Adobe Reader or Acrobat displays a "At least one signature has problems" message when signed PDF is opened. Signature validity is UNKNOWN. Signer's identity is unknown.

VeryPDF PDF Security and Signature (Shell & COM & SDK)

http://www.verypdf.com/app/pdf-security-and-signature/try-and-buy.html

GENERAL QUESTIONS ABOUT DIGITAL SIGNATURES
What is a Digital ID?
When traveling internationally, a passport adds a layer of security by providing a means of positively identifying a person. Similarly, a digital certificate or Digital ID issued by a third-party Certification Authority (CA), such as VeriSign and GeoTrust, serves the same purpose.
How does a Digital ID add more security?
A password is required to access a Digital ID's private key to apply a digital signature to a document.  Only the owner of the Digital ID should know this password.  Secondly, if a digitally signed document has been altered in any way, a warning will be clearly visible.
Why does a banner at the top say "At least one signature has problems" when I open the file, and/or why does the signature properties field say "Signature validity is unknown"?
For security purposes, by default, Adobe automatically does not trust anyone.  Upon closer inspection of the signature details, you will see a message saying "Signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities."
How do I fix the banner saying "At least one signature has problems." and/or get the signature properties field to say "Signature is valid"?
There are two options available.  The first option is preferred because it only needs to be done once.
1.   The parent certificate can be added to the list of trusted identities.  By default your Internet browser (Internet Explorer or Firefox) has certificates issued by many reputable authorities including Microsoft, VeriSign, GeoTrust, etc., which are automatically deemed as "trusted".  If one of these companies (parent) issues a certificate to a person or company (child), the child may also be trusted.
2.   The receiver can use the document to load the signer's certificate, which can then be added individually to the list of trusted identities.  This option would have to be repeated for each signer and on every computer the user may use.
How do I add a parent certificate as a trusted identity?
1. Open your Adobe software and select Edit on the tool bar and then select Preferences.
2.   Select Security from the left menu and then select Advanced Preferences.
3.   Select the Windows Integration tab and check the box for Validating Signature.
If you agree to trust all root certificates in the Windows Certification Store, select OK.
How do I add a signer's identity to my list of trusted identities?
1. Click on the full size file, select the signature icon, select the signature line and then right click to bring up the short-cut menu.  Select Show Signature Properties.
2.   Select Show Certificate.
3.   Click on the Trust tab and then select Add to Trusted Identities.
4.   If you trust the identity of the signer of the document, select OK.
5. Again, if you trust the identity of the signer of the document, select OK.
If my clients do either of the solutions described in Answers #5 or #6 what will they see when opening my digitally signed transcripts?

Adobe Reader or Acrobat displays a "At least one signature has problems" message when signed PDF is opened

After signing a PDF file and then opening it in Adobe Reader or Adobe Acrobat the following message may be shown just below the toolbar:

[Screenshot: "At least one signature has problems"]

This message does not indicate that the digital signature is invalid or corrupt. Instead it's a poorly worded message from Adobe that causes unnecessary alarm. If you click on the Signatures panel on the left hand side of Adobe Reader or Adobe Acrobat you will see additional information about this message. Expand the "Signature validity is unknown" field and you'll see a far more descriptive explanation of the issue.

[Screenshot: "Signer's identity is unknown"]

Digital signatures that were added using what's called a "self-signed certificate" — usually a certificate that you have generated yourself using a third party application — cannot be automatically validated by Adobe because the certificate is not in the list of Trusted Identities that Adobe uses to validate signatures.

It's important to note that this message is not saying that your digital signature is invalid, and it's not saying that the PDF has been modified since it was signed (see the text in the screenshot above: "Document has not been modified since this signature was applied"). It's just saying that Adobe wasn't able to validate the certificate automatically. You also won't be able to manually validate the signature until the certificate is trusted by Adobe.

To resolve this issue you need to make Adobe trust the certificate that was used to sign the PDF. Warning: only do this if YOU trust the certificate. Don't do it for any random certificate as this can be a security issue and is not actually required if you just want to view the PDF.

You can add the certificate that was used to apply the digital signature into Adobe's list of Trusted Identities by following these steps:

  1. Click on the "Signature Panel" button on the left hand side of Adobe Reader / Acrobat
  2. Right click on the listed signature
  3. Click on "Show Signature Properties"
  4. Click the "Show Certificate" button (under the Summary tab)
  5. Click the "Trust" tab
  6. Click "Add to Trusted Identities"
  7. The Adobe Security window opens; click "OK"
  8. Click OK, and again until you exit from all the dialogue boxes

Notes:

  • Further information about Adobe Approved Trust List – User FAQ
  • If you create your certificate using Adobe Acrobat then this certificate will be automatically trusted by Adobe.
  • It is not necessary to trust a certificate in order to be able to view the PDF.

More Information:

------------------------------------------

"-The signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities" indicates your co-worker needs to add something to his copy of Acrobat/Reader. What he is missing is a certificate, and only you can provide him with a copy of the certificate you created to sign the PDF. After you send him or make available a copy of the certificate, your coworker will need to import that certificate into his copy of Acrobat.

------------------------------------------

Title: Digital ID/PDF Signing with MS Certificate Authority

I'm trying to utilize our CA issued certificates for use with signing PDF documents.  I have a root CA and an intermediate CA.  The cert I am trying to use is issued by the intermediary CA.

I can sign the pdf fine using the cert but when another user opens the document I get the error "At least one signature has problems".  In the Signature Panel I see "Signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities".

It appears to me I need to add either the root or intermediary CA as a trusted identity.  However, when I try to add it, neither certificate appears in the list from which to choose.  I'm unsure where the certs in this list are being pulled from as they don't seem to match what I see in any of the stores.  I've found some info around the net on this issue but I haven't been able to pull it all together.

Am I on the right track?
Customer
------------------------------------------

Hi,

This gets a bit complicated as there are two parts to the story. First is signature creation (a one time event) and the second part is signature validation (a many time event). When you create the signature Acrobat (or Reader) will at a minimum always add the certificate that corresponds to the digital ID used to create that signature. It will also add all of the certificates in the signing chain if it can find them. The next question is where does it find the certificates. It will look in a lot of places including the digital ID used to sign, in the Acrobat Manage Trusted Identities list, in the Windows Certificate Store or the Mac Keychain, in the Acrobat CertCache folder, other signatures, other digital IDs, known hardware devices and possibly online. The first thing it does is look to see if it can find the certificate that issued the signer's digital ID, and then recursively looks for the next issuing cert until it either finds a self-signed certificate or just can't find it.

Trust is not something the signer can imbue the signature with, but rather it is something granted by the person that is validating the signature. However, as part of the signature creation process, if you want to embed the revocation information so as to provide for long term validation you should have your system configured so that Acrobat can build the chain up to a trust anchor, because without trust being established Acrobat will not do revocation checking, and without revocation checking being done as part of the signature creation process there will be nothing available to embed. So, before you sign make sure you can see the signature chain in the certificate viewer. To do this:

  • Select the Advanced > Security Settings (Acrobat) or Document > Security Settings (Reader) menu item
  • From the Security Settings dialog select your digital ID and click the Certificate Details button
  • Make sure you see all of the certificates in the signing chain listed in the tree view of the Certificate Viewer dialog
  • Select the Trust tab and check that your certificate is at the least trusted for Sign Documents

Now when you sign all of the available certificates and revocation information will be included in the signature.

At this point you have to trust (no pun intended) that whoever receives the signed PDF knows how to add at least one of the certificates in the signing chain to their list of Trusted Identities.

VeryPDF
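The chain-building and trust rules described in the answer above, reproduced with Go's standard `crypto/x509` verifier as an added example (it is not part of the original post and is not Adobe's implementation). The certificate names and the `issue`, `pool` and `verdict` helpers are constructed for illustration: one root, one intermediate and one signer certificate are validated under four validator configurations.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue builds a constructed test certificate; a nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func pool(cs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool() // always non-nil: a nil Roots pool would mean the system store
	for _, c := range cs {
		p.AddCert(c)
	}
	return p
}
// verdict: embedded certificates are untrusted chain-building hints; only anchors confer trust.
func verdict(leaf *x509.Certificate, embedded, anchors *x509.CertPool) string {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: embedded, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "not validated: " + err.Error()
	}
	return fmt.Sprintf("trusted via chain of %d", len(chains[0]))
}
func main() {
	root, rk := issue("Example Root CA", true, nil, nil)
	inter, ik := issue("Example Intermediate CA", true, root, rk)
	leaf, _ := issue("Example Signer", false, inter, ik)
	fmt.Println(verdict(leaf, pool(inter, root), pool()))     // nothing trusted
	fmt.Println(verdict(leaf, pool(inter, root), pool(root))) // parent trusted
	fmt.Println(verdict(leaf, pool(), pool(root)))            // chain not embedded
	fmt.Println(verdict(leaf, pool(), pool(leaf)))            // signer trusted directly
}
```

In the first case the full chain is embedded and validation still fails, because only the validator's own anchor list confers trust. In the third case the root is trusted but the missing intermediate leaves no path to it.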
