Skip to main content
Melis23165497yn91
Melis23165497yn91
Participant
March 18, 2026
Answered

Elliptic Curve Support

  • March 18, 2026
  • 3 replies
  • 189 views

Hi,


I am encountering an "Unsupported Algorithm" error when trying to sign documents with a NIST P-384 (EC) certificate via a PKCS#11 module, although RSA signatures work perfectly with the same setup. Since Adobe's official documentation states that Elliptic Curve cryptography is supported, but the signature cannot be created in this case, I would like to ask for your guidance on how to resolve this. Is there a specific configuration or a known compatibility issue in Acrobat Reader regarding hardware-based EC signatures that we should follow?

Best Regards,

Melis.

      Correct answer Melis23165497yn91

      Hi,

      I am happy to report that we have successfully resolved the "Unsupported Algorithm" issue for NIST P-384 certificates on our smart cards.

      The key to the solution was moving away from the PKCS#11 module completely. Steps taken:

      1. Removed the PKCS#11 module from Acrobat’s "Identities & Trusted Certificates" settings.

      2. Installed the KSP (Key Storage Provider) / Smart Card Minidriver package provided by our CA.

      3. Once the driver was installed, the certificate automatically appeared in the Windows Certificate Store (Windows Digital ID).

      4. Restarted Acrobat and selected the certificate under "Windows Digital IDs."

      Acrobat now signs successfully with NIST P-384. It seems Adobe has trouble handling CKK_EC via PKCS#11. By using the KSP/Minidriver path, Acrobat treats the signature as a native Windows operation, bypassing the PKCS#11 algorithm recognition bug.

      If you are facing this issue, check if your smart card vendor provides a Minidriver or KSP instead of relying on the PKCS#11 library.

      Best regards,

      3 replies

      Melis23165497yn91
      Melis23165497yn91AuthorCorrect answer
      Participant
      April 1, 2026

      Hi,

      I am happy to report that we have successfully resolved the "Unsupported Algorithm" issue for NIST P-384 certificates on our smart cards.

      The key to the solution was moving away from the PKCS#11 module completely. Steps taken:

      1. Removed the PKCS#11 module from Acrobat’s "Identities & Trusted Certificates" settings.

      2. Installed the KSP (Key Storage Provider) / Smart Card Minidriver package provided by our CA.

      3. Once the driver was installed, the certificate automatically appeared in the Windows Certificate Store (Windows Digital ID).

      4. Restarted Acrobat and selected the certificate under "Windows Digital IDs."

      Acrobat now signs successfully with NIST P-384. It seems Adobe has trouble handling CKK_EC via PKCS#11. By using the KSP/Minidriver path, Acrobat treats the signature as a native Windows operation, bypassing the PKCS#11 algorithm recognition bug.

      If you are facing this issue, check if your smart card vendor provides a Minidriver or KSP instead of relying on the PKCS#11 library.

      Best regards,

        MikelKlink
        MikelKlink
        Participating Frequently
        April 1, 2026

        This is more of a work-around than a solution, I think. While having such a work-around is great for the users affected (thanks for sharing!), Adobe should definitively look into compatibility of their PKCS#11 code with current PKCS#11 providers...

          Melis23165497yn91
          Melis23165497yn91Author
          Participant
          April 2, 2026

          I completely agree. Users shouldn't have to hunt for specific driver packages just to get a standard NIST P-384 certificate working. 

           

          Thank you all for your interest and valuable insights throughout this discussion.

          patrik.akd
          patrik.akd
          Participating Frequently
          March 27, 2026

          I can confirm the same issue. After extended PKCS#11 library debugging we’ve come to a conclusion that as soon as key has type CKK_EC (or deprecated CKK_ECDSA) Adobe fails with “Unsupported Algorithm”.

           

          So from my understanding it is not even an algorithm issue but Adobe does not support CKK_EC key type at all while using PKCS#11 libraries.

           

          There is no way to resolve this, it is an unsupported key type which Adobe should implement.

            MikelKlink
            MikelKlink
            Participating Frequently
            March 18, 2026

            Only very specific elliptic curves in combination with specific hash algorithms using a specific encoding are supported by Acrobat.

            Can you share an example PDF signed using your EC certificate for analysis?

            MikelKlink
            MikelKlink
            Participating Frequently
            March 18, 2026

            Oops, sorry, I read too superficially, you have the problem while signing  in Acrobat and I thought you had issues validating a so signed document.

            Melis23165497yn91
            Melis23165497yn91Author
            Participant
            March 23, 2026

            Hi Mikel,

            Thank you for your follow-up.

            While Adobe Acrobat successfully handles the validation of existing ECC-based signatures, the "Unsupported Algorithm" error occurs specifically at the creation of a new digital signature using a hardware-based PKCS#11 module.

            Could there be a hidden preference or a registry setting required to explicitly enable or troubleshoot hardware-based ECC signing?

            Terms & ConditionsAccessibility statement
            Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices