Tags: pdf-generation, tcpdf, digital-certificate

Difference between code signing certificate and document signing certificate


I am looking at getting a document signing certificate to sign PDFs as per Adobe's AATL; however, I noticed, for example, that Digicert charges significantly different prices for a Document Signing Certificate than for a Code Signing Certificate. We plan to use the certificate to do automated signing of PDFs, so I can't see the USB token (offered with the Document Signing Certificate) being that useful. Considering that both certificate/private key pairs are signed by the same CA (Digicert) and are on the AATL (and therefore their root cert would be the same?), would using a code signing certificate suffice to validate on Adobe readers?

Customer support at Digicert say:

if you're using the certificate through your own software then a code signing certificate may work since it chains back to the trusted DigiCert root. I can't confirm whether or not the code signing signature will translate to a PDF however since we don't officially support PDF signing with a code signing certificate.

If anyone has experience with this I'd appreciate it.


Solution

Most likely those code signing certificates have an extKeyUsage (2.5.29.37) extension with value codeSigning (1.3.6.1.5.5.7.3.3) and probably also commercialCodeSigning (1.3.6.1.4.1.311.2.1.22), but no values allowing other uses. (At least that is the case for a code signing certificate I have at hand here.)

RFC 5280 specifies for the Extended Key Usage extension that if the extension is present, then the certificate MUST only be used for one of the purposes indicated.

Thus, if the extended key usages in the certificates in question are set as mentioned above, using such a code signing certificate for signing non-code violates the basic specification for X.509 Public Key Infrastructure Certificates.

So concerning your central question

    We plan to use the certificate to do automated signing of PDFs ... would using a code signing certificate be suffice to validate on Adobe readers?

chances are that Adobe Reader rejects PDF signatures generated using a code signing certificate, and if it doesn't now, it may very well in a future version.
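The check the answer describes, as an added example that is not part of the answer or of any DigiCert or Adobe tooling: a minimal DER decoder for the extKeyUsage extension value, applied to a constructed sample holding exactly the two OIDs named above, plus the RFC 5280 rule (absent extension permits any purpose; present extension restricts to the listed purposes, with anyExtendedKeyUsage 2.5.29.37.0 as the RFC's escape hatch). The purpose OID a PDF validator actually requires is not stated on the page and is left as the caller's input.

```python
"""Decode an X.509 extKeyUsage value and apply the RFC 5280 usage rule."""
# OIDs named in the answer; anyExtendedKeyUsage comes from RFC 5280 4.2.1.12
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
MS_COMMERCIAL_CODE_SIGNING = "1.3.6.1.4.1.311.2.1.22"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for one DER element (short/long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content octets into dotted notation."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_eku(extn_value):
    """Parse extKeyUsage extnValue: ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId."""
    tag, seq, _ = _read_tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(body))
    return oids

def eku_permits(ekus, purpose):
    """RFC 5280: no extension -> any purpose; otherwise the purpose must be listed."""
    return ekus is None or purpose in ekus or ANY_EXTENDED_KEY_USAGE in ekus

# Constructed sample: a DER extnValue carrying exactly the two OIDs the answer names.
CODE_SIGNING_EKU_DER = bytes.fromhex(
    "3016"                      # SEQUENCE, 22 content bytes
    "06082b06010505070303"      # id-kp-codeSigning
    "060a2b060104018237020116"  # Microsoft commercialCodeSigning (311 = 0x82 0x37)
)
```

Feeding the sample through `decode_eku` and then `eku_permits` with any purpose other than the two code-signing OIDs returns False, which is the RFC 5280 reading the answer relies on.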