I'm attempting to use Acrobat 11 Standard to digitally sign a PDF document with a 2048 bit certificate from our internal certificate authority, and I'm receiving the following error:
Error encountered while signing:
The Windows Cryptographic Service Provider reported an error:
The requested operation is not supported.
Error Code: 2148073513
The operating system is Windows 7 Enterprise x64. When I remove Acrobat 11 Standard and install Acrobat 9 Standard on the same Windows 7 system, I am able to successfully sign the document using the same certificate that was giving the error with 11. Also we have been using Acrobat 9 on Windows XP with these same certificates for a long time and never encountered issues with digitally signing.
Any ideas of what might be causing this issue?
Thanks in advance
Josh
Hi all,
We have released a patch today that fixes the Digital Certificates issue that was recently introduced. If you are not already updated to the latest patch, simply open Acrobat and visit Help > Check for updates to apply this patch.
More details about this release and bug fixes are available here: https://helpx.adobe.com/acrobat/release-note/acrobat-dc-june-02-2016.html
Please give it a try and let us know.
Thanks,
-ashu
Hi Josh,
Just out of curiosity, is there any other software involved here besides Acrobat 11 and Windows 7? That is, is there a smart card in use or some kind of third party signature handler, or is it just Acrobat using a digital ID in either a file or maybe loaded into Windows?
Thanks,
Steve
Hi Steve,
The only other software involved is Entrust Security Provider 9.2 http://www.entrust.com/entelligence/security_provider/ which allows us to sync the certificates from the certificate authority to the local Windows store. Once the certificate is in the Windows store, it can be used by Acrobat just like any other digital ID. Again I have no issue with this exact configuration using the same certificate if I install Acrobat 9 instead of 11.
I came across a similar thread from December that did not appear to be resolved: http://forums.adobe.com/message/4876252#4876252
Thanks
Josh
I have this same issue, same operating system and software setup. Really frustrated. I bought the Acrobat XI PRO upgrade on 2/15/13.
Hi Josh,
Just to make sure that the Entrust software isn't involved in the signing operation:
- Select the Edit > Preferences menu item
- Select Signatures from the Categories list box
- Click the top More button in the Creation and Appearance group box
What I'm curious about is what is selected for the Default Signing Method, that is, does it look like this:
Thanks,
Steve
Hi Steve,
Acrobat 11 is configured for Adobe Default Security exactly as shown in your screen capture.
Thanks
Josh
Hi Josh,
The error message comes from Windows (not Acrobat), but Acrobat 11 is probably asking Windows to do something that it can't. What it is I don't know because the error message is too vague. One thing we can do is to take Windows out of the picture and see if you can sign when Acrobat accesses the digital ID itself as opposed to asking Windows to do the work. This is a two-step process: first, export the digital ID from Windows into a file, and then import the file into Acrobat (it's not really an import, but I'll leave it at that for now).
Step 1 - Export the Digital ID
- Launch Acrobat
- Select the Edit > Preferences menu item
- Select Internet from the Categories list box
- Click the Internet Settings button
- Select the Content tab on the Internet Properties dialog
- Click the Certificates button
- Highlight your digital ID and then click the Export button
- Click the Next button on the Welcome panel of the Certificate Export Wizard
- Select the Yes, export the private key radio button, and then click the Next button. If this radio button is disabled you can stop here and let me know that the private key is not exportable
- Select the Include all certificates in the certification path if possible checkbox & the Export all extended properties checkbox and then click the Next button. Only select the top and bottom checkboxes, DO NOT delete the private key!
- Create passwords for the file and then click the Next button. You will need this password to sign with so make sure it is something you can remember.
- Pick a file name and location. Browse for a location you can remember as you will need to know where you put the file in order to use it to sign with. Click the Next button.
- Click the Finish button
- Click the OK button on the confirmation dialog
- Click the Close button on the Certificates dialog
- Click the OK button on the Internet Properties dialog
Step 2 - Add the file to Acrobat
- Select Signatures from the Categories list box
- Click the More button in the Identities & Trusted Certificates group box
- Click the Add ID toolbar button
- Click the Next button
- Click the Browse button
- Navigate to and select the file you exported above and then click the Open button
- Enter the password you used above and then click the Next button
- Click the Finish button
- You will see two items in the list box with the same name. Highlight the one whose Storage Mechanism is "Digital ID File"
- Click the Usage Options toolbar button and then select Use for Signing
- Close the Digital ID and Trusted Certificate Settings
- Click the OK button on the Preferences dialog
The next test is to see if you can sign a file. Please let me know if it works or not.
Thanks,
Steve
Steve,
Unfortunately the private key is not exportable. The option is grayed out. Let me know if there is something else we can try.
You had said that "Acrobat 11 is probably asking Windows to do something that it can't." So I assume that Acrobat 9 does not operate in the same fashion, otherwise this same certificate and signing operation should fail in both 9 and 11, correct?
Thanks
Josh
Steve,
Any update on this issue? Is there any way we can get formal support on this? We're a Federal gov't organization and signature capability is very important to our workflow here.
Thanks
Josh
Hi Josh,
For years Microsoft used a system called CAPI (cryptographic application program interface) to handle all of their cryptographic operations. CAPI compliant applications such as Acrobat were able to leverage the work Microsoft did and only needed to make an operation request to CAPI and CAPI will do the cryptographic work and return the encrypted data. The private key that is loaded into the Windows Certificate Store (which is really the UI front to CAPI) is only accessible to CAPI. If Acrobat wants to use the key to sign the file it asks CAPI to do the work and thus Acrobat never gets its hands on the actual private key.
Beginning with Windows 7 Microsoft introduced a new feature called CNG (cryptographic next generation) that sits on top of (metaphorically speaking) CAPI. In an abstract way you could think of this as how DOS lived underneath Windows 95. The reason that CAPI is still there in Windows 7 is because older applications (of which you could lump Acrobat versions 7 through 10) were never built to take advantage of CNG so Microsoft left CAPI in place for backwards compatibility. Acrobat 11 however does make CNG calls and whatever it is requesting Microsoft CNG to do is being rejected by CNG, but it used to work with CAPI. It's not so much that older versions of Acrobat were capable of doing an operation that Acrobat 11 fails at, but rather Microsoft CAPI was capable of doing an operation that CNG balks at.
That said (and believe me when I say I realize no customer wants to hear that it's not Acrobat's fault when all they did was upgrade to a new version of Acrobat), what we need to figure out is what it is about the Entrust generated certificate that CNG doesn't like. Just like in the other forum post you linked to that had a similar problem, the issue only occurs when the signer's certificate comes from a particular source, in your case the Entrust Security Provider. My guess is there is something about this certificate that has been blacklisted by CNG.
What I'd like to do is get a look at the Entrust generated certificate. One thing would be if you have a file that was signed using CAPI that you could share, I could look at that. If all your files are proprietary, another thing to do is to export the public key. In the steps I wrote out above, where you get to the spot where the export private key option was greyed out, if you continued on exporting just the public key, could you send that to me?
Steve
Steve,
Thanks for your reply. Do you have an email address I can send you a sample doc?
Thanks
Josh
Hi Josh,
Thanks for sending me the file. The problem is the CRL (Certificate Revocation List) expired on Tuesday, February 12, 2013 12:43:14 PM. Without valid revocation information there is no way for Acrobat to validate the signature, and if it can't validate the signature at signing time then it won't create it.
One thing to try is to turn off require revocation checking:
- Select the Edit > Preferences menu item
- Select Signatures from the Categories list box
- Click the More button in the Verification group box (second from the top)
- Deselect the Require revocation checking to succeed whenever possible checkbox
- Click the OK button on the Signature Verification Preferences dialog
- Click the OK button on the Preferences dialog
Try to sign and see what happens. Please let me know.
Steve
Steve,
I tried disabling Require revocation checking to succeed whenever possible in Acrobat 11 but I still got the same 2148073513 error message when attempting to sign.
I have that same option enabled in Acrobat 9 and it did not prevent me from signing the document using the same certificate.
Thanks
Josh
Hi Josh,
Although I don't yet have the complete picture, I do see the anomaly. I opened the file you sent in version 10 and it validated, but it won't validate in 11. Whatever is causing that problem is related to the signature creation issue. Being able to reproduce a problem is usually our biggest obstacle to coming up with an answer, and now that I can recreate the validation issue we can move forward.
As an aside, even if I put you in touch with tech support, or the SE that works with the government contracts, this issue would still get escalated to me.
I'll let you know what we find.
Steve
Thanks Steve. Let me know if there is anything else I can do to facilitate the troubleshooting process on your end.
Thanks
Josh
I have been following this thread closely, albeit from a distance. Thanks for the time and effort you have both put into this. Hopefully we'll get a resolution soon.
Thanks,
Justin Bray
Hi Josh,
I was able to get the signature to validate after I assigned trust to the correct trust anchor, so my initial assessment was not correct. Of course I can’t test signing because I don’t have your signature creation environment set up, but what we can do is try to start afresh.
My plan is to have you export a set of registry keys as a backup and then remove them. Here are the steps:
- Make sure Acrobat is closed
- Click the Start button, type regedit into the Search field, and then press Enter
- Expand the tree view so you see HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0
- Click on (highlight) Security under Acrobat\11.0\
- Right mouse click on Security and then select Export from the pop-up menu
- Select Desktop (or anywhere you are comfortable with and can remember) as the Save in location
- Type Security11 into the File name edit field, and then click the Save button
- Double check that the file is on your Desktop (or selected Save In location)
- Right mouse click on Security (again) and select Delete from the pop-up menu
- Click the Yes button on the Confirmation dialog
- Launch Acrobat
Try to sign and let me know what happens.
Steve
Steve:
When I try this, my tree (step 3 above) stops at Acrobat 9.0. I'm sure that I have the Acrobat 11 program, thoughts/suggestions? I can get to Adobe 11 in: HKEY_LOCAL_MACHINE\Software\Adobe\Adobe Acrobat\11.0; however, there is no Security option.
Thanks,
Justin
Hi Justin,
You're looking under HKEY_LOCAL_MACHINE and you need to start at HKEY_CURRENT_USER
Steve
I'm sorry Steve, I didn't clearly state that I don't seem to have an 11.0 file as you directed in HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0. See attached screen shot. For what it's worth, I was able to successfully sign a Word document using Entrust.
Are you using Acrobat or Adobe Reader?
I'm using Acrobat 11 Pro. I just (last week) upgraded from Acrobat 10 pro. I never had any issues with 10.
Ok, got it. You need to slide down four more keys to "Adobe Acrobat". It's in there that you'll find the 11.0 key.
Steve
I was able to export/delete/launch the security file as you direct Josh, however, I received the same error (pic1). I clicked "ok" then closed out my document. When it asked if I wanted to save changes I clicked "no". Acrobat closed down. I saw the file that I was using to test with appeared to be saved so I opened it and my signature was on the document. When I attempted to validate the signature I received a "BER decoding error..." (pic 2).
Pic 1:
Pic 2:
Hi Justin,
It didn't work for Josh either. Until we can replicate this in-house I'm out of ideas. Just out of curiosity, are you using any other software for managing your PKI environment?
As an aside, what you see on the page is not the signature proper, but rather a pictorial representation of the actual signature. The signature itself is a blob of hex encoded data written into the PDF file, and unless you were to open the file in a text editor it's not something you would normally see. The signature appearance that you see on the page is created before the actual signature so that the real signature will cover the appearance, and if someone were to try and tamper with the appearance it would invalidate the cryptographic signature.
Steve
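Added example, not part of the thread and not Adobe's code: a Python sketch of the point in the last post, that the signature is a hex-encoded blob inside the file and that the cryptographic digest covers everything around it. It uses the standard /ByteRange and /Contents entries of a PDF signature dictionary; the function names, the SHA-256 choice and the tiny sample "PDF" are assumptions constructed for illustration, and the blob check reads only the outer BER header, which is one place a decoder can fail.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def classify_blob(blob: bytes) -> str:
    """Look only at the outer BER header of the decoded /Contents bytes."""
    if not blob.strip(b"\x00"):
        return "empty-placeholder"          # space reserved, nothing written
    if len(blob) < 2 or blob[0] != 0x30:    # CMS/PKCS#7 starts with a SEQUENCE
        return "not-a-ber-sequence"
    first = blob[1]
    if first == 0x80:
        return "ber-indefinite-length"
    if first < 0x80:                        # short form: length in one byte
        header, length = 2, first
    else:                                   # long form: next n bytes hold it
        n = first & 0x7F
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return "ber-header-ok" if header + length <= len(blob) else "truncated"

def inspect_signature(pdf: bytes) -> dict:
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry found")
    a, b, c, d = (int(g) for g in m.groups())
    gap = pdf[a + b:c]                      # the only bytes the digest skips
    is_hex_string = gap[:1] == b"<" and gap[-1:] == b">"
    blob = bytes.fromhex(gap[1:-1].decode("ascii")) if is_hex_string else b""
    return {
        "gap_is_contents": is_hex_string,
        "covers_whole_file": a == 0 and c + d == len(pdf),
        # SHA-256 is an assumption; the real algorithm is named inside the blob.
        "signed_digest": hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).hexdigest(),
        "blob_state": classify_blob(blob),
    }

def build_sample(blob: bytes, reserve: int = 32) -> bytes:
    """Constructed stand-in for a signed PDF (not a complete, openable file)."""
    contents = b"<" + blob.hex().encode().ljust(reserve * 2, b"0") + b">"
    tmpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    start = len(tmpl % (0, 0, 0))
    return tmpl % (start, start + len(contents), len(tail)) + contents + tail

if __name__ == "__main__":
    for name, blob in [("signed", bytes.fromhex("3003020105")), ("unfilled", b"")]:
        print(name, inspect_signature(build_sample(blob)))
```

Changing any byte outside the /Contents gap, including the bytes that draw the visible appearance, changes `signed_digest`, which is why editing the appearance invalidates the signature.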