Digital Signature

Report · Jun 26, 2017

Hello,

I have a certificate that my company provided to me, to sign documents. Reader DC accepts the certificate, but does not allow me to use it to sign the documents.

I can't seem to find the reason.

I have created a digital signature using the tools that comes with the Reader DC and I am able to sign documents with that signature. But not with the certificate.

Can anyone guide me through the steps to verify that certificate is the problem. And what might be the problems with the certificate.

Thanks in advance.

Report · Jun 26, 2017

mmerol wrote
...
I have a certificate that my company provided to me, to sign documents. Reader DC accepts the certificate, but does not allow me to use it to sign the documents.
...

What happens when you try it?

Report · Jun 26, 2017

I can use the ID "LAPTOP-M/M to use for signing, but not the "Mehmet Murat EROL" ID

Report · Jun 26, 2017

Select the ID file on the left and change the "Usage Options".

Report · Jun 26, 2017

That is the problem.

I don't have the "Use for Signing" under "Usage Options" drop menu.

Report · Jun 26, 2017

What can you see at "Certificate Details"?

Report · Jun 26, 2017

Report · Jun 26, 2017

I don't know why you can't use it for signing.

Report · Jun 26, 2017

Thanks for trying Bernd.

I have also added certificate of my company to trusted certificates, but the problem persists.

Report · Jun 26, 2017

Check the Details tab in the Certificate viewer. Does the "Key Usage" look anything like the screenshot below? Does it say "Digital Signature" for one of the usage items?

Report · Jun 27, 2017

It says "Digital Signature", but there is an exclamation mark on the logo.

Report · Jun 27, 2017

Hello,

this certificate has an Extended Key usage that is intended for Authentication rather than for Content commitment (which is essentially the definition of a digital signature applied to a document).

Acrobat enforces Extended Key Usage extension according to RFC 5280 since version 11.0.9, see A: Changes Across Releases — Digital Signatures Guide for IT

This means that if the EKU extension is present in the certificate then Acrobat enforces its expected use.

Only certificates with EKU equivalent to the following list can be used for creating a digital signature.

emailProtection
codeSigning
anyExtendedKeyUsage
1.2.840.113583.1.1.5 (Adobe Authentic Documents Trust)

I would recommend your IT department or PKI team to have a look at the web page linked above to consider providing you a more suitable certificate for signing.

Regards

Andrea

Report · Jun 28, 2017

Thanks for your answer Andrea, I will talk with my IT department.

Report · Oct 22, 2020

@Andrea Valle , thanks for the detailed answer! It really helped me to understand what's happening.

But it's a pity, that the user interface is still so misleading, that I only was able to understand the issue after finding this your post. I've just posted this improvement suggestion, could you please take a look at it?

Adobe Community

Digital Signature

1 Correct answer