
Signing with a certificate

judsond
Registered: Aug 7 2009
Posts: 6
Answered

This seems harder than it should be, maybe I am missing something basic. Anyway, would appreciate any help. :)

This is Acrobat 8, I am trying to sign a document using a certificate from cacert.

I have imported the root certificate. Advanced>Manage Trusted Identities>Certificates then add contact, and import the root.crt file. That seems to work. There are now 2 certificates, Adobe Root and CA Cert Signing Authority. If I click the CA Cert and "show certificate" and trust, it is trusted to sign documents, and certify documents.

Now, when I sign something I am offered the option to browse for a digital ID. I have exported my personal certificate from Firefox, as a p12 file. Acrobat recognizes this, asks for my password correctly, and says "the following will be used for signing or encryption" and lists my certificate. When I click Finish it says "you do not have any digital IDs suitable for signing this document."

If I go to Advanced>Security Settings I can find the file, I have marked it for "Use for signing". When I look at the certificate though it is only trusted to "Certify Documents" not sign them, even though the issuer seems correct, and the root is trusted to sign.

I have also tried importing a p7b file into the manage trusted identities window, which seems to work successfully, but the certificate still isn't trusted for signing...

Sorry for the long explanation!
:(

My Product Information:
Acrobat Standard 8.0, Windows
1andrea
Registered: Aug 10 2009
Posts: 1
I am having the same problem, help.
plevy
Expert
Registered: Jul 8 2008
Posts: 80
Those are good questions and you are indeed missing a couple of basic ideas which make this all seem very confusing.

First, to sign a document, you need to have a digital identity (i.e., a certificate) for YOU that was issued by someone else (your "certificate authority") or one that you create yourself (a "self sign" certificate). Nothing needs to be in the address book or trusted identities to sign. If you have the file with your certificate you can add it during the signing process (select the "identity from a file" option), or you can install the certificate into Acrobat from Advanced : Security Settings (click the Add ID button). Either way, this should be enough to sign. If you don't have the digital ID file, you need to contact your CA issuer.


The trusted id comes in when you validate a signature when you open a signed file. To be valid, three conditions must hold:
1) the document must not have been modified in ways that are not allowed
2) there needs to be some evidence that the signer's certificate is not revoked
3) there must be a trust relationship between you (the validator) and the signer.

Item 3 is where adding the issuer to trusted identities comes in. This establishes a trust relationship between you and identities issued by that organization.

Another item that is often confusing is the meaning of "trust" in this context. What is meant by a trust relationship is "I trust that you are who you say you are". It does not grant privileges or anything else, although there is an option to grant additional privileges as part of trust. Those privileges are not related to signature validity, however.

For more information, see the Digital Signatures User Guide at www.adobe.com/go/acrobat_security

Hope this helps.
judsond
Registered: Aug 7 2009
Posts: 6
Apparently the client certificates don't include extensions, adobe requires the extension keyUsage=digitalSignature

I think a lot of the confusion came b/c the initial obvious solution didn't work, and acrobat doesn't tell you why the digital id is not valid at all.

I asked on cacert's mailing list for a workaround, but no response yet

http://forums.adobe.com/message/2163184
plevy
Expert
Registered: Jul 8 2008
Posts: 80
Key Usage is an industry standard field that is common to all uses of digital certificates. There are international standards defining the meaning of the field and Adobe products comply with that standard. I don't think you will find a "workaround". You need to let your certificate issuer know that you need a digital identity suitable for signing and they can issue you a certificate with the appropriate key usage values.

I'll send a note to the development team about issuing a better error message.
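The two posts above come down to one check: does the certificate's Key Usage extension (OID 2.5.29.15) assert the digitalSignature bit? Acrobat does not say why an identity is rejected, so it helps to inspect the certificate yourself before opening a ticket with the issuer. The script below is an added example, not code from this thread or from Adobe: it walks the DER structure of a certificate with a minimal ASN.1 reader, decodes the Key Usage bit string, and reports whether the identity is suitable for signing. The three sample certificates it builds are constructed, unsigned dummies that are only structurally valid, so the parser has something to run on offline; the helper names (`read_tlv`, `key_usage`, `suitable_for_signing`, `fake_cert`) are this example's own.

```python
"""Check whether an X.509 certificate's Key Usage extension asserts
digitalSignature, the bit Acrobat requires for a signing identity.
Added example; the dummy certificates below are constructed for the demo."""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # OID 2.5.29.15, DER-encoded body
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for every top-level TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def key_usage(cert_der):
    """Return the set of asserted Key Usage names, or None if the extension is absent."""
    _, cert, _ = read_tlv(cert_der)              # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                   # tbsCertificate ::= SEQUENCE
    for tag, value in iter_tlvs(tbs):
        if tag != 0xA3:                          # extensions [3] EXPLICIT
            continue
        _, ext_list, _ = read_tlv(value)         # SEQUENCE OF Extension
        for _, ext in iter_tlvs(ext_list):
            fields = list(iter_tlvs(ext))        # extnID, [critical], extnValue
            if fields[0] != (0x06, KEY_USAGE_OID):
                continue
            octets = fields[-1][1]               # extnValue OCTET STRING
            _, bits, _ = read_tlv(octets)        # BIT STRING; bits[0] = unused-bit count
            flags = int.from_bytes(bits[1:], "big")
            total = 8 * len(bits[1:])
            return {name for i, name in enumerate(KEY_USAGE_BITS)
                    if i < total - bits[0] and (flags >> (total - 1 - i)) & 1}
    return None


def suitable_for_signing(cert_der):
    """Acrobat's requirement from the thread: digitalSignature must be asserted."""
    usage = key_usage(cert_der)
    return usage is not None and "digitalSignature" in usage


def der(tag, body):
    """Encode one DER TLV (short form, or two-byte long form up to 65535)."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def fake_cert(key_usage_bits=None):
    """Constructed, unsigned dummy certificate: structurally valid, content is placeholder."""
    tbs = (der(0xA0, der(0x02, b"\x02"))     # version [0] EXPLICIT INTEGER v3
           + der(0x02, b"\x01")              # serialNumber
           + der(0x30, b"")                  # signature algorithm (empty placeholder)
           + der(0x30, b"")                  # issuer (empty placeholder)
           + der(0x30, b"")                  # validity (empty placeholder)
           + der(0x30, b"")                  # subject (empty placeholder)
           + der(0x30, b""))                 # subjectPublicKeyInfo (empty placeholder)
    if key_usage_bits is not None:
        ext = der(0x30, der(0x06, KEY_USAGE_OID) + der(0x01, b"\xff")
                  + der(0x04, der(0x03, key_usage_bits)))
        tbs += der(0xA3, der(0x30, ext))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


# Constructed samples: bit 0 (0x80) is digitalSignature, bit 2 (0x20) keyEncipherment.
SIGNING_CERT = fake_cert(b"\x05\xa0")       # digitalSignature + keyEncipherment
ENCRYPT_ONLY_CERT = fake_cert(b"\x05\x20")  # keyEncipherment only, like the CAcert case
NO_KU_CERT = fake_cert(None)                # no Key Usage extension at all

if __name__ == "__main__":
    for label, cert in [("signing", SIGNING_CERT), ("encrypt-only", ENCRYPT_ONLY_CERT),
                        ("no keyUsage", NO_KU_CERT)]:
        print(f"{label}: keyUsage={key_usage(cert)} signing-suitable={suitable_for_signing(cert)}")
```

To run it against a real identity, export the certificate as DER (for a PEM file, `openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the bytes to `suitable_for_signing`; `openssl x509 -in cert.pem -noout -text` shows the same information under "X509v3 Key Usage". In production code the `cryptography` package's `x509.KeyUsage` extension (its `digital_signature` attribute) does this parsing for you; the hand-written reader here exists only to make the DER layout visible. Note that a certificate with no Key Usage extension at all, as well as one asserting only encryption bits, both fail the check, which matches the thread's symptom of an identity that Acrobat accepts for encryption but refuses for signing.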
judsond
Registered: Aug 7 2009
Posts: 6
Yeah, workaround might be being nice ;) I want them to include the extension, hehe. It looks like in a draft they had planned to but then didn't for some reason. I don't know why, they are a pretty open non-profit certificate system.

Oh well, going self-signed for now. :)