noelhenry
Participant
April 20, 2022
Question

Certificate error: Invalid policy constraint - DigiCert SHA2 Assured ID CA


When I sign documents now, with Acrobat DC (22.001.20117), using my DigiCert SHA2 Assured ID CA certificate. This may be working as intended as I look into it, but I want to double-check here.

It looks like my certificate's Policy OID has "2.16.840.1.114412.4.1.2" which, from DigiCert's Certificate Profiles list, appears to be tied to the SMIME validation type. If DigiCert authorized this certificate to be used for Document Signing, I think it would also need the OID codes of "2.16.840.1.114412.3.21" and "2.16.840.1.114412.3.21.2," but, not having another certificate from DigiCert to compare against, I do not know this for certain.

Can anyone here refute or confirm my understanding?

1 reply

noelhenry
Author
Participant
April 20, 2022

Okay, follow-up. It looks like I have a Client Certificate from DigiCert, which has document signing as a feature, but Adobe specifically does not trust Client Certificates enough to allow PDF signature validation.

I'm assuming it's because Document Signing Certificates are issued on FIPS 140-2 compliant hardware that issue 2FA for document signature, whereas Client Certificates do not. This seems a little extreme for most documents, especially where I can literally just sign my name with my mouse and not pay for a certificate tied to my email at all.

Is there no way to set the level of trust required lower for validating signatures on non-legally-binding documents? We're just collecting signatures for document approval and the documents are way too large to use the "request e-signatures" feature.
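
The policy OID comparison from the original question can be done directly on the certificate's certificatePolicies extension (RFC 5280, extension 2.5.29.32). The following is an added example, not part of the thread and not DigiCert or Adobe code. It assumes the extension's DER value has already been extracted; the sample bytes are constructed from the OID quoted in the question, and the "expected" list is only the poster's guess.

```python
# Added example: list policyIdentifier OIDs in a DER certificatePolicies value.
# Standard library only. SAMPLE_EXT is constructed for illustration.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted-decimal text."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:
            continue                        # more base-128 digits follow
        if not arcs:                        # first subidentifier packs two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation (each a SEQUENCE)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)   # policyIdentifier comes first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids

def missing_policies(ext_value, expected):
    found = policy_oids(ext_value)
    return [oid for oid in expected if oid not in found]

# Constructed sample: one policy, the OID quoted in the question.
SAMPLE_EXT = bytes.fromhex("300e300c060a6086480186fd6c040102")
# OIDs the poster guessed a document-signing certificate would carry (unconfirmed).
POST_EXPECTED = ["2.16.840.1.114412.3.21", "2.16.840.1.114412.3.21.2"]
```
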