1 Reply Latest reply on Apr 30, 2013 12:34 AM by Steven.Madwin

    No password for signature or decryption?


      We are just starting to implement electronic signatures.  My co-worker has Adobe Acrobat 8.  When she developed her own digital certificate, it did not prompt her to create a password.  She is able to sign documents and decrypt documents without a password!  This isn't adequate security.  How can I fix this?

        • 1. Re: No password for signature or decryption?
          Steven.Madwin Adobe Employee

          Hi Shadya10,


          When you create a self-signed digital ID you have the option to save it in one of two places; either to a file, or to the Windows Certificate Store. When you select the file option then you are prompted for a password. In essence it's the file that is password protected, not the private key itself that resides inside the file. The password opens the door to the PFX file and allows an application access to its contents, and in this case we are talking about the private key used to create a digital signature.


          The other option was to save the file to the Windows Certificate Store. Here, Windows manages access to the private key. By default when you import a digital ID into the Windows Certificate Store (by the way, this is the Windows default, not Acrobat or Reader) it is imported with Medium Security Settings. What that means is Windows makes the assumption that if you can log onto Windows and thus get access to all of your personal data then it gives you access to the private key without prompting for a password. However, Windows does allow you to use what it calls High Security Settings which will force the user to provide their password every time the private key is accessed.


          The question at hand is which path do you want to go down. Whichever answer you select, things start out the same, with you exporting the digital ID from Windows into a password protected file. At this point you could just go with the file, or, you could remove the digital ID from Windows (PLEASE make sure you have successfully exported the digital ID to a file before you remove it from Windows) and then re-import the file using the High Security Settings. To export the file you need to be in Internet Explorer. Once you have IE open select the Tools menu (or Tools toolbar icon) and then select Internet Options. After the Internet Options dialog is displayed select the Content tab and then click the Certificates button. In the Certificates dialog select (highlight) the digital ID you want to make more secure and then click the Export button. Click the Next button and when you see it, select the Yes, export the private key radio button. On the next panel select all three checkboxes. Note the middle checkbox will remove the digital ID from Windows if the export is successful. On the next panel you are going to be asked to provide a password that will protect the file you are about to create and this is the heart of what you are looking for. Save the file to a location you can remember and finish the export process.


          Now you could either attach the password protected file you just created to Acrobat or import the file back into Windows using the High Security Settings. To do that click the Import button, locate the file you just exported (you will need to change the file type on the Browse dialog from .cer to .pfx), provide the password, and when you get to the panel with the checkboxes be sure to select Enable strong private key protection. Eventually you are going to get to a dialog that allows you to set the security level. You will need to click the Set Security Level button and then select the High radio button. Finally, you will see a dialog that asks you to create a password to access the private key. Finish up and you'll be where you wanted to be.
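
A check for the exported file described in the reply above, as an added example that is not part of the original thread: it confirms the .pfx refuses an empty password, opens with the chosen one, and really contains the private key before you depend on it. The function name `Test-PfxExport` and the file name in the usage comment are hypothetical.

```powershell
# Added example (not from the thread): verify an exported digital ID (.pfx).
function Test-PfxExport {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password
    )
    # Fail early if the file is missing, so a bad path is not mistaken for a bad password.
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $r = [ordered]@{
        File                 = $full
        OpensWithoutPassword = $false
        OpensWithPassword    = $false
        HasPrivateKey        = $false
        Subject              = $null
        NotAfter             = $null
    }

    # 1. A protected export must NOT open with an empty password.
    try {
        $c = New-Object $type -ArgumentList $full, ''
        $r.OpensWithoutPassword = $true
        $c.Reset()   # release the certificate and its temporary key handle
    } catch { }      # expected outcome for a password-protected file

    # 2. It must open with the password chosen in the export wizard,
    #    and it must carry the private key (not just the public certificate).
    try {
        $c = New-Object $type -ArgumentList $full, $Password
        $r.OpensWithPassword = $true
        $r.HasPrivateKey     = $c.HasPrivateKey
        $r.Subject           = $c.Subject
        $r.NotAfter          = $c.NotAfter
        $c.Reset()
    } catch { }      # wrong password or unreadable file leaves the flags false

    # Overall verdict: protected, usable, and complete.
    $r.Ok = (-not $r.OpensWithoutPassword) -and $r.OpensWithPassword -and $r.HasPrivateKey
    [pscustomobject] $r
}

# Usage (file name is a placeholder):
# Test-PfxExport -Path .\my-digital-id.pfx -Password (Read-Host 'PFX password' -AsSecureString)
```

If `Ok` is False, keep the copy in the Windows Certificate Store until the export has been redone and passes.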