Requirements on using a certificate for signing

New Here ,
Aug 02, 2020

Hi, I have given an ECDSA cert and its corresponding root CA paths full trust in Adobe Reader DC. However, under usage options, I am still unable to select the cert for signing.

What requirements must a cert meet for it to be selectable for signing? Or are ECDSA certs not supported?
The key usage for the cert has digital signature enabled and the cert is in a smart card.

Thank you. 

TOPICS
Create PDFs, General troubleshooting, How to, Security digital signatures and esignatures

Adobe Community Professional ,
Aug 02, 2020

Is this just for you or are you trying to issue such certificates to many users?

Also, are you using a government form?

It is supported according to this document:

https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html

But if you run into configuration issues you may need to do further reading on how to implement them with the Windows Server: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-generate-ECDSA-EC-certs/ta-p/18...

And do further research on the supported encryption algorithms and digest creation compatibility found in the first link that I posted above.

In any case, first you need to verify and test that your smart card reader works and actually has all drivers and middleware updated for your OS version.

Then you need to install your root and intermediate certificates in the appropriate certificate store path for your operating system. Here is a good thorough article: https://www.thesslstore.com/blog/root-certificates-intermediate/

Then you need to register the Identities and Trusted certificates in Acrobat.

To do so go to Edit --> Preferences --> Signatures. Click on the "More" button found in the "Identities & Trusted Certificates" section.

See more about requirements in this topic: https://community.adobe.com/t5/acrobat/requirements-on-certificates-for-certification/td-p/9037280?p...

New Here ,
Aug 02, 2020

Hi, thank you for the reply. I have done the steps as listed above.
The root path and intermediate certs are also installed in the respective cert stores.

The user cert shows up in the "Windows Digital Id" section after I click on Edit -> Preferences -> Identities & Trusted Certificates -> More, but under "Usage Options" I am unable to select this cert for signing.
There is no option to use it for signing, whereas the other certs are able to be selected.

It also shows that the cert is trusted. So I am not sure what other steps I am missing.

Adobe Community Professional ,
Aug 03, 2020

Are all of the other certificates that you can use for signing ECDSA, or just the one that you're having issues with?

I would say that, just to rule out other trusted certificate issues, go to Edit --> Preferences --> "Trust Manager" and update both the "Automatic Adobe Approved Trust List (AATL)" and the EUTL below that.

New Here ,
Aug 03, 2020

The other certs are non-ECDSA. I have done your suggested steps and it is still showing me the same results. I am starting to think that it could be an issue with the cert itself.

Adobe Community Professional ,
Aug 03, 2020

Could be. Maybe the hashing algorithm is the issue. As SHA1 is basically deprecated, I am not sure if Adobe Acrobat actually fully supports SHA2 hashing yet.

I would say to check if you can change the length of the keys for DSA / RSA. Sometimes that has worked for me in other scenarios.

But I am not an expert in this subject, so please take what I just said as a careless assumption. The only thing I can think of is to check if the digest algorithm of this ECDSA certificate needs to be used with PKCS#11-compatible devices and RSA digest methods.

See here: https://www.adobe.com/devnet-docs/etk_deprecated/tools/QuickKeys/Acrobat_DocumentSecurityAlgoAll.pdf

And more about the usage here: https://www.adobe.com/devnet-docs/etk_deprecated/tools/QuickKeys/Acrobat_DigSig_AlgorithmsAll.pdf

You can also refer to RFC 5758 here: https://tools.ietf.org/html/rfc5758

Adobe Community Professional ,
Aug 03, 2020

I forgot to mention to change the default signing format. See slide:

ECSDA CERTS.png

If this doesn't work, have you checked if you can use the certificate from other programs, like a webmail service that requires an email certificate to sign in?

Adobe Community Professional ,
Aug 03, 2020

Please ignore my previous reply; it has nothing to do with troubleshooting the certificate usage.

Please refer to this Adobe Helpx guidance: https://helpx.adobe.com/acrobat/using/digital-ids.html#digital_ids

Delete and create a new trusted Identity with the ECDSA certificate following the steps of the link above.

In the slide below, see what I marked; change the Key Algorithm to something smaller and also assign the usage for both Digital Signatures and Data Encryption:

ecsdacerts.png

New Here ,
Aug 03, 2020

Hi, thanks for the suggestions, but I am only able to select 1024 or 2048 bit RSA for the key algorithm.

Also, I can use the cert to sign Office documents fine but am unable to use it in Adobe Reader DC and Outlook S/MIME.

Engaged ,
Aug 03, 2020

ECDSA certs acceptable to Acrobat must be based on one of a few named curves. What curve is your certificate using?

Adobe Community Professional ,
Aug 03, 2020

Here's the Acrobat Digital Signatures Guide to help you answer margueritek's question: https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSigDC/standards.html

I would say that, if you're able to see more options from the drop-down menu for the "Key Algorithm", select ECDSA elliptic curve P256 with digest algorithm SHA256.

New Here ,
Aug 03, 2020

P384 with digest algo SHA 384. 

Adobe Community Professional ,
Aug 03, 2020

Did it work?

New Here ,
Aug 03, 2020

Unfortunately, nothing seems to work.

Adobe Community Professional ,
Aug 03, 2020

Would you mind sharing where you downloaded the root certificates from? Or are you creating self-signing certificates by hand via the command line (or another software tool)?

I would like to check what documentation is available from the actual issuer.

At least it is being recognized in Acrobat, so you must be doing something right on your end; we just have to find out which step was missed.

New Here ,
Aug 04, 2020

Hi, the signature algo shows that it is Sha384 ECDSA, but does it matter if my public key parameter shows ECDH_P384 instead of ECDSA_P384?

Adobe Community Professional ,
Aug 04, 2020

That is why I was suggesting to delete and recreate this certificate.

The issue seems related to how you installed the intermediate root certificate.

I've been trying to reproduce your issue on my end using the root CAs provided by my operating system. But my problem is different. I am not even able to access or see the certificate stores, both on MS Windows and Acrobat.

ls_rbls LATEST
Adobe Community Professional ,
Aug 04, 2020

The question that I've been trying to answer first is why you're not able to select the certificate usage.

You may notice, however, that since ECDSA certificates are still kind of new to the Web when compared to RSA-based hashing, the usage may be limited to just signing and maybe one more option in Acrobat and Windows.

I was able to read more about issuing authorities, like BigIP, GeoTrust, Comodo, etc., and they all have different guidance, especially implementing the SSL handshake part.

If you can please tell me where you downloaded and got the root certificates from, I can research exactly what steps the issuing authority recommends.

You may have to configure other things at the operating system level, not just the Adobe Reader part.
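
The thread asks which named curve the certificate uses, whether its key usage permits signing, and what its signature algorithm is. The PowerShell below is an added example, not part of any post in this thread, that reports those properties for each certificate so a working and a non-working one can be compared side by side. It assumes the smart card certificate appears in the current user's Personal store (`Cert:\CurrentUser\My`), and its curve table covers only the three NIST prime curves.

```powershell
# Added example (not from the thread): report signing-relevant properties of
# every certificate in the current user's Personal store.
$ecPublicKeyOid = '1.2.840.10045.2.1'   # id-ecPublicKey
# DER-encoded named-curve OIDs as they appear in the EC public key parameters
$namedCurves = @{
    '06-08-2A-86-48-CE-3D-03-01-07' = 'P-256 (secp256r1)'
    '06-05-2B-81-04-00-22'          = 'P-384 (secp384r1)'
    '06-05-2B-81-04-00-23'          = 'P-521 (secp521r1)'
}
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # The keyUsage extension is optional; absence means no usage restriction
    $keyUsage = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1

    $curve = 'n/a (not an EC key)'
    if ($cert.PublicKey.Oid.Value -eq $ecPublicKeyOid) {
        $hex = [System.BitConverter]::ToString($cert.PublicKey.EncodedParameters.RawData)
        $curve = if ($namedCurves.ContainsKey($hex)) { $namedCurves[$hex] }
                 else { "other or explicit parameters: $hex" }
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey
        PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
        Curve              = $curve
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        KeyUsages          = if ($keyUsage) { $keyUsage.KeyUsages } else { 'no keyUsage extension' }
        # True when keyUsage is absent or includes digitalSignature / nonRepudiation
        SigningAllowed     = (-not $keyUsage) -or
            [bool]($keyUsage.KeyUsages -band $flags::DigitalSignature) -or
            [bool]($keyUsage.KeyUsages -band $flags::NonRepudiation)
    }
} | Format-List
```

Comparing the output for the ECDSA certificate against one of the RSA certificates that Acrobat does offer for signing shows which property differs; the curve can then be checked against the Acrobat standards document linked earlier in the thread.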

 
