4 Replies Latest reply on Nov 18, 2014 4:31 PM by Steven.Madwin

    How do I control the certificate chain construction performed by Acrobat Reader during digital signature validation?

    John555 Level 1

I work in the federal government where there are many certificate authorities and cross certified certificate authorities. Acrobat Reader is building hundreds of certificate chains in attempting to find a trusted root for the signer's certificate. It is taking 4 minutes to validate the signature!

       

      The image is the 15th screen shot showing three chains per screen shot. The window elevator has barely moved!

        • 1. Re: How do I control the certificate chain construction performed by Acrobat Reader during digital signature validation?
          Steven.Madwin Adobe Employee

          Hi John,

           

I'm not sure why the Show all certification paths found checkbox is disabled, but I'm looking into it. You should be able to deselect the checkbox, in which case the Certificate Viewer will (should) display just the first valid path found.

           

          Also, could you please let me know what version of Reader you are currently using? This shouldn't be happening in version 11 (and if you're using something earlier you may want to consider updating Reader) as we re-worked the chain building algorithm for this exact reason.

           

One thing you can look for in the meantime is to see if there is a registry setting that is telling Reader to download the extra certs in the signature chain. Run regedit and then look in

          HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\<version>\Security\cASPKI\cAdobe_ChainBuilder and look to see if bFollowURIsFromAIA is listed in the right-hand panel. If it is, make sure it's set to 0 (zero).

           

Where it says <version> in the string above you'll substitute the major version number, such as 10.0 or 11.0. Once you follow the registry path you'll see the number.

           

          Thanks,

          Steve

          • 2. Re: How do I control the certificate chain construction performed by Acrobat Reader during digital signature validation?
            John555 Level 1

Hi Steve,

             

            Thank you for your quick response! The computer I am using to validate the signature is running Acrobat Standard 11.

            In the Acrobat Reader path, it does not have the registry key you described. The Acrobat Standard path is closer but it also does not have the registry key you described.

             

            I will check a computer with Acrobat Reader installed next.

            • 3. Re: How do I control the certificate chain construction performed by Acrobat Reader during digital signature validation?
              John555 Level 1

I am now using Adobe Acrobat Reader 11. Signature validation is much better! Perhaps 10 seconds. The only issue I see is that the detail pages have misleading messages. The Signature Properties window has no complaints about the signature, but the Show Signer's Certificate page still complains that the trust anchor is not valid.


              • 4. Re: How do I control the certificate chain construction performed by Acrobat Reader during digital signature validation?
                Steven.Madwin Adobe Employee

                Hi John,

                 

                Yes, the text on the Certificate Viewer is misleading and will need to be updated. Thanks for bringing that to our attention.

                 

I mentioned up-thread that "I'm not sure why the Show all certification paths found checkbox is disabled", but I do have the reason now. It has to do with Acrobat finding bad chains (where you see the yellow triangle icon). When Acrobat does its chain building, if it gets to the designated trust anchor (in your case, the "u.s. government" cert) and has found a problem along the way it will continue to build every possible chain in the search for one good chain. Since it built every possible chain it could find, it will display every chain it built so you can see where the problem lies. Since it (Acrobat) wants to display every chain it has to turn on the checkbox, and then disables it so you are forced to see the problem(s). If there is more than one chain, but all of the chains are problem-free, then the checkbox is enabled (you can cycle it on and off) and it is off by default.

                 

                Things get extra confusing because some of the certs you see in the chains have the same name ("u.s. government"), but they are actually separate certs.

                 

                Steve
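The chain-building behaviour Steve describes in reply 4 (stop at the first problem-free chain, otherwise keep and show every chain built) and his note that several distinct certs share the subject name "u.s. government" can be modelled in a few lines. The following is an added Python example, not Acrobat's code or anything posted in the thread: the certificate mesh, labels, key identifiers and the "expired cross-certificate" are all constructed, and signature verification is stood in for by a key-identifier match. It also shows why a builder that locates issuers by name alone explores far more candidate chains than one that also matches the Authority Key Identifier to the issuer's Subject Key Identifier.

```python
"""Toy model of certification-path building in a cross-certified PKI.

Added example, not Acrobat's code: certificates are plain records, not real
X.509, and "signature verification" is modelled as a key-identifier match.
"""
from dataclasses import dataclass, replace
from typing import Callable, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    label: str        # short name used in reports (constructed)
    subject: str      # Subject name
    issuer: str       # Issuer name
    ski: str          # Subject Key Identifier (constructed)
    aki: str          # Authority Key Identifier (constructed)
    ok: bool = True   # False models a defect found while validating this cert (e.g. expired)


# Constructed mesh: two distinct roots share the subject name "u.s. government"
# (as in the thread) but hold different keys; only the first is a trust anchor.
GOV1 = Cert("gov-root-1", "u.s. government", "u.s. government", "G1", "G1")
GOV2 = Cert("gov-root-2", "u.s. government", "u.s. government", "G2", "G2")
BRIDGE_BY_GOV1 = Cert("bridge<-gov1", "Federal Bridge", "u.s. government", "B1", "G1")
BRIDGE_BY_GOV2 = Cert("bridge<-gov2", "Federal Bridge", "u.s. government", "B1", "G2")
AGENCY_BY_BRIDGE = Cert("agency<-bridge", "Agency CA", "Federal Bridge", "A1", "B1",
                        ok=False)  # constructed defect: expired cross-certificate
AGENCY_BY_GOV1 = Cert("agency<-gov1", "Agency CA", "u.s. government", "A1", "G1")
SIGNER = Cert("signer", "Jane Signer", "Agency CA", "S1", "A1")

# List order determines the depth-first search order below.
CERTS = [AGENCY_BY_BRIDGE, AGENCY_BY_GOV1, BRIDGE_BY_GOV1, BRIDGE_BY_GOV2, GOV1, GOV2, SIGNER]
ANCHORS: Set[Cert] = {GOV1}

Matcher = Callable[[Cert, Cert], bool]


def by_name(child: Cert, parent: Cert) -> bool:
    """Naive issuer lookup: any cert whose subject equals the child's issuer name."""
    return parent.subject == child.issuer


def by_key_id(child: Cert, parent: Cert) -> bool:
    """Issuer lookup that also requires the child's AKI to equal the parent's SKI."""
    return by_name(child, parent) and parent.ski == child.aki


def signature_ok(child: Cert, parent: Cert) -> bool:
    """Stand-in for signature verification: the parent must hold the key the child names."""
    return parent.ski == child.aki


def enumerate_paths(leaf: Cert, certs: List[Cert], anchors: Set[Cert],
                    match: Matcher) -> Iterator[List[Cert]]:
    """Depth-first enumeration of every acyclic path from leaf to a trust anchor."""
    def walk(path: List[Cert]) -> Iterator[List[Cert]]:
        head = path[-1]
        if head in anchors:
            yield list(path)
            return
        for cand in certs:
            if cand in path or not match(head, cand):
                continue
            yield from walk(path + [cand])
    yield from walk([leaf])


def path_problems(path: List[Cert]) -> List[str]:
    """Defects in a path: per-certificate defects plus child/parent key mismatches."""
    problems = [f"{c.label}: certificate defect" for c in path if not c.ok]
    for child, parent in zip(path, path[1:]):
        if not signature_ok(child, parent):
            problems.append(f"{child.label}: not signed by {parent.label}")
    return problems


def build_chains(leaf: Cert, certs: List[Cert], anchors: Set[Cert],
                 match: Matcher) -> Tuple[List[List[Cert]], bool]:
    """Behaviour described in the thread: stop at the first problem-free chain; if a
    problem was hit before that, keep every chain built so the viewer can show where
    it lies. Returns (chains, show_all_forced)."""
    chains: List[List[Cert]] = []
    for path in enumerate_paths(leaf, certs, anchors, match):
        chains.append(path)
        if not path_problems(path):
            break
    forced = any(path_problems(p) for p in chains)
    return chains, forced


def with_valid_cross_cert(certs: List[Cert]) -> List[Cert]:
    """Same mesh with the constructed defect removed (every cert marked ok)."""
    return [replace(c, ok=True) for c in certs]


if __name__ == "__main__":
    for name, matcher in (("name only", by_name), ("name + key id", by_key_id)):
        chains, forced = build_chains(SIGNER, CERTS, ANCHORS, matcher)
        print(f"{name}: {len(chains)} chain(s) built, show-all forced={forced}")
        for p in chains:
            print("  " + " -> ".join(c.label for c in p), path_problems(p) or "OK")
```

Running it with the constructed mesh, name-only matching builds five chains before it reaches the good one (including chains that pass through the untrusted second "u.s. government" root and fail the key check), whereas matching on key identifiers builds two. In both modes the expired cross-certificate is encountered first, so every chain built is retained for display, which is the situation Steve describes; with the defect removed the very first chain is clean and only that one is shown.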