There is another option. If the users' certificates are all signed by a single CA (Certificate Authority), then only the CA needs to be imported to get all of the certificate validation working. This is the approach I used, but it is not internally supported by Acrobat and requires a Linux box to create the certificates. This guide will show you how to create a CA and signed digital certificates for your users. Then you simply import the single CA into each computer along with the actual user's certificate.
- OpenSSL is required to do most of the work.
- Acrobat Reader is all that is required on the user computers.
- One copy of Acrobat Standard is needed to enable Digital Rights Management on PDF files.
Creating the Certificate Authority:
Run the following command to generate a new CA under the current directory. Make sure this is in a secure path.
/usr/share/ssl/misc/CA.pl -newca
The password prompt is the CA password and is needed by the administrator when signing new certificates. The rest of the prompts create the CA identification and signature and cannot be changed once set. Once finished, the demoCA directory can be moved and renamed as necessary.
Once done, edit the /etc/ssl/openssl.cnf configuration file and update the dir variable in the CA_default section.
[ CA_default ]
dir = /root/keys/CompanyCA
Create an acrobat.cnf configuration for creating user certificates.
echo keyUsage=digitalSignature, dataEncipherment > acrobat.cnf
echo 1.2.840.1135126.96.36.199=DER:05:00 >> acrobat.cnf
Next you probably want to extend the CA expiration date beyond one year. The following command will extend it to ten years (it writes to a new file and then replaces the original, since reading and writing the same file in one openssl command can truncate the input).
openssl x509 -in cacert.pem -days 3650 -signkey ./private/cakey.pem -out cacert-10y.pem && mv cacert-10y.pem cacert.pem
Finally, copy cacert.pem to a shared location and rename it to end with a .cer file extension so that the clients can import it. This is the public CA certificate used for validating certificates.
Create a User's Digital Certificate:
Create the new user's certificate. You will be prompted to enter the end user's password, which they will type to sign documents.
Now run the next command to sign the generated certificate with the CA. You will be prompted for the CA password.
openssl x509 -in newcert.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -out newcert-signed.pem -days 3650 -clrext -extfile acrobat.cnf && mv newcert-signed.pem newcert.pem
Finally, run the following command to export this certificate as a PKCS12 package which Acrobat can import.
cat newkey.pem newcert.pem | openssl pkcs12 -export > username.pfx
You can now copy this file out to the same shared location as the CA. It is password protected and the certificate and key can be extracted from it in the future, so a backup of the generated new*.pem files is not needed.
To extract the certificate and key, run the following commands.
openssl pkcs12 -in username.pfx -nokeys -out newcert.pem
openssl pkcs12 -in username.pfx -nocerts -out newkey.pem
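The procedure above, condensed into one non-interactive script as an added example (not from the original guide): it generates a ten-year CA, a user key and certificate request, signs the request with the acrobat.cnf extensions, exports the .pfx, and then checks that the user certificate chains to the CA and carries the expected key usage. It assumes openssl is on the PATH and swaps CA.pl for plain openssl req/x509 calls (a CSR instead of re-signing a self-signed certificate); the directory, user name and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example: end-to-end CA + Acrobat user certificate with openssl only (no CA.pl).
# Assumes openssl on PATH; the directory, user name and passwords are sample values.
set -eu

# Build the CA, the user's key/CSR, the CA-signed cert and the .pfx inside $1.
make_acrobat_ca_and_user() (   # subshell body: cd does not leak to the caller
  work=$1; user=$2; capass=$3; userpass=$4
  mkdir -p "$work"; cd "$work"
  # Same extension file as the guide: key usage plus the Adobe private OID as a DER NULL
  printf 'keyUsage=digitalSignature, dataEncipherment\n' > acrobat.cnf
  printf '1.2.840.1135126.96.36.199=DER:05:00\n' >> acrobat.cnf
  # Ten-year self-signed CA; the CA key is encrypted with the CA password
  openssl req -x509 -newkey rsa:2048 -days 3650 -subj '/CN=Example Company CA' \
    -passout "pass:$capass" -keyout cakey.pem -out cacert.pem 2>/dev/null
  # User key (encrypted with the user's signing password) and certificate request
  openssl req -new -newkey rsa:2048 -subj "/CN=$user" \
    -passout "pass:$userpass" -keyout newkey.pem -out newreq.pem 2>/dev/null
  # Sign the request with the CA and attach the acrobat.cnf extensions (new output file)
  openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem -passin "pass:$capass" \
    -CAcreateserial -days 3650 -extfile acrobat.cnf -out newcert.pem 2>/dev/null
  # PKCS#12 bundle for Acrobat's Add ID dialog, protected by the user's password
  openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -passin "pass:$userpass" \
    -passout "pass:$userpass" -out "$user.pfx"
)

# Print OK when the user cert chains to the CA and carries the guide's key usage, else FAIL.
verify_user_cert() {
  work=$1
  openssl verify -CAfile "$work/cacert.pem" "$work/newcert.pem" >/dev/null 2>&1 || { echo FAIL; return 0; }
  openssl x509 -in "$work/newcert.pem" -noout -text 2>/dev/null \
    | grep -q 'Digital Signature, Data Encipherment' || { echo FAIL; return 0; }
  echo OK
}

# Print OK when the .pfx opens with the given password (what Acrobat's Add ID does), else FAIL.
check_pfx() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out /dev/null 2>/dev/null && echo OK || echo FAIL
}

# Usage: sh this_script.sh /tmp/pki jdoe ca-secret user-secret
if [ $# -eq 4 ]; then
  make_acrobat_ca_and_user "$@"
  verify_user_cert "$1"
  check_pfx "$1/$2.pfx" "$4"
fi
```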
Import the Certificate Authority and User's Digital Certificate:
On any computer that needs to validate signatures, all you need to do is import the CA file. To do so, open Acrobat and go to Document->Manage Trust Identities. Then browse for the *.cer CA file and import it. After importing, select the certificate, select Trust, and check the Use this Certificate as a Trusted Root option.
To enable a user to sign documents on a computer, do the following. Open Acrobat and go to Document->Security Settings. Then click Add ID and browse for the proper user's *.pfx file. You will need to enter the user's password once to install the certificate, but users will still need to enter the password when signing documents. These certificates remain password protected, so multiple signing identities can be loaded onto the same computer without issue.