Hi, I have given an ECDSA cert and its corresponding root CA paths full trust in Adobe Reader DC. However, under usage options, I am still unable to select the cert for signing.
What requirements must a cert meet for it to be able to be selected for signing? Or are ECDSA certs not supported?
The key usage for the cert has digital signature enabled and the cert is in a smart card.
Is this just for you, or are you trying to issue such certificates to many users?
Also, are you using a government form?
It is supported according to this document:
But if you run into configuration issues you may need to do further reading on how to implement them with the Windows Server: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-generate-ECDSA-EC-certs/ta-p/18...
And do further research on the supported encryption algorithms and digest creation compatibility found in the first link that I posted above.
In any case, first you need to verify and test that your smart card reader works and actually has all drivers and middleware updated for your OS version.
Then you need to install your root and intermediate certificates in the appropriate certificate store path for your operating system. Here is a good thorough article: https://www.thesslstore.com/blog/root-certificates-intermediate/
Then you need to register in Acrobat the Identities and Trusted certificates.
To do so, go to Edit --> Preferences --> Signatures. Click on the "More" button found in the "Identities & Trusted Certificates" section.
See more about requirements in this topic: https://community.adobe.com/t5/acrobat/requirements-on-certificates-for-certification/td-p/9037280?p...
Hi, thank you for the reply. I have done the steps as listed above.
The root path and intermediate certs are also installed in the respective cert stores.
The user cert shows up in the "Windows Digital Id" section after I click on Edit -> Preferences -> Identities & Trusted Certificates -> More, but under "Usage Options" I am unable to select this cert for signing.
There is no option to use it for signing whereas the other certs are able to be selected.
It also shows that the cert is trusted. So I am not sure what other steps I am missing.
Are all of the other certificates that you can use for signing ECDSA or just the one that you're having issues with?
I would say that, just to rule out other trusted certificate issues, go to Edit --> Preferences --> "Trust Manager" and update both the "Automatic Adobe Approved Trust Lists (AATL)" and the EUTL below that.
The other certs are non-ECDSA. I have done your suggested steps and it is still showing me the same results. I am starting to think that it could be an issue with the cert itself.
Could be. Maybe the hashing algorithm is the issue. As SHA1 is basically deprecated, I am not sure if Adobe Acrobat actually fully supports SHA2 hashing yet.
I would say to check if you can change the length of the keys for DSA / RSA. Sometimes that has worked for me in other scenarios.
But I am not an expert in this subject, so please take what I just said as a careless assumption. The only thing I can think of is to check if the digest algorithm of this ECDSA certificate needs to be used with PKCS#11-compatible devices and RSA digest methods.
And more about the usage here: https://www.adobe.com/devnet-docs/etk_deprecated/tools/QuickKeys/Acrobat_DigSig_AlgorithmsAll.pdf
You can also refer to the RFC 5758 here: https://tools.ietf.org/html/rfc5758
Please ignore my previous reply; it has nothing to do with troubleshooting the certificate usage.
Please refer to this Adobe Helpx guidance: https://helpx.adobe.com/acrobat/using/digital-ids.html#digital_ids
Delete and create a new trusted Identity with the ECDSA certificate following the steps of the link above.
In the slide below, see what I marked; change the Key Algorithm to something smaller and also assign the usage for both Digital Signatures and Data Encryption:
Hi, thanks for the suggestions, but I am only able to select 1024 or 2048 bit RSA for the key algorithm.
Also I can use the cert to sign office documents fine but unable to use it in Adobe Reader DC and Outlook SMIME.
I forgot to mention to change the default signing format. See slide:
If this doesn't work, have you checked if you can use the certificate from other programs, like a webmail service that requires an email certificate to sign in?
ECDSA certs acceptable to Acrobat must be based on one of a few named curves. What curve is your certificate using?
Here's the Acrobat Digital Signatures Guide to help you answer margueritek's question: https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html
I would say that, if you're able to see more options from the drop-down menu for the "Key Algorithm", to select ECDSA elliptic curve P256 with digest algorithm SHA256.
P384 with digest algo SHA 384.
Did it work?
Unfortunately, nothing seems to work.
Would you mind sharing where you downloaded the root certificates from? Or are you creating self-signing certificates by hand via the command line (or another software tool)?
I would like to check what documentation is available from the actual issuer.
At least it is being recognized in Acrobat, so you must be doing something right on your end; we just have to find out which step was missed.
Hi, the signature algo shows that it is SHA384 ECDSA, but does it matter if my public key parameter shows ECDH_P384 instead of ECDSA_P384?
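Added example, not part of the thread and not Adobe's or the issuer's code: a Python script that reads the three certificate properties raised so far (named curve, signature algorithm, key usage bits) so they can be compared against the vendor's documented requirements. It assumes the third-party `cryptography` package; the function names are hypothetical and the sample certificate is constructed in the script, standing in for a PEM export of the real one.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def describe_signing_cert(pem: bytes) -> dict:
    """Return curve, signature algorithm and key usage bits of a PEM cert."""
    cert = x509.load_pem_x509_certificate(pem)
    pub = cert.public_key()
    sig_hash = cert.signature_hash_algorithm
    info = {
        # Named curve of the subject key (None for RSA and other key types).
        "curve": pub.curve.name if isinstance(pub, ec.EllipticCurvePublicKey) else None,
        # How the issuer signed this cert; ECDSA OIDs are listed in RFC 5758.
        "signature_hash": sig_hash.name if sig_hash else None,
        "signature_oid": cert.signature_algorithm_oid.dotted_string,
    }
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        info["digital_signature"] = ku.digital_signature
        info["non_repudiation"] = ku.content_commitment
        info["key_agreement"] = ku.key_agreement
    except x509.ExtensionNotFound:
        # No KeyUsage extension present: the bits are unspecified, not False.
        info["digital_signature"] = info["non_repudiation"] = info["key_agreement"] = None
    return info


def make_constructed_cert() -> bytes:
    """Constructed self-signed P-384 certificate used as sample input."""
    key = ec.generate_private_key(ec.SECP384R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-signer")])
    start = datetime.datetime(2024, 1, 1)
    usage = x509.KeyUsage(
        digital_signature=True, content_commitment=True, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=30))
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA384()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    for field, value in describe_signing_cert(make_constructed_cert()).items():
        print(f"{field}: {value}")
```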
That is why I was suggesting to delete and recreate this certificate.
The issue seems related to how you installed the intermediate root certificate.
I've been trying to reproduce your issue on my end using the root CAs provided by my operating system. But my problem is different. I am not even able to access or see the certificate stores, both on MS Windows and Acrobat.
The question that I've been trying to answer first, is why you're not able to select the certificate usage.
You may notice, however, that since ECDSA certificates are still kind of new to the Web when compared to RSA-based hashing, the usage may be limited to just signing and maybe one more option in Acrobat and Windows.
I was able to read more about issuing authorities, like BigIP, GeoTrust, Comodo, etc., and they all have different guidance, especially implementing the SSL handshake part.
If you can please tell me where you downloaded and got the root certificates from, I can research exactly what steps the issuing authority recommends.
You may have to configure other things at the operating system level, not just the Adobe Reader part.
Sorry SIX or more spam replies