validating digital signatures in a do be

7/24/2019 Validating Digital Signatures in a Do Be

1/27

Validating Digital Signatures in Adobe

Table of Contents

Validating Digital Signatures in Adobe......................................................................................................11. Validate the Signature using Windows Integration...........................................................................32. Add the Root Certificate on Adobe Trusted Identities......................................................................3. !"#ort$I%#ort the &D& 'Acrobat &or%s Data &or%at(...................................................................12). Validate Adobe Ti%esta%#s............................................................................................................1*+. ,ther Validation Settings.................................................................................................................23

-suall/ the digital certificates are issued b a Root CA 'Certification Authorit(.

If the Root CA that issued the signing certificate is not included in Adobe Trusted Identities/ the digitalsignature is considered 0not trusted0 'but ,T inalid( when the docu%ent is o#ened in Adobe Reader

'see e"a%#le below(.

This behavior has nothing to do with the signing engine (e.g. PDF Signer, Adobe Reader) but withthe Adobe certificate validation procedure.

The user can alidate the signature if the Root CA is alread installed on icrosoft Certificate Store'see the section Validate the Signature using Windows Integration(.

As an alternatie/ the reci#ient %ust %anuall add the Root Certificate of the signing certificate onAdobe Trusted Identities because onl a few Root CA4s are considered trusted b default b the Adobecertificate alidation engine 'See this article5htt#5$$www.adobe.co%$securit$#artners6cds.ht%l (.

Page 1 - Validating Digital Signatures in Adobe

The digital signature in not trusted
http://www.adobe.com/security/partners_cds.htmlhttp://www.adobe.com/security/partners_cds.htmlhttp://www.adobe.com/security/partners_cds.html


2/27


The digital signature is not trusted


3/27

1. Validate the Signature using Windows Integration

7ou can use this %ethod if our digital certificate is issued b a Root CA alread installed on icrosoftCertificate Store. icrosoft and Adobe use different Certificate Stores and different certificatealidation #rocedures.

To see if our Root CA is installed on icrosoft Certificate Store/ go to Start 8 Run 8 cert%gr.%sc



4/27

7ou can also i%#ort our Root Certificate here.



5/27

After ou chec9 that our Roor Certificate is installed/ in Adobe Reader go toEdit menu Preferencesoption Security tab click on Adanced Preferences button Windows Integration taband chec9 allchec9bo"es.



6/27

When the docu%ent is re:o#ened/ the digital signature is considered alid.


Valid Signature


7/27

2. Add the Root Certificate on Adobe Trusted Identities

So%e of the Root CA4s are included b default in Windows Certificate Store 'Trusted RootCertification Authorities( and onl a few are included in Adobe Trusted Identities.

;ecause the Root CA of the signing certificate is not included on Adobe Trusted Identities/ the

signature is considered


8/27

To %anuall add the Root Certificate on the Adobe Trusted Identities/ o#en the signature #ro#erties andclic9 Show !ertificate and select Trust tab.

;e sure that ou hae selected the to#%ost Root Certificate.


Trust a !A certificate


9/27

>ressAdd to Trusted Identities taband be sure ou hae chec9ed all chec9bo"es/ as below.


Trust a !A certificate


10/27

After all dialog bo"es are closed and the docu%ent is re:o#ened/ the signature is considered Valid.


Valid digital signature


11/27

The Root Certificate is now Trusted and all signatures generated with this Root Certificate will be alsoTrusted.


Trusted "oot !ertificate


12/27

3. !"ort#I$"ort the %D% &Acrobat %or$s Data %or$at'

In order to aoid to %anuall add the Root Certificate on eer client %achine/ the Root Certificate can

be e"#orted as Adobe &D& file. ,nce the file is e"#orted/ it can be installed on eer %achine where

the digital signatures %ust be erifed.

The &D& file can be e"#orted fro% the D igital signature properties !ertificate section. ;e sure the

Root Certificate is selected and not the signing certificate.



13/27

,n the ne"t window select Acrobat &D& data !"change/ as below5



14/27

Sae the &D& file.



15/27

The signature before i%#orting the &D& file is considered


16/27

I%#ort the &D& file.



17/27

After the &D& file is i%#orted/ the signature is considered Trusted.



18/27

(. Validate Adobe Ti$esta$"s

An Adobe Ti%esta%# is in fact a subse?uent signature added to the >D& signature so to alidate anAdobe Ti%esta%# si%#l follow the instructions fro% the section aboe.


Timestamp in not trusted


19/27

@o to Date$Ti%e Tab and dis#la the Ti%esta%# Authorit certificate.



20/27

>ress Add to Trusted Identities button



21/27

;e sure ou hae chec9ed all chec9bo"es/ as below.



22/27

After all dialog bo"es are closed and the docu%ent is re:o#ened/ the ti%esta%# is considered Valid.



23/27

). *ther Validation Settings

In so%e cases/ the digital signature cannot be correctl alidated because of so%e reasons li9e5: Internet Conenction is not aailabe: >ro" Settings cannot be set on Adobe: CR$,CS> reocation infor%ation cannot be downloaded or are not aailable.

,n this case/ een if the digital signature is trusted and alid/ Adobe will consider this signature


24/27

CR reocation list is not aailable.



25/27

The digital signature is considered not trusted een if the signature is not altered.



26/27

To aoid this behaior/ Adobe %ust be configured to b#ass this additional reocation chec9ing.

@o to Edit menu Preferences option Security tab click on Adanced Preferences button Verification tab and set the interface as below5



27/27

After this settings was saed/ the docu%ent is considered alid b Adobe.

P 27 V lid ti Di it l Si t i Ad b

validating digital signatures in a do be

Documents