Copy link to clipboard
Copied
I'm attempting to use Acrobat 11 Standard to digitally sign a PDF document with a 2048 bit certificate from our internal certificate authority, and I'm receiving the following error:
Error encountered while signing:
The Windows Cryptographic Service Provider reported an error:
The requested operation is not supported.
Error Code: 2148073513
The operating system is Windows 7 Enterprise x64. When I remove Acrobat 11 Standard and install Acrobat 9 Standard on the same Windows 7 system, I am able to successfully sign the document using the same certificate that was giving the error with 11. Also we have been using Acrobat 9 on Windows XP with these same certificates for a long time and never encountered issues with digitally signing.
Any ideas of what might be causing this issue?
Thanks in advance
Josh
Hi all,
We have released a patch today that fixes the Digital Certificates issue that was recently introduced. If you are not already updated to the latest patch, simply open Acrobat and visit Help > Check for updates to apply this patch.
More details about this release and bug fixes is available here: https://helpx.adobe.com/acrobat/release-note/acrobat-dc-june-02-2016.html
Please give it a try and let us know.
Thanks,
-ashu
Copy link to clipboard
Copied
Hi Josh,
Just out of curiosity, is there any other software involved here besides Acrobat 11 and Windows 7? That is, is there a smart card in use or some kind of third party signature handler, or is it just Acrobat using a digital ID in either a file or maybe loaded into Windows?
Thanks,
Steve
Copy link to clipboard
Copied
Hi Steve,
The only other software involved is Entrust Security Provider 9.2 http://www.entrust.com/entelligence/security_provider/ which allows us to sync the certificates from the certificate authority to the local Windows store. Once the certificate is in the Windows store, it can be used by Acrobat just like any other digital ID. Again I have no issue with this exact configuration using the same certificate if I install Acrobat 9 instead of 11.
I came across a similar thread from December that did not appear to be resolved: http://forums.adobe.com/message/4876252#4876252
Thanks
Josh
Copy link to clipboard
Copied
I have this same issue, same operating system and software setup. Really frustrated. I bought the Acorbat XI PRO upgrade on 2/15/13.
Copy link to clipboard
Copied
Hi Josh,
Just to make sure that the Entrust software isn't involved in the signing operation:
What I'm curious about is what it selected for the Default Signing Method, that is, does it look like this:
Thanks,
Steve
Copy link to clipboard
Copied
Hi Steve,
Acrobat 11 is configured for Adobe Default Security exactly as shown in your screen capture.
Thanks
Josh
Copy link to clipboard
Copied
Hi Josh,
The error message comes from Windows (not Acrobat), but Acrobat 11 is probably asking Windows to do something that it can't. What it is I don't know because the error message is too vague. One thing we can do is to take Windows out of the picture and see if you can sign when Acrobat accesses the digital ID itself as opposed to asking Windows to do the work. This is a two step process, first, export the digital ID from Windows into a file, and then import the file into Acrobat (it's not really an import, but I'll leave it at that for now).
Step 1 - Export the Digital ID
Step 2 - Add the file to Acrobat
The next test is to see if you can sign a file. Please let me know if it works or not.
Thanks,
Steve
Copy link to clipboard
Copied
Steve,
Unfortunately the private key is not exportable. The option is grayed out. Let me know if there is something else we can try.
You had said that "Acrobat 11 is probably asking Windows to do something that it can't." So I assume that Acrobat 9 does not operate in the same fashion otherwise this same certificate and signing operation should fail in both 9 and 11 correct?
Thanks
Josh
Copy link to clipboard
Copied
Steve,
Any update on this issue? Is there any way we can get formal support on this? We're a Federal gov't organization and signature capability is very important to our workflow here.
Thanks
Josh
Copy link to clipboard
Copied
Hi Josh,
For years Microsoft used a system called CAPI (cryptographic application program interface) to handle all of their cryptographic operations. CAPI complient applications such as Acrobat were able to leverage the work Microsoft did and only needed to make an opertaion reques to CAPI and CAPI will do the cryptographic work amd return the encrypted data. The private key that is loaded into the Windows Certificate Store (which is really the UI front to CAPI) is only accessible to CAPI. If Acrobat want to use the key to sign the file it asks CAPI to do the work and thus Acrobat never gets it's hands on the actual private key.
Begining with Windows 7 Microsoft introduced a new feature called CNG (crytographic next generation) that sits on top of (metophorically speaking) CAPI. In an abstract way you could think of this as how DOS lived underneath Windows 95. The reason that CAPI is still there in Windows 7 is because older applications (of which you could lump Acrobat versions 7 through 10) were never built to take advantage of CNG so Microsoft left CAPI in place for backwards compatibility. Acrobat 11 however does make CNG calls and whatever it is requesting Microsoft CNG to do is being rejected by CNG, but it used to work with CAPI. It's not so much that older versions of Acrobat were capable of doing an operation that Acrobat 11 fails at, but rather Microsoft CAPI was capable of doing an operation that CNG balks at.
