VeryPDF PDF Security and Signature (Shell & COM & SDK)
GENERAL QUESTIONS ABOUT DIGITAL SIGNATURES
Adobe Reader or Acrobat displays an "At least one signature has problems" message when a signed PDF is opened
After signing a PDF file and then opening it in Adobe Reader or Adobe Acrobat, the following message may be shown just below the toolbar:
At least one signature has problems
This message does not indicate that the digital signature is invalid or corrupt. Instead it's a poorly worded message from Adobe that causes unnecessary alarm. If you click on the Signatures panel on the left hand side of Adobe Reader or Adobe Acrobat you will see additional information about this message. Expand the "Signature validity is unknown" field and you'll see a far more descriptive explanation of the issue.
Signer's identity is unknown
Digital signatures that were added using what's called a "self-signed certificate" — usually a certificate that you have generated yourself using a third party application — cannot be automatically validated by Adobe because the certificate is not in the list of Trusted Identities that Adobe uses to validate signatures.
It's important to note that this message is not saying that your digital signature is invalid, and it's not saying that the PDF has been modified since it was signed (see the text in the screenshot above: "Document has not been modified since this signature was applied"); it's just saying that Adobe wasn't able to validate the certificate automatically. You also won't be able to validate the signature manually until the certificate is trusted by Adobe.
To resolve this issue you need to make Adobe trust the certificate that was used to sign the PDF. Warning: only do this if YOU trust the certificate. Don't do it for any random certificate, as this can be a security issue, and it is not actually required if you just want to view the PDF.
You can add the certificate that was used to apply the digital signature into Adobe's list of Trusted Identities by following these steps:
- Click on the "Signature Panel" button on the left hand side of Adobe Reader / Acrobat
- Right click on the listed signature
- Click on "Show Signature Properties"
- Click the "Show Certificate" button (under the Summary tab)
- Click "Trust" tab
- Click "Add to Trusted Identities"
- Adobe Security window opens, click "OK"
- Click "OK", and again until you have exited all of the dialogue boxes
- Further information: Adobe Approved Trust List – User FAQ
- If you create your certificate using Adobe Acrobat then this certificate will be automatically trusted by Adobe.
- It is not necessary to trust a certificate in order to be able to view the PDF.
"The signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities" indicates that your co-worker needs to add something to his copy of Acrobat/Reader. What he is missing is a certificate, and only you can provide him with a copy of the certificate you created to sign the PDF. After you send him or make available a copy of the certificate, your co-worker will need to import that certificate into his copy of Acrobat.
Title: Digital ID/PDF Signing with MS Certificate Authority
I'm trying to utilize our CA issued certificates for use with signing PDF documents. I have a root CA and an intermediate CA. The cert I am trying to use is issued by the intermediary CA.
I can sign the PDF fine using the cert, but when another user opens the document I get the error "At least one signature has problems". In the Signature Panel I see "Signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities".
It appears to me I need to add either the root or intermediary CA as a trusted identity. However, when I try to add it, neither certificate appears in the list from which to choose. I'm unsure where the certs in this list are being pulled from, as they don't seem to match what I see in any of the stores. I've found some info around the net on this issue but I haven't been able to pull it all together.
Am I on the right track?
This gets a bit complicated as there are two parts to the story. First is signature creation (a one-time event) and the second part is signature validation (a many-time event). When you create the signature, Acrobat (or Reader) will at a minimum always add the certificate that corresponds to the digital ID used to create that signature. It will also add all of the certificates in the signing chain if it can find them. The next question is where it finds the certificates. It will look in a lot of places, including the digital ID used to sign, the Acrobat Manage Trusted Identities list, the Windows Certificate Store or the Mac Keychain, the Acrobat CertCache folder, other signatures, other digital IDs, known hardware devices and possibly online. The first thing it does is look to see if it can find the certificate that issued the signer's digital ID, and then it recursively looks for the next issuing cert until it either finds a self-signed certificate or just can't find it.
Trust is not something the signer can imbue the signature with; rather, it is something granted by the person that is validating the signature. However, as part of the signature creation process, if you want to embed the revocation information so as to provide for long-term validation, you should have your system configured so that Acrobat can build the chain up to a trust anchor, because without trust being established Acrobat will not do revocation checking, and without revocation checking being done as part of the signature creation process there will be nothing available to embed. So, before you sign, make sure you can see the signature chain in the certificate viewer. To do this:
- Select the Advanced > Security Settings (Acrobat) or Document > Security Settings (Reader) menu item
- From the Security Settings dialog select your digital ID and click the Certificate Details button
- Make sure you see all of the certificates in the signing chain listed in the tree view of the Certificate Viewer dialog
- Select the Trust tab and check that your certificate is at the least trusted for Sign Documents
Now, when you sign, all of the available certificates and revocation information will be included in the signature.
At this point you have to trust (no pun intended) that whoever receives the signed PDF knows how to add at least one of the certificates in the signing chain to their list of Trusted Identities.
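The chain building and trust decision described in the answer above, as an added example that is not from this page or from VeryPDF: it builds a demo chain of the shape in the question (root CA, intermediate CA, signer certificate) with OpenSSL, then checks, as a recipient's Acrobat would, whether the signer's chain can be built up to an anchor the recipient has chosen to trust. It also shows why the self-signed case in the first section fails until that certificate is trusted. It assumes the openssl command-line tool is installed; all certificate names are constructed demo values.

```shell
#!/bin/sh
# Added example (not the page's own code). Constructed chain:
#   Demo Root CA (self-signed) -> Demo Intermediate CA -> Demo Signer
# A recipient's trust anchors are modelled with -CAfile; the system store is
# excluded so the outcome depends only on what the recipient has trusted.
set -e
WORK=$(mktemp -d)
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\n' > signer.ext

# Root CA: self-signed, so chain building stops here (the "self-signed" case).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA issued by the root (the "intermediary CA" in the question).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -extfile ca.ext -out inter.crt 2>/dev/null

# Signer's digital ID issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" -keyout signer.key -out signer.csr 2>/dev/null
openssl x509 -req -in signer.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 -extfile signer.ext -out signer.crt 2>/dev/null

# verify_chain [ANCHOR OPTIONS]: build the signer's chain, treating inter.crt as
# an embedded but untrusted certificate (as Acrobat embeds the chain it found at
# signing time) and using only the given anchors. Prints OK when the chain reaches
# a trusted anchor, UNKNOWN otherwise ("Signer's identity is unknown" in Acrobat).
verify_chain() {
  if openssl verify -no-CAfile -no-CApath -untrusted inter.crt "$@" signer.crt >/dev/null 2>&1; then
    echo OK
  else
    echo UNKNOWN
  fi
}

# Recipient has trusted nothing: the chain itself is intact, but has no anchor.
verify_no_anchor()   { verify_chain; }
# Recipient added the root CA to their Trusted Identities.
verify_trust_root()  { verify_chain -CAfile root.crt; }
# Recipient added only the intermediate CA; -partial_chain lets a non-self-signed
# certificate serve as the anchor, matching "add at least one of the certificates".
verify_trust_inter() { verify_chain -partial_chain -CAfile inter.crt; }

echo "no anchor:          $(verify_no_anchor)"
echo "trust root:         $(verify_trust_root)"
echo "trust intermediate: $(verify_trust_inter)"
```

The first check failing while the other two succeed is the page's point in code form: the signature and chain are intact in all three cases, and only the recipient's trust decision changes the result.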