• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Requirements on using a certificate for signing

New Here ,
Aug 02, 2020 Aug 02, 2020

Copy link to clipboard

Copied

Hi , I have given an ecdsa cert and its corresponding root ca paths full trust in adobe reader dc . However under usage options , i am still unable to select the cert for signing. 

What requirements of a cert is required for it to be able to be selected for signing ? or is ecdsa certs not supported ? 
The key usage for the cert has digital signature enabled and the cert is in a smart card. 

Thank you. 

TOPICS
Create PDFs , General troubleshooting , How to , Security digital signatures and esignatures

Views

3.7K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 02, 2020 Aug 02, 2020

Copy link to clipboard

Copied

Is this is just for you or are you trying to isuue out such certificate to many users?

 

Also, are using a governement form?

 

 

It is supported according to this document: 

https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html

 

But if you run into configuration issues you may need to do further reading on how to implement them with the Windows Server: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-generate-ECDSA-EC-certs/ta-p/18...

 

And do further research on the supported encryption algorithms and digest creation compatibility found in the first link that I posted above.

 

In any case, first you need to verify and test that your smart card reader works and actually has all drivers and middleware updated for your OS version.

 

Then you need to install your root and intermediate certficates in the appropriate certificate store path for your operating system.  Here is a good thorough article: https://www.thesslstore.com/blog/root-certificates-intermediate/

 

Then you need to  register in Acrobat the Identities and Trusted certificates.

 

To do so got to Edit --> Preferences--> Signatures. Click on the "More" button found in the " Identities & Trusted Certificates" section.

 

See more about erquirements in this topic: https://community.adobe.com/t5/acrobat/requirements-on-certificates-for-certification/td-p/9037280?p...

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 02, 2020 Aug 02, 2020

Copy link to clipboard

Copied

Hi Thank you for the reply . I have done the steps as listed above. 
The root path and intermediate certs are also installed in the respective cert stores. 

The user cert shows up in the "Windows Digital Id" section after i click on edit->preferences->Identities & Trusted Certificates->more but under "Usage Options" i am unable to select this cert for signing . 
There is no option to use it for signing whereas the other certs are able to be selected. 

It also shows that the cert is trusted . So i am not sure what other steps am I missing .  

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Are all of the other certificates that you can use for signing ECDSA or just the one that you're having issues with?

 

I would say , that just to rule out other trusted certificate issues, go to Edit --->> Preferences--->> "Trust Manager" and update both the "Automatic Adobe Approved Trust Lists(AATL) and the EUTL below that.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

The other certs are non ECDSA, I have done your suggested steps and it is still showing me the same results . I am starting to think that it could be an issue with the cert itself. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Could be. Maybe the hashing algorythm is the issue. As SHA1 is basically deprecated I am not sure if Adobe  Acrobat actually fully support SHA2 hashing yet. 

 

I would say to check if you can change the length of a the keys for   DSA / RSA. Sometimes that hasve worked me in other scenarios.

 

But I am not an expert in this subject, so please take what I just said as a careless assumption. The only thing I can think of is to check if the digest algorythm of this ECSDA certificate needs to be used with PKCS#11-compatible devices and  RSA digest methods.

 

See here: https://www.adobe.com/devnet-docs/etk_deprecated/tools/QuickKeys/Acrobat_DocumentSecurityAlgoAll.pdf

 

And more about the usage here: https://www.adobe.com/devnet-docs/etk_deprecated/tools/QuickKeys/Acrobat_DigSig_AlgorithmsAll.pdf

 

You can also refer to the RFC 5758  here:  https://tools.ietf.org/html/rfc5758

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Please ignore my previous reply; it has nothing to do with troubleshooting the certificate usage.

 

Please refer to this Adobe Helpx guidance: https://helpx.adobe.com/acrobat/using/digital-ids.html#digital_ids

 

Delete an create a new trusted Identity with the ECSDA certificate following the steps of the link above.

 

In the slide below, see what I marked; change the Key Algorithm to something smaller and also assign the usage for both Digital Signatures and Data Encryption:

 

ecsdacerts.png

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Hi , thanks for the suggestions but I am only able to select 1024 or 2048 bit RSA for the key algorithm. 

