Acrobat DC Signature with Smartcard - Alogrithm

Addition: I have the latest Acrobat 2020 version (20.005.30436) on Windows 10 Pro (22H2), Build 19045.2486.

Signing PDF files with SecSigner (so without and outside of Adobe Acrobat) worked fine and the signatures can be successfully validated.

Nope, i did not find any solution. I am using a different software now to sign the pdfs.

I am also using SecSigner.

Thanks for your response, very much appreciated! It's quite a pitty - I tried all sorts of alternatives https://www.telesec.de/de/service/downloads/produkte-und-loesungen/#downloads-public-key-service-102 here, but after spending several hours on it today, I am about to give up, too. 😕 Related threads like https://community.adobe.com/t5/acrobat-reader-discussions/adobe-acrobat-reader-dc-pkcs-11-ecc-unsupp... and https://community.adobe.com/t5/acrobat-discussions/pdf-signing-error-your-signature-device-does-not-... don't have solutions either.

I used the latest Telesec libraries version 1.9.2.0, of course. My chipcard device is ReinerSCT secoder with the latest firmware. To cross-check whether my laptop may also be part of the problerm, I tested a brand-new laptop. The same error message (nicht unterstützter Algorithmus) also pops up on this new laptop, so it seems to me like a structural issue.

Hi Max,

I was able to successfully sign with a Telesec ECC smartcard in Adobe Reader. My approach does not use the PKCS#11 driver. Instead I installed the " Read Only Cardmodul zur "Signature Card 2.0" - Mit ECC-Unterstützung " (Service -> Downloads -> Produkte & Lösungen -> TCOS Cardmodul zum Microsoft® Smartcard BaseCSP). This loads the smart card certificates into the Microsoft certificate store.

After importing the certificate chain http://tqrca1.pki.telesec.de/crt/TeleSec_PKS_eIDAS_QES_CA_5.crt and http://tqrca1.pki.telesec.de/crt/TeleSec_qualified_Root_CA_1.crt into Windows, I was able to sign with the card using Adobe.

Hi Thomas,

thanks a lot, awesome! Indeed, after installing the "Read Only Cardmodul" and importing the certificates you mentioned (Hint for others: I had to choose explicitly to import the certificates into the "trustworthy root certificate store", the default settings during the import process are different!), the certificate shows up in the Windows Certificate Store.

When I then try to use it in Acrobat, I can select the certificate, but there now seems to be another connection error when the software tries to address the smartcard (see screenshot attached). The same error message is discussed on DATEV smartcard product page, but the only advice given is "remove and reinsert your card" which didn't help in my case. Did you maybe also came across this error message? Thanks in advance!

Das freut mich für dich - da ich aber MacOS nutze und es die SW/Treiber leider nicht für MacOS gibt, habe ich für mich noch keine Lösung gefunden...

For Adobe Acrobat on a Mac I receive exactly the same error message when trying to use an ECC smart card to sign documents with qualified electronic signatures following the EU eIDAS standard (here a TeleSec smart card).

Any news here?

Card: TeleSec PKS eIDAS QES CA 5
Card signature algorithm: SHA256 ECDSA

Adobe Acrobat: 2025.001.20476 (current)

PKCS#11 module: libpkcs11tcos_SigG_PCSC.dylib from https://www.telesec.de/de/service/downloads/produkte-und-loesungen (from either "PKCS#11 SDK" (TCOS 3.0 PKCS#11 SigG 1.19.0.0) or "TCOS Securetoken Treiber für MacOS" (TCOS 3.0 PKCS#11 SigG 1.18.1.0))

Reader: REINER SCT cyberJack one

Apple Mac
OS: macOS 15.5 (current)
Architecture: arm64
Processor: Apple M1

Output from commands "pkcs11-tool" (brew package: pkcs11-helper), "pcsctest", and "system_profiler SPSmartCardsDataType" is as expected:

$ pkcs11-tool --module /Library/TeleSec/libpkcs11tcos_PCSC_1-19-0_macOS_x86x64_arm64.dylib/libpkcs11tcos_SigG_PCSC.dylib -M
Using slot 0 with a present token (0x1000)
Supported mechanisms:
SHA-1, keySize={256,256}, digest
SHA256, keySize={256,256}, digest
SHA384, keySize={256,256}, digest
SHA512, keySize={256,256}, digest
RIPEMD160, keySize={256,256}, digest
ECDSA, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA1, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA256, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDH1-DERIVE, keySize={256,256}, hw, derive, EC F_P, EC OID, EC uncompressed

$ pkcs11-tool --module /Library/TeleSec/libpkcs11tcos_PCSC_1-19-0_macOS_x86x64_arm64.dylib/libpkcs11tcos_SigG_PCSC.dylib -O
Using slot 0 with a present token (0x1000)
Public Key Object; EC EC_POINT 256 bits
[…]
label: Public eSign Signature Key ECC
[…]
Certificate Object; type = X.509 cert
label: ECC eSign Signature Certificate
[…]

$ pcsctest

MUSCLE PC/SC Lite Test Program

[…]
Testing SCardListReaders : Command successful.
Reader 01: REINER SCT cyberJack one
[…]
PC/SC Test Completed Successfully !

[Update] Signing a file manually using shell commands works:

$ pkcs11-tool --module /Library/PKCS11/lib/telesec-1.19.0.dylib --sign --id ffffffffffffffffffffffffffffffffffffffff -m ECDSA-SHA256 --signature-format openssl -i test.txt -o test.txt.sig
Using slot 0 with a present token (0x1000)
Using signature algorithm ECDSA-SHA256
$ openssl x509 -in cert.cer -pubkey -noout > pubkey.pem
$ openssl dgst -sha256 -verify pubkey.pem -signature test.txt.sig test.txt
Verified OK
$ openssl verify -CAfile TeleSec_qualified_Root_CA_1.crt -untrusted TeleSec_PKS_eIDAS_QES_CA_5.crt cert.cer
cert.cer: OK

[Second update] Using a different smart card reader, behavior is fully identical.

Same error message with Adobe Acrobat, but signing a file manually using shell commands works.

So obviously the problem has nothing to do with the smart card reader or its device driver,

but either with Adobe Acrobat (Mac), the TeleSec smart card (or its PKCS#11 module), or the interplay between Adobe Acrobat (Mac) and the TeleSec smart card (or its PKCS#11 module).

As reports above indicate that the combination Adobe Acrobat (Windows) + TeleSec smart card works with a particular Windows smart card module Read Only Cardmodul zur "Signature Card 2.0" - Mit ECC-Unterstützung provided by TeleSec, most likely a corresponding Mac module/library to be provided by TeleSec is missing.

I am sorry to read that the whole process - still - doesn't seem to work out of the box! I am not using MAC, so I can't help, but maybe it's worthwhile to approach the Telesec support which was quite responsive in 2023 when I explored the problem. I pulled up the email from my archieve - I used the email address: Telesec_Support@telekom.de - good luck!

Hi @wolfgang_0508,



Thanks for the detailed report and testing — your findings are very insightful. And sorry for the troubled experience.

Based on everything you’ve confirmed (including the successful command-line signing), this issue most likely originates from how Acrobat for Mac integrates with external PKCS#11 modules for ECC smart cards.

Here’s what we suggest:

1. Double-check that the PKCS#11 module is added in Acrobat under:

   • Preferences > Signatures > More… > Digital IDs > Add ID > PKCS#11 Modules and Tokens

   • Select your module .dylib file manually.

    

2. Ensure that your certificate appears and is trusted in Acrobat. If not, manually import and trust the root/intermediate CA in the Trust Manager.

3. Note that full support for ECC-based smart card signing on macOS is still evolving. Unlike Windows, Acrobat on macOS does not always fully support 3rd-party ECC modules out of the box.

4. We recommend contacting TeleSec support to confirm whether they provide a read-only or Acrobat-certified PKCS#11 module for macOS that supports eIDAS QES and Apple Silicon compatibility.

5. If you’re open to sharing logs, you can enable verbose logging via Help > Troubleshooting > Enable Verbose Logging, reproduce the issue, and check logs in ~/Library/Logs/Adobe/Acrobat.

Let us know what you find.

As a result of the smartcard errors on my primary laptop, I also tested a second new laptop. After installing the module suggested by Thomas above, the device manager shows a new category "Smartcard" and lists the Telesec smartcard. My primary laptop doesn't even show this new Smartcard category.

@Thomas28220369yjvb : Do you enter the PIN using the card reader or a Windows PIN prompt? On my second new laptop, I get a Windows Security PIN prompt which I can successfully use to add a digital signature to a document using Acrobat. However, I would prefer to use the external card reader to enter the PIN for security reasons, but I haven't found a way to do this.

@maxmichels: Sorry to hear that you're using MacOS and that the solution doesn't help you.

I am not familar with details of the architecture of Microsoft Base CSP. It uses the card modules to connect to the smartcard. I experienced the same issue once I unintentionally installed multiple card modules. Another software I used to access my smart card also installed its own card module. You can look in the registry for sub keys of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" if there are multiple card modules present. Each card modules creates a sub key for each type of smart card it supports. The Telesec card module creates the sub key named "T-TeleSec TCOS 3 Signature Card".

I dont know any possibilities to debug the Microsoft Base CSP or its card modules to find out the cause of any malfunction nor a way to clean up the installed card modules. It seems not to work to simply delete the not used sub keys of the mentioned registry key.

I never tried to use the Telesec card module using a smart card reader with PIN pad.

For anyone who may be interested in this in the future, I finally found a workaround. Telesec support pointed to the support of ReinerSCT. ReinerSCT swifted responded and explained that PIN pad is controlled by the software initiating the signature process. Having reached out to Intarsys (the producer of the Telesec cards), the support just wanted to sell licenses for their software instead of resolving the problem. In fact, even their commercial software wasn't able to add a signature to PDF signature fields. Finally, I discovered that the the product "digiseal office" is able to add a digital signature to PDF signature fields. So I purchased this software and have a (solid) workaround.