5 Replies Latest reply on Jan 30, 2014 10:54 AM by Steven.Madwin

    Certificate Authority Server




      I sent a request to our enterprise certificate authority (Windows 2003, called "CA1") and received a certificate (private and public keys, called "Marina") on my PC. The private key was installed in the Windows certificate store "Personal". In the properties I see the following data: Issued by "CA1", Issued to "Marina", Valid from 24/01/2014 to 24/01/2015. In the certification path (chain "CA1" - "Marina"), for CA1: Issued by CA1, Issued to CA1, Valid from 07/07/2008 to 04/07/2018 (earlier it was valid from 07/07/2008 to 07/07/2013 and then it was renewed to 04/07/2018).

      In the Windows certificate store Trusted Root Certificate Authorities I see the CA1 certificate valid from 07/07/2008 to 04/07/2018.


      I used the private key "Marina" from the authority server to sign a PDF document in Adobe Acrobat X Pro. But after validation of this signature the error "At least one signature has problems" appeared. When I open the form "Show signature properties" / tab Summary / button "Show certificate" I see the chain CA1 - Marina, but CA1 is valid only from 07/07/2008 to 07/07/2013.

      In the form Show signature properties / tab Signer / Show certificate I see two chains: 1) CA1 - Marina where CA1 is valid from 07/07/2008 to 04/07/2018, and 2) CA1 - Marina where CA1 is valid from 07/07/2008 to 07/07/2013.


      I've added both CA1 public keys to the trusted identities in Acrobat (with all rights).

      Why in Acrobat do I see 2 CA1 certificates with different dates? How can I validate a certificate from the enterprise certification authority in PDF documents?



      Thanks in advance


        • 1. Re: Certificate Authority Server
          IsakTen Level 4

          The most likely scenario is that you had an older CA1 certificate in Acrobat's Trusted Identities and it is used in the validation process.

          Check the following.

          1. Check that the "Windows Integration" "Validating Signatures" preference is set. If it is not, then you may have an old CA1 certificate in Acrobat's Trusted Identities and the newer CA1 in the Windows Trusted Root Identities store, but since the Windows Integration preference is not set, Acrobat does not look at the Windows Trusted Root Identities store, and the old one in Acrobat's Trusted Identities is not valid anymore.

          I understand that you imported both CA1 certificates into Acrobat's Trusted Identities.

          2. Bring up the "Marina" certificate in the Certificate Viewer. If it is in the Windows "Personal" store, select it and double-click on it. Open "Details". Record the Authority Key Identifier. Then open (one by one) each CA1 certificate, open "Details" and record the Subject Key Identifier for each of them. Then compare the Subject Key Identifier of each of them with the Authority Key Identifier of the "Marina" certificate. If all three are the same, you need to delete the expired one (export it to a file first so that you do not lose it if you need it later).

          If the Subject Key Identifier for the newer CA1 is not the same as the Authority Key Identifier for the "Marina" certificate, then you have a problem with your certificate authority. I do not think that this is the case. It could be that if you have two CA1 certificates Acrobat may choose one over the other for different reasons. Either the "Windows Integration" "Validating Signatures" preference is not set, or, even if it is set, Acrobat always looks first at its own Trusted Identities, and if it finds an applicable certificate (the old CA1) it uses it without even looking at the Windows store. If you have both CA1 certificates in Acrobat's Trusted Identities, Acrobat still may choose the older one first and stop looking at this point.


          Try to delete the expired CA1 from the Trusted Identities (export it to a file first so that you do not lose it if you need it later). You can also edit trust on this certificate to mark it as not trusted if for some reason you want to keep it. Will Acrobat then successfully validate your signature?

          Since the start date on both CA1 certificates is the same, you generally do not need the old one.

          • 2. Re: Certificate Authority Server
            Steven.Madwin Adobe Employee

            Hi Marina,


            First, trust...

            Acrobat (and when I say Acrobat I mean both Acrobat and Reader) doesn't automatically inherit trust from the Windows Certificate Store. Since you are using the Windows Certificate Store, I'd recommend you let Acrobat use the trust you set there instead of duplicating the work by adding the CA1 certificates via the Acrobat Manage Trusted Identities dialog. There are two checkboxes you can select to enable Acrobat to accept the Windows trust. In Acrobat X (this will be different in different versions):

            • Select the Edit > Preferences menu item
            • Select Security from the Categories list box
            • Click the Advanced Preferences button on the Security panel
            • Select the Windows Integration tab on the Digital Signatures Advanced Preferences dialog
            • Select the Validating Signatures check box
            • Select the Validating Certified Documents check box
            • Click the OK button on the Digital Signatures Advanced Preferences dialog
            • Click the OK button on the Preferences dialog


            This will make the digital signatures you created with your enterprise certificate valid as soon as you sign.


            Second, chain building...

            There are two different CA1 public-key certificates, which is why they can be installed in both the Windows Certificate Store and the Acrobat Manage Trusted Identities list twice. It's not the name ("CA1") that makes them unique. I think your question is, why does Acrobat show a chain from your end-entity certificate up to both CA1 certificates. My guess is this is a key rollover situation, which is where the CA uses the same original key pair but re-signed the public-key certificate again, thus creating a new cert with a new validity period. Acrobat builds chains based on keys, and since it finds the same key twice (once in the cert that expired in 2013 and again in the cert that expires in 2018) it builds both chains.
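The Authority Key Identifier / Subject Key Identifier comparison described in reply 1, and the key-rollover point in reply 2 (two CA certificates carrying the same key), can be checked against the Windows certificate stores in one pass instead of clicking through each certificate's Details tab. The PowerShell script below is an added example; it is not code from the thread or from Adobe. It assumes the signing certificate sits in Cert:\CurrentUser\My with "Marina" in its subject, and the Get-KeyIdHex helper and the -RemoveExpired switch are names chosen here for illustration.

```powershell
# Added example (not part of the thread): compare the signer's Authority Key Identifier
# with the Subject Key Identifier of every CA certificate Windows trusts, then group the
# matches by public key to expose a key rollover (same key, two validity periods).
# Assumptions: signer in Cert:\CurrentUser\My, subject containing "Marina"; default store paths.
param(
    [string]$SignerSubjectMatch = 'Marina',
    [switch]$RemoveExpired          # export, then delete, expired CA certs that have a current twin
)

function Get-KeyIdHex {
    # Returns the SKI (OID 2.5.29.14) or AKI (OID 2.5.29.35) of a certificate as an
    # upper-case hex string, or $null when the extension is absent.
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return $null }
    if ($Oid -eq '2.5.29.14') {
        # .NET exposes SubjectKeyIdentifier as a typed extension with a hex property.
        return ([System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]$ext).SubjectKeyIdentifier
    }
    # AuthorityKeyIdentifier has no typed class in Windows PowerShell, so walk the DER:
    #   SEQUENCE { [0] IMPLICIT OCTET STRING keyIdentifier, ... }
    $raw = $ext.RawData
    if ($raw[0] -ne 0x30) { return $null }
    $i = 2
    if ($raw[1] -band 0x80) { $i = 2 + ($raw[1] -band 0x7F) }   # long-form SEQUENCE length
    if ($raw[$i] -ne 0x80) { return $null }                      # keyIdentifier not present
    $len = [int]$raw[$i + 1]
    return (($raw[($i + 2)..($i + 1 + $len)] | ForEach-Object { $_.ToString('X2') }) -join '')
}

$signer = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SignerSubjectMatch*" } |
    Select-Object -First 1
if (-not $signer) { throw "No certificate with a private key matching '$SignerSubjectMatch' in Cert:\CurrentUser\My" }

$aki = Get-KeyIdHex -Cert $signer -Oid '2.5.29.35'
"Signer: $($signer.Subject)  AKI=$aki  valid $($signer.NotBefore.ToString('yyyy-MM-dd')) to $($signer.NotAfter.ToString('yyyy-MM-dd'))"

$stores  = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA'
$issuers = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
    Where-Object { (Get-KeyIdHex -Cert $_ -Oid '2.5.29.14') -eq $aki }
if (-not $issuers) { throw "No trusted CA certificate carries SKI $aki; the chain cannot be built from the Windows stores" }

# Certificates that share one public key are the rollover case: the CA re-signed its own
# certificate with a new validity period. A chain builder that works by key treats every
# member of such a group as a candidate issuer, expired or not.
$groups = $issuers | Group-Object { [Convert]::ToBase64String($_.GetPublicKey()) }
foreach ($g in $groups) {
    "Issuer public key shared by $($g.Count) certificate(s):"
    foreach ($ca in $g.Group) {
        $expired = $ca.NotAfter -lt (Get-Date)
        $state   = if ($expired) { 'EXPIRED' } else { 'current' }
        $store   = $ca.PSParentPath -replace '^.*::', ''      # e.g. CurrentUser\Root
        "  [$state] $($ca.Subject)  $($ca.NotBefore.ToString('yyyy-MM-dd')) to $($ca.NotAfter.ToString('yyyy-MM-dd'))  $store  $($ca.Thumbprint)"
        if ($expired -and $RemoveExpired -and $g.Count -gt 1) {
            # Keep a copy before deleting, as reply 1 recommends.
            $backup = Join-Path $env:TEMP "$($ca.Thumbprint).cer"
            [IO.File]::WriteAllBytes($backup, $ca.Export('Cert'))
            Remove-Item -Path "Cert:\$store\$($ca.Thumbprint)"
            "    exported to $backup and removed from $store"
        }
    }
}
```

Run it in a normal (non-elevated) session to see the CurrentUser stores; the LocalMachine stores need an elevated prompt to delete from. A key group with one EXPIRED and one current entry is exactly the two-chain picture Acrobat shows. The AKI parser assumes the keyIdentifier form of the extension, which is what a Windows CA issues; a CA that encodes only issuer name and serial number would return $null and the script would report no match.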



            • 3. Re: Certificate Authority Server
              Marina_S Level 1



              I made all the steps from your post (using a new PC with two CA1 in Trusted Root Authority Windows):

              1. Set preferences in the Windows Integration window

              2. In the Details window the data for both CA1 certificates (Subject Key Identifier) and for the Marina certificate (Authority Key Identifier) are the same

              3. I deleted the old CA1 (valid from 07/07/2008 to 07/07/2013) from Trusted Root Certificate Authority Windows and Trusted Identities in Acrobat


              but the problem is still the same for signature validation in the document

              • 4. Re: Certificate Authority Server
                Marina_S Level 1

                In a key rollover situation, will the old certificate always have the status "Not valid time" in Acrobat, and will the signature be invalid?

                How can I solve this situation? Maybe I need to make some changes to the enterprise CA, e.g. create a new private key for the enterprise CA and use it only to create user certificates? But after 5 years the problem will be the same, or do I need to create a new private key for the enterprise CA every 5 years?

                • 5. Re: Certificate Authority Server
                  Steven.Madwin Adobe Employee

                  Hi Marina,


                  It is possible that the original CA cert (the one that expired last year) is part of your p12/pfx file and when you sign Acrobat finds it and puts it into the signature's PKCS7/CMS object. Acrobat 10.x and earlier is very diligent about finding all certificates that chain to the signer's cert and doing all of the chain building possible. Beginning with Acrobat 11 we changed the chain building routine to stop as soon as it finds a trust anchor (10 and earlier did all of the chain building first and then went back and looked for a trust anchor, but in 11 we check for trust at each step along the chain building routine).


                  There are other possible edge cases as well. Let's say you opened a file with a digital signature that contained both chains. Acrobat loads all of the certs into memory as part of the signature validation process. Now you open up a second unsigned file and add a fresh digital signature. Acrobat will find the old CA loaded in memory and use it as part of the chain building process (all of the chains are built in memory prior to the file being written to disk (the Save As dialog you always see) so that when the bits are committed to disk all of the signing collateral is in place prior to the document being digested).


                  Another issue is, when you deselect the "Show all certification paths found" checkbox, why are you getting the chain to the expired CA cert as opposed to the chain to the current CA cert? The reason is that when the checkbox is deselected Acrobat will display the first valid chain it comes across, but in this case neither chain is valid because revocation checking failed, so it just picks the first chain, which is the one you see. If you got the revocation problem fixed you would see the other chain.


                  Finally, I've corresponded with a lot of forum users, and you by far have the best grasp of the terminology and understanding of PKI.
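Reply 5 raises the possibility that the expired CA certificate travels inside the signer's p12/pfx file, where Acrobat 10 finds it and embeds it in the signature's CMS object. The PowerShell script below is an added example, not code from the thread or from Adobe, for checking that directly: it lists every certificate the PFX carries, and optionally writes a copy with the expired chain certificates left out. It assumes the file path and password are supplied by the caller, and that the private key was marked exportable when the PFX was created (otherwise the rewrite step fails); the parameter names are chosen here for illustration.

```powershell
# Added example (not part of the thread): show what a PFX/P12 actually bundles and, when
# -CleanPfxPath is given, write a copy without expired chain certificates so that no stale
# CA cert in the file is available for Acrobat to embed as signing collateral.
# Assumptions: caller supplies path and password; the private key is exportable.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [Parameter(Mandatory = $true)][string]$Password,
    [string]$CleanPfxPath            # optional output path; omit to only report
)

$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($PfxPath, $Password, $flags)    # loads the signer AND every chain cert in the file

$now     = Get-Date
$keep    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$dropped = 0
foreach ($c in $bundle) {
    # The key-bearing entry is the signer; self-issued entries are roots; the rest are intermediates.
    $role    = if ($c.HasPrivateKey) { 'signer' } elseif ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
    $expired = $c.NotAfter -lt $now
    $state   = if ($expired) { 'EXPIRED' } else { 'ok' }
    "{0,-12} {1,-8} {2} to {3}  {4}" -f $role, $state, $c.NotBefore.ToString('yyyy-MM-dd'), $c.NotAfter.ToString('yyyy-MM-dd'), $c.Subject
    if ($expired -and -not $c.HasPrivateKey) { $dropped++; continue }   # stale CA cert: leave it out
    [void]$keep.Add($c)                                                  # signer is kept even if expired, so the key is never lost
}

if ($CleanPfxPath) {
    if ($dropped -eq 0) {
        "Nothing to remove; $PfxPath holds only current chain certificates"
    } else {
        $bytes = $keep.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $Password)
        [IO.File]::WriteAllBytes($CleanPfxPath, $bytes)
        "Wrote $CleanPfxPath without $dropped expired chain certificate(s)"
    }
}
```

If the listing shows a root entry marked EXPIRED next to a current one with the same subject, the PFX itself is feeding the old chain into every new signature, and re-importing the cleaned file (or signing from the Windows store after deleting the old CA1 there) removes that source. The listing is also worth running on a PFX exported from the Windows store, since the export dialog's "include all certificates in the certification path" option is what puts chain certificates into the file in the first place.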