diff --git a/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf b/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf
index af668fc20f16..10528c57f783 100644
Binary files a/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf and b/xmlsecurity/qa/unit/pdfsigning/data/2good.pdf differ
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 4442ac54e0fd..1f9ef8341810 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -214,6 +214,9 @@ void PDFSigningTest::testPDFRemoveAll()
     aManager.mxSignatureStream = xStream;
     aManager.read(/*bUseTempStream=*/false);
     std::vector<SignatureInformation>& rInformations = aManager.maCurrentSignatureInformations;
+    // This was 1 when NSS_CMSSignerInfo_GetSigningCertificate() failed, which
+    // means that we only used the locally imported certificates for
+    // verification, not the ones provided in the PDF signature data.
     CPPUNIT_ASSERT_EQUAL(static_cast<std::size_t>(2), rInformations.size());
 
     // Request removal of the first signature, should imply removal of the
diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx
index 20bbbbf819f0..a1ac63c2ef6e 100644
--- a/xmlsecurity/source/pdfio/pdfdocument.cxx
+++ b/xmlsecurity/source/pdfio/pdfdocument.cxx
@@ -1334,6 +1334,13 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
         return false;
     }
 
+    // Import certificates from the signed data temporarily, so it'll be
+    // possible to verify the signature, even if we didn't have the certificate
+    // perviously.
+    std::vector<CERTCertificate*> aDocumentCertificates;
+    for (size_t i = 0; pCMSSignedData->rawCerts[i]; ++i)
+        aDocumentCertificates.push_back(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), pCMSSignedData->rawCerts[i], nullptr, 0, 0));
+
     NSSCMSSignerInfo* pCMSSignerInfo = NSS_CMSSignedData_GetSignerInfo(pCMSSignedData, 0);
     if (!pCMSSignerInfo)
     {
@@ -1456,6 +1463,8 @@ bool PDFDocument::ValidateSignature(SvStream& rStream, PDFObjectElement* pSignat
     PORT_Free(pActualResultBuffer);
     HASH_Destroy(pHASHContext);
     NSS_CMSSignerInfo_Destroy(pCMSSignerInfo);
+    for (auto pDocumentCertificate : aDocumentCertificates)
+        CERT_DestroyCertificate(pDocumentCertificate);
 
     return true;
 #else