I can guarantee that this isn't a bug in Acrobat that needs to be patched. The real question is why doesn't Acrobat think that you have a digital ID enabled for creating a digital signature. Just because the certificate is loaded into the Windows Certificate Store doesn't mean that it is a valid digital ID. Things to check for include: the validity period (make sure the certificate hasn't expired), that the key usage contains either digital signature or non-repudiation, and that the private key is available (e.g. the private key is on a token that isn't plugged in).
I don't quite understand what you are trying to get at here.
It allows me to sign in Acrobat XI but not Acrobat X. You are saying that this doesn't need to be patched in Acrobat X, so does this mean there's a bug inside of XI that allows me to sign?
Let me make sure I've got the work-flow...
Same unsigned file on the same computer:
- Using Acrobat X you open the Tools panel, expand Sign & Certify and in the Certify section you click on With Visible Signature and nothing happens.
- Using Acrobat XI you open the Sign panel, expand Work with Certificates and click on Certify (Visible) and you can sign
Is that the scenario?
That's correct, but just to clarify:
Using Acrobat X you open the Tools panel, expand Sign & Certify and in the Certify section you click on With Visible Signature and the Certify Document window pops up with my AD Certificate, but when I click Sign nothing happens.
OK getting closer...
I understand that in Acrobat X you get the Certify document dialog and when you click the Sign button nothing happens. Again, just to make sure I understand, in Acrobat XI you click on Certify (Visible), you get the Certify Document dialog, you select the same digital ID that you selected in Acrobat X, you click the Sign button and signing operation continues (i.e. you get the Save As dialog, and get a signed file with a valid digital signature)?
No problem, I'm going to have to re-install XI, but I'll send it over.
If you still have version X on the systems, I'd like to try one thing.
- Close Acrobat
- Click the Start button and type regedit into the run edit field and press the enter key
- Expand the registry and select HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\Security
- Select the File > Export menu item
- Name the file SecurityX and save it to your Desktop
- Select the Edit > Delete menu item
- Click the Yes button on the confirmation dialog
- Restart Acrobat X and try the signing operation again
Let me know if it worked or you are still getting the Sign button that does nothing
Same problem, I deleted that registry key and had the same results. Acrobat XI is installing on another machine currently so I'll send over the Signed PDF here shortly.
I have numerous machines I can use to test with so feel free to shoot out other suggestions.
Email has been sent, Steve.
I think I see the problem. Acrobat is not supposed to let the user certify the document if it cannot do revocation checking. The concept is a certifying signature is supposed to carry a higher sense of ceremony than a regular approval signature and thus it should be able to withstand what we refer to as long term validation. That is, all of the collateral components (certificates and revocation responses) have to be available to Acrobat at signing time in order to be embedded into the signature so the signature will retain its validity in perpetuity.
With the certificate that signed the test file, Acrobat (neither version 10 nor 11) was able to download the CRLs from the LDAP addresses listed in the CRL Distribution Point extension (there is one in the ks-KS-TCA-CA intermediate Certificate Authority certificate and one in the Wichita Test end-entity certificate). Since there was an error in downloading the CRLs, it causes Acrobat 10 to disallow the signing operation. Granted, the Sign button that does nothing is a usability bug and we should have popped a dialog that noted signing could not be accomplished due to lack of revocation
That said the real bug is that version 11 allowed the certifying signature to be created. Now you've got a certifying signature that cannot stand the test of time and in earlier versions of Acrobat will not be valid due to the lack of revocation information.
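The checks discussed in this thread (validity period, key usage, private key, and the CRL distribution points of every certificate in the chain) can be listed with the following PowerShell, an added example that is not part of the original posts or of Acrobat. It assumes the signing certificate is in the current user's Personal store; the URL extraction assumes the `URL=` lines Windows prints when it formats the extension.

```powershell
# Added example: report, for each certificate in the current user's Personal
# store, the properties this thread names as reasons a signing ID is rejected.
$KU  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$now = Get-Date

function Get-CrlUrl($cert) {
    # OID 2.5.29.31 = CRL Distribution Points. Parsing the formatted text
    # relies on the "URL=" lines Windows emits for this extension (assumption).
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match 'URL=(.+)$') { $Matches[1].Trim() }
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert  = $_
    $kuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    $usage = if (-not $kuExt) {
        'no key usage extension'
    } elseif ($kuExt.KeyUsages -band ($KU::DigitalSignature -bor $KU::NonRepudiation)) {
        'ok'
    } else {
        "lacks digitalSignature/nonRepudiation: $($kuExt.KeyUsages)"
    }

    # Build the chain so the CRL URLs of intermediate CAs are listed too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # do not fetch revocation data here
    [void]$chain.Build($cert)
    $crl = foreach ($el in $chain.ChainElements) {
        $name = $el.Certificate.GetNameInfo('SimpleName', $false)
        foreach ($u in (Get-CrlUrl $el.Certificate)) { "$name -> $u" }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        KeyUsage      = $usage
        # True only means a key is associated with the certificate; a key held
        # on a smart card or token still needs the device to be present.
        HasPrivateKey = $cert.HasPrivateKey
        CrlUrls       = $crl -join '; '
    }
} | Format-List
```

A certificate whose chain lists only `ldap:` URLs depends on the signing machine being able to reach that directory. Exporting the certificate to a `.cer` file and running `certutil -verify -urlfetch` on it shows whether each listed URL can be retrieved from that machine.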