Sunday, September 22, 2013

Digitally signing Adobe Acrobat PDF documents with Microsoft Certificate Authority Certificates

I’ve recently been asked by a client whether there was a way to digitally sign documents with digital signatures that cannot be modified and therefore proves that a signed document is signed by an individual.  In addition to this, they would also like to allow more signatures to be added to it because the document is essentially an invoice that requires 2 signatures of approval and a signature from a person in accounting to verify that it has been entered into the account system.

The client already uses Adobe Acrobat Professional for creating PDF documents and they noticed signature features from within the GUI but wasn’t sure how to use it so they asked me to look into it.  I’m in no way an Adobe Acrobat expert (definitely not my forte) as I don’t use it so I did a bit of research on the internet but while it looks like it can be done, there isn’t a clear document from Adobe that demonstrates how to do it. Furthermore, Adobe appears to promote the EchoSign service which the client didn’t want to use as they didn’t want any additional cost.

Knowing that Adobe Acrobat allows certificate signing, I took a bit of time sitting down at a workstation with Adobe Acrobat Professional to play around with the settings and figured out a way to do it with Microsoft Certificate Authority issued certificates.  My guess is that a lot of others would probably need a quick and cheap solution as this so I thought I’d blog the process.

Step #1 – Create a new Certificate Template for Digital Signatures

Begin by launching the Active Directory Certificate Services console and opening up the templates section, right click on the Code Signing template and select Duplicate Template:


In the General tab, give the Template display name and Template name a meaningful name (I called it Adobe Signature), adjust the Validity period to more than 1 year if desired and check the Publish certificate in Active Directory checkbox:


Navigate to the Request Handling tab and change the Purpose field to Signature and encryption, check the Allow private key to be exported checkbox:


Navigate to the Subject Name tab and if desired, you can change the option to Supply in the request if you want to allow the enroller (the user requesting a certificate signature) to fill out the fields for the certificate or leave it as the default Build from this Active Directory information with Subject name format as Fully distinguished name and User principal name (UPN) checkbox checked.  I actually prefer to leave the setting as the default Build from this Active Directory information because the issued certificates will always be consistent with what fields are filled out and it’s also easier for the enroller to request the certificate:


Navigate to the Security tab, select Authenticated Users and check the Allow – Enroll checkbox:


Step #2 – Publish the new Certificate Template

With the new certificate created, navigate to the Certificate Template node in the Certificate Authority console, right click, select New and click on Certificate Template to Issue:


Notice that the new Adobe Signature template is listed:


Step #3 – Request a new certificate for the user

With the new certificate template created and published, go to the workstation of a user who needs a digital certificate for signing Adobe Acrobat PDFs, open the MMC and add the Current User store for Certificates.  From within the Certificates – Current User console, navigate to Personal –> Certificates, right click in the right empty window, select All Tasks –> Request New Certificate..:


Proceed through the wizard:


Select Adobe Signature as the certificate:


Complete the enrollment:


You should now have a signature issued by the Active Directory integrated Microsoft Certificate Authority:


Step #4 – Import Microsoft Certificate Authority Root Certificate into Adobe Acrobat Professional Trusted CAs

What I noticed with Adobe Acrobat Professional is that it does not appear to use the local workstation’s trusted store for Certificate Authorities. This means that even if a certificate is issued by a Microsoft Active Directory integrated Root CA and it is listed in the Trusted Root Certification Authorities, Adobe would not automatically trust it.  So prior to starting to use the certificate enrolled via step 3, we will need to go to every desktop that will be involved with this signing process to manually import the CA. I wished there was an easier way to do this and maybe there is but a brief Google did not reveal a GPO adm available for me to import CAs into Adobe Acrobat Professional (I will update this post if I figure out a way).

Navigate to the Trusted Root Certification Authorities folder in the MMC and right click on the root CA certificate in the store then choose All Tasks –> Export…:


Proceed through the wizard to export the root CA’s certificate:






Open Adobe Acrobat Professional:


Click on the Edit tab and select Preferences…:


Navigate to the Signatures category and click on the More button beside Identities & Trusted Certificates:


Select Trusted Certificates on the left windows and click on Import:


Click on the Browse button:


Select the exported root CA certificate:


Click on the Import button:


A confirmation window will be displayed indicating the certificate has been imported:


Notice that the certificate is now imported.  Before you proceed, select the certificate and click on Certificate Details:


Check the Use this certificate as a trusted root checkbox.  Make sure this step is completed or even though the certificate is imported, Adobe will not trusted it and will display the signatures as signed by an unknown source:


Step #5 – Signing PDFs with certificate signatures

From there, there are 2 options to allow users to sign PDF documents:

  1. Have them select a certificate already in their local desktop’s Certificate store
  2. Have them sign it with a PFX file (an exported certificate in a flat file)

#1 is convenient in the sense that they just select the certificate during signing and a password is not required.  This would be good for users who don’t roam around desktops.

#2 is good for users who may be signing documents from different workstations and the flat file PFX would be easy for them to move around or access via a network share.  Note that the PFX is password protected.

