The integrity of an individual certificate can be tested because its content is itself signed with a private key. A test certificate may be "self signed" but normally a Certificate Authority (CA) will issue user certificates signed by the CA itself or an intermediate CA.
Windows is pre-installed with a number of certificates that can be "trusted" and these are typically located in the Trusted Root Authorities Certificate store. EscapeE will give a trusted status to PDF files that are signed by a certificate ultimately linked to a trusted root certificate. By default, Adobe Reader® will only trust certificates that chain to a CA on the Adobe Approved Trust List (AATL), were signed when the certificate was in date, and have not been revoked. A large enterprise like a government body may act as its own certificate authority but end-users buying a signing certificate for PDF operations can simplify housekeeping by selecting a vendor from AATL.
If a private key is lost or compromised then its trust status can be refuted by posting the certificate name on a certificate revocation list (CRL). To completely validate a PDF trust status the CRL must be checked – this typically requires access to the Internet. Large enterprise also impose other restrictions on how a certificate may be used ("Intended use").