2
votes

I am using iText for PDF signing.

My PDF form has 3 signature fields. The first two fields are for approval signatures and the last field is for certification signature. Certification signature is always signed after the approval signatures and Append mode is set to true for all signatures.

My question is after the certification signature is signed (certification level set to CERTIFIED_NO_CHANGES_ALLOWED) the validated approval signatures will become invalidated while the certification signature is validated.

How should I go about fixing this?

1
Can you share your signing code? My first thought is that you're not using PdfStamper in append mode, could you also show us how you're constructing PdfStamper? - Michaël Demey

1 Answers

4
votes

Certification signature is always signed after the approval signatures

This is not allowed.

The PDF specification ISO 32000-1 indicates that

The signature dictionary of a certification signature shall be the value of a signature field and shall contain a ByteRange entry. It may also be referenced from the DocMDP entry in the permissions dictionary (see 12.8.4, “Permissions”). The signature dictionary shall contain a signature reference dictionary (see Table 253) that has a DocMDP transform method.

(section 12.8.1 Digital Signatures / General)

The DocMDP transform method shall be used to detect modifications relative to a signature field that is signed by the author of a document (the person applying the first signature). A document can contain only one signature field that contains a DocMDP transform method; it shall be the first signed field in the document. It enables the author to specify what changes shall be permitted to be made the document and what changes invalidate the author’s signature.

(section 12.8.2.2.1 Digital Signatures / Transform Methods / DocMDP / General)

I.e. a certification signature has a DocMDP transform method and the signature having a DocMDP transform method must be the first one signed in the document.

What you try to achieve, though, might be possible otherwise if PDF2 features are ok with you, cf. Bruno's white paper Digital Signatures for PDF documents section 2.5.5 Locking fields and documents after signing:

Since PDF 1.5, it’s possible to lock specific fields when signing a document. In PDF 2.0, there will be a new feature that allows you to define the document-level permissions that are already available for certification signatures, but now also for approval signatures.

For details (which go beyond the size of an answer here) read that section...
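
A check for the rule quoted in the answer, as an added example that is not part of the original answer or of iText's own samples: it lists the signatures of a PDF in signing order and flags any DocMDP (certification) signature that is not the first one signed. It assumes the iText 5 API (`com.itextpdf.text.pdf`); the class name `DocMdpOrderCheck` and the output wording are hypothetical.

```java
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfArray;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfNumber;
import com.itextpdf.text.pdf.PdfReader;
import java.io.IOException;
import java.util.List;

// Added example (hypothetical class name), assuming iText 5 is on the classpath.
public class DocMdpOrderCheck {

    /** Returns the DocMDP /P level of a signature dictionary, or 0 for an approval signature. */
    static int docMdpLevel(PdfDictionary sigDict) {
        PdfArray refs = sigDict.getAsArray(PdfName.REFERENCE);
        if (refs == null) return 0; // no signature reference dictionaries: approval signature
        for (int i = 0; i < refs.size(); i++) {
            PdfDictionary ref = refs.getAsDict(i);
            if (ref == null || !PdfName.DOCMDP.equals(ref.getAsName(PdfName.TRANSFORMMETHOD))) continue;
            PdfDictionary params = ref.getAsDict(PdfName.TRANSFORMPARAMS);
            PdfNumber p = params == null ? null : params.getAsNumber(PdfName.P);
            return p == null ? 2 : p.intValue(); // ISO 32000-1: /P defaults to 2 when absent
        }
        return 0;
    }

    public static void main(String[] args) throws IOException {
        PdfReader reader = new PdfReader(args[0]); // path to the signed PDF
        try {
            AcroFields fields = reader.getAcroFields();
            // iText returns signed fields ordered by the revision each signature covers.
            List<String> names = fields.getSignatureNames();
            int certifications = 0;
            for (int i = 0; i < names.size(); i++) {
                String name = names.get(i);
                int level = docMdpLevel(fields.getSignatureDictionary(name));
                System.out.printf("%d. %s (revision %d of %d): %s%n", i + 1, name,
                        fields.getRevision(name), fields.getTotalRevisions(),
                        level == 0 ? "approval" : "certification, DocMDP P=" + level);
                if (level > 0) {
                    certifications++;
                    if (i > 0) System.out.println("   VIOLATION: DocMDP signature is not the first signed field");
                }
            }
            if (certifications > 1) System.out.println("VIOLATION: more than one DocMDP signature");
        } finally {
            reader.close();
        }
    }
}
```

Run against the document from the question, this reports the certification signature in third position, which is the ordering the quoted section 12.8.2.2.1 forbids.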