I have been using digital certificates to sign PDF documents for approximately a year. The signatures can be checked against a CRL which is provided on the internet. So far Adobe Acrobat Reader has worked fine, retrieving CRLs and validating certificates.
Today I found out that since renewing expired certificates (the default lifetime was set to 1 year) the signatures on old signed documents are unverified. The local time of the computer was stored in the signature, not a timestamp.
I found that Reader defaults to using the local time of the computer to validate an old signature when a timestamp is not used; this has been rectified in 9.1 so that it uses the date that the signature was generated (why on earth would it use anything else!). I now have the signatures validated by changing this setting, provided the date range of the CRL in the reader encompasses the end date of the certificate.
However, when the reader updates the CRL in the cache and the new CRL date range does not include that of the original signature the reader throws up an error stating that the CRL is invalid or expired.
How can I get it to pass the validation without turning off revocation checking? I have the CRLs that were in force at the time of the signing, but there is no way I can provide them to the reader. How can I make the reader apply the current and valid CRL to the old documents? The expiry dates of the old certificates are still in there?
I always thought that not having to keep a CRL history for expired certificates was a dumb idea when I read the documents, but I didn't imagine that old signatures would become invalid when the certificate expired (mine have become invalid less than 5 days after the documents were signed). What were the developers thinking?
This is pushing toward creating certificates with lifetimes of hundreds or thousands of years so that they can always be validated.
Anybody have a working solution?
I have found a solution to this.
Using a virtual machine I set the date on the system back to a point in time when the certificates were all valid. I then create a new CRL with a lifetime which makes it valid for one month from the real date (today). I then set the date back and copy the CRL to the distribution point.
Hey presto, Acrobat Reader loads the CRL and is quite happy to accept it even though it has events recorded in it that happened after the date on which it was created!
Problem solved, but for how long?
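The following is an added model of the check the thread is about, not code from the poster or from Adobe: it validates one old signature as of its signing time against the CRL that was in force, the refreshed CRL that no longer covers that time, and the backdated workaround CRL. The dates, serial number and the three validation rules (certificate not yet expired, CRL window covering the signing time, no revocation dated before the signature) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Crl:
    """Constructed model of a CRL: only the fields the check needs."""
    name: str
    this_update: datetime   # CRL issue date ("thisUpdate")
    next_update: datetime   # CRL expiry date ("nextUpdate")
    revoked: dict           # serial number -> revocation date

def validate_at_signing_time(signing_time, cert_not_after, serial, crl):
    """Validate a signature as of the moment it was made (the 9.1 behaviour).
    Assumed rules: the certificate must not yet have expired, the CRL window
    must cover the signing time, and the serial must not have been revoked
    before the signature was made."""
    if signing_time > cert_not_after:
        return False, "certificate had already expired when the signature was made"
    if not crl.this_update <= signing_time <= crl.next_update:
        return False, f"{crl.name}: CRL validity window does not cover the signing time"
    revoked_on = crl.revoked.get(serial)
    if revoked_on is not None and revoked_on <= signing_time:
        return False, f"{crl.name}: certificate was revoked before the signature was made"
    return True, f"{crl.name}: accepted"

def run_scenarios(today=None):
    """Check one old signature against the three CRLs from the post; returns name -> (ok, reason)."""
    today = today or datetime.now()
    signing_time = datetime(2009, 6, 1, 10, 0)         # constructed: when the PDF was signed
    cert_not_after = signing_time + timedelta(days=4)  # constructed: cert expired 4 days later
    serial = 0x1001                                    # constructed serial number
    crls = [
        # CRL in force when the document was signed: its window covers the signing time.
        Crl("crl-in-force-at-signing", signing_time - timedelta(days=12),
            signing_time + timedelta(days=19), {}),
        # CRL fetched into the cache later: issued after the signing time, so it cannot vouch for it.
        Crl("crl-refreshed-later", signing_time + timedelta(days=9),
            signing_time + timedelta(days=39), {}),
        # Workaround CRL: thisUpdate backdated to before the signature, nextUpdate a month from today.
        Crl("crl-backdated-workaround", signing_time - timedelta(days=31),
            today + timedelta(days=30), {}),
    ]
    return {crl.name: validate_at_signing_time(signing_time, cert_not_after, serial, crl)
            for crl in crls}

if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("VALID  " if ok else "INVALID", reason)
```

The refreshed CRL is the one Reader rejects, because its thisUpdate lies after the signing time; the workaround CRL passes only because its issue date was pushed back before the signature, which is what the clock change on the virtual machine achieves.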