I came across this post which indicates that, by default, Adobe does not follow AIA when building a path to a trusted root/anchor when signing or verifying a PDF.
How, then, does Acrobat build a path? In looking at the Trusted Certificate Settings, I don't see the cross-certificates that appear when I view the details on a digitally signed document. Are paths pre-built and sent down as part of Acrobat updates?
I ask because I am the operator for a new bridge CA which is replacing an existing bridge CA. Both CAs are up and cross-certified by FBCA and the issuer CAs today. Before setting bFollowURIsFromAIA to 1, Acrobat was not showing a path through the new bridge.
The operators of the current bridge CA plan to revoke all cross-certificates to issuing CAs this week and I want to ensure that the many thousands of users with certificates issued by those issuing CAs will continue to be able to use Acrobat to sign and verify documents. Neither this registry setting nor manually importing the cross-certificate scales to thousands of users. How can we get the path to build through the new bridge?
Operational Authority - SAFE BioPharma Bridge CA
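
The scenario in the question, as an added example that is not part of the original post and is not Acrobat's actual path-building algorithm: a small model of chain building where the verifier either uses only the certificates it already holds or also follows AIA. All names ("Issuing CA", "Old Bridge", "New Bridge", "Anchor"), the contents of each store, and the repository keyed by CA name (standing in for caIssuers URLs) are constructed assumptions.

```python
from collections import namedtuple

# Constructed model: a CA certificate reduced to issuer, subject and revocation state.
Cert = namedtuple("Cert", "issuer subject revoked")

def build_path(subject, anchors, known, aia_repo, follow_aia, seen=()):
    """Return the certs linking `subject` up to a trust anchor, or None if no path."""
    if subject in anchors:
        return []
    candidates = list(known)                 # certs embedded in the file or held locally
    if follow_aia:                           # models bFollowURIsFromAIA = 1
        candidates += aia_repo.get(subject, [])
    for cert in candidates:
        if cert.subject != subject or cert.revoked:
            continue                         # wrong subject, or cross-cert revoked
        if cert.issuer in seen + (subject,):
            continue                         # avoid loops between cross-certified CAs
        rest = build_path(cert.issuer, anchors, known, aia_repo,
                          follow_aia, seen + (subject,))
        if rest is not None:
            return [cert] + rest
    return None

def scenario(old_cross_cert_revoked, follow_aia):
    """Issuer names on the path from the issuing CA to the anchor, or None."""
    known = [  # assumed to be available without any network fetch
        Cert("Old Bridge", "Issuing CA", old_cross_cert_revoked),
        Cert("FBCA", "Old Bridge", False),
        Cert("Anchor", "FBCA", False),
    ]
    aia_repo = {  # assumed to be reachable only by following AIA
        "Issuing CA": [Cert("New Bridge", "Issuing CA", False)],
        "New Bridge": [Cert("FBCA", "New Bridge", False)],
    }
    path = build_path("Issuing CA", {"Anchor"}, known, aia_repo, follow_aia)
    return None if path is None else [c.issuer for c in path]

if __name__ == "__main__":
    for revoked in (False, True):
        for aia in (False, True):
            print(f"old cross-cert revoked={revoked}, follow AIA={aia}:",
                  scenario(revoked, aia))
```

In this model the new bridge is used only when its cross-certificates are reachable by the verifier, either through AIA or because they are already among the certificates it holds.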