Participant
September 4, 2020
Question

Digital certificate specs to digitally sign PDFs


I am trying to produce a suitable digital certificate to digitally sign PDF documents.

I already configured a Digicert certificate within Adobe Acrobat DC Pro.

To prepare the test PDF to be signed, I choose Prepare Form, then insert the 'Add a Digital Signature' field, then close the form tool. I then proceed to sign the document with the Digicert certificate. The certificate is a Terena Personal CA 3.

 

Looking at the certificate via Adobe Acrobat:

Summary Tab

Intended Purposes: Digital Signature, Encrypt Keys, Client Authentication, Email Protection

Details Tab

Key Usage: Digital Signature, Encrypt Keys.

Revocation Tab

'There were errors encountered while building the certificate chain to a certificate designated as a trusted anchor. Revocation checks were therefore not performed on this certificate. See the message at the bottom of this dialog for an explanation.'

Note: no further info on that tab, and 'Signer details...' and 'Problems encountered...' buttons are greyed out.

Trust Tab:

This certificate is trusted to:

Sign Documents or data

Certify documents

 

After signing and reopening the document, I get a certificate validation error 'Signer's certificate invalid'

Error details are no more than what is shown in the certificate details.

 

Now, this error goes away when the option to trust root certificates in the Windows Certificate Store is enabled, as follows:

Preferences/Signatures/Signature Verification Preferences

Windows Integration/ Trust all root certificates in the Windows Certificate Store for:

- Validating Signatures (off by default - ENABLE)

- Validating Certified Documents

Selecting either of these options may result in arbitrary material being treated as trusted content. Take care before enabling these features.

 

The whole point of adding certificates to the Windows Certificate Store is to make them trusted to the OS. Root CA certificates work this way and certificate updates are provided (Windows Update for Windows, a dedicated package for Ubuntu, etc.) through OS updates to confirm emitted certificates.

Digicert Root CA is already in the Windows Certificate Store. I have however added the Digicert root CA and intermediate certs. Why should I need to configure Acrobat Pro DC to "Trust all root certificates in the Windows Certificate Store for: Validating Signatures" just to have it properly follow the certificate validation chain?

On a side note, a PDF signed with a self-signed certificate created within Adobe Acrobat Pro does not yield signature validation errors and does not need the option above enabled to be recognized as a valid signature on the signer's computer (yes, any receiving end will need to add the signer certificate to his own OS certificate store to properly validate the PDF signature).

 

So my questions are:

- Is there an explanation for the above behaviour? Am I missing something?

- What kind of certificate should I request from commercial certificate providers to implement a reliable digital signature?

My aim is to produce signed PDFs conforming to the eIDAS regulation.

Thank you!

 

 

 

 


ls_rbls
Community Expert
September 4, 2020
  • Why should I need to configure Acrobat Pro DC to "Trust all root certificates in the Windows Certificate Store for: Validating Signatures" just to have it properly follow the certificate validation chain?

 

You shouldn't. Adobe doesn't recommend that.

 

Because Adobe Acrobat does not produce digital certificates (meaning that it is not a certificate issuing authority), you need to update both the "Automatic Adobe Trust List (AATL)" and the "Automatic European Union Trusted Lists (EUTL)" in EDIT > PREFERENCES.

 

If you've missed this step, Acrobat may not work with third-party trust service providers.

 

Are you saying that you still get this error even if you update the Adobe Approved trusted lists?

 

  • My aim is to produce signed PDF conforming to eIDAS regulation.

 

Are you asking about multi-factor authentication?

 

You may need to employ Adobe Sign with your current Acrobat forms workflow. Some features are exclusive to business and enterprise plan subscriptions.

Participant
June 24, 2021

Thanks for answering. Coming back here after a while, hope you still follow this thread.

You shouldn't. Adobe doesn't recommend that.

I get it. The root cert store could hold unverified certificates (self signed for which a private key is on the host, whatever) so Adobe would report verified certificates when they are not.

Your next question is a hint: to sign as a qualified electronic signature, a valid certificate AND 2FA is required.

The question is then: how do I implement qualified electronic signatures in Adobe Acrobat? I expect a market solution providing 2FA, but have no experience there. Can you recommend one, or a way to move forward?

 

ls_rbls
Community Expert
June 28, 2021

If by qualified electronic signatures you're referring to certificate-based digital signatures, see here how it is set up with Adobe Sign: https://helpx.adobe.com/sign/using/digital-signatures.html

 

More info in this thread: https://community.adobe.com/t5/adobe-sign/digital-signatures-using-adobe-sign/td-p/8956868

 

For 2FA using Adobe Sign see here: 

 

 

Additional interesting solutions: