirm your use case before relying on a DocuSign envelope.
DocuSign eSignature vs digital signature
A lot of confusion comes from mixing these up. DocuSign eSignature (the everyday product) records your intent with audit trails and doesn't need a certificate token. DocuSign's digital signature / Signing Service uses a cryptographic certificate (yours or DocuSign-issued) and is where certificate errors appear.
| | eSignature | Digital signature |
|---|---|---|
| Needs a certificate? | No | Yes |
| Uses your USB token? | No | Optionally |
| Throws certificate errors? | Rarely | Yes |
| Typical use | Standard agreements | Regulated / qualified signing |
Enterprise admin: enable certificate signing
If your whole organization gets "not trusted" or can't choose certificate signing, the account may not have it enabled. A DocuSign admin needs to:
- Enable digital signatures / Signing Service in account settings.
- Configure the allowed signature providers (DocuSign Express, your own certificate, or a partner TSP).
- Whitelist the DocuSign signing browser extension via Group Policy if browsers are managed.
Browser extension requirements
Certificate-based signing in DocuSign relies on a browser bridge. If your environment blocks extensions, signing silently fails.
- Chrome / Edge — both read the Windows certificate store; install or allow the DocuSign signing extension.
- Edge IE Mode — disable it for docusign.net, as it changes how certificates enumerate.
- Firefox — uses its own NSS store; load your token's PKCS#11 module under Security Devices.
Frequently asked questions
Which certificates does DocuSign accept?
For certificate-based digital signing, DocuSign accepts certificates that chain to a CA on its accepted-issuer list — DocuSign-issued certificates and recognised public/eIDAS trust-service providers. Self-signed certificates will show in the picker but fail when the envelope is submitted.
Does DocuSign work with an Indian DSC?
Indian DSC tokens are designed primarily for local PDF and government-portal signing rather than DocuSign's cloud certificate flow. They may work for in-person/local certificate signing depending on your account configuration, but for cross-border DocuSign envelopes confirm acceptance first. For Indian portal signing, our SafeNet and DSC guides are the better path.
How do I fix "certificate is not trusted" in DocuSign?
Install the missing intermediate and root certificates from your CA into the Windows trusted store (certmgr.msc), confirm the issuing CA is on DocuSign's accepted list, then retry. If the CA simply isn't accepted, you'll need a certificate from a supported provider.
DocuSign says 'no digital ID found' even with my token plugged in — why?
That's a detection problem, not a trust problem. Your token's middleware (SafeNet Authentication Client, YubiKey minidriver) may not be loaded, the Smart Card service may be stopped, or the browser isn't enumerating the certificate. Fix detection first, then trust.
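To separate a detection problem from a trust problem, look at what Windows itself can see before involving the browser. This added example (not DocuSign code; `Get-SigningCertInventory` is a hypothetical helper name) checks the Smart Card service and lists the certificates in the current user's Personal store, which is the store Chrome and Edge read. The self-signed test is a simple subject-equals-issuer heuristic.

```powershell
# Added example. Get-SigningCertInventory is a hypothetical helper name.
function Get-SigningCertInventory {
    # The Smart Card service must be running for token-backed certificates to appear.
    $svc      = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    $now  = Get-Date
    $rows = foreach ($c in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # 2.5.29.15 is the Key Usage extension; Format() renders it as text.
        $ku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $problems = @()
        if (-not $c.HasPrivateKey)   { $problems += 'no private key linked' }
        if ($c.NotAfter  -lt $now)   { $problems += 'expired' }
        if ($c.NotBefore -gt $now)   { $problems += 'not yet valid' }
        if ($c.Subject -eq $c.Issuer) { $problems += 'self-signed (heuristic)' }
        [pscustomobject]@{
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
            KeyUsage      = if ($ku) { $ku.Format($false) } else { 'not stated' }
            Problems      = $problems -join '; '
        }
    }
    $rows   = @($rows)
    $usable = @($rows | Where-Object { $_.HasPrivateKey -and $_.Problems -notmatch 'expired|not yet valid' })

    $verdict = if ($svcState -ne 'Running') {
        'Detection: Smart Card service is not running'
    } elseif ($usable.Count -eq 0) {
        'Detection: no in-date certificate with a private key in CurrentUser\My (check token middleware)'
    } else {
        'Windows sees a signing candidate: check the browser extension, then the trust chain'
    }

    [pscustomobject]@{
        SmartCardService = $svcState
        Verdict          = $verdict
        Certificates     = $rows
    }
}

$inventory = Get-SigningCertInventory
$inventory | Format-List SmartCardService, Verdict
$inventory.Certificates | Format-Table Subject, NotAfter, HasPrivateKey, KeyUsage, Problems -AutoSize -Wrap
```

Run it once with the token unplugged and once with it inserted; if the list does not change, the middleware is not publishing the token's certificate to Windows.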
DocuSign still rejecting your certificate?
Trust-chain and digital-ID errors can be tricky to isolate. Get expert help on a remote session and we'll get DocuSign accepting your certificate or token.
Independent consulting engagement — not affiliated with DocuSign, Adobe, Microsoft, or any certificate authority.