I am trying to understand what is (apparently) wrong with my employer-provided certificate that is giving invalid digital signatures according to Acrobat Reader. I don't know if my company created my certificate incorrectly, or they need to reissue an updated version, or if recent changes at the root CA provider have caused problems.
I digitally sign documents infrequently with a certificate issued from my company's CA (which was valid from January 2020 and is signed by DigiCert Assured ID Root G2 certificate). On 1-Sep-2023, I signed a document, but the signature was invalid. My Acrobat Reader is the latest version, 2023.003.20284 (on Mac).
The signature properties indicate an invalid signer's ID.
Reader's properties of my signing certificate indicate "invalid policy constraint".
I suspect my problem is similar to the problem answer in this thread so I focused on the policies.
Reader's policies tab will sometimes show a grayed-out policy OID 2.16.840.1.114412.3.21 (Adobe Qualified Signer) on the root cert
[Hmmm.... I do not see 2.16.840.1.1144188.8.131.52 which is indicated to be required for document signing per this document.]
and sometimes not show any, as though it is dependent on what was clicked on previously (Reader bug?)
The policies tab for the company CA certificate and my certificate always show empty policies, but the company CA certificate has the policy OID 2.16.840.1.114412.5.2 (https://www.digicert.com/CPS).
A complicating factor is that DigiCert changed its policies related to S/MIME and Signing this past week. They indicate that existing certs should continue to work. From the little I know, that makes sense to me. But then I really don't know where the problem is.
I had another employee sign a document to confirm he had the same issue as me.
I found a pdf that I signed over a year ago with a prior individual certificate but the same company CA and root CA. Looking at it today, it has the same problem. I don't trust that I would have caught an invalid signature then.
I would appreciate any help in figuring this out. What is causing Acrobat Reader to decide it is an invalid signer's ID? Thanks!
I'd like to get confirmation on the signature process.
Digicert's certificate is in the trusted certificates of Acrobat Reader. I have NOT added the company's CA certificate to the trusted certificates in Acrobat Reader. I do not believe I need to do that since it was issued by a trusted root certificate. Even if I do that, it only affects my view of the signature, not whether the signature is valid or not to some third party who would not want to add my company's CA to their trusted store.
I sign a document but the signature is considered invalid.
I am told that if I add my company's CA to the trusted certs in MY Acrobat Reader, MY Acrobat Reader will show the signature as valid. But I believe if I then send the document to a third party, their Acrobat Reader will see the signature as invalid unless they either trust my certificate or my company's CA certificate. That seems a good way to trust anyone's signature even if my company's CA were self-signed.
If my understanding is wrong, can someone please clarify what is wrong and how?
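An added example, not from this thread or from Adobe: a plain-Python model of the RFC 5280 section 6.1 policy processing that a validator runs before it can report something like "invalid policy constraint". The chain, the OIDs and the requireExplicitPolicy=0 value on the issuing CA are constructed assumptions for illustration, not a reading of the poster's actual certificates.

```python
"""Simplified RFC 5280 (6.1.3-6.1.5) certificate-policy processing.

Constructed model: each Cert carries only the two extensions that matter
here, certificatePolicies and policyConstraints.requireExplicitPolicy.
Policy mappings and inhibitAnyPolicy are deliberately left out.
"""
from dataclasses import dataclass, field
from typing import Optional

ANY_POLICY = "2.5.29.32.0"   # anyPolicy OID
DIGICERT_CPS = "2.16.840.1.114412.5.2"   # OID quoted in the post (any OID works)


@dataclass
class Cert:
    name: str
    policies: set = field(default_factory=set)       # certificatePolicies OIDs
    require_explicit_policy: Optional[int] = None    # policyConstraints value


def validate_policies(chain, require_explicit=False):
    """chain: certificates below the trust anchor, issuing CA first, leaf last.
    Returns (ok, valid_policy_set, explicit_policy) after the 6.1.5 wrap-up."""
    n = len(chain)
    explicit_policy = 0 if require_explicit else n + 1   # 6.1.2 initial value
    valid = {ANY_POLICY}                                 # stands in for valid_policy_tree
    for i, cert in enumerate(chain, start=1):
        # 6.1.3 (d)/(e): intersect asserted policies with the tree so far
        if not cert.policies:
            valid = set()                          # no policies -> tree becomes NULL
        elif ANY_POLICY not in cert.policies:
            valid = set(cert.policies) if ANY_POLICY in valid else valid & cert.policies
        # 6.1.4 (h) / 6.1.5 (a): count down the explicit-policy skip window
        if explicit_policy > 0:
            explicit_policy -= 1
        r = cert.require_explicit_policy
        if r is not None:
            if i < n and r < explicit_policy:      # 6.1.4 (i): CA tightens the window
                explicit_policy = r
            if i == n and r == 0:                  # 6.1.5 (b): leaf demands explicit policy
                explicit_policy = 0
    # 6.1.5 (g): failure only when a policy is required and none survived
    ok = not (explicit_policy == 0 and not valid)
    return ok, valid, explicit_policy


# Constructed chain: CA asserts a policy and requires explicit policy downstream;
# the end-entity certificate asserts no policies at all.
ISSUING_CA = Cert("Company Issuing CA", {DIGICERT_CPS}, require_explicit_policy=0)
LEAF_NO_POLICY = Cert("Employee signing cert", set())
LEAF_WITH_POLICY = Cert("Employee signing cert", {DIGICERT_CPS})
```

Run `validate_policies([ISSUING_CA, LEAF_NO_POLICY])` and `validate_policies([ISSUING_CA, LEAF_WITH_POLICY])` to compare; dropping the CA's constraint (`require_explicit_policy=None`) makes the empty leaf acceptable again, which is the general rule the single-case failure illustrates.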