Digital certificate specs to digitally sign PDFs

New Here ,
Sep 04, 2020

I am trying to produce a suitable digital certificate to digitally sign PDF documents.

I already configured a Digicert certificate within Adobe Acrobat DC Pro.

To prepare the test PDF to be signed, I choose Prepare Form, then insert the 'Add a Digital Signature' field, then close the form tool. I then proceed to sign the document with the Digicert certificate. The certificate is a Terena Personal CA 3.

 

Looking at the certificate via Adobe Acrobat:

Summary Tab

Intended Purposes: Digital Signature, Encrypt Keys, Client Authentication, Email Protection

Details Tab

Key Usage: Digital Signature, Encrypt Keys.

Revocation Tab

'There were errors encountered while building the certificate chain to a certificate designated as a trusted anchor. Revocation checks were therefore not performed on this certificate. See the message at the bottom of this dialog for an explanation.'

Note: no further info on that tab, and 'Signer details...' and 'Problems encountered...' buttons are greyed out.

Trust Tab:

This certificate is trusted to:

Sign Documents or data

Certify documents

 

After signing and reopening the document, I get a certificate validation error: 'Signer's certificate invalid'.

Error details are no more than what is shown in the certificate details.

 

Now, this error goes away when the option to trust root certificates in the Windows Certificate Store is enabled, as follows:

Preferences / Signatures / Signature Verification Preferences / Windows Integration / Trust all root certificates in the Windows Certificate Store for:

- Validating Signatures (off by default - ENABLE)

- Validating Certified Documents

Selecting either of these options may result in arbitrary material being treated as trusted content. Take care before enabling these features.

 

The whole point of adding certificates to the Windows Certificate Store is to make them trusted to the OS. Root CA certificates work this way and certificate updates are provided (Windows Update for Windows, a dedicated package for Ubuntu, etc.) through OS updates to confirm emitted certificates.

Digicert Root CA is already in the Windows Certificate Store. I have however added Digicert rootCA and intermediate certs. Why should I need to configure Acrobat Pro DC to "Trust all root certificates in the Windows Certificate Store for: Validating Signatures" just to have it properly follow the certificate validation chain?

On a side note, a PDF signed with a self-signed certificate created within Adobe Acrobat Pro does not yield signature validation errors and does not need the option above enabled to be recognized as a valid signature on the signer computer (yes, any receiving end will need to add the signer certificate to his own OS certificate store to properly validate the PDF signature).

 

So my questions are:

- Is there an explanation on the above behaviour? Am I missing something?

- What kind of certificate should I request to commercial certificate providers to implement a reliable digital signature?

My aim is to produce signed PDF conforming to eIDAS regulation.

Thank you!

 

 

 

 

TOPICS
Security digital signatures and esignatures

ls_rbls LATEST
Adobe Community Professional ,
Sep 04, 2020


  • Why should I need to configure Acrobat Pro DC to " Trust all root certificates in the Windows Certificate Store for: Validating Signatures" just to have it properly follow the certificate validation chain?

 

You shouldn't. Adobe doesn't recommend that.

Because Adobe Acrobat does not produce digital certificates (meaning that it is not a certificate issuing authority), you need to update both the "Automatic Adobe Trust List" (AATL) and the "Automatic European Union Trusted Lists" (EUTL) in EDIT--->>> PREFERENCES.

If you've missed this step, Acrobat may not work with third-party trust service providers.

 

Are you saying that you still get this error even if you update the Adobe Approved trusted lists?

 

  • My aim is to produce signed PDF conforming to eIDAS regulation.

 

Are you asking about multi-factor authentication?

 

You may need to employ Adobe Sign with your current Acrobat forms workflow. Some features are exclusive to business and enterprise plan subscriptions.
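
Why the same signer certificate can validate or fail depending on which set of trust anchors the validator consults, shown as an added example that is not part of the original thread and is not Acrobat's implementation. All certificate names and the helper functions are constructed for illustration; the code needs the Python `cryptography` package and checks only issuer linkage and signatures (no validity dates, key usage or revocation).

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, key, issuer_cn, issuer_key, ca):
    """Issue a constructed test certificate; all names are made up."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """Check cert's signature with the candidate issuer's public key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chains_to_anchor(cert, extra_certs, anchors):
    """True only if cert links, signature by signature, to a member of anchors."""
    fp = lambda c: c.fingerprint(hashes.SHA256())
    trusted = {fp(a) for a in anchors}
    pool = list(extra_certs) + list(anchors)
    for _ in range(len(pool) + 1):  # bounded walk so a cycle cannot hang it
        if fp(cert) in trusted:
            return True
        cert = next((c for c in pool if c.subject == cert.issuer
                     and fp(c) != fp(cert) and signed_by(cert, c)), None)
        if cert is None:  # no usable issuer: chain building fails
            return False
    return False

def demo():
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    root = issue("Constructed Root", keys[0], "Constructed Root", keys[0], True)
    ca = issue("Constructed Personal CA", keys[1], "Constructed Root", keys[0], True)
    user = issue("Constructed Signer", keys[2], "Constructed Personal CA", keys[1], False)
    other = issue("Constructed Other Root", keys[3], "Constructed Other Root", keys[3], True)
    return (chains_to_anchor(user, [ca, root], [other]),   # app list only
            chains_to_anchor(user, [ca], [other, root]))   # app list + OS roots
```

In the first call the root is available for path building but is not an anchor, so the chain is cryptographically intact and still untrusted; only adding the root to the anchor set changes the result.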
