Requirements for certificates to sign PDFs in Adobe Reader?

I’m trying to set up PDF digital signatures using certificates generated by openssl. I have generated a CA certificate, and used that to sign end user certificates, which I archive in PKCS#12 format. I have imported and trusted the CA certificate in Adobe Reader, and it shows the end-user certificates as being trusted to “sign documents or data”. I have also set up a CRL server, and Adobe Reader successfully confirms that the end-user certificate has not been revoked. However, when I select edit>preferences>signatures>Digital ID and Trusted Certificate Settings, select the digital identity of the end user, and select “Usage Options” from the top banner, all the options including “Use for Signing” are greyed out.

I have tried a variety of KeyUsage and ExtendedKeyUsage extensions on the end user certificate. For example,

keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = 1.3.6.1.4.1.311.10.3.12, 1.2.840.113583.1.1.5 
# (Microsoft Document Signing and Adobe Authentic Documents)

These appear to meet the requirements stated in https://www.adobe.com/devnet-docs/etk_deprecated/tools/DigSig/changes.html#everything-after-11-0-10 under version 11.0.09 for KU and EKU extensions. I have also tried with no extensions, as that document indicates that should also be accepted. I have tried both importing the end-user certificate directly into Reader, and importing it into the Windows credentials store, which also makes it visible in Reader. However the “Use for signing” option remains stubbornly greyed out!

The same certificates can be used to sign PDFs with SignServer, and Reader then shows that the document has been properly signed by a trusted certificate.

Thanks in advance for your assistance.
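The setup the question describes, reproduced with the openssl CLI as an added example (this is not code from the original post): a private CA, an end-user certificate carrying exactly the keyUsage and extendedKeyUsage values quoted above, a PKCS#12 bundle of the kind one would import into Reader, and a check that the issued certificate really chains to the CA and carries those extensions. The subject names (demo-ca, demo-user), the PKCS#12 passphrase (changeit), the validity periods and the config section names are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a CA and an end-user
# signing certificate with the KU/EKU from the question, bundles it as
# PKCS#12, and checks the issued certificate. Names, passphrase and
# validity periods are assumed for the demo.
set -eu

# Write an openssl config with the x509v3 extension sections. The minimal
# [req] section lets "openssl req" run without the system openssl.cnf.
write_ext_file() {  # $1 = output path
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ user_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
# 1.3.6.1.4.1.311.10.3.12 = Microsoft Document Signing
# 1.2.840.113583.1.1.5    = Adobe Authentic Documents
extendedKeyUsage = 1.3.6.1.4.1.311.10.3.12, 1.2.840.113583.1.1.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Create ca.key/ca.crt, user.key/user.crt and user.p12 in directory $1.
make_signing_chain() {
    dir=$1
    write_ext_file "$dir/ext.cnf"

    # Self-signed CA: 2048-bit RSA key, CSR, then sign with the CA section.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=demo-ca" \
        -config "$dir/ext.cnf" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 \
        -days 3650 -extfile "$dir/ext.cnf" -extensions ca_ext \
        -out "$dir/ca.crt" 2>/dev/null

    # End-user key and CSR, issued by the CA with the user extension section.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/user.key" 2>/dev/null
    openssl req -new -key "$dir/user.key" -subj "/CN=demo-user" \
        -config "$dir/ext.cnf" -out "$dir/user.csr"
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/ext.cnf" -extensions user_ext \
        -out "$dir/user.crt" 2>/dev/null

    # PKCS#12 bundle (key + cert + CA) for import into Reader or Windows.
    openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/user.p12"
}

# Return 0 only if user.crt chains to ca.crt and carries the expected
# critical keyUsage plus both EKU OIDs (matched by OID or by the name
# openssl may print for them).
check_signing_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" >/dev/null
    text=$(openssl x509 -in "$dir/user.crt" -noout -text)
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage: critical' \
        | grep -q 'Digital Signature, Non Repudiation'
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
        | grep -Eiq '1\.3\.6\.1\.4\.1\.311\.10\.3\.12|document ?signing'
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
        | grep -Eiq '1\.2\.840\.113583\.1\.1\.5|adobe'
}
```

Typical use is `d=$(mktemp -d); make_signing_chain "$d" && check_signing_cert "$d"` and then importing `user.p12` (passphrase `changeit`) into Reader, after trusting `ca.crt`. If the bundle was produced by OpenSSL 3 and the Windows store or Reader refuses to import it, add `-legacy` to the `openssl pkcs12 -export` command, since OpenSSL 3 defaults to AES/PBKDF2 PKCS#12 encryption that older importers do not understand.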

Answer

I installed Acrobat DC Pro thinking that perhaps it would give some indication of what the problem with the certificate is. However, it allowed me to select “Use for signing” with exactly the same certificates – I didn’t even have to re-import them since Acrobat and Reader share a certificate store. I then went back to Reader and the certificate was marked “approved for signing”, and I was able to toggle this setting, so it wasn’t simply that Acrobat DC had enabled it, the behavior of Reader had also changed. So the certificate properties are correct. It’s possible that installing Acrobat DC Pro updated a shared library that resolved the issue in Reader.

Attribution
Source: Link, Question Author: Andrew Roos, Answer Author: Andrew Roos
