I have verified that I can sign on a 10.11.5 mac but when the OS is updated to 10.11.6 with the same Acrobat installation signing fails. The certificates show as valid and are used for login so I know they are valid. Any solutions so far?
Dear CAC and PIV card users on MacOS computers, here’s an update on our progress to solve the issue that many of you are facing when signing in Adobe Acrobat and Reader after updating Mac OSX to version 10.11.6 or 10.12.
I will provide some technical details at the end if you’re interested, but first we have some important news. We have been working closely with Apple and especially with Kenneth Van Alstyne, the developer who manages the Mac OSX port of the open source CACkey driver, to understan
...
I was able to get the Centrify module to load, and can now sign PDFs with my CAC credentials. I noticed that if I accidentally included a leading space I too got the "Could not load" error message. Here is the path I entered:
/usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so
I then followed the remainder of the instructions, choosing my EMAIL CA-31 certificate for signing, and it now works.
I just now tried again and Adobe Acrobat Pro 11.0.17 still says it cannot load the module. The file exists and there was no space before the path. I also tried dragging the file into the dialog and having the path auto-filled that way, but that did not work either. I typed it out by hand, no go.
I don't understand how you got it to work.
To be clear, I tried it with:
/usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so
Which does exist on my system:
ls -l /usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so
-rw-r--r-- 1 root wheel 336028 May 13 16:17 /usr/local/share/centrifydc/lib/pkcs11/tokendPKCS11.so
Frank,
If you have permission, much like sillybaku's instructions earlier for CACKey, you probably need to update the permissions to 755 (+execute for all users) in order to get things working - unless you're running Adobe as root, which would of course be a really bad idea.
Good luck!
Sean
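The checks raised in the posts above (a stray leading space in the pasted path, the file being present, the 755 mode Sean suggests), as an added example that is not part of any poster's message and not an Adobe or Centrify tool. It also flags a module that group or other can write to, because the module is code loaded into the signing application; the function name and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PKCS#11 module path before it is
# entered in Acrobat. Function name and verdict words are assumptions.
check_pkcs11_module() {
    p=$1

    # A leading (or trailing) space in the entered path produced the
    # "Could not load" error described in the thread.
    case $p in
        ' '*|*' ') echo whitespace; return 1 ;;
    esac

    [ -f "$p" ] || { echo missing; return 1; }
    [ -r "$p" ] || { echo unreadable; return 1; }

    # First ten characters of the ls mode string, e.g. "-rw-r--r--".
    mode=$(ls -ld -- "$p" | cut -c1-10)

    # The module runs inside the signing application and handles the PIN,
    # so nobody but the owner should be able to replace it.
    case $mode in
        ?????w????|????????w?) echo writable-by-others; return 1 ;;
    esac

    # Mode suggested in the thread: execute bit for user, group and other.
    case $mode in
        ???x??x??x) echo ok; return 0 ;;
    esac

    echo no-execute-bits
    return 2
}

# Stand-alone use: sh check.sh /path/to/module.so
if [ "$#" -gt 0 ]; then
    check_pkcs11_module "$1"
fi
```

A file with the `-rw-r--r--` mode shown in the `ls -l` output earlier in the thread reports `no-execute-bits`; whether that alone stops the module from loading is something the posters disagree on.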
Hi Sean,
Thank you for the suggestion about changing permissions. I did that and it still does not work for me.
Sorry Frank,
I didn't have to modify the permissions on pkcs11.so, so I don't think that's it. Can you try with Adobe DC or 2015 instead?
I tried with Adobe Reader XI and had the same problem. Thank you for the suggestion.
Hi again Frank,
I just downloaded Adobe Reader XI (11.0.17 after applying updates). I confirm that it does NOT load the pkcs11.so module properly. If you can upgrade to Reader 2015 or DC you will hopefully succeed as I did. Keep us posted...
John
Hi John,
Someone at work has DC and was able to load the PKCS#11 module. However, he still cannot sign documents. But I got a new clue. Apparently his "Federal Bridge CA" cert was invalid. I checked my keychain and I do not even have such a cert in my keychain. Is that needed? Where do I get the valid "Federal Bridge CA" cert to import into my OS X keychain or Adobe Acrobat?
Hi again Frank,
Glad you're getting closer. I got additional confirmation that this solution does NOT work with Acrobat/Reader XI, only with DC/2015. I don't know where the Federal Bridge CA came from, but a quick Google turned up this link, which might help:
I think the way to fix this user's problem, however, is to make that CA always trusted via Keychain Access. Double click the Federal Bridge CA certificate in Keychain Access; open the 'Trust' disclosure triangle near the top; select 'Always Trust' under the topmost 'When using this certificate:' menu item. You'll have to do this using administrator privileges. Hopefully if that CA is fully trusted, the remainder of the process of setting the user's CAC certificate (the one for digital signing) will move forward. Getting there...
John
We tried trusting the "Federal Bridge CA" but it did not work.
Sorry this didn't work for you. In answer to a follow-up question: I don't think this trick works for Centrify Express. I have the FULL version of Centrify, and hence the pkcs11.so module.
Perhaps the reason it didn't work has to do with the version of Acrobat Pro or Reader you're using. I've updated to the Acrobat [Pro/Reader] 2015 (DC; classic track) vs. Acrobat XI. I'm not sure if that's the reason, but it worked for me.
As an aside, I was also able to get CACKey's module to load under macOS 10.12 public beta 3, again with Acrobat 2015.
Hope that helps a little. It would be better if Apple or Adobe just fixed this!
SillyBaKu's solution (Aug 3, 4p) worked for me on Sierra public beta 3. Thanks for posting. (Problem appeared both on my machine and on a family member's running El Capitan.)
Adobe, get on it! Ridiculous to have to do that and many users couldn't manage it.
I don't have a pkcs11 directory under /usr/local/share/centrifydc/lib.
I uninstalled and reinstalled Centrify Express for Mac
(Centrify-Express-For-Smart-Card-5.2.4-mac10.8.dmg)
/usr/local/share/centrifydc/lib was created, but just a bunch of dylibs there, no pkcs11 subdirectory. Where does this come from?
Sillybaku,
Thanks. I tried all the other methods that Adobe said would supposedly work but yours is the only one that works. I do find it weird that on signing I end up using my PIN code two times, which I had never done before.
I do think it sends a wrong message that it took a while for Adobe to admit that the problem is on your end and Apple's. That info should have been pushed to us some way and not also get conflicting solutions that didn't work. This is the first time that I know that an Apple update broke the CAC as far as I know so seems to be some breakdown in the process or communications (or lack of with Apple). It did work so thanks. I do reflect the other views that this needs to be fixed as you can't expect most users to have to go through this table. At least your solution didn't involve going through terminal as some experts said on the Adobe forums!
Thank you, this was the solution for signing. Do you know the process for removing digital signatures?
In my opinion it is not a good idea to remove digital signature from a signed PDF file. However, if you must:
I suggest - try these, and post here whether any of the above helped you to remove digital signature from a signed PDF file.
I am new to Mac. How do I even start verifying permissions?
Hi everyone, I have this same problem. Since we use Centrify, I too cannot use the workaround.
I wanted to add a clue that I see the following error with my cert when I view details: "The selected certificate has errors: Invalid policy constraint" and "Validation Model: Shell".
I tried to add the path for the PKCS#11 module as:
/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS/libccid.dylib
But Adobe Acrobat does not accept it.
I have tried 2 different CAC readers to no avail. The SCM3500 and the HID Omnikey 3121.
Any workaround would be welcome.
Just wanted to add that we're seeing the same issue here. Centrify environment (thankfully not a ton of folks are making use of digital signatures as of yet) but I've tried Adobe Acrobat X, XI and Pro DC on 10.11.6 with zero success on signatures with certificates.
Made a 10.11.5 virtual machine to test it out and, of course, it worked just fine. I'll look into trying some of the other possible solutions (ie: trusting the Federal Bridge CA Certificate in Keychain Access, etc.). Any idea of a potential fix to this on the Adobe side yet? Rolling back just isn't acceptable.
I'd encourage people to report this as a bug here: Feature Request/Bug Report Form
Posting here sometimes will get an issue into Adobe's system, but it's no guarantee, even if Adobe staff respond in the forums.
Has there been any fix issued by Adobe for this? We tried the workarounds suggested within this post but have not had any success.
We are using CACs with 10.11.6. Signing used to work using 10.10, but after upgrading to 10.11.6, unable to sign...
Any new ideas? We are still having this problem and we need to resolve this problem as soon as possible.
No solutions other than what's posted above. Again, that workaround only seems to work with Acrobat Pro/Reader DC and NOT with Pro/Reader XI. I found that it worked with the full version of Centrify, but not with Centrify Express. Finally, yesterday's security update 2016-001 for El Capitan didn't fix it either...
Sorry,
John
I am working with the Acrobat Reader DC and the "solution" above didn't resolve the problem. I need a real solution to this problem.