13 Replies Latest reply on May 22, 2013 5:11 AM by flsurveyor

    Digital Signature Invalid

    flsurveyor

I have a third-party certificate (IdenTrust). When I sign a PDF it goes in as it should; I save it with a new file name, the signature goes into the PDF and I get a message that the signature was successfully inserted. Then when I hit okay it gets the red checkmark and says signature invalid. When I go to the Certificate Viewer dialog box it says "The selected certificate path has errors: Invalid signature".

       

      Can anyone help?

      Please

        • 1. Re: Digital Signature Invalid
          Steven.Madwin Adobe Employee

          The IdenTrust consortium uses two digital IDs as part of the signature creation/validation processes; an Identity digital ID and a Utility digital ID. You use the Identity digital ID to create the signature and the Utility digital ID to sign the request for a revocation response. IdenTrust requires that every time you do signature validation that you get a fresh revocation response so every time you validate a signature you need the Utility cert handy. Are both digital IDs available to Acrobat?

           

          Steve

          • 2. Re: Digital Signature Invalid
            flsurveyor Level 1

            Thank you for replying

            In my list of certificates I have:

            Adobe Root CA

            DST ACES CA X6

            Gary W. Smith

            IdenTrust Aces CA 1

            • 3. Re: Digital Signature Invalid
              flsurveyor Level 1

I am not sure; I think it is, but? I believe that I exported it from IdenTrust and put it in a folder in My Documents, but I am not sure Adobe sees it.

              • 4. Re: Digital Signature Invalid
                Steven.Madwin Adobe Employee

                Hi Gary,

                 

                You're looking at certificates and I'm asking about digital IDs.

                 

                Forget for a moment that IdenTrust uses two digital IDs, I want to go over the difference between a certificate and a digital ID and this concept also uses the number two.

                 

                When a Certificate Authority (CA) creates a digital ID for you to sign with it first generates a key pair. That means there are two different, symbiotically corresponding keys. One of these keys is designated as the private key and the other is the public key. If you were to look at these keys they are just two big blobs of numbers whose size corresponds to the key size (probably 1024 or 2048 bits). 

                 

The public key is bound with the certificate information (e.g. name, serial number, validity dates, etc.) and it becomes the Public Key Certificate (PKC) file, and that's what you are looking at. When you add the private key to the PKC it becomes a password (or PIN) protected digital ID file. It is these two digital ID files that you need to look for. If you tell me the version of Acrobat or Reader that you are using (and on what platform), I'll give you the steps to get to where you need to look.

                 

                Steve

                • 5. Re: Digital Signature Invalid
                  flsurveyor Level 1

I am using Adobe Acrobat Pro Ver. 7 on Windows XP.

                  When I look at the trusted identities I see:

                  Adobe Root CA

                  DST ACES CA X6

                  Gary W. Smith

                  IdenTrust ACES CA 1

                  • 6. Re: Digital Signature Invalid
                    Steven.Madwin Adobe Employee

                    Hi,

                     

                    First thing you need to do is make sure the token that contains your IdenTrust digital IDs is plugged into the computer.

                    From Acrobat:

                    • Select the Advanced > Security Settings menu item
                    • Select Digital IDs from the tree view in the Security Settings dialog

                     

                    This is where you should see both the identity and the utility digital IDs listed.

                     

                    Steve

                    • 7. Re: Digital Signature Invalid
                      flsurveyor Level 1

                      Nothing is there

                      • 8. Re: Digital Signature Invalid
                        Steven.Madwin Adobe Employee

You will need to talk to IdenTrust about replacing your token. Let them know that this one is not being read.

                         

                        Steve

                        • 9. Re: Digital Signature Invalid
                          flsurveyor Level 1

Just finished getting a new certificate, which still gives me the same answer. IdenTrust rep said to let you know it is a browser-based certificate.

                          Gary

                          • 10. Re: Digital Signature Invalid
                            Steven.Madwin Adobe Employee

                            Hi Gary,

                             

Please send the signed PDF to me at Steven.Madwin@adobe.com and I'll take a look.

                             

Can you confirm if IdenTrust gave you a complete set of digital IDs, that is, both an identity and a utility digital ID?

                             

                            Thanks,

                            Steve

                            • 11. Re: Digital Signature Invalid
                              flsurveyor Level 1

Just got off the phone with IdenTrust. They said both certificates (personal & root) were re-downloaded and checked yesterday.

                              Gary

                              • 12. Re: Digital Signature Invalid
                                Steven.Madwin Adobe Employee

                                Hi Gary,

                                 

                                Your version of Acrobat is too old to support the signature algorithm over the public key certificate. I know I'm probably going to get too geeky here, so you'll just have to take the following on faith.

                                 

Just like you can sign anything in the physical world, you can sign any blob of data in the electronic world. When a public key certificate is created it is digitally signed by the issuer. The public key certificate issued to you by "IdenTrust ACES CA 1" was signed by them using their private key, just like you use your private key to sign a PDF file. When something is digitally signed you don't sign all of the data, but rather a representation of the data known as a "hash". When you hash data you use a digest algorithm to produce the hash, and there are several different digest algorithms in widespread use around the world. Eventually you encrypt this "hash" using your private key, and that's how a digital signature is created.

                                 

Many years ago (computer years are like dog years, so we're only talking about 25 years ago, but that's a millennium in computer time) the first digest algorithm that was widely adopted was MD5 (it was the fifth incarnation of a "Message Digest" algorithm, hence the MD5 name). It spit out a 16 byte hash, but after a while, with advancements in computer power, MD5 fell out of favor and was replaced for general use by SHA-1 (Secure Hash Algorithm), which spit out a more secure 20 byte hash (bigger is more secure in this case). The world lived on SHA-1 for quite a while, but it too fell out of favor for SHA-256, which spits out a 32 byte hash. The digest algorithm used to sign your digital ID is SHA-256, which is the currently accepted standard.

                                 

                                When Acrobat 7 was created it only knew how to read and create an MD5 and a SHA-1 hash, it does not understand SHA-256. Because it doesn't understand SHA-256 it doesn't know how to validate the signature over your digital ID, and thus the "Invalid Signature" message you are seeing. It's not the signature over the PDF file, but rather the signature over your public-key certificate.

                                 

                                If you want to be able to sign PDFs using your current digital ID you are going to have to update your version of Acrobat.

                                 

                                I tried to walk the fine line between informational and not too complex, but if you still have questions let me know.

                                Steve
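The distinction Steve draws in reply 12 (the CA's signature over the certificate, identified by its signature algorithm, versus the signature over the PDF) can be checked mechanically. The following is an added example, not code from this thread, from Adobe or from IdenTrust: it builds a toy DER-encoded certificate with a chosen signatureAlgorithm OID, parses the OID back out, and reports whether a verifier that only knows MD5 and SHA-1 (as reply 12 says Acrobat 7 does) could validate that certificate. The toy certificate's tbsCertificate is a stand-in SEQUENCE, not a real IdenTrust certificate, and the `supported` default is an assumption taken from the post, not from Acrobat's documentation. On a real certificate, the same `certificate_signature_oid` function works on the DER bytes of the file.

```python
"""Which digest algorithm signed this certificate, and can an old verifier
check it?  Added example (not Adobe/IdenTrust code); the certificate bytes
are constructed here with a toy DER encoder."""
import hashlib

# RSA signature-algorithm OIDs -> digest used (standard PKCS#1 OIDs)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}

# --- minimal DER encoder: tag-length-value, OID, AlgorithmIdentifier ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])   # first two arcs share a byte
    for p in parts[2:]:
        chunk = [p & 0x7F]                          # base-128, high bit = "more"
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def algorithm_identifier(dotted):
    return der_tlv(0x30, der_oid(dotted) + b"\x05\x00")  # SEQUENCE { OID, NULL }

def build_toy_certificate(sig_oid):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    tbsCertificate is a stand-in (version INTEGER only); signatureValue is filler."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x02"))          # constructed, not a real TBS
    sig_value = der_tlv(0x03, b"\x00" + b"\xAB" * 32)     # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + algorithm_identifier(sig_oid) + sig_value)

# --- parsing side: what a verifier does before it can even try the signature ---
def read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    parts = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def certificate_signature_oid(cert_der):
    """Return the dotted OID from the outer signatureAlgorithm field."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)                # skip tbsCertificate
    tag, alg_body, _ = read_tlv(body, pos)       # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    oid_tag, oid_content, _ = read_tlv(alg_body, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_content)

def digest_for_certificate(cert_der):
    return SIGNATURE_OIDS.get(certificate_signature_oid(cert_der), "unknown")

def verifier_can_validate(cert_der, supported=("md5", "sha1")):
    """Could a verifier limited to `supported` digests check the CA's signature?
    The default mirrors the post's statement about Acrobat 7 (assumption)."""
    return digest_for_certificate(cert_der) in supported

if __name__ == "__main__":
    for oid, name in SIGNATURE_OIDS.items():
        cert = build_toy_certificate(oid)
        size = hashlib.new(name).digest_size       # 16, 20, 32 bytes as in reply 12
        print(f"{name:7s} {size:2d}-byte hash  old verifier ok: {verifier_can_validate(cert)}")
```

Running the script lists the three digests with their sizes and shows that only the MD5- and SHA-1-signed toy certificates pass the MD5/SHA-1-only check; the SHA-256-signed one is reported as unverifiable, which is the "Invalid signature" path the thread describes. Passing `supported=("sha256",)` models a current verifier.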

                                 


                                • 13. Re: Digital Signature Invalid
                                  flsurveyor Level 1

Thanks Steve for all of your help. I kind of figured it may be because of the version that I am using. Sounds like it's time for an upgrade.

                                  Gary