There are really two separate issues. The first is Adobe pushing updates to the Acrobat Address Book (i.e. adding certificates as trust anchors), and the second is how you can push your own update to disable the creation of self-signed digital IDs. Although the two issues share an underlying mechanism, they are separate and you cannot leverage one for the other.
First issue first. Adobe has entered into partnership with certain Certificate Authorities and has created a mechanism to add their certificates to the Acrobat Address Book (aka Manage Trusted Identities) using HTTP to send a copy of the Security Settings file that contains only digital IDs. There are two ways to trigger the download process. One is to go into the Preferences, select Trust Manager, and click the Update Now button in the Automatic Updates group box. The other method is to load the DigSig plug-in (beginning with Acrobat 9, plug-ins no longer load at launch in order to speed up the launch process). As I'm sure you have deduced, opening a file with a signature field causes the DigSig plug-in to load, which in turn triggers the automatic download. The reason we have limited the automatic download to DigSig being loaded is because the vast majority of people viewing PDFs are not using the digital signature functionality (much to my personal chagrin, because the more people use digital signatures, the better my job security) and we didn't want to bother them with an update they would never need. People already complain that there are too many updates, and we are trying to limit the irritability factor. To close the loop on this function, once the download process has been triggered, Acrobat checks two more things before it does the update: 1) has it been a month since I checked, and 2) if it has been a month, is there a new file to download. This way we are not pestering people with unneeded updates, or if they do need the update, at least not too often. And finally, Address Book management has to be on a per user basis. A certificate that you may elect to trust could be a certificate that the next person wants to specifically keep untrusted. The Windows Certificate Store, Mac Keychain and Firefox Certificate Manager all work on a per user basis.
That brings us to what you would like to do. The good news is you can use the Export Security Settings feature to create a distributable file that will set the preference. The real question is how will you distribute the file, but before we get to that, here is how to create the file.
- With Acrobat closed, set the registry setting you noted in the message above
- Select the Advanced > Security > Export Security Settings menu item
- Click the Deselect All button on the Export Security Settings dialog
- Select the Signing Preferences Settings checkbox
- Click the OK button on the Export Security Settings dialog
- Select Signature Creation Settings and note "Allow creation of self-signed Digital IDs" is set to No
- Click the Export button on the toolbar
- Follow the on-screen dialogs. You don't have to encrypt the file, but you must sign it with a certifying signature
At this point you have the file available for distribution. You could e-mail it to your intended recipients with import instructions, or you could post it for download, or you could set the Preference to automatically push the file from a server. To check this feature out, select the Edit > Preferences menu item and then select Security from the Categories list box. You would need to select the Load security settings from a server checkbox and then set up the URL. As an aside, you can also export these settings by selecting the Automatic Update Settings checkbox on the Export Security Settings dialog noted in the bullet points above. You have a chicken-and-egg problem in that you have to get the users to first manually import the file in order to set up the automatic import. That I can't help you with; you're just going to have to decide what works best for you.
Thanks for replying to my post. I will utilize the idea of importing the security settings on a per user basis. But is there any way to apply the security settings to the local machine registry hive, and not just the current user? My only issue is that I could have fifty different users on one PC, and getting all of them to set up the security settings may be quite the undertaking.
Thanks again for your help,
The short answer is no. All of the certificate management is user based. Even the address book file lives in the user's space. It's a bit different between Win XP and Vista/Win 7, but in the end it's all based on the current user.
I am looking for a similar solution to my problem. I have 35 machines that run Adobe Reader 9 and 3 that run Adobe Acrobat 9 Pro. I have 30 employees who travel between machines and I need to make a setting default on every machine for every user. We have a form that pulls data from a server and every user has to 'add host to privileged locations', which appears in a yellow warning bar on every computer. This is unacceptable as we are a fast-paced business and need instant access. I have looked into various ways to accomplish this task and can find nothing that will work for me. Is there any way to add a registry setting or modify a default user profile security file or anything else to always add this host to the privileged locations?
Ignore this post