4 Replies Latest reply on Oct 19, 2015 3:43 PM by IsakTen

    Can't sign form with SHA-256 signature

    King Wardrop

      I've been troubleshooting an issue in our organisation where users can't sign documents using their Root CA-issued certificate. By "can't sign", I mean the sign button in the "Sign Document" dialog does nothing. This only occurs in Acrobat Pro X. Adobe Reader DC is fine.

      The problem applies to any SHA-256 certificate stored in the Windows Certificate Store. The same certificate, exported from the certificate store and imported into Acrobat Pro directly, works. Has anyone seen this issue and know how to work around it?

      Cheers

        • 1. Re: Can't sign form with SHA-256 signature
          IsakTen Level 4

          Do you have the latest Acrobat Pro X update? There were problems with communication with Windows OS (CNG) but I think they were fixed. Which Windows OS version do you have and which Acrobat X version (including minor)? When you say "the sign button in the "Sign Document" dialog does nothing", what really happens: You click on the "Sign" button and the dialog stays up, or the dialog goes away but you do not get "Save As" dialog and signature is not created, or you get "Save As" dialog but signature is not created? If this is an Acrobat X problem, it may not be fixed as it is close to its EOL.

          • 2. Re: Can't sign form with SHA-256 signature
            King Wardrop Level 1

            I'm running Acrobat X Pro 10.1.15, which I believe is the latest patch. When I say the sign button does nothing, it does literally nothing. You click the button, and nothing happens. The sign dialog stays up, and you can repeatedly click "Sign" but nothing still happens. I've since looked into it a bit deeper, and it seems that Adobe is having problems checking the revocation status. This has led me to others suffering the same problem:

            Can't find CRL, when the CRL location points to LDAP (ldap:///)

            Re: Certificate Authority not working when signing documents (Active Directory)

            People report it still happens with Adobe Acrobat 11, so I'm going to try DC and see if it works like Adobe Reader DC does.

            • 3. Re: Can't sign form with SHA-256 signature
              King Wardrop Level 1

              Just installed Acrobat Pro DC, and signing now works. On the revocation tab of the certificate details, it no longer performs a revocation check. It says this instead:

              The selected certificate does not chain up to a certificate designated as a trusted anchor (see the Trust Tab for details). The result is that revocation checks were not performed on this certificate.

              • 4. Re: Can't sign form with SHA-256 signature
                IsakTen Level 4

                Acrobat has separate installation directories for different versions. What your last post tells me is that you changed some settings in the Acrobat XI installation and in the Acrobat DC installation you may have gotten the default values. That's why signing "works" in DC but not XI. For instance, there is a preference (Security\cASPKI\cASPKI\cSign\iReqRevCheck) that controls revocation checking of the signing certificate. If it does not chain up to a trusted root then Acrobat will not use this certificate for signing. If your signing certificate does not chain up to the trusted root, as your latest post implies, then this could be the cause.
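
A diagnostic for the two conditions raised in this thread (chain to a trusted root, and where the CRL lives), added here as an example and not posted by either participant. It reports the Windows view of each signing certificate in the user's personal store; Acrobat's own trust anchors may differ, and the choice of the `CurrentUser\My` store is an assumption.

```powershell
# Added diagnostic sketch (not from the thread). Run as the affected user.
# Assumption: the signing certificate is in the CurrentUser\My store.
$crlOid = '2.5.29.31'   # CRL Distribution Points extension OID

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_

        # Human-readable CRL Distribution Points text, empty if the extension is absent.
        $cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $crlOid }
        $cdpText = if ($cdpExt) { $cdpExt.Format($true).Trim() } else { '' }

        # Build the chain the way Windows would, with online revocation
        # checking over the whole chain, and collect every status flag.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $builds = $chain.Build($cert)
        $status = $chain.ChainStatus | ForEach-Object { $_.Status }

        [pscustomobject]@{
            Subject            = $cert.Subject
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            ChainBuilds        = $builds
            # Empty when the chain is clean; otherwise e.g. UntrustedRoot,
            # RevocationStatusUnknown, OfflineRevocation.
            ChainStatus        = ($status -join ', ')
            # True when a CRL URL is LDAP with no host name (ldap:///...),
            # the form named in the first linked thread title above.
            HostlessLdapCrl    = [bool]($cdpText -match '(?i)ldap:///')
            CrlDistribution    = $cdpText
        }
    } | Format-List
```

A `ChainStatus` containing `UntrustedRoot` matches the "does not chain up to a trusted anchor" message quoted in reply 3, while `RevocationStatusUnknown` or `OfflineRevocation` together with `HostlessLdapCrl = True` points at the CRL retrieval problem described in reply 2.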