That said (and believe me when I say I realize no customer wants to hear that it's not Acrobat's fault when all they did was upgrade to a new version of Acrobat), what we need to figure out is what is it about the Entrust generated certificate that CNG doesn't like. Just like in the other forum post you linked to that had a similar problem, the issue only occurs when the signer's certificate comes from a particular source, in your case the Entrust Security Provider. My guess is there is something about this certificate that has been black listed by CNG.
What I'd like to do is get a look at the Entrust generated certificate. One thing would be if you have a file that was signed using CAPI that you could share I could look at that. If all your files are propriatary another thing to do is to export the public key. In the steps I wrote out above, where you get to the spot where the export private key option was greyed out if you continued on exporting just the public key could you send that to me?
Steve
Copy link to clipboard
Copied
Steve,
Thanks for your reply. Do you have an email address I can send you a sample doc?
Thanks
Josh
Copy link to clipboard
Copied
Hi Josh,
Thanks for sending me the file. The problem is the CRL (Certificate Revocation List) expired on Tuesday, February 12, 2013 12:43:14 PM. Without valid revocation information there is no way for Acrobat to validate the signature, and if it can't validate the signature at signing time then it won't create it.
One thing to try is to turn off require revocation checking:
Try to sign and see what happens. Please let me know.
Steve
Copy link to clipboard
Copied
Steve,
I tried disabling Require revocation checking to succeed whenever possible in Acrobat 11 but I still got the same 2148073513 error message when attempting to sign.
I have that same option enabled in Acrobat 9 and it did not prevent me from signing the document using the same certificate.
Thanks
Josh
Copy link to clipboard
Copied
Hi Josh,
Although I don't yet have the complete picture, I do see the anomaly. I opened the file you sent in version 10 and it validated, but it won't validate in 11. Whatever is causing that problem is related to the signature creation issue. Being able to reproduce a problem is usually our biggest obstacle to coming up with an answer, and now that I can recreate the validation issue we can move forward.
As an aside, even if I put you in touch with tech support, or the SE that works with the government contracts, this issue would still get escalated to me.
I'll let you know what we find.
Steve
Copy link to clipboard
Copied
Thanks Steve. Let me know if there is anything else I can do to facilitate the troubleshooting process on your end.
Thanks
Josh
Copy link to clipboard
Copied
I have been following this thread closely, albeit from a distance. Thanks for the time and effort you have both put into this. Hopefully we'll get a resolution soon.
Thanks,
Justin Bray
Copy link to clipboard
Copied
Hi Josh,
I was able to get the signature to validate after I assigned trust to the correct trust anchor, so my initial assessment was not correct. Of course I can’t test signing because I don’t have your signature creation environment setup, but what we can do is try to start afresh.
My plan is to have you export a set of registry keys as a backup and the remove them. Here are the steps:
Try to sign and let me know what happens.
Steve
Copy link to clipboard
Copied
Steve:
When I try this, my tree (step 3 above) stops at Acrobat 9.0. I'm sure that I have the Acobrat 11 program, thoughts/suggestions? I can get to Adobe 11 in: HKEY_LOCAL_MACHINE\Software\Adobe\Adobe Acrobat\11.0; however, there is no Security option.
Thanks,
Justin
Copy link to clipboard
Copied
Hi Justin,
You're looking under HKEY_LOCAL_MACHINE and you need to start at HKEY_CURRENT_USER
Steve
Copy link to clipboard
Copied
I'm sorry Steve, I didn't clearly state that I don't seem to have an 11.0 file as you directed in HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0. See attached screen shot. For what its worth, I was able to successful sign a Word document using Entrust.
Copy link to clipboard
Copied
Are you using Acrobat or Adobe Reader?
Copy link to clipboard
Copied
I'm using Acrobat 11 Pro. I just (last week) upgraded from Acrobat 10 pro. I never had any issues with 10.
Copy link to clipboard
Copied
Ok, got it. You need to slide down four more keys to "Adobe Acrobat". It's in there that you'll find the 11.0 key.
Steve
Copy link to clipboard
Copied
I was able to export/delete/launch the security file as you direct Josh, however, I recieved the same error (pic1). I clicked "ok" then closed out my document. When it asked if I wanted to save changes I clicked "no". Acrobat closed down. I saw the file that I was use to test with appeared to be saved so I opened it and my signature was on the document. When I attempted to validate the signature I received a "BER decoding error..." (pic 2).
Pic 1:
Pic 2:
Copy link to clipboard
Copied
Hi Justin,
It didn't work for Josh either. Until we can replicate this in-house I'm out of ideas. Just out of curiosity, are you using any other software for managing your PKI environment?
As an aside, what you see on the page is not the signature proper, but rather a pictorial representation of the actual signature. The signature itself is a blob of hex encoded data written into the PDF file, and unless you were to open the file in a text editor it's not something you would normally see. The signature appearance that you see on the page is created before the actual signature so that the real signature will cover the appearance, and if someone were to try and tamper with the appearance it would invalidate the cryptographic signature.
Steve