You can use Acrobat's Export/Import Security Settings feature. In Acrobat X it is in Tools->Sign&Certify->More Sign & Certify... In Acrobat XI it is in Edit->Preferences->Security. Import all certificates you need to Trusted Identities on one machine that has Acrobat Pro. Export Security Settings selecting only Trusted Identities to export (you do not want to propagate other settings to other machines in this case, unless you actually need them). You will get *.acrobatsecuritysettings file. Then distribute this file to all people that need this trust list and ask them to import this security settings file. They can import it in Reader. Export is Acrobat only feature but Import is both Acrobat and Reader feature. You can encrypt acrobatsecuritysettings file if you need to restrict access to it.
ok, this will be useful. But..... How do I initially build this list? Do I have to add each 600 certificates one-by-one or is there a way to copy/paste files inside an adobe folder? What information do I need to retreive from the usb Key? The fact is I need to ask the IT department to create this list of employees based on their usb key but I don't know what to ask them to do. And they will definitly not add them one by one, lol. I can't imagine this cannot be automated. So basically, if we need this key to login on our computer station, i'm guessing such a list is already available on our servers and I need reader to point to this list or at least, import this list to reader. What do these list files look like (names, extensions) and where are they normally stored? I need to speak in words the IT will understand
Maybe this will help. THe product we use is from SafeNet-inc and is called eToken.
I do not understand why do you need to add to Trusted Identities all 600 certificates? Is each of these certificates issued by a separate CA? You need to place in Trusted Identities only CAs that issued all these certificates and assign trust to these CAs. Then the chain building mechanism will automatically build a chain from the signing credential to the proper CA and verify the signature. You definitely do not want to send to other people certificates with someone else's private key. You include in the Trusted Identities certificates with only public keys. If all your tokens are produced by SafeNet-inc, then I presume the only certificate you need to add to Trusted Identities is the SafeNet-inc's root CA. If this CA is in turn issued by some reputable organization, like Semantic or Entrust (which is now part of Semantic) then you need their proper root CA (they have many) in your Trusted Identities.
When you sign a PDF with one of your tokens, do the following. Right-click on the signature and select "Show Signature Properties...". In the dialog that comes up click on "Show Certificate'. This brings up the "Certificate Viewer" dialog. In its left pane you will see the chain from the signing certiticate tot he root CA. It is only the root CA that you need in your Trusted Identities. I bet that if you do the same with different SafeNet-inc tokens you will see the same root CA for each signature.
Thanks isakten. I'm not familiar with security and certificates. Also, my version of Acrobat is in french so I'm not exactly sure of what you are refering to when using english terms like CA. I added my signature manually from my token but when I review a document signed by another token, it is not automatically trusted. I also have to add it manually once. That's why I thought I had to add them all 600 manually. But if there is some other way, I'd be glad to hear it. Doing what you told me, we all share the same root certificate as you said. It says "svmsubca" as the name and then my name is under it in the chain. What do I do now?
Is it possible to push a custom acrobatsecuritysettings file during a blind installation of Acrobat Pro XI?
Well, you need to educate yourself a little bit if you want to manage trust. Start with this:
1. Open any signed PDF in Acrobat (or Reader).
2. Right-click on a signature and select "Show Signature Properties..." "Signature Properties" dialog comes up.
3. In the "Signature Properties" dialog click on "Show Signer's Certificate" (Acrobat 11) or "Show Certificate" (Acrobat 10 and earlier). "Certificate Viewer" dialog comes up.
4. In the "Certificate Viewer" dialog look at the left pane. It shows the certificate chain.
At the bottom is the signing certificate. Above it is the certificate of the "Certificate Authority" (CA) that issued the signing certificate. The chain may contain more that 2 certificates. If there is a certificate above the second one, it is the the certificate of the "Certificate Authority" that issued the second (from the bottom up) certificate.There might be more certificates in the chain. Each certificate in the chain above the bottom one (the signing certificate) is the certificate of the "Certificate Authority" that issued the certificate below it. "Certificate Authority"which is not at the top of teh chain is also called "Intermediate Certificate Authority" (ICA). So a chain starts at the top with a CA, followed down with 0 or more ICAs and ending with the signing certificate.
You can assign trust to any certificate in the chain for a signature to be valid. Usually people assign trust to the top certificate in the chain, although some assign trust to intermediate certificates. In the case of corporations or large organizations the certificate chain reflects the structure of the organization. Consider a corporation that has business units which have departments, which in turn have large groups. Certificate chain may look like this: CorpCA->BusinessUnitICA->DepartmentICA->signingCert. In this arrangement each department issues signing certificates for its employees. Each Business Unit issues certificates for Departments and the Corporation issues certificates to Business Units.
In your case look how the chain for your signature and other employees signatures shows in the Certificate Viewer. If you see some CA or ICA that are the same in all chains, you need to add only this CA/ICA to the Trusted Identities on all employees machines in order to have all their signatures validated. You may have a case when there are groups that chain up to the same CA/ICA but different groups chain up to different CAs. In this case you need to add to Trusted Identities only CAs for each group. In most cases you never trust individual signing certificates.
Thank you - I had already identified the CA in the certification path that we need to set up as a trusted certificate within Acrobat, and that CA does appear in client machines within the Windows Certificate Store - but within Acrobat 11, the CA doesn't appear in the Trusted Certificates (Preferences > Signatures > Digital ID and Trusted Certificate Settings).
I set up the trust within one workstation, and it properly verifies and validates id's. The challenge was that we want to have this trust set up in a couple hundred workstations that Acrobat will be installed onto. I exported the security settings to an *.adobesecuritysettings file. (Preferences > Security > Export, selecting only Trust Settings and only included the one CA)
Using the Acrobat Customization tool, we were able to point to this adobesecuritysettings file, and create a custom installer.
After installation, we opened a PDF containing a signature from a staff member - which brings up a Trusted Certificates Updated box. Users then need to click Yes to two dialogues, and then OK after the actual update was completed. After this, the message about regarding problems with one or more signatures was still present, but after closing Acrobat, relaunching it, and then opening the PDF again, the signatures were finally reported as valid.
It would have been preferable to get the trust established completely at install time, so that end users aren't prompted with any Trusted Certificate dialogues, but this will probably have to do.
Calling Adobe support about this issue had me going in circles - after being transferred to a number of 'specialists', and listening to what sounded like heavily scripted responses, I got nowhere, and gave up. The support here in this forum on the other hand, has been excellent!. Thanks again!
You can mark this question as "Answered" then. This will help other users.