I will demonstrate what both look like:

Have them select a certificate already in their local desktop’s Certificate store:

To have them sign a PDF with a certificate in their local desktop’s store requires no further action.  All they need to do is open up a document in Adobe Acrobat Pro:


Click on the Sign button on the top right corner then select Place Signature:


Click on the Drag New Signature Rectangle button:


Use the lasso to lasso an area where the signature is supposed to be:


Assuming there’s just 1 certificate available, the user’s certificate should already be selected in the Sign As field but if not, select it then click on the Sign button:


Save the document:


Note the signature and the Signed and all signatures are valid. note at the top:


Clicking on the Signature Panel button will show the signatures applied to the document:


Right clicking on the signature will allow you to review the signature properties by clicking on Validate Signature:


Note that if Clear Signature is selected, the signature will be marked as cleared but the line item will not be deleted because this allows a full history of what’s been done with the signatures.



Have them sign it with a PFX file (an exported certificate in a flat file):

To sign with a PFX, we will need to export the issued certificate first similar to the way we did with the root CA certificate.  Navigate to the Personal –> Certificates folder in the MMC and right click on the issued certificate in the store then choose All Tasks –> Export…:


Proceed through the wizard to export the certificate:


Ensure the Yes, export the private key is selected:



Enter a password:


Select a path:



With the certificate exported as PFX, proceed by signing PDF documents by opening up a document in Adobe Acrobat Pro:


Click on the Drag New Signature Rectangle button:


Use the lasso to lasso an area where the signature is supposed to be:


In the Sign As drop down menu, select New ID…:


Select My existing digital ID from: and A file:


Browse to the exported PFX file, enter the password:


Review the properties of the certificate and click Finish:


Proceed by clicking the Sign button:


Save the document:


Note the signature and the Signed and all signatures are valid. note at the top:


Clicking on the Signature Panel button will show the signatures applied to the document:


From here, you can continue to apply other user’s signatures to it as shown here:


Note the second signature that’s listed as Rev. 2:


This may seem like a simple task to Adobe Acrobat Pro experts but for someone like me who don’t use the application, finding information on how signature works took a bit of time so I hope this helps anyone out there who may find themselves in the same situation as I did.


Jimmy Jarred said...

This post is extremely useful for me as it saved my lot of time. I have been struggling to learn about how we can digitally sign documents in Adobe. I got the complete solution to my problem in this article. Thanks.
digital signature Adobe Acrobat

share said...

hi friend its really a great thing, i took lot of time for me to understood those concept's u made it pretty simple .. thank you for your great help..!!!

Aeldra Robinson said...

nice blog

digital signatures

Digital Signature Provider said...

Good Info!

Thanks for sharing a very nice instruction in favor of clients. It is really necessary for new or old customer.

Anonymous said...

Awesome post, very helpful. Note that for step#4 you can setup Acrobat to trust the windows certificate store - there's a setting in preferences. See:

Ha Phan said...
This comment has been removed by the author.
Anonymous said...

What happens when a signed pdf is email to somebody not in my domain? Will they be able to verify the cert?

Digital Signature Certificate for DGFT said...

Great Writing View !! We all read your and like it. This is very informative and helpful information information. Keep up sharing...


Raj Solanki said...

Thanks for sharing the amazing information on the digital signature.

DSC Application Form

AB said...

3 Years later and this article is still awesomely informative. I'm a new sysadmin and I've been tasked with just this problem. Thanks so much for the assistance.

The Kingpin said...

Well done sir. You saved me tons of time and effort. Great article.

Krv. said...


Sanket Agarwal said...

The post is actually the freshest on this laudable subject. I harmonize with your conclusions and will thirstily look forward to see your approaching updates.Apply Digital signature Certificate Online

Sambath S said...

Thank you for sharing this wonderful information..... Great post!

Digital Signature Mart said...

Thanks for sharing the amazing information on the digital signature. Digital signature in Delhi

Shailendra Aggarwal said...

Digital signatures have really improved the security level .To make the documents secure digital signature and encryption is the best way. And temperament is really not easy. Digital Signature Certificate

Anonymous said...

How to apply digital signature certificate microsoft office documents like word,Excel..

Anonymous said...

It is a great way to make sure you're PDF can't be changed after they have been signed. Digitally signing Adobe Acrobat PDF documents with PDF signature library

Dsc Signer said...

Very impressive & Beautiful Blog. thanks for sharing such beautiful blog.
Software to digitally sign pdf documents
Bulk pdf signer software

Turbo EXIM said...

Your Blog Is Very Useful And Beautiful As Well

Sign Document Online

Bulk Pdf Signer Software

Rahul Malhotra said...

Hi, I am Rahul thank you for this informative post.Thank you so much and for you all the best. ( That is a great job. Wish you more success. Takes Down

Nutra Trials said...

Nutra Trials defines personal characteristics of different health products including skincare, weight loss, muscle and male enhancement. The study presented here is briefly described for reader convenience and to deliver them assurance with health standards. The best possible answers are given here regarding the selection of an ideal supplement or cream or serum that possibly remains to be safe for health and do not cause any side effects.

NutraT line said...

It is a great job, I like your posts and wish you all the best. and I hope you continue this job well.
NutraT line