
Problem on CRLs

Jun 16, 2009 2:40 AM

hi...

 

I am working on a process for Digital Signature Verification. I am facing a problem with CRLs. I imported the CRL of a CA and the CA certificate into the Trust Store. I am signing with a revoked certificate. Though the output I am getting is an invalid signature, for revocation information the result is "No valid CRL found".

 

<revocationInformation>
  <status>Trouble</status>
  <statusMessage>ALC-DSS-112-015: No Valid CRL found</statusMessage>
</revocationInformation>

 

Can anyone tell me where I am making a mistake? Is there some problem with the CRL or some problem in configuring the CRL?

I also want to know how the basic verification of a digital signature is carried out. To be specific, when is the Trust Store checked for the CA, and what happens if a particular CA's certificate is not available in our trust store?

 

Any pointers will be highly appreciated.

 

Thanks and Regards,

Ambika Mittal

 
Replies
  • Jun 17, 2009 8:39 AM   in reply to AmbikaM

    Check the "CRL Option Spec" properties of your "Verify PDF Signature" operation.  There is a parameter called "Consult Local URI First".

     

    I believe this tells Digital Signatures ES to check the (local) CRL stored in the Trust Store.

     

    From the Workbench help...

     

    #CRL Options Spec

    (Optional) A CRLOptionSpec value that represents the certificate revocation list (CRL) preferences if revocation checking using CRLs is to be done. If you provide a literal value, specify the following options.

    Consult Local URI First: A boolean value that specifies whether the CRL location provided as the local URI should be given preference over any specified locations within a certificate for the purpose of revocation checking. The default is False.

    Local URI for CRL Lookup: A string value that represents the URL for the local CRL store. This value is used only if the Consult Local URI First setting is True.

     

    For your other question...

    I also want to know how the basic verification of a digital signature is carried out. To be specific, when is the Trust Store checked for the CA, and what happens if a particular CA's certificate is not available in our trust store?

     

    Any time a "Verify PDF Signature" operation is used, the Trust Store will be checked for the relevant certificates.  If the certificate is not in the Trust Store then the "signerStatus" attribute of the PDFSignatureVerificationResult object (returned by Verify PDF Signature) will be "UNKNOWN".  Assuming the document has not changed since the signature was applied, the "signatureStatus" would be "VALIDANDUNMODIFIED".

     

    Regards

    Steve

     
  • Jun 22, 2009 11:05 AM   in reply to AmbikaM

    As far as I know, the "Local URI for CRL lookup" is referring to the location of the locally stored CRL on the server.  The CRL is stored in the Trust Store.

     

    There is a local cache for CRLs on the client system as well, but this is only used when signatures are being validated on the client (by Acrobat or Reader).

     

    FYI, the location on the client is C:\Documents and Settings\userprofile\Application Data\Adobe\Acrobat\9.0\Security\CRLCache

     

    Regards

    Steve

     
  • Jul 5, 2009 10:16 PM   in reply to AmbikaM

    Hi Ambika,

     

    If the CRLdp in the certificate is something like ldap://xyz.com/xyz.crl

     

    Import the above CRL into the truststore with the alias set to the CRLdp, i.e. provide the alias as "ldap://xyz.com/xyz.crl".

     

     

    HTH

    Santosh

     
  • Jul 6, 2009 4:53 AM   in reply to AmbikaM

    Hi Ambika,

     

    Yes, CRLdp means CRL distribution point.

     

     

    If local CRLs are not used, the LC Digital Signature service directly fetches the CRL online by contacting the HTTP or LDAP server at the URL http://<path to CRL> or ldap://<path to CRL> as mentioned in the certificate. But if local CRLs are used, LC Digital Signatures does not parse each and every CRL in the database to identify the correct file (for performance reasons).

     

    If the CRL is imported with an alias equal to the CRLdp string, LC Digital Signatures compares the string in the certificate to the alias and starts further processing to check whether it has been issued by a trusted issuer.

     

     

    --Santosh

     
  • Oct 29, 2009 11:07 AM   in reply to N Santosh Kumar
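The lookup Santosh describes in the two replies above (find the CRL under an alias equal to the certificate's CRLdp string, then confirm it was issued by a trusted issuer before using it) and Ambika's "No valid CRL found" case, as an added example on the OpenSSL command line. This is not LiveCycle code and not from the thread. It assumes a hypothetical CRLdp URI http://crl.example.test/ca.crl, builds a throwaway CA, one revoked and one good signer certificate and the CA's CRL, and models the Trust Store's CRL entries as files in a directory named after the alias (the URI with '/' and ':' replaced by '_', since a file name cannot hold the raw URI).

```shell
#!/bin/sh
# Added example, not LiveCycle code: a local CRL store keyed by the signer
# certificate's CRL distribution point (CRLdp) URI, checked as the thread describes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/truststore"                 # stands in for the Trust Store's CRL entries
mkdir -p "$STORE"
CRLDP="http://crl.example.test/ca.crl"   # assumed CRLdp URI, not from the thread

# --- throwaway CA, a revoked and a good signer cert, and the CA's CRL (constructed) ---
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
printf 'crlDistributionPoints=URI:%s\n' "$CRLDP" > "$WORK/leaf.ext"
for name in revoked good; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name signer" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/$name.pem" 2>/dev/null
done
: > "$WORK/index.txt"                    # 'openssl ca' needs a database for -revoke/-gencrl
echo 01 > "$WORK/crlnumber"
echo 1000 > "$WORK/serial"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/revoked.pem" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null

# First CRLdp URI in a certificate: the string the verifier reads from the signer cert.
crldp_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A4 'CRL Distribution Points' | grep -o 'URI:[^ ,]*' |
        head -n 1 | sed 's/^URI://'
}

# Store entry for a CRLdp alias (file name derived from the URI; see lead-in).
alias_file() {
    printf '%s/%s' "$STORE" "$(printf '%s' "$1" | tr '/:' '__')"
}

# Prints NO_VALID_CRL (nothing stored under the alias, or the CRL does not verify
# against the trusted CA), REVOKED, or GOOD.
check_revocation() {
    uri=$(crldp_of "$1")
    [ -n "$uri" ] || { echo NO_CRLDP; return 0; }
    crl=$(alias_file "$uri")
    [ -f "$crl" ] || { echo NO_VALID_CRL; return 0; }
    # 'issued by a trusted issuer': the CRL signature must verify with the CA cert
    openssl crl -in "$crl" -noout -CAfile "$WORK/ca.pem" -verify 2>&1 |
        grep -q 'verify OK' || { echo NO_VALID_CRL; return 0; }
    # openssl verify also enforces the CRL's thisUpdate/nextUpdate window
    if out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$crl" "$1" 2>&1); then
        echo GOOD
    elif printf '%s' "$out" | grep -q 'certificate revoked'; then
        echo REVOKED
    elif printf '%s' "$out" | grep -q 'CRL'; then
        echo NO_VALID_CRL
    else
        echo "ERROR: $out"
    fi
}

# 1. CRL never imported under the CRLdp alias: the 'No valid CRL found' case.
STATUS_BEFORE_IMPORT=$(check_revocation "$WORK/revoked.pem")
# 2. Import the CRL under an alias equal to the CRLdp string, as advised above.
cp "$WORK/ca.crl" "$(alias_file "$CRLDP")"
STATUS_REVOKED=$(check_revocation "$WORK/revoked.pem")
STATUS_GOOD=$(check_revocation "$WORK/good.pem")
echo "before import:  $STATUS_BEFORE_IMPORT"
echo "revoked signer: $STATUS_REVOKED"
echo "good signer:    $STATUS_GOOD"
```

Run it with any OpenSSL 1.1.1 or later. The first status shows what the product reports when the alias does not match the CRLdp string in the certificate; only after the CRL is stored under that exact alias does the revoked signer come back as REVOKED while the unrevoked one is GOOD. The explicit `openssl crl -verify` step is the "trusted issuer" check: a CRL signed by any other key under the same alias is treated as no CRL at all rather than as proof the signer is not revoked.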
