Previously valid signing certificate shows invalid policy constraint in DC 2019

Question

We have previously been able to sign documents with certificates with the following intended usages: Digital Signature, Encrypt Keys, Email Protection, 1.3.6.1.4.1.6449.1.3.5.2

As per Steven.Madwin's response to Document signing requires code signing certificate this should be fine. However as of Acrobat Reader DC 2019 the signature is marked as invalid. The certificate path shows "Invalid policy constraint" for the issuing certificate paths and the signing certificate. The certificate we are using is issued by Sectigo and is AATL approved.

Has Acrobat become fussier about the types of certificates it will accept. If so what needs to be present in the certificate?

Steven_Madwin · Accepted Answer

Hi pingu7931,The Object Identifier (OID, the number in the Certificate Policies edit field) is a representation for a document that lays out all of the requirements of a the Sectigo AATL Policy. If the digital ID that Sectigo issued you met those requirements then they wound have include that specific OID in your Public-key Certificate (PKC), or more specifically, the Certificate Policy extension in your PKC.The missing piece of this picture puzzle is what is listed in your PKC? If you highlight your cert in the tree view on the left of the Certificate Viewer dialog, then select the Details tab, you can scroll the list view and find the Certificate Policy extension. If you click on that entry you will see a Policy OID that is a short-hand for which set of requirements your certificate met when it was issued. If it had matched the OID displayed above then the signature would have been valid.Steve

Steven_Madwin · Answer

Hi pingu7931,This is not a Key Usage/Extended Key Usage issue, but rather a Policy Restriction issue. Sectigo recently added the USERTrust RSA Certification Authority certificate to the Adobe Approved Trust List (AATL) program, and part of the requirements of being an AATL Member is we only trust signer's end-entity certificates if they comply with a specific set of policies. If you select the top most certificate in the tree view on the Certificate Viewer dialog, and then select the Policies tab, you will see the allowable set of policies. To see if your certificate meets one of the allowable policies select your cert from the tree view (the one you redacted), then select the Details tab, and finally, scroll to and select the Certificate Policies extension in the list view on the Details tab.Granted, displaying this as an invalid signature is incorrect as it should show as Unknown because ultimately it is not valid because trust has not been established and the Acrobat should treat this the same as when trusted certificate is not found. Although I'm not sure when, there is a plan to align the two behaviors.Thank you for sharing on the forum so others can benefit.Steve

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded