
ADOBE failure queries OCSP with DNIe and the new ACRAIZDNIE2 hierarchy

New Here, Jul 03, 2018


Hello, the product does not manage to correctly validate signatures made on a PDF with the identification card of Spain (DNIe), since the hierarchy that signs the OCSP response has been modified and, instead of being signed by a subordinate, it is signed by the root itself.

The OCSP response is signed by the following certificate:

This certificate is issued directly by the Root Authority:

https://www.dnie.es/ZIP/ACRAIZ-DNIE2.zip

Why does the PDF indicate "certificate not valid for use"?

There is a test set available to make a valid signature and another with certificate revoked at this link:
https://www.dnie.es/descargas/certificados/Set_Certificados_Pruebas.rar

Thank you very much

Engaged, Jul 03, 2018

The key usage of the OCSP signing certificate is: Digital Signature, Non-Repudiation (c0). The extended key usage is: OCSP Signing (1.3.6.1.5.5.7.3.9). The key usage of the root certificate is: Certificate Signing, Off-line CRL Signing, CRL Signing (06). But there is no extended key usage for OCSP signing in the root certificate.

New Here, Jul 04, 2018

Thanks Margueritek,

but the signature isn't produced by the Root Certificate (CN = AC RAIZ DNIE 2); it is produced by

CN = AV DNIE FNMT, which is signed by the root AC RAIZ DNIE 2

AC RAIZ DNIE 2  (root)

AV DNIE FNMT (OCSP certificate)

Best Regards.
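
As an added example (not part of the thread, and not Acrobat's own validation logic): a small model of the responder-authorization rule in RFC 6960, section 4.2.2.2, applied to the hierarchy described above. The subordinate CA and signer names are placeholders, the premise that signing certificates are issued by a subordinate CA is an assumption of the example, and name comparison stands in for real signature verification.

```python
from dataclasses import dataclass

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning, the EKU quoted in the thread


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                      # subject name of the issuing CA
    eku: frozenset = frozenset()     # extended key usage OIDs


def responder_authorized(target, responder, local_trusted=frozenset()):
    """Apply the three RFC 6960 4.2.2.2 acceptance cases; return (ok, reason)."""
    if responder.subject in local_trusted:
        return True, "locally configured responder for this certificate"
    if responder.subject == target.issuer:
        return True, "response signed by the CA that issued the certificate"
    if OCSP_SIGNING not in responder.eku:
        return False, "responder certificate lacks id-kp-OCSPSigning"
    if responder.issuer != target.issuer:
        return False, (f"responder issued by {responder.issuer!r}, "
                       f"certificate issued by {target.issuer!r}")
    return True, "delegated responder issued by the same CA"


# Constructed model. ROOT and RESPONDER names are from the thread; the
# subordinate CA and signer names are placeholders (assumptions).
ROOT = Cert("AC RAIZ DNIE 2", "AC RAIZ DNIE 2")
RESPONDER = Cert("AV DNIE FNMT", ROOT.subject, frozenset({OCSP_SIGNING}))
SUB_CA = Cert("SUBORDINATE-CA-PLACEHOLDER", ROOT.subject)
SIGNER = Cert("SIGNER-PLACEHOLDER", SUB_CA.subject)


def evaluate():
    """Check the responder against each certificate whose status it might report."""
    return {
        "sub_ca": responder_authorized(SUB_CA, RESPONDER),
        "signer": responder_authorized(SIGNER, RESPONDER),
        "signer_local": responder_authorized(SIGNER, RESPONDER, frozenset({RESPONDER.subject})),
        "root_signs": responder_authorized(SUB_CA, ROOT),
    }


if __name__ == "__main__":
    for case, (ok, reason) in evaluate().items():
        print(f"{case:13} {'OK  ' if ok else 'FAIL'} {reason}")
```

Under this model, a responder issued directly by the root is a valid delegate only for certificates the root itself issued; for anything issued one level down, a validator following the RFC needs the responder to be explicitly trusted in local configuration.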

Engaged, Jul 04, 2018

Unfortunately, error messages from Acrobat are not entirely descriptive. You will need to make a formal bug report, and include a screen shot of the error message with "details" expanded.

Guest, Jan 26, 2019

I have the same problem with the DNIe. A few months ago, Acrobat and the DNIe signed without any problem; Microsoft Word also signs with any problem.
