Monday, February 8, 2010

Creating Acrobat Digital Signatures with a Root CA for Validation

Recently I was looking into using Adobe PDF Signing. This feature requires that each user have a digital certificate. The problem is that with the default signatures created in Acrobat, every certificate has to be imported on every other computer. That is, to set up 10 users to all properly authenticate signatures you would have to import 10 signatures onto 10 computers, which becomes prohibitively complex.

There is another option. If the users' certificates are all signed with a single CA (Certificate Authority), then only the CA needs to be imported to get all the certificate validation working. This is the approach I used, but it is not internally supported by Acrobat and requires a Linux box to create the certificates. This guide will show you how to create a CA and signed digital certificates for your users. Then you simply import the single CA into each computer along with the actual user's certificate.

Requirements:
  • OpenSSL is required to do most of the work.
  • Acrobat Reader is all that is required on the user computers.
  • One copy of Acrobat Standard is needed to enable Digital Rights Management on PDF files.

Creating the Certificate Authority:
Run the following command to generate a new CA under the current directory. You need to make sure this is in a secure path.
/usr/share/ssl/misc/CA.pl -newca
The password prompt is the CA password and is needed by the administrator when signing new certificates. The rest of the prompts create the CA identification and signature and can not be changed once set. Once finished the demoCA directory can be moved and renamed as necessary.

Once done you need to edit the /etc/ssl/openssl.cnf configuration file and update the CA_default.dir variable.
[ CA_default ]
dir = /root/keys/CompanyCA

Create an acrobat.cnf configuration for creating user certificates.
echo keyUsage=digitalSignature, dataEncipherment > acrobat.cnf
echo 1.2.840.113583.1.1.10=DER:05:00 >> acrobat.cnf

Next you probably want to extend the CA expiration date beyond one year. The following command will extend it to ten years.
openssl x509 -in cacert.pem -days 3650 -signkey ./private/cakey.pem -out cacert.pem

Finally, copy the cacert.pem to a shared location and rename it to end with a .cer file extension so that the clients can import it. This is the public CA certificate used for validating certificates.


Create a Users Digital Certificate:
Create the new user's certificate. You will be prompted to enter the end user's password that they will type to sign documents.
/usr/share/ssl/misc/CA.pl -newcert

Now run the next command to sign the generated certificate with the CA. You will be prompted for the CA password.
openssl x509 -in newcert.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -out newcert.pem -days 3650 -clrext -extfile acrobat.cnf

Finally, run the following command to export this certificate as a PKCS12 package which Acrobat can import.
cat newkey.pem newcert.pem  | openssl pkcs12 -export > username.pfx

You can now copy this file out to the same shared location as the CA. It is password protected, and the certificates can be extracted from it in the future, so a backup of the generated new*.pem files is not needed.

To extract the certificate and keys you can run the following commands.
openssl pkcs12 -in username.pfx -nokeys -out newcert.pem
openssl pkcs12 -in username.pfx -nocerts -out newkey.pem
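
The CA and user-certificate steps above, run non-interactively with plain openssl commands, followed by a check that the user certificate validates against the company CA and not against an unrelated one. This is an added example, not part of the original post; the function names, directories, subjects, the alice user and the PFX password are constructed, and keys are left unencrypted (-nodes) only so the script runs without prompts.

```shell
#!/bin/sh
# Added example: subjects, directories, the "alice" user and the PFX
# password are constructed. Keys are unencrypted (-nodes) to avoid prompts.

# make_ca DIR NAME: self-signed CA (DIR/cakey.pem, DIR/cacert.pem)
make_ca() {
    mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2" -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue_user CADIR USER: user key, CA-signed certificate and PKCS#12 file
issue_user() {
    ( cd "$1" || exit 1
      printf '%s\n' 'keyUsage=digitalSignature, dataEncipherment' \
          '1.2.840.113583.1.1.10=DER:05:00' > acrobat.cnf
      # Self-signed certificate first, standing in for CA.pl -newcert
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$2.key.pem" -out "$2.self.pem" 2>/dev/null || exit 1
      # Re-sign with the CA; -clrext drops the old extensions
      openssl x509 -in "$2.self.pem" -CA cacert.pem -CAkey cakey.pem \
          -CAcreateserial -days 3650 -clrext -extfile acrobat.cnf \
          -out "$2.cert.pem" 2>/dev/null || exit 1
      openssl pkcs12 -export -inkey "$2.key.pem" -in "$2.cert.pem" \
          -passout pass:constructed-demo-password -out "$2.pfx" )
}

# chains_to CACERT CERT: succeeds only if CERT validates against CACERT
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# has_signing_usage CERT: succeeds if keyUsage lists Digital Signature
has_signing_usage() {
    openssl x509 -in "$1" -noout -text | grep -q 'Digital Signature'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/company" "Example Company CA" &&
        make_ca "$d/other" "Unrelated CA" &&
        issue_user "$d/company" alice || { rm -rf "$d"; return 1; }
    chains_to "$d/company/cacert.pem" "$d/company/alice.cert.pem" &&
        echo "alice validates against the company CA"
    chains_to "$d/other/cacert.pem" "$d/company/alice.cert.pem" ||
        echo "alice is rejected under an unrelated CA"
    rm -rf "$d"
}
demo
```

The chains_to check is the command-line equivalent of what a client does once the single CA file is trusted: any certificate the CA signed validates without being imported individually.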


Import the Certificate Authority and Users Digital Certificate:
On any computers that need to be able to validate signatures all you need to do is import the CA file. To do so simply open up Acrobat and go to Document->Manage Trust Identities. Then browse for the *.cer CA file and import it. After importing you need to select the certificate, select Trust, and check the Use this Certificate as a Trusted Root option.

To enable a user to sign documents on a computer you need to do the following steps. Open up Acrobat and go to Document->Security Settings. Then click Add ID and browse for the proper user's *.pfx file. You will need to enter the user's password once to install the certificate, but users will still need to enter the password when signing documents. These certificates are still password protected, so multiple signatures can be loaded onto the same computer without issue.

4 comments:

Michał said...

Great, that is what I was looking for! I'll try it and let you know if it works for me.

Joshua said...

Which version of Acrobat did you use? I am using Acrobat X and didn't find the path "Document->Manage Trust Identities", thus I cannot import the certificate :(

Mike said...

That is awesome. This is what I was looking for for a long time. It is a brilliant idea of creating digital signatures in Acrobat. I will certainly go for it.