Also I can use the cert to sign office documents fine but unable to use it in Adobe Reader DC and Outlook SMIME. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

I forgot to mention to change the default signing format : See slide:

 

ECSDA CERTS.png

 

If this doesn't work, have you checked if you can use the certificate from other programs, like a webmail service that requires email certificate to sign in?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

ECDSA certs acceptable to Acrobat must be based on one of a few named curves. What curve is your certificate using?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Here's the Acrobat Digital Signatures Guide to help you answer margueritek's question: https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html

 

I would say that, if you're able to see more options from the drop down menu for the "Key Algorithm",  to select ECDSA elliptic curve P256 with digest algorithm SHA256 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

P384 with digest algo SHA 384. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Did it worked?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Unfortunately , nothing seems to work.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 03, 2020 Aug 03, 2020

Copy link to clipboard

Copied

Would you mind sharing where did you downloaded  the root certificates from ? or are you are you creating self-signing certificates by hand via command line (or another software tool)?

 

I would like to check what documentation is available from the actual issuer. 

 

At least is being recognized in Acrobat so you must be doing something right on your end; we just have to find out which step was missed.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Aug 04, 2020 Aug 04, 2020

Copy link to clipboard

Copied

Hi , The signature algo shows that it is Sha384 ECDSA but does it matter if my public key parameter shows ECDH_P384 instead of ECDSA_P384 ? 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 04, 2020 Aug 04, 2020

Copy link to clipboard

Copied

That is why I was suggesting to delete and recreate this certificate.

 

The issue seems related to how you installed the intermediate root certificate.

 

I've been trying to reproduce your issue on my end using the root CA's provided by my operating system. But my problem is different. I am not even able to access or see the certificate stores. Both on Ms Windows and Acrobat.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 04, 2020 Aug 04, 2020

Copy link to clipboard

Copied

The question that I've been trying to answer first, is why you're not able to select the certificate usage.

 

You may notice, however, that since  ECDSA certificates is still kind of new to the Web when compared to RSA  based hashing, , the usage may be limited to just tosigning and maybe one more option in Acrobat and Windows.

 

I was able to read more about issuing authorities, like BigIP, GeoTrust, Comodo, etc  and they all have different guidance, specuially implementin the SSL handshake part.

 

If you can please tell me where you downloaded and  get the root  certificates from I can research exactly what steps the issuing authority recommends.

 

You may have to configure other things at the operatung system level, not just the Adobe Reader part.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jan 24, 2022 Jan 24, 2022

Copy link to clipboard

Copied

I was happy when i make my wedsite see like abobe and you can look at it from this North Co

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 09, 2022 Feb 09, 2022

Copy link to clipboard

Copied

You Can See the benefit of adobe on my website فني ستلايت

Arabic TV is a rapidly growing industry. The number of Arabic satellite channels has increased from 10 to over 400 in the last decade.

Arabic TV has been around for decades but it was not until the 1990s that it began to grow in popularity.
The future of Arabic TV is shining bright with new channels and new shows popping up every day.
إذا كنت تبحث عن خدمة موثوقة يمكن أن تساعدك في حل مشاكل التكنولوجيا الخاصة بك ، فلا تبحث سوى عن فني تلفاز عبر الأقمار الصناعية.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 10, 2022 Feb 10, 2022

Copy link to clipboard

Copied

My Website is very good because i used adobe productes in it you can visit it شقق للبيع

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 21, 2022 Mar 21, 2022

Copy link to clipboard

Copied

Jag använder gärna denna Adobe-produkt på min taxi kurir-webbplats

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 13, 2024 Feb 13, 2024

Copy link to clipboard

Copied

LATEST

You May Wrong with link. The Right link is here: taxi kurir

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 29, 2022 Mar 29, 2022

Copy link to clipboard

Copied

im using this certificate for signing in my website to learn english, my web site is read english 1

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Apr 23, 2022 Apr 23, 2022

Copy link to clipboard

Copied

Sorry SIX or more spam replies 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines