Using Entrust PKI Keys with Adobe

NB
Registered: Apr 4 2007
Posts: 3

I was using Adobe Acrobat Professional version 7 to digitally sign documents using an Entrust PKI Key. This required a plug-in from Entrust to enable the signature to be affixed to the document. Entrust announced that they were no longer supporting the plug-in because Adobe 8 had digital signature capabilities built in. I've purchased Adobe 8 Professional and cannot for the life of me figure out how to make Adobe find my PKI Key. My PKI Key has a ".epf" extension, and the only options Adobe allows me to select are extensions ".p12", ".pfx", or ".apf". Is there a solution to my problem? I've written to both Entrust and Adobe, but no response yet.
Thanks

My Product Information:
Acrobat Pro 8, Windows
lkassuba
ExpertTeam
Registered: Jun 28 2007
Posts: 3636
Hi NB,

Acrobat 8 imports .pfx (win), .p12 (mac), and .apf (legacy Adobe format) files that contain digital IDs (both public and private keys). These files may be in the Acrobat store or the Windows store.
Acrobat 7 can export .pfx (win) or .p12 (mac). Have you tried to export one of these formats from version 7?

Hope this helps,
Lori

Lori Kassuba is an AUC Expert and Community Manager for AcrobatUsers.com.

rhammud
Registered: Jun 3 2008
Posts: 3
Hello,
I am using an Entrust certificate in the .p12 format.
I have set my LDAP entry under "Directory Servers" to check my Entrust Directory and set it to default. I have imported my signature into Adobe.
However, I still can't force Adobe to verify the signature in Entrust LDAP. Can you please tell me how the validation process works? In other words, does it go to LDAP first, or does it first check whether I have an Entrust root certificate defined in Adobe?
Please note that I used to sign with Adobe 7 and the Entrust plug-in, and it worked like a charm.
Thanks
lkassuba
ExpertTeam
Registered: Jun 28 2007
Posts: 3636
The actual signature verification is built into Acrobat - using the default Adobe Handler or a plug-in that may be available from some other partners (i.e., Entrust). Entrust did have a plug-in in Acrobat 6 and/or 7 but have since stopped supporting it. If you're using Acrobat 8, this may be the problem.

There is no validation of signatures that happens on LDAP.
LDAP servers can be used as a central repository for certificates. After you locate a certificate, you can add it to your list of trusted identities so that you don’t have to look it up again.

rhammud
Registered: Jun 3 2008
Posts: 3
Hi again,
I succeeded in forcing Adobe to check the Windows certificate repository and validate the signature as follows:
- Add my Entrust CA root certificate to the Windows repository.
- Add the following values to my Windows registry for Adobe Acrobat:
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cSPIs]
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cSPIs\cRevocationChecker]
"t0"="MSCAPI_RevocationChecker"

- Add the following values to my Windows registry for Adobe Reader:
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Security\cASPKI\cSPIs]
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Security\cASPKI\cSPIs\cRevocationChecker]
"t0"="MSCAPI_RevocationChecker"

I still have one problem: I can't force Adobe to verify the Entrust Revocation checklist. Is there a way to define the URL server in the registry?
Thanks.
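
The registry settings listed in the post above can be checked with a read-only PowerShell audit. This is an added example, not part of the original thread or of Adobe's or Entrust's tooling. The function name Get-RevocationCheckerState is hypothetical, and the byte-array handling is an assumption in case the value was stored as binary rather than as a string.

```powershell
# Added example: read-only audit of the per-user (HKCU) values from the post above.
# Nothing is written to the registry.
$expected = 'MSCAPI_RevocationChecker'
$products = 'Adobe Acrobat', 'Acrobat Reader'   # product key names as given in the post

function Get-RevocationCheckerState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Product,
        [string]$Version = '8.0'
    )
    $path  = "HKCU:\Software\Adobe\$Product\$Version\Security\cASPKI\cSPIs\cRevocationChecker"
    $state = [pscustomobject]@{ Product = $Product; Path = $path; Value = $null; Status = 'KeyMissing' }

    if (-not (Test-Path -LiteralPath $path)) { return $state }

    $item = Get-ItemProperty -LiteralPath $path -Name 't0' -ErrorAction SilentlyContinue
    if ($null -eq $item) { $state.Status = 'ValueMissing'; return $state }

    $raw = $item.t0
    # Assumption: tolerate a binary-typed value by decoding it as ASCII text.
    if ($raw -is [byte[]]) { $raw = [Text.Encoding]::ASCII.GetString($raw).TrimEnd([char]0) }

    $state.Value  = $raw
    $state.Status = if ($raw -eq $expected) { 'Configured' } else { 'Unexpected' }
    return $state
}

# HKCU is per user, so run this in the session of each account that validates signatures.
$products |
    ForEach-Object { Get-RevocationCheckerState -Product $_ } |
    Format-Table Product, Status, Value -AutoSize
```

A status of KeyMissing or ValueMissing for a product means the revocation checker entry from the post has not been set for the current user.
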
rhammud
Registered: Jun 3 2008
Posts: 3
Hello again,

I found the answers: I was able to force LDAP checking using the key value sLDAP. I found the details in the admin guide of Adobe 8. Thank you anyway for your help.
Rania
pmcbride
Registered: Aug 28 2008
Posts: 1
If you install Entrust Security Provider (ESP), this will augment CAPI with additional revocation capabilities. CAPI only has limited capability. The combination of ESP and the Adobe registry values works very well. I hope Adobe will implement these as HKLM soon.