Error 2148073513 When Attempting To Digitally Sign In Acrobat 11 Standard

Hi Steve,

The only other software involved is Entrust Security Provider 9.2 http://www.entrust.com/entelligence/security_provider/ which allows us to sync the certificates from the certificate authority to the local Windows store.  Once the certificate is in the Windows store, it can be used by Acrobat just like any other digital ID.  Again I have no issue with this exact configuration using the same certificate if I install Acrobat 9 instead of 11.

I came across a similar thread from December that did not appear to be resolved: http://forums.adobe.com/message/4876252#4876252

Thanks

Josh

Hi Josh,

Just to make sure that the Entrust software isn't involved in the signing operation:

• Select the Edit > Preferences menu item
• Select Signatures from the Categories list box
• Click the top More button in the Creation and Appearance group box

What I'm curious about is what it selected for the Default Signing Method, that is, does it look like this:

Thanks,

Steve

Hi Steve,

Acrobat 11 is configured for Adobe Default Security exactly as shown in your screen capture.

Thanks

Josh

Hi Josh,

The error message comes from Windows (not Acrobat), but Acrobat 11 is probably asking Windows to do something that it can't. What it is I don't know because the error message is too vague. One thing we can do is to take Windows out of the picture and see if you can sign when Acrobat accesses the digital ID itself as opposed to asking Windows to do the work. This is a two step process, first, export the digital ID from Windows into a file, and then import the file into Acrobat (it's not really an import, but I'll leave it at that for now).

Step 1 - Export the Digital ID

• Launch Acrobat
• Select the Edit > Preferences menu item
• Select Internet from the Categories list box
• Click the Internet Settings button
• Select the Content tab on the Internet Properties dialog
• Click the Certificates button
• Highlight your digital ID and then click the Export button
• Click the Next button on the Welcome panel of the Certificate Export Wizard
• Select the Yes, export the private key radio button, and then click the Next button. If this radio button is disabled you can stop here and let me know that the private key is not exportable
• Select the Include all certificates in the certification path if possible checkbox & the Export all extended properties checkbox and then click the Next button. Only select the top and bottom checkboxes, DO NOT delete the private key!
• Create passwords for the file and then click the Next button. You will need this password to sign with so make sure it is something you can remember.
• Pick a file name and location. Browse for a location you can remember as you will need to know where you put the file in order to use it to sign with. Click the Next button.
• Click the Finish button
• Click the OK button on the confirmation dialog
• Click the Close button on the Certificates dialog
• Click the OK button on the Internet Properties dialog

Step 2 - Add the file to Acrobat

• Select Signatures from the Categories list box
• Click the More button in the Identities & Trusted Certificates group box
• Click the Add ID toolbar button
• Click the Next button
• Click the Browse button
• Navigate to and select the file you exported above and then click the Open button
• Enter the password you used above and then click the Next button
• Click the Finish button
• You will see two items in the list box with the same name. Highlight the one whose Storage Mechanism is "Digital ID File"
• Click the Usage Options toolbar button and then select Use for Signing
• Close the Digital ID and Trusted Certificate Settings
• Click the OK button on the Preferences dialog

The next test is to see if you can sign a file. Please let me know if it works or not.

Thanks,

Steve

Steve,

Unfortunately the private key is not exportable.  The option is grayed out.  Let me know if there is something else we can try.

You had said that "Acrobat 11 is probably asking Windows to do something that it can't."  So I assume that Acrobat 9 does not operate in the same fashion otherwise this same certificate and signing operation should fail in both 9 and 11 correct? 

Thanks

Josh

Steve,

Any update on this issue?  Is there any way we can get formal support on this?  We're a Federal gov't organization and signature capability is very important to our workflow here.

Thanks

Josh

Hi Josh,

For years Microsoft used a system called CAPI (cryptographic application program interface) to handle all of their cryptographic operations. CAPI complient applications such as Acrobat were able to leverage the work Microsoft did and only needed to make an opertaion reques to CAPI and CAPI will do the cryptographic work amd return the encrypted data. The private key that is loaded into the Windows Certificate Store (which is really the UI front to CAPI) is only accessible to CAPI. If Acrobat want to use the key to sign the file it asks CAPI to do the work and thus Acrobat never gets it's hands on the actual private key.

