
Signature is invalid - Invalid Policy Constraint - Certificate from EUTL

New Here, May 13, 2021

Hello,

 

I have a digitally signed document with a qualified certificate from the EUTL - CA named "First certification authority, a.s." or https://www.ica.cz/.

As of today, the signature with this certificate is showing as invalid, with the error "Invalid Policy Constraint".

Version of my Acrobat Reader DC: 2021.001.20155

First, I tried to turn off "load certificates from AATL server" and left only EUTL turned on in preferences; this did nothing, Acrobat is still showing the source of trust obtained from AATL.

 

Second, I found this thread and it seems like in the end nobody solved it. https://community.adobe.com/t5/acrobat/previously-valid-signing-certificate-shows-invalid-policy-con...

 

Since this is a policy constraint error, here I share the policies from the root cert. in the chain.

I also attached the signed file.

Multiple certificates from different persons are returning this error.

[Attached screenshot: policyError.PNG]

Could you give me some advice on how to solve this?

 

Kind regards,

John

TOPICS
Security digital signatures and esignatures


Contributor, May 15, 2021

I have opened your PDF in Acrobat Reader here and got a "Signed and all signatures are valid." I even updated Adobe Reader to the same version 2021.001.20155 and explicitly updated the trust list information.

An interesting difference to your screen shot, though: Here the certificate path is only displayed up to the intermediary qualified CA certificate, not the root CA certificate. This suffices as that intermediary CA certificate already is trusted by the AATL and/or EUTL.

Thus, it looks like this is not a general issue but one specific to your configuration. Have you or has your system administrator changed relevant trust settings in a way that the intermediary CA certificate is not trusted directly anymore but trust requires the root CA certificate?

Indeed, that root CA certificate in the Adobe Reader trust settings is associated with the policy requirements you see in your screen shot, i.e. 0.4.0.2042.1.2 (NCP+), 0.4.0.194112.1.2 (QCP-n-qscd), or 0.4.0.194112.1.3 (QCP-l-qscd). But the end entity certificate in your certificate chain only has the related policy 0.4.0.194112.1.0 (QCP-n). Thus, if trust is based on the root CA, that end entity certificate does not fulfill the associated policy requirements.

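The policy check described in the reply above, as a simplified model (an added example, not code from the thread or from Adobe): validation stops at the first trusted certificate in the path, and the end-entity policies must intersect that anchor's policy list. Only the four policy OIDs come from the thread; the certificate names, the `validate` function and the assumption that the intermediate anchor carries no policy restriction are illustrative.

```python
from dataclasses import dataclass

# Policy OIDs quoted in the thread.
NCP_PLUS = "0.4.0.2042.1.2"
QCP_N = "0.4.0.194112.1.0"
QCP_N_QSCD = "0.4.0.194112.1.2"
QCP_L_QSCD = "0.4.0.194112.1.3"
ROOT_REQUIRED = frozenset({NCP_PLUS, QCP_N_QSCD, QCP_L_QSCD})

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset = frozenset()

def validate(chain, anchors):
    """chain: end entity first, root last.
    anchors: subject -> acceptable policy OIDs (empty set = no restriction).
    Returns (ok, anchor_subject, reason)."""
    end_entity = chain[0]
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return (False, None, "broken chain")
    # Stop at the first issuer that is itself trusted.
    for cert in chain[1:]:
        if cert.subject in anchors:
            required = anchors[cert.subject]
            if required and not (end_entity.policies & required):
                return (False, cert.subject, "Invalid Policy Constraint")
            return (True, cert.subject, "ok")
    return (False, None, "no trust anchor")

# Constructed chain: names are placeholders, not the real certificates.
SIGNER = Cert("signer", "intermediate-qca", frozenset({QCP_N}))
INTERMEDIATE = Cert("intermediate-qca", "root-ca")
ROOT = Cert("root-ca", "root-ca")
CHAIN = [SIGNER, INTERMEDIATE, ROOT]

# Assumption: the intermediate anchor has no policy restriction attached.
TRUST_INTERMEDIATE = {"intermediate-qca": frozenset(), "root-ca": ROOT_REQUIRED}
TRUST_ROOT_ONLY = {"root-ca": ROOT_REQUIRED}

if __name__ == "__main__":
    print(validate(CHAIN, TRUST_INTERMEDIATE))
    print(validate(CHAIN, TRUST_ROOT_ONLY))
```

The same QCP-n signer certificate passes when the intermediate CA is a trust anchor and fails when trust exists only at the root with its policy list.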
New Here, Jun 10, 2021 (marked as correct answer)

I've solved it.

The problem was in addressbook.acrodata.

I've deleted the whole directory "%appdata%\Adobe\Acrobat".

Then I manually updated the AATL and EUTL lists in Acrobat in Edit > Preferences > Trust Manager.

And it's validating signatures correctly now. It even shows the EUTL server in the validated signature detail; before, it showed only AATL.

Probably some update of Acrobat Reader DC from the last 2 months did this, because I have multiple computers with the same problem.
