Hi Laurent, The lack of the EKU extension does NOT prevent signing in Acrobat or Reader. When the certificate authority (CA) issues a certificate, they have certain controls as to how to limit the use of that certificate and those controls are the extensions that they may add to the certificate at cert creation time. However, there is nothing that says they have to limit the usage. If they (the CA) elects not to added any limitations then the certificate is considered good for any and all digital signature based operations. At a minimum, there is one limitation that always is placed on a certificate, and that is its validity period. No matter how long you make the life of the certificate it will expire at some point at which point it has reached a time limitation. Other that the expiration date there are other items that the CA may add to the cert in the form of extensions that tell the processing application (in our case that would be Acrobat & Reader) how to limit the use of the cert. It's not just the KU and EKU that can limit the use of a cert. For example there are constraints (path, name, basic) and policies which would also limit the use of the cert. With regard to the KU and EKU, the CA doesn't have to add either of those two extensions, but if they do it is incumbent Acrobat and Reader to respect the limitations the CA has imposed. If the CA adds the KU extension, then that particular extension must contain either the "digital signature" or the "non-repudiation" value in order for the cert to be considered good for signing a PDF file. Other values could be included in the KU, but at a minimum one of those two I listed must be present. They can both be there as they are not mutually exclusive, but at least one of them has to be there IF the KU is included in the cert. If the CA adds the EKU extension, then that particular extension must contain either the "any allowed", "e-mail protection", or "code signing" values. Again, and like the KU, any one value will suffice, and they can all be there, but at least one of them must be included in the EKU. Steve ... View more

Hi diber001, If the PDF file already contains a signature field, then the author of the document expects you to sign using a certificate (that is, create a cryptographically secure digital signature) and not use an annotation based unsecured electronic signature, and thus, all of the other options on the Place Signature dialog are disable other than the Use a certificate option. Steve ... View more

Hi Milos, Correct, Client Auth does not enable the cert for PDF signing, and for that matter neither does Smart Card Logon . There are a a lot of little bits to consider. A certificate with neither the Key Usage (KU) extension nor the Extended Key Usage (EKU) extension is to be considered good for every and all possible operations that a certificate can be used for. Once the certificate authority (CA) adds one, or both, of those two extensions they are in essence limiting the use of the certificate. Where things get a bit messy is coming to the realization that the two extensions (KU & EKU) are processed separately. Both (if they are both present) must allow for signing a PDF, or more correctly, neither must disallow signing a PDF. In the case of your certificate, the KU does allow for signing a PDF because it has the "Digital Signature" value, but the EKU does not allow for signing a PDF because it does not contain one of the three values (Allow Any, Email Protection, or Code Signing) that we require. At least one of those three values has to be there if the EKU is present for the certificate to be able to sign a PDF file. All of these rules are defined in the internationally accepted standard RFC 5280, sections 4.2.1.3 & 4.2.1.12. Steve ... View more

Hi Eric, The first two items (and I'm going to do this in English) ; Sign Transaction, and Sign Document are from the Key Usage extension (they represent the "digital signature" and "non-repudiation" bits respectively). Their presence limits the use of the digital ID to signing anything other than certificates and CRLs. If there was no Extended Key Usage (EKU) extension present you would still be able to sign a PDF file. However, the last item on the list (Client Authentication) is from theEKU extension and it tells the processing applications (in our case Acrobat & Reader) that the digital ID is further restricted to allowing the client (in other words, your computer) to authenticate to a server or system. A bit about digital IDs. They are issued by trusted third party Certificate Authorities (CAs) and it's the CA that determines for what purpose a digital ID that they have issued may be used. The CA controls what goes into the usage, constraints, and policy extensions, and together those extensions define and narrow the purpose a the digital ID. The CA is governed by a set of policies and practices that are defined in publicly available documentation, and their whole existence is dependent on not varying from those rules. If they say (through the cert extensions) that they want the digital ID limited to a particular operation then it is incumbent on the  processing application (again, in our case that means Acrobat and Reader) to respect those limitations.  Yes, Acrobat used to ignore the EKU and that was a flaw in Acrobat. As you may imagine, ignoring the EKU caused problems for certain users and thus brought this flaw to light, which is why it was fixed in version 11.0.9. The bottom line is, you need to coordinate with the CA that issued you your certificate and procure a new digital ID that is not restricted to client authentication. The three things that may be in the EKU that would allow signing of a PDF file are ; Allow Any, Email Security, and Code Signing. If the CA were to add one of those to the EKU along with Client Authentication, then you will be able to sign again. Steve ... View more

Hi sign forms, Proviso: This is harder without Acrobat to do some editing and image-to-PDF conversion. Let's start with the infrastructure of a signature appearance field. The field has two layers, a background and a foreground.  The foreground is additionally divided in half with the left half displaying graphics and the right half displaying text. If there is no graphic as part of the signature appearance then the whole of the foreground becomes one big text field. The same thing applies going the other way, if there is no text then the whole of the foreground becomes one big graphics field. The default background is the pink PDF trefoil logo. You have an option (we'll get to it in a bit) of not displaying the background at all, but you also have the ability to change the background image. If you want to use your own logo you need to put it in a PDF file, name the file SignatureLogo.pdf and save it to C:\Users\<user name>\AppData\Roaming\Adobe\Acrobat\11.0\Security\. You would want to crop the PDF page (you need a PDF editing toll such as Acrobat, you can't do this in Reader) so it is pretty much just the image, otherwise the logo will be too small when displayed in the signature field. To create a custom foreground appearance follow these steps: Select the Edit > Preferences menu item Select Signatures from the Categories list box Click the More button in the Creation & Appearance group box (the topmost button) Click the New button in the Appearances group box Here is another place you are going to be limited as a Reader user as you can only import a PDF file as an imported graphic. Reader does not have the ability to process image files like Acrobat does, thus all you can import are PDF files. It's on this dialog that you also have the ability to turn the background on & off via the Logo checkbox. As you turn items on and off you will see the Preview box reflect the changes. Here's an example of where I changes the background to a picture of a rubber duck, made the left side of the foreground a scanned image of my wet ink signature, and made the right side (the text side) of the foreground only have the Date and Version number: Steve ... View more

Hi Eric, One thing that since the beginning of digital signatures in Acrobat/Reader the app didn't process the Extended Key Usage (EKU) extension, but that was remedied with version 11.0.9. Now, in order to be able to use a digital ID for signing a PDF file, the digital ID must not be limited to its use via the EKU. My guess is (and since this was the only change to signing in 11.0.9), you are trying to sign with a digital ID whose purpose has been limited by the issuing CA because they add a value to the EKU.  Please follow these steps to get the usage setting and then let me know what they are: Select the Edit > Preferences menu item Select Signatures from the Categories list box Click the More button in the Identities & Trusted Certificates group box (the third button from the top) Highlight your digital ID in the list box and then click the Certificate Details button on the toolbar Highlight the text in the Intended Usage field on the Certificate Viewer dialog and copy the text You can then paste that text into your reply and I can then explain why the digital ID is not allowed for signing. Steve ... View more

Here are some links that explain the process: 4   Custom Signature Appearances — Digital Signatures Guide for IT http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEwQFjAE&url=http%3A%2F%2Fwww.post.trust.ie%2FDownlo… http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0CFgQFjAG&url=http%3A%2F%2Fgeminisecurity.com%2Fwp-co… Adobe Acrobat X Pro * Setting up signing https://acrobatusers.com/tutorials/how-do-i-add-a-scanned-signature-to-a-digital-signature http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0CGoQFjAJ&url=http%3A%2F%2Fwww.chaffey.edu%2Fcsn%2Fp… Steve ... View more

Hi Sign Forms, You definitely don't want to create a digital ID if what you are looking for is an electronic signature. You, like Greg above, seem to be in a situation where the Place Signature default is locked onto the certificate based digital signature workflow. Follow what I mentioned directly above and see if that gets you into the desired state. However, and as an aside, should you ever decide to adopt the use of certificate based digital signatures for security purposes there are options to customize the signature appearance so it does not display the block letters you mentioned. Steve ... View more

Hi Greg, If upgrading from and earlier version of 11 to 11.0.9 caused the Place Signature tool to lose it's settings that would be a bug. I'll see if I can reproduce that behavior. That said, it seems that Place Signature now thinks it's default setting is to create a digital signature whereas you want it to be an electronic signature. What you need to do clear the settings and reset the default by selecting the drop-down menu just to the right of the button proper, and then select Change Saved Signature from the drop-down menu. That will allow you to chose a different option than a certificate based digital signature. Steve ... View more

Hi Greg, There a couple of different concepts that I fear are getting merged into one generic "signature" conversation blob. Let me start with some definitions: A digital signature - A cryptographic operation based on using a digital ID that provides both proof of document and signer integrity. The actual signature is a blob of encoded and encrypted data written into the PDF file, but it may reference a field in the document that is a graphical representation of the signature, and is known as the signature appearance. An electronic signature - An imaged added to a page in the PDF file that is a graphical representation of a "wet ink" signature. There is no cryptographic assurance that the signature is valid, or, what has purportedly been signed has not been altered. What you see on the page is all there is and there is no validation to check integrity. It sounds like you were using an earlier major version of Acrobat or Reader (by major version I mean the "11" part of 11.0.9. The zero dot nine is the minor version) and when you upgraded to version 11 (or XI as you see it in the marketing branding) you lost the link to the image file you were using in version 10 or earlier. It seems to me (correct me if I'm wrong) that you are trying to create an electronic signature with a image file that had the background opacity set to 0% so the background of the image did not obstruct the view of the text on the page. If you don't know where the original image file is you're not going to be able to use it in version 11. If you do know where it is you can do the following: Open the Fill & Sign pane on the toolbar Expand the Fill & Sign Tools panel Mouse over Place Signature and then select the drop-down menu by clicking the down-arrow button on the right Select Change Saved Signature from the drop-down menu Select the Use an image radio button Click the Browse button to the right of the File Name edit field Navigate to, and select the image you would like to use, and then click the Open button Click the Accept button on the Place Signature dialog At this point your mouse cursor is your signature. Click on the page wherever you'd like the electronic signature to appear and Acrobat will then revert to the normal editing mode. Steve ... View more

