Set up webhook mTLS in Adobe Acrobat Sign using CSR or up - New

Search
Adobe Acrobat Sign

Adobe Acrobat Sign

Open app
Alert

This article contains prerelease information. Release dates, features, and other information are subject to change without notice.

Secure webhook deliveries using mutual TLS with flexible private key management.

Webhook mTLS (mutual TLS) ensures that both Adobe Acrobat Sign and your endpoint authenticate each other during the TLS handshake. Administrators can choose to upload their own private key and certificate or have Acrobat Sign generate and store the private key. This flexibility reduces the requirements for handling private keys while maintaining compatibility with existing webhook behavior.

This feature is available to Acrobat Sign Solutions and Acrobat Sign for Government accounts.

Certificates can be configured at the account and group level.

  • Group-level settings override account-level settings.

How webhook mTLS works

Webhook mTLS uses a client certificate and private key to authenticate Acrobat Sign to your webhook endpoint during connection.

  • Acrobat Sign presents a certificate during the TLS handshake.
  • Your endpoint validates the certificate before accepting the connection.
  • Webhook payloads, events, and delivery behavior remain unchanged.

Choose a key management method

You must select how the private key is created and managed.

Upload your own private key and certificate

  • Generate the private key and certificate externally.
  • Upload as a PKCS#12 file (.p12 or .pfx).
  • You maintain full control over key generation and lifecycle.

Use this method if your organization requires external key management.

Let Acrobat Sign generate the private key

  • Acrobat Sign generates the private key and a certificate signing request (CSR).
  • The private key never leaves Adobe infrastructure.
  • Submit the CSR to your certificate authority.
  • Upload the signed certificate (PEM format).

Use this method to reduce private key exposure and simplify key handling.

Key differences

Capability Upload your own key Acrobat Sign generates the key
Private key location Customer-managed and stored in Acrobat Sign Generated and stored only within Acrobat Sign
Certificate format PKCS#12 (.p12 / .pfx) PEM (.pem / .crt / .cer)
Workflow Upload the key and certificate together Generate CSR, then upload the signed certificate
Key exposure Key handled externally before upload Key never leaves Adobe infrastructure
Security posture Standard Stronger

When to use each method:

  • Use the upload method if your organization requires external key control.
  • Use the Acrobat Sign-generated method when you want to minimize private key handling and improve security.

Configure webhook mTLS

Select a key management method

  1. Go to Security Settings >Webhook mTLS Certificate Management

  2. Select your preferred key management method:

    • Upload the client certificate
    • Generate CSR

  3. Save the configuration.

    The "Security Setting" page with teh "Webhook mTLS Certificate Management" options highlighted.

If you opt to upload your own certificate:

  1. Provide a password for the certificate.

  2. Upload the certificate (.p12 or .pfx).
    Must include both:

    • Private key
    • Certificate

  3. Save the configuration.

    The mTLS feature with the upload option selected.

After saving, the certificate becomes active immediately for webhook deliveries.

If you opt to let Acrobat Sign generate the private key:

  1. Enter the certificate details:

    • Certificate Name (required)
    • Organization
    • Organizational Unit
    • Location
    • State/Province
    • Country (Two-letter ISO code)
    • Email (Email format)
    • SAN-DNS Names (Optional, Enter one per line)
    • SAN - Email values (Optional, Email format, enter one per line)

  2. Select Generate CSR.

  3. Copy the generated CSR.

    The mTLS feature with the Acrobat Sign generated option selected.

  4. Submit the CSR to your certificate authority and obtain a signed certificate.

  5. Save the configuration.
    The CSR is only saved after selecting Save. If you leave the page, the CSR is lost.

Certificate requirements

PKCS#12 (upload method)

  • Format: .p12 or .pfx
  • Must include both private key and certificate
  • Requires a password

CSR (Acrobat Sign-generated method)

  • Format: PEM (.pem, .crt, .cer)
  • Must include clientAuth usage
  • Must match the generated CSR
  • Must be within its validity period
  • Include intermediate certificates if necessary

Things to know

  • If the certificate expires, webhook deliveries fail until a valid certificate is uploaded.
  • Acrobat Sign continues retry attempts based on the webhook retry policy.
  • Switching between key management methods does not delete existing certificates.
  • CSR and private key are only saved after selecting Save. Leaving the page discards them.
  • Group-level configuration is supported.
  • A new CSR is required only when the certificate subject details change.

Adobe, Inc.

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links

Legal Notices    |    Online Privacy Policy