2 Replies Latest reply on Dec 13, 2013 3:18 AM by AdeelAhmad

    LTV not enabled

    AdeelAhmad Level 1

      Hello everyone,


      We are trying to sign document with the Certificate stored on HSM. everything works great but signature is not LTV enabled.

      When you check signature details, it says OCSP is embedded in the document. you can download document here :




      Thanks in advance.




        • 1. Re: LTV not enabled
          Steven.Madwin Adobe Employee

          Hi Adeel,


          Yes, the OCSP response that covers the end-entity (and issued by GlobalSign) is embedded, but the CRL that covers the GlobalSign Primary SHA256 CA for Adobe (and issued by Adobe) is not embedded. Without all of the revocation information embedded into the document it won't be considered LTV enabled.


          Here's the part that's going to sound like an excuse, but I assure it's true. Acrobat didn't create the signature. I'm not sure which tool was used to create the signature, but it is something installed on the HSM because the signing operation must take place on the HSM (since the private key that is used to create the signature must not leave the HSM the singing has to take place on the HSM). I can take a guess that the HSM isn't configured with all of the certificates in the signing chain, and thus doesn't procure the revocation information (in this case the one CRL), but without having the HSM documentation that's just an educated guess.


          One piece of good news is beginning with version 11 (Acrobat XI), if it comes across a digital signature that is not LTV enabled it will automatically add the missing information provided that 1) the signing certificate has not yet expired, 2) the file size won't grow too larger (10% + 10K is the limit), and 3) you do a Save or Save As. Also, you can right mouse click on the signature and select Add Verification Information from the pop-up menu.



          • 2. Re: LTV not enabled
            AdeelAhmad Level 1

            Hello Steven,


            That totally make sense. i was not adding CRL for whole chain, i was just embeding CRL for GlobalSign. Thank you for your answer. i am going to clean my code and post it to github so that it can help people.