Hi, I assume when you say "another pop up" you really mean that your seeing this dialog... Let's start with some nomenclature so we are on the same page. What you are trying to do is create a "digital signature" and in order to do that you need a "digital ID". To think of this in physical world terms, the PDF file is a piece of paper, the digital ID is the pen and the digital signature is, well the signature. In order to create a digital signature you must have something to sign with, and that something is a public-key based digital ID. This digital ID can reside in several places. It can be in a password protected file and the file would have either P12 or PFX as the file extension to the file name. The digital ID could be locked onto a token or smart card, in which case you would get access to it using a PIN instead of a password. It could also be locked into the Operating System. On Windows that would be the Windows Certificate Store (think of "store" in this case as storage, not a market place), and on the Mac it would be the Keychain Access application. So the question is, do you currently have a valid digital ID (they do expire) or do you need to procure one? My guess is you need to procure a new digital ID and this is where you are being tripped up. If you do need to procure a new digital ID, the next question is, do you need to get a high assurance digital ID from a trusted 3rd-party Certificate Authority (you, as the signature creator are the 1st party, and whomever you send the signed PDF file to is both the signature recipient, and also the 2nd party). The thing that makes a Certificate Authority (CA) trusted is because they will do identity vetting in order to ensure that you are who you say you are before they issue you a digital ID. When you get a digital ID from a CA you can think of it as a drivers license or password, not for what they allow you to do (drive a car or cross a border), but rather as a trusted and generally accepted piece of identification. Yes, a digital ID issued to you from a CA allows you to sign data just like a pen, but more importantly it acts as a trusted piece of identification. All that said, if you don't need a high assurance digital ID that proves you are who you say you are, then you can create your own digital ID. In that case the digital ID is really just a pen for signing and does not provide any trust regarding your identity. The advantage to creating your own digital ID is it's quick, easy, and free. The downside to getting a digital ID from a CA is it is time consuming and not free. Since your have started down the path of creating your own digital ID already let's finish with that workflow and leave it for later to see if that meets the identity requirements of whomever you are sharing the signed file with. If you are seeing the dialog above select the bottom radio button next to "A new digital ID I want to create now", and then click the Next button. The contents of the next dialog you see is as dependent on whether you are on Mac or Windows. On Windows the next dialog asks you where you want to save the digital ID, either in a password protected file, or in the Windows Certificate Store. If you select the File option you will be asked to provide the password every time you sign a PDF file, whereas with the Windows option when you log into Window that provides the authentication to access the private key in the digital ID and thus when you sign a PDF file you won't be asked to provide a password. If you are on a Mac since saving the digital to a file is the only possible option this dialog is skipped. The next dialog is where you enter the information that you want contained in the digital ID that identifies you as the signer. If you've already filled out the Identity panel on the Preferences dialog then that data will be pulled in, but if not you you are going to need to add at a minimum a Name and an Email address, and then click the Next button. If you are saving the digital ID in a file, the next order of business is to pick a location where you want to save the file you are about to create and assign it a password to protect the private key from unauthorized access.  You're now on the last dialog for digital ID creation so you can click the Finish button. This takes you to the Sign dialog. If you already had a valid digital ID to sign with you would have seen this dialog right after you inscribed the signature field and would have shipped all of the digital ID creation dialogs. If you saved your new digital ID in a file the Sign dialog will ask you to provide the password you just used (don't forget this password because you'll need it when you want to sign files at some later date). Enter the password and click the sign button. You'll be asked where you want to save the signed file (you can overwrite the existing file if you like, or you can save it as a new file), and once you've done that you'll have a digitally signed PDF file. Steve ... View more

Please let me know which dialog you are seeing. Is this the dialog you are seeing?     Figure 1: Place Signature Or is it this dialog?     Figure 2: Drag New Signature Rectangle Thanks, Steve ... View more

Hi, Let's start with what application you are using (it's not Adobe because Adobe is a company, not a product). Is it Acrobat or is it Reader? If you are on Windows you can get the information from the Help > About <application name> menu. On the Mac it would be the Acrobat or Adobe Reader menu and then About <application>. Once you get the about screen up you will see a version number. If you can let me know what that is as well that would be great (I know you said the major version is 11, I'm also curious as the the minor version number). Thanks, Steve ... View more