PDF sign

Question

HiI have signed a pdf file using a certificate installed in the windows. I am sure the certificate is valid because I have used it to sign XML files.  After signing the pdf (using SecureBlackBox from NSoftware) and trying to open the pdf using Acrobat  Reader the problem with signature appears. If I move the certificate to "Trusted" area (using Reader to so so) the signature become valid. In other words, in my computer the pdf seems OK but when I send it to another user it become invalid. I have contacted NSoftware that told me the process of signing is correct and it seems the Adobe Reader does not "like" the certficate. Is there something I can to to solve this problem ? You can contact me at eduardo@hpro.com.br and the pdf signed is attached.

MikelKlink · Answer

If you open the signature properties and look at the signer certificate in the certificate viewer, you'll see this:

In particular you can read here that The selected certificate has errors: Invalid policy constraint.

This means that the trust anchor in your certificate chain has been added to the AATL (Adobe Approved Trust List) with the restriction that only those certificates issued by this certificate authority shall be trusted which contain a certificate policy identifier from a given set of IDs and that your certificate does not contain an identifier from that set.

Specifically in your case the trust anchor is the root certificate of the chain, Autoridade Certificadora Raiz Brasileira v5, for which the certificate viewer shows this on the "Policies" tab:

If one looks it up in detail, one sees that the set of allowed policy identifiers consists of the two ranges 2.16.76.1.2.3.1 through 2.16.76.1.2.3.138 and 2.16.76.1.2.4.1 through 2.16.76.1.2.4.58.

Looking at your certificate, though:

one sees that your certificate has the policy id 2.16.76.1.2.1.96 which is not in the set of trusted identifiers in your CA.

Thus, if you want to sign PDFs with a certificate issued by Autoridade Certificadora Raiz Brasileira v5, you should ask your CA for a certificate with a policy ID from the ranges 2.16.76.1.2.3.1 through 2.16.76.1.2.3.138 and 2.16.76.1.2.4.1 through 2.16.76.1.2.4.58.

(Beware, those policy identifiers usually have a meaning and imply requirements; e.g. such a policy might imply that the identity of the certificate owner has been thoroughly verified or that the private key is located on a secure signature creation device, e.g. a smart card. You, therefore, may have to go through a specific procedure to get such a certificate, or you may use it only with a smart card.)

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded