Hopefully, without being too geeky...
When you installed the software that came with your token you installed something called the CSP (Cryptographic Service Provider). A CSP is the interface between the hardware and the Windows Certificate Store (aka CAPI/CNG). What happens when the CSP initially reads the data on the token is that it installs the public key certificate into the Windows Certificate Store and it installs a pointer back to the token in order to access the private key. The private key itself does not get installed in the Win Cert Store, but rather resides on the token, and only on the token. You might be able to reformat the token and obliterate the private key, but you can never copy the key off the token.
As an aside here, when you import a digital ID file into the Win Cert Store, in that case Windows does get its hands on the private key, but with tokens and smart cards it does not.
What happens when you sign is you create a cryptographic hash of the document (e.g. SHA-1 or SHA-256) and then encrypt the hash with the private key. If Windows has the private key in its possession then it takes the hash and encrypts it itself. However, in the case of hardware devices where it doesn't have direct access to the private key, it follows the direction in the pointer and sends the hash to the hardware device along with an instruction set (which would be something akin to 1) encrypt this hash, and 2) send it back to me). After Windows gets the encrypted hash back it returns it to Acrobat (or Reader), which in turn writes it into the PDF file.
In your case, Acrobat will hash the file and then send the hash to Windows to have it encrypted with the private key. Windows will see that it doesn't have the private key, but just a pointer to the private key, and sends the hash to the location in the pointer. Here is where things break down. The data doesn't get returned from the token for some reason. Windows realizes that it didn't get the encrypted hash back, so instead of sending the encrypted hash back to Acrobat it sends the error message.
Either the token is not plugged in, or the cryptographic controls on the token are returning bad data to Windows. My question would be, were you ever able to sign using this token?
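The signing flow described in the post above, as an added example that is not the poster's or Adobe's code: the application hashes the document, the certificate store holds only the public certificate plus a pointer to the token, and the token performs the private-key operation on the digest. The key pair is a constructed toy (two known Mersenne primes, textbook RSA without PKCS#1 padding) so it runs offline; the class names `HardwareToken` and `WindowsCertStore` are assumptions made for the model, and the "token returns nothing" branch shows why the application ends up with an error rather than a signature.

```python
import hashlib

# Constructed toy RSA key pair for illustration only: two known Mersenne primes
# (2^521-1 and 2^607-1) give a modulus large enough to hold a SHA-256 digest.
# A real token generates random primes on-card; this key exists purely to run offline.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
PUBLIC_E = 65537
PUBLIC_N = _P * _Q
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))


class HardwareToken:
    """Models the token: the private key lives only here and never leaves."""

    def __init__(self, d, n, plugged_in=True):
        self._d = d                  # private exponent, visible to nothing outside the token
        self._n = n
        self.plugged_in = plugged_in

    def sign_digest(self, digest):
        # The CSP hands the token a digest plus "encrypt this and send it back".
        # If the token is missing or misbehaves, nothing comes back.
        if not self.plugged_in:
            return None
        # Real CSPs apply PKCS#1 padding before this step; the textbook form is shown for clarity.
        return pow(int.from_bytes(digest, "big"), self._d, self._n)


class WindowsCertStore:
    """Models CAPI/CNG: holds the certificate (public key) and a pointer to the token."""

    def __init__(self, public_n, public_e, token):
        self.public_n = public_n
        self.public_e = public_e
        self._token = token          # the "pointer back to the token"; no private key here

    def sign_hash(self, digest):
        sig = self._token.sign_digest(digest)
        if sig is None:
            # Windows never received the encrypted hash, so the caller gets an error instead.
            raise RuntimeError("private key operation failed: no response from token")
        return sig

    def verify(self, digest, signature):
        # Anyone holding the public certificate can "decrypt" the signature and compare hashes.
        return pow(signature, self.public_e, self.public_n) == int.from_bytes(digest, "big")


def sign_document(store, document):
    """What Acrobat does: hash the bytes, then ask the store to encrypt the hash."""
    return store.sign_hash(hashlib.sha256(document).digest())


def verify_document(store, document, signature):
    """What a verifier does: rehash the bytes and check them against the signature."""
    return store.verify(hashlib.sha256(document).digest(), signature)


def demo_sign(document=b"constructed PDF bytes", plugged_in=True):
    """Run one signing attempt; returns ("signed", verified) or ("error", message)."""
    token = HardwareToken(_PRIVATE_D, PUBLIC_N, plugged_in)
    store = WindowsCertStore(PUBLIC_N, PUBLIC_E, token)
    try:
        signature = sign_document(store, document)
    except RuntimeError as exc:
        return ("error", str(exc))
    return ("signed", verify_document(store, document, signature))


if __name__ == "__main__":
    print(demo_sign())                       # token present: signature verifies
    print(demo_sign(plugged_in=False))       # token absent: application gets an error
```

Note that `WindowsCertStore` never touches `_PRIVATE_D`; the only way to get a signature is to route the digest through the token object, which is the property the post is describing.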
I'm having the same problem on Windows 8. The token works fine in Windows, signing mails, DoD web sites, and for token login. This is the only application that has this problem.
There are a lot of different reasons why Acrobat won't allow you to sign with this particular digital ID. It may be expired, the key usage may not contain the proper settings ("proper" meaning what Acrobat is expecting, as the cert may contain valid key usage values, just not what Acrobat is looking for), or the key may have been created with an algorithm Acrobat doesn't understand. It's a bit hard to say without seeing the cert. If you can send me the public-key certificate, let me know and I'll send you an e-mail address. Also, what version of Acrobat are you using?
Hi Steve et al,
I think this may be related to the issue I posted under "Certificates no longer work for signing when moving to Acrobat XI". We've been rolling out certificates from a relatively large CA vendor and discovered that none of the users with Acrobat XI could sign PDFs with them, but our users with older Acrobat versions are able to sign without problems.
Users were by default set up with the certificate held by a software token, but we also tried delivering the certificate directly to the Windows Certificate Store. In both cases users were unable to sign. On my test Win7 image, using the WinCertStore option gave the "keyset undefined" error mentioned in the OP's post.
One thing I found that did seem to work was to export* a certificate from an XP machine, manually edit the CSP, and import it to my Win7 machine. This would hint at a CSP issue, but I find it interesting that the problem is not seen with older versions of Acrobat (e.g. versions 7 and X).
*In order to export the certificate some tweaking was done to the certificate policies, so it's possible those also have a hand.
Was this issue ever resolved? I have regularly signed digitally. This morning I got a message that said Adobe could make something easier if I allowed Adobe to import some "keys", so I clicked yes and haven't been able to sign anything since. It still works on all my other machines, I just can't sign anything after allowing it to import whatever it was.
Can you walk me through the steps and what you see at each step? I need to know where in the signature creation process the failure occurs.
Also, what OS are you using, what version of Acrobat or Reader (and which one of those two apps are you using), and finally, what storage mechanism contains your digital ID (e.g. a file, a hardware device, the OS)?