5 Replies Latest reply on Sep 29, 2016 9:17 AM by tarekahf

    Error when try to renew certificate created by Adobe Reader

    tarekahf Level 1

      A digital signature (Windows based Certificate) was ceated, and now expired. It was used successfully for several years.


      The user can no longer use this signature to sign Digital Signature Fields on Adobe PDF Documents.


      This is the first time we try to renew such certificate. Before, we used to create a new certificate.


      When try to renew the certificate using MMC Certificate snap-in (Certificate Manager), we get the following error:


      "the request contains no certificate template information"





      Any help to to enable use to Renew the Digital Signature Certificate will be greatly appreciated?



        • 2. Re: Error when try to renew certificate created by Adobe Reader
          Steven.Madwin Adobe Employee

          Hi Tarek,


          There are a couple of things at play here. First up, let's square away some terminology. What you are asking about is not a digital signature, but rather a digital ID. Think of this as akin to the paper world where the digital ID is equivalent to a pen and is used to create the digital signature just as the pen is used to create the wet ink signature.


          What you are looking to do is known as key roll over, where you resign the public key to extend it's life. The big question is how do you resign the public key and the answer is you need the original certificate signing request (CSR in geek speak). Of course you don't have the CSR because you don't get one when you use Acrobat/Reader to generate a self-signed digital ID. That probably begs the question, what is a self-signed digital ID? When a you start the process of generating and constructing a digital ID you initially generate the private key along with the corresponding public key. However, there is a bit of textual information that is also packaged along with the public key such as your name and address (either mailing or e-mail). The public key and the textual information are packaged into the CSR, so you've got the private key and the CSR sitting there separately. The next step is to send the CSR to the issuer and have them sign it with their private key. At this point the issuer name, the validity period, the serial number and other bits of information are package up in the public-key certificate file, which by the way also contains the signature itself. Now you've got a signed public-key certificate along with the corresponding private key sitting on your computer. If you take those two pieces and combine them into one file you end up with a digital ID.


          The thing is, when Acrobat/Reader generates a digital ID it uses the private key to sign the CSR, thus the ensuing digital ID is known as "self-signed" in that the public-key certificate portion of the file was signed by its own corresponding private key as opposed to being signed by some issuing certificate authority. The CSR is disposed of during this operation and all you end-up with is a self-signed digital ID with a 5 year life span. The whole process is made as simple as possible for the end-user which is why there is no CSR left over for them to deal with.


          All that said, your only option is to use Acrobat or Reader to create a new self-signed digital ID and start using that in lieu of the expired one. You are trying to use Microsoft CAPI (Cryptographic Application Program Interface) to send the CSR off to a Certificate Authority to have them sign the CSR and return a signed public-key certificate file, but, as I'm sure you have now surmised, you don't have the CSR to send, thus MS-CAPI returns the error message you posted in the red font. It may not quite say that, but that's what it means.


          I hope this helps,


          • 3. Re: Error when try to renew certificate created by Adobe Reader
            tarekahf Level 1

            Thank you Steve for the detailed reply, and sorry for giving my feedback late.


            However, I passed this feedback to the end-users after your reply, and it seems that the vast majority of them already realized this fact, and they are issuing a new self-signed digital signature without coming back to IT Support.


            Since more than 7 years ago, It is amazing how such large umber of non-technical users could deal with this constraint without coming back to IT for support. I only get some complaints from a few user, and most of such complaints are from users with strong technical background.


            I am honestly surprised


            It is clear to me now, that we need to deploy an Enterprise MPKI solution to deal with such constraint, and I was hoping that there is a much better and easier solution. I know the MPKI solution are complex and very expensive. I am not sure if our organization is ready to accept such solution, though I believe that it is important, but due to its complexity and high cost, its value may not be justified.


            I hope we will be able to find easier and alternative solutions.



            • 4. Re: Error when try to renew certificate created by Adobe Reader
              tarekahf Level 1

              Hi Steven.Madwin,


              Related to this thread, I am now unable to export the private key as I used to be able to do so in the past. Something was changed in the way Adobe Acrobat/Reader is generating Self Signed Digital IDs/Certificates.


              Cannot Export Private Key.jpg


              I developed the following screencasts for our end-user, and now this procedure no longer works:


              - http://www.screenr.com/DJ9s

              - http://www.screenr.com/YJ9s

              - http://www.screenr.com/qoN8


              Any feedback on this? I searched everywhere by Google to find a solution, but there is no luck


              Note: But I think there is a trick or workaround ... simply create a Digital ID File, then import this file (add file) as Windows Based Certificate.


              Now, I have to change the screencasts to ask the users to first Generate a Digital ID File, and then import it as Windows Digital File.




              I recorded this screencast to explain how to generate a file so that it is exportable:




              • 5. Re: Error when try to renew certificate created by Adobe Reader
                tarekahf Level 1

                As I gained more experience working with Digital Certificates (as we are now moving to 3rd party/open source based solutions for certifying/signing PDF documents from HTML5 web based applications) I thought to provide more details about Adobe Self Signed certificates.


                To be able to reuse your self signed certificate, you have first to create a PKCS#12 Digital ID (not Windows Certificate Store). Then make sure to remember the password and keep the file in a safe place. You can use MMC -> Certificates Snap-in to have maximum control of your certificates if you want to import/export from/to Windows Certificate Store.


                When you import your Digital ID into Windows Certificate Store, make sure to mark the key as exportable. Later you can export this key if you lost the backup copy. However, you cannot renew it from this place.


                In order to have all features, you must get the certificate from a official certificate provide. See link below for example:


                Learn about Certified Document Services


                Also, you need to have the proper infrastructure to manage your certificate store (key files). Using self signed certificate is OK if you have few users and the level of security required is acceptable.


                Also, mind you that you can use free software to sign your PDF documents (full source code available in Java):


                About JSignPdf | JSignPdf - Free digital signatures for PDF


                JSignPdf download | SourceForge.net


                Which works well with the created self signed digital ID. This tool has full source code in Java and works well using Eclipse.


                I hope this will be of value to others.