How to Keep Signatures Verifiable After Certificate Expiry (eIDAS / QES)

[tta_listen_btn]

image showing how to keep signatures verifiable after certificate expiry

Table of Content

It is five years after signing. A dispute arises. You open the contract and the signature shows as ‘invalid’. Now what?

This scenario is far more common than many organisations realise. Certificate expiry is inevitable, but it should never mean losing the ability to verify and defend a signature. The difference between a signature that becomes legally worthless and one that remains defensible comes down to what you preserve at signing time, and how well you maintain that evidence over the years.

This article walks you through a practical framework to keep your signed records verifiable under scrutiny, no matter how long they must be kept. It explains the distinction between signature packaging (LTV) and true preservation, the misconceptions that trap organisations, and where eIDAS-qualified preservation fits in.

 

Why Signatures Become Hard to Verify Over Time

A digital signature is verified against evidence that changes constantly:

  • Certificates expire; expiry is the normal state of a certificate after its validity period ends.
  • Revocation information (OCSP/CRL) may no longer be available or provable; servers shut down, records are archived.
  • Cryptographic algorithms weaken; algorithms like SHA-1 and RSA-2048 that were considered secure may no longer be.
  • Trust anchors and validation policies evolve; regulatory requirements change, trusted root certificates are revoked.
  • Documents move between systems; every transfer risks breaking the chain of custody and losing context.

 

If you preserve only the signed file without capturing validation evidence, you may end up with a document that appears intact but cannot be defended under legal scrutiny.

 

What Verifiable After Expiry Really Means

When someone asks “Is this signature still valid?”, they are asking two distinct questions:

  • Was the signature valid at the time of signing? (Historical validity)
  • Can we still demonstrate that today, with reliable evidence? (Defensible proof)

 

Expiry does not automatically invalidate a signature created before the certificate expired. But expiry does remove the simple ‘online check’ path. After years, your ability to verify the signature depends entirely on what you preserved at signing time and how well you maintained that evidence through subsequent technology changes.

 

The Practical Preservation Checklist

Follow these steps to maintain verifiability over decades.

1. Capture Validation Evidence at or Right After Signing

Preserve the following alongside the signed document:

  • The full certificate chain (from signing certificate through all intermediates to the trust root)
  • Revocation status evidence (OCSP response or CRL snapshot at signing time)
  • Signature policy context and algorithm identifiers

 

For PDF signatures, use an appropriate PAdES profile (PAdES-LT or PAdES-LTA, depending on your retention horizon) that bundles this evidence into the document itself.

 

2. Add Trustworthy Timestamps and Plan for Renewal

A timestamp anchors proof in time and protects against the cryptographic weakening of the signature algorithm itself:

  • Use qualified timestamps (from eIDAS trust service providers) to prove when the signature existed.
  • For retention horizons longer than 10 years, plan for archival timestamps and evidence renewal as crypto standards evolve.

 

This protects you if the original signing algorithm becomes broken or obsolete.

 

3. Preserve Integrity and Provenance (Chain of Custody)

Store enough context to explain the record later:

  • Source channel and system (email, portal, DMS, etc.)
  • Capture timestamp and user who signed
  • Validation checks performed at ingest
  • Document version and finality indicators
  • Audit log of who has accessed the record and when

 

This context is what turns a bare file into a defensible record.

 

4. Separate Validation Packaging from Preservation Service

This is where many organisations fail. Understand the difference:

  • Long-Term Validation (LTV) is a packaging technique that bundles validation material (certificate chain, revocation info) into the signature container itself. LTV is necessary, but it is a one-time snapshot.
  • Preservation is an ongoing service that maintains verifiability and evidential strength over time, including evidence renewal, policy updates, and governance controls.

 

If your retention horizon is 10 to 30 years, LTV packaging alone is not enough. You need to plan for the latter.

 

5. Use Qualified Preservation When the Risk is High

For regulated, cross-border, or high-value records, use an approach aligned with eIDAS trust service controls:

  • Repeatable, auditable processes
  • Complete audit logs and version history
  • Evidence renewal tied to cryptographic or regulatory changes
  • Controlled retention and legally defensible deletion

 

In eIDAS terms, this is where Qualified Preservation (QPres) as part of Qualified Electronic Archiving (QeA) becomes relevant. It means the preservation service itself is auditable and compliant with eIDAS trust service requirements.

 

Common Misconceptions

“The certificate expired, so the signature is invalid”

Incorrect. Certificate expiry is normal and expected. The key question is whether you can still prove the signature was valid at the time of signing. If you captured revocation evidence and timestamps before the certificate expired, the signature remains defensible long afterwards.

“We can always re-validate later”

Only if you preserved the revocation evidence, timestamps, and certificate chain at signing time. If you did not, re-validating years later may be impossible. You cannot retrieve information retroactively from systems that no longer exist.

“LTV preserves signatures forever”

LTV is necessary but not sufficient. LTV is a snapshot of validation material at a point in time. For multi-decade defensibility, you need active preservation; this includes monitoring for algorithm obsolescence, planning evidence renewal, and maintaining a complete audit trail of all preservation actions.

 

How Docbyte Vault Helps

Docbyte Vault is an eIDAS-certified, OAIS-aligned platform designed for long-term preservation of evidential value. It is built specifically for signature-heavy processes, such as contracts, HR records, and regulated submissions. Vault supports:

  • Controlled ingest from multiple channels (email, portals, DMS, business applications) with automatic signature and evidence validation
  • Integrity verification and evidence mechanisms that remain auditable over decades
  • Lifecycle governance (retention policies, legal holds, controlled deletion with proof of disposal)
  • Audit-ready access and traceability; every action is logged and accessible for inspections
  • Preservation planning including evidence renewal, format migration, and algorithm monitoring

 

The qualification means that Vault’s preservation controls themselves are auditable and compliant with eIDAS trust service requirements, removing the burden of proving preservation adequacy from your organisation.

 

Next Steps

If you are unsure whether your signed records will remain verifiable for 10 or more years, run a simple assessment:

  • Pick three critical document types (e.g. contracts, board resolutions, compliance submissions).
  • Identify the current signing method, evidence capture, and retention policy for each.
  • Test how verification would work after the certificate expires and systems are offline.

 

This assessment is a first step to translating preservation risk into an implementable policy. Get in touch with Docbyte to walk through your critical document types and design a preservation strategy that keeps your signed records defensible under audit.

Related Docbyte solution pages

Continue with the solution pages that match this topic:

Picture of Frederik Rosseel
Frederik Rosseel

Hi, I’m Frederik, CEO of Docbyte. Having pioneered solutions in digital archiving and qualified trust services for years, I distill that invaluable experience into writing. My goal is to help businesses achieve robust data security and seamless regulatory compliance through crystal-clear insights

Contact Us


At Docbyte, we take your privacy seriously. We’ll only use your personal information to manage your account and provide the products and services you’ve requested from us.

Are you interested in contributing to our blog?
Recent Blogs