Begining with Windows 7 Microsoft introduced a new feature called CNG (crytographic next generation) that sits on top of (metophorically speaking) CAPI. In an abstract way you could think of this as how DOS lived underneath Windows 95. The reason that CAPI is still there in Windows 7 is because older applications (of which you could lump Acrobat versions 7 through 10) were never built to take advantage of CNG so Microsoft left CAPI in place for backwards compatibility. Acrobat 11 however does make CNG calls and whatever it is requesting Microsoft CNG to do is being rejected by CNG, but it used to work with CAPI. It's not so much that older versions of Acrobat were capable of doing an operation that Acrobat 11 fails at, but rather Microsoft CAPI was capable of doing an operation that CNG balks at.

That said (and believe me when I say I realize no customer wants to hear that it's not Acrobat's fault when all they did was upgrade to a new version of Acrobat), what we need to figure out is what is it about the Entrust generated certificate that CNG doesn't like. Just like in the other forum post you linked to that had a similar problem, the issue only occurs when the signer's certificate comes from a particular source, in your case the Entrust Security Provider. My guess is there is something about this certificate that has been black listed by CNG.

What I'd like to do is get a look at the Entrust generated certificate. One thing would be if you have a file that was signed using CAPI that you could share I could look at that. If all your files are propriatary another thing to do is to export the public key. In the steps I wrote out above, where you get to the spot where the export private key option was greyed out if you continued on exporting just the public key could you send that to me?

Steve

Steve,

Thanks for your reply.  Do you have an email address I can send you a sample doc?

Thanks

Josh

Hi Josh,

Thanks for sending me the file. The problem is the CRL (Certificate Revocation List) expired on Tuesday, ‎February ‎12, ‎2013 12:43:14 PM. Without valid revocation information there is no way for Acrobat to validate the signature, and if it can't validate the signature at signing time then it won't create it.

One thing to try is to turn off require revocation checking:

• Select the Edit > Preferences menu item
• Select Signatures from the Categories list box
• Click the More button in the Verification group box (second from the top)
• Deselect the Require revocation checking to succeed whenever possible checkbox
• Click the OK button on the Signature Verification Preferences dialog
• Click the OK button on the Preferences dialog

Try to sign and see what happens. Please let me know.

Steve

Steve,

I tried disabling Require revocation checking to succeed whenever possible in Acrobat 11 but I still got the same 2148073513 error message when attempting to sign.

I have that same option enabled in Acrobat 9 and it did not prevent me from signing the document using the same certificate.

Thanks

Josh

Hi Josh,

Although I don't yet have the complete picture, I do see the anomaly. I opened the file you sent in version 10 and it validated, but it won't validate in 11. Whatever is causing that problem is related to the signature creation issue. Being able to reproduce a problem is usually our biggest obstacle to coming up with an answer, and now that I can recreate the validation issue we can move forward.

As an aside, even if I put you in touch with tech support, or the SE that works with the government contracts, this issue would still get escalated to me.

I'll let you know what we find.

Steve

Thanks Steve.  Let me know if there is anything else I can do to facilitate the troubleshooting process on your end.

Thanks

Josh

Hi Josh,

I was able to get the signature to validate after I assigned trust to the correct trust anchor, so my initial assessment was not correct. Of course I can’t test signing because I don’t have your signature creation environment setup, but what we can do is try to start afresh.

My plan is to have you export a set of registry keys as a backup and the remove them. Here are the steps:

• Make sure Acrobat is closed
• Click the Start button, type regedit into the Search field, and then press Enter
• Expand the tree view so you see HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0
• Click on (highlight) Security under Acrobat\11.0\
• Right mouse click on Security and then select Export from the pop-up menu
• Select Desktop (or anywhere you are comfortable with and can remember) as the Save in location
• Type Security11 into the File name edit field, and then click the Save button
• Double check that the file is on your Desktop (or selected Save In location)
• Right mouse click on Security (again) and select Delete from the pop-up menu
• Click the Yes button on the Conformation dialog
• Launch Acrobat

Try to sign and let me know what happens.

Steve

Hi Justin,

You're looking under HKEY_LOCAL_MACHINE and you need to start at HKEY_CURRENT_USER

Steve

Are you using Acrobat or Adobe Reader?

Ok, got it. You need to slide down four more keys to "Adobe Acrobat". It's in there that you'll find the 11.0 key.

Steve

Hi Justin,

It didn't work for Josh either. Until we can replicate this in-house I'm out of ideas. Just out of curiosity, are you using any other software for managing your PKI environment?

As an aside, what you see on the page is not the signature proper, but rather a pictorial representation of the actual signature. The signature itself is a blob of hex encoded data written into the PDF file, and unless you were to open the file in a text editor it's not something you would normally see. The signature appearance that you see on the page is created before the actual signature so that the real signature will cover the appearance, and if someone were to try and tamper with the appearance it would invalidate the cryptographic signature.

Steve