Great! Thanks to @Mr. Y for identifying the root cause: the correct approach for signing PDFs is to use certificates stored in Azure Key Vault instead of keys.
Thank you to @mkl for suggesting that I share this as an answer to help others who might face a similar issue.
Replace the key (`my-key`) with a certificate object (`my-vault.vault.azure.net/certificates/my-certificate`) in Azure Key Vault. Certificates allow the certificate chain to be downloaded and embedded into the signed PDF. Use the `CryptographyClient.signData` method to sign the raw PDF content instead of the digest.
Code:

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.SignResult;
import com.azure.security.keyvault.keys.cryptography.models.SignatureAlgorithm;

// Point the cryptography client at the certificate object rather than a bare key
CryptographyClient cryptoClient = new CryptographyClientBuilder()
    .keyIdentifier("<your-key-vault-url>/certificates/my-certificate")
    .credential(new DefaultAzureCredentialBuilder().build())
    .buildClient();

// Sign the raw PDF content (pdfContent is the byte[] of the document to sign);
// signData hashes the data itself, so no pre-computed digest is passed in
byte[] pdfContent = /* the PDF bytes */ null;
SignResult signResult = cryptoClient.signData(SignatureAlgorithm.RS256, pdfContent);
byte[] signature = signResult.getSignature();
```
Embed the `signature` and the certificate chain into the PDF. The signed PDF is now valid, as it contains the required certificate chain. Adobe Acrobat validates the signature successfully.