Previously valid signing certificate shows invalid policy constraint in DC 2019

Community Beginner, Aug 14, 2019

We have previously been able to sign documents with certificates with the following intended usages: Digital Signature, Encrypt Keys, Email Protection, 1.3.6.1.4.1.6449.1.3.5.2

As per Steven.Madwin's response to "Document signing requires code signing certificate" this should be fine. However, as of Acrobat Reader DC 2019 the signature is marked as invalid. The certificate path shows "Invalid policy constraint" for the issuing certificate paths and the signing certificate. The certificate we are using is issued by Sectigo and is AATL approved.

Has Acrobat become fussier about the types of certificates it will accept? If so, what needs to be present in the certificate?

[Attachment: Annotation 2019-08-14 160734.png]

1 ACCEPTED SOLUTION

Adobe Employee, Aug 15, 2019

The Object Identifier (OID, the number in the Certificate Policies edit field) is a representation for a document that lays out all of the requirements of the Sectigo AATL Policy. If the digital ID that Sectigo issued you met those requirements then they would have included that specific OID in your Public-key Certificate (PKC), or more specifically, in the Certificate Policies extension in your PKC.

The missing piece of this picture puzzle is: what is listed in your PKC? If you highlight your cert in the tree view on the left of the Certificate Viewer dialog, then select the Details tab, you can scroll the list view and find the Certificate Policies extension. If you click on that entry you will see a Policy OID that is shorthand for which set of requirements your certificate met when it was issued. If it had matched the OID displayed above then the signature would have been valid.

Steve

Adobe Employee, Aug 14, 2019

Hi

Community Beginner, Aug 15, 2019

Hi Steven Madwin

Thanks for getting back to me so quickly. Here are the policy details from the UserTrust/Sectigo CA cert. Looks reasonable? I could delve into the cert to dump lower-level details?

New Here, Sep 15, 2019

The same is happening to me... is there any way that we can get signatures verified?
Community Beginner, Nov 22, 2019

@rolandor81994411 I have submitted a bug report to Adobe to suggest that the signature's validity is changed to unknown rather than invalid when this policy requirement has not been met. It is valid in the sense that it is proven that the signing certificate's private key signed the document; the signing certificate chains up to a trusted AATL root; and the certificate has not been revoked.

Community Beginner, Nov 21, 2019

I know it's been a while but just to complete this response for anyone else, here is the Certificate Policies extension for the signing certificate. As you can see it does not have the policy with OID 1.3.6.1.4.1.6449.1.2.1.6.6 that appears in the root certificate. I do agree that it should not mark the signature as invalid - that is entirely misleading. The certificate has been used to create a valid signature. It is only the validity of the certificate that is in question!

[Attachment: Annotation 2019-11-21 135555.png]

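To make the accepted answer's check concrete, and the finding above that the signing certificate lists 1.3.6.1.4.1.6449.1.3.5.2 while the CA lists 1.3.6.1.4.1.6449.1.2.1.6.6, here is an added Python example that is not code from this thread, from Adobe or from Sectigo: it decodes a certificatePolicies extension value from DER and runs a simplified RFC 5280 policy intersection of the kind a viewer performs before reporting a policy-constraint failure. The DER byte strings are constructed from the two OIDs quoted in the thread, and treating the CA's OID as the policy the trust anchor requires is an assumption.

```python
ANY_POLICY = "2.5.29.32.0"   # anyPolicy (RFC 5280 4.2.1.4)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal text."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def certificate_policies(ext_value):
    """List policy OIDs of a certificatePolicies extension value, encoded as
    SEQUENCE OF SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)          # one PolicyInformation
        oid_tag, oid_content, _ = _read_tlv(info, 0)  # policyIdentifier first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_content))
    return oids

def policy_check(chain_policies, required):
    """Intersect the chain's policy sets (issuer first, signer last), as in RFC 5280,
    and report whether the anchor's required policy survives (anyPolicy matches any)."""
    valid = {ANY_POLICY}
    for policies in chain_policies:
        p = set(policies)
        if ANY_POLICY in valid:
            valid = p
        elif ANY_POLICY not in p:
            valid &= p
    return required in valid or ANY_POLICY in valid

# Constructed extension values carrying the two OIDs quoted in this thread.
ROOT_POLICIES_DER = bytes.fromhex("3010300e060c2b06010401b2310102010606")  # 1.3.6.1.4.1.6449.1.2.1.6.6
LEAF_POLICIES_DER = bytes.fromhex("300f300d060b2b06010401b23101030502")    # 1.3.6.1.4.1.6449.1.3.5.2
```

With the thread's values, `policy_check([certificate_policies(LEAF_POLICIES_DER)], "1.3.6.1.4.1.6449.1.2.1.6.6")` is False; it only passes once the signing certificate's extension also lists the required OID (or anyPolicy).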
Community Beginner, Nov 22, 2019

One final note on this: We have previously signed documents that had long-term validation information and were then document-timestamped, making them PAdES Baseline Long Term Archival, which are now showing as invalid. This runs counter to the logic of PAdES LTA reasoning, which should show that if a signature was valid at signing time, and information to support this is included in the document, then the signature should still be valid for as long as the timestamp's certificate chain is valid. I would therefore suggest that this behaviour change breaks with PAdES LTA.

New Here, May 01, 2021

Hi,

Although two years have passed I am having the same problem in the DC21 version. Did Adobe align the two behaviors?

Thank you

Tomer

New Here, May 05, 2021
Community Beginner, May 05, 2021

Hi Tomer

Basically the signing certificate has to have the AATL policy specified.

Most annoyingly it also makes PAdES LTA documents signed 4+ years ago using non-AATL certificates invalid, which is definitely incorrect and goes against the core intention of the standard. It was reported 18 months ago as a bug but there has been no response from Adobe.

As a developer you have no option but to obtain an unnecessarily over-priced AATL certificate. Or alternatively ignore the invalid-policy constraint error and perhaps use a different reader.

Regards

Peter

New Here, Feb 16, 2022 (latest)

How can I write words related to learning English using Adobe DC, such as sentences in English?
