ArchieS32
Participant
April 11, 2026
Answered

Certificate signing with a custom CNG Key Storage Provider (KSP) for remote signing fails in Protected Mode


I am implementing remote signing through a custom Windows CNG Key Storage Provider (KSP) and testing it in Adobe Acrobat Reader.


Everything seems to work fine as long as “Enable Protected Mode at startup” is disabled:

  • I can “Use a certificate → Digitally Sign”, the certificate is visible and selectable in Acrobat
  • I can preview the signature, click sign and apply the signature
  • The file saves without a problem

As soon as I “Enable Protected Mode at startup”, it seems to work well up until I click sign:

  • I can “Use a certificate → Digitally Sign”, the certificate is visible and selectable in Acrobat
  • I can preview the signature
  • Nothing happens when I click sign; no error message, not anything; just nothing


I understand “Protected Mode” may block some of the components; as far as I can tell, it loads the KSP DLL, calls GetKeyStorageInterface, calls OpenProvider, then stops. No calling of GetProviderProperty, EnumAlgorithms, etc.


Is certificate signing through a third-party custom CNG KSP supported by Acrobat when Protected Mode is enabled? If yes, are there any specific trust, signing, registration, or sandbox compatibility requirements for the provider DLL?

 

    Souvik Sadhu
    Community Manager
    Correct answer
    April 20, 2026

    Hi ​@ArchieS32,

     

    Hope you are doing well. Thanks for writing in!

     

    What you’re seeing is expected: the sandbox allows enumeration (certificate visible) but blocks actual signing operations from non-trusted providers.

     

    This is because the sandbox prevents access to private key material and cryptographic providers that are not explicitly trusted, and thus Acrobat does not surface an error; it simply drops the operation.

     

    This is what you can try:

    Instead of direct KSP usage, integrate via Windows CryptoAPI (CSP/KSP via standard providers) by ensuring that your provider behaves like a Microsoft-compatible KSP. It may fail if not sandbox-compliant.

     

    OR,

    Use Adobe Cloud Signature Consortium (CSC) APIs or Adobe’s External Signing workflow.

    They are fully supported in Protected Mode, and are designed for remote signing, HSM-backed keys, and network-based providers.

    More reference here: Cloud signature providers

     

    Hope this gives some clarity.

     

    Regards,

    Souvik