Sunday, September 22, 2013

Digitally signing Adobe Acrobat PDF documents with Microsoft Certificate Authority Certificates

I’ve recently been asked by a client whether there was a way to digitally sign documents with digital signatures that cannot be modified and therefore prove that a signed document is signed by an individual. In addition to this, they would also like to allow more signatures to be added to it because the document is essentially an invoice that requires 2 signatures of approval and a signature from a person in accounting to verify that it has been entered into the account system.

The client already uses Adobe Acrobat Professional for creating PDF documents and they noticed signature features from within the GUI but weren’t sure how to use them so they asked me to look into it. I’m in no way an Adobe Acrobat expert (definitely not my forte) as I don’t use it so I did a bit of research on the internet but while it looks like it can be done, there isn’t a clear document from Adobe that demonstrates how to do it. Furthermore, Adobe appears to promote the EchoSign service which the client didn’t want to use as they didn’t want any additional cost.

Knowing that Adobe Acrobat allows certificate signing, I took a bit of time sitting down at a workstation with Adobe Acrobat Professional to play around with the settings and figured out a way to do it with Microsoft Certificate Authority issued certificates. My guess is that a lot of others would probably need a quick and cheap solution such as this so I thought I’d blog the process.

Step #1 – Create a new Certificate Template for Digital Signatures

Begin by launching the Active Directory Certificate Services console and opening up the templates section, right click on the Code Signing template and select Duplicate Template:

In the General tab, give the Template display name and Template name a meaningful name (I called it Adobe Signature), adjust the Validity period to more than 1 year if desired and check the Publish certificate in Active Directory checkbox:

Navigate to the Request Handling tab and change the Purpose field to Signature and encryption, check the Allow private key to be exported checkbox:

Navigate to the Subject Name tab and if desired, you can change the option to Supply in the request if you want to allow the enroller (the user requesting a certificate signature) to fill out the fields for the certificate or leave it as the default Build from this Active Directory information with Subject name format as Fully distinguished name and User principal name (UPN) checkbox checked.  I actually prefer to leave the setting as the default Build from this Active Directory information because the issued certificates will always be consistent with what fields are filled out and it’s also easier for the enroller to request the certificate:

Navigate to the Security tab, select Authenticated Users and check the Allow – Enroll checkbox:

Step #2 – Publish the new Certificate Template

With the new certificate template created, navigate to the Certificate Templates node in the Certification Authority console, right click, select New and click on Certificate Template to Issue:

Notice that the new Adobe Signature template is listed:

Step #3 – Request a new certificate for the user

With the new certificate template created and published, go to the workstation of a user who needs a digital certificate for signing Adobe Acrobat PDFs, open the MMC and add the Current User store for Certificates. From within the Certificates – Current User console, navigate to Personal –> Certificates, right click in the empty right-hand pane, select All Tasks –> Request New Certificate…:

Proceed through the wizard:

Select Adobe Signature as the certificate:

Complete the enrollment:

You should now have a certificate issued by the Active Directory integrated Microsoft Certificate Authority:

Step #4 – Import Microsoft Certificate Authority Root Certificate into Adobe Acrobat Professional Trusted CAs

What I noticed with Adobe Acrobat Professional is that it does not appear to use the local workstation’s trusted store for Certificate Authorities. This means that even if a certificate is issued by a Microsoft Active Directory integrated Root CA and it is listed in the Trusted Root Certification Authorities, Adobe would not automatically trust it. So prior to starting to use the certificate enrolled via step 3, we will need to go to every desktop that will be involved with this signing process to manually import the CA. I wish there was an easier way to do this and maybe there is but a brief Google search did not reveal a GPO adm available for me to import CAs into Adobe Acrobat Professional (I will update this post if I figure out a way).

Navigate to the Trusted Root Certification Authorities folder in the MMC and right click on the root CA certificate in the store then choose All Tasks –> Export…:

Proceed through the wizard to export the root CA’s certificate:

Open Adobe Acrobat Professional:

Click on the Edit tab and select Preferences…:

Navigate to the Signatures category and click on the More button beside Identities & Trusted Certificates:

Select Trusted Certificates in the left window and click on Import:

Click on the Browse button:

Select the exported root CA certificate:

Click on the Import button:

A confirmation window will be displayed indicating the certificate has been imported:

Notice that the certificate is now imported.  Before you proceed, select the certificate and click on Certificate Details:

Check the Use this certificate as a trusted root checkbox. Make sure this step is completed; otherwise, even though the certificate is imported, Adobe will not trust it and will display the signatures as signed by an unknown source:

Step #5 – Signing PDFs with certificate signatures

From there, there are 2 options to allow users to sign PDF documents:

  1. Have them select a certificate already in their local desktop’s Certificate store
  2. Have them sign it with a PFX file (an exported certificate in a flat file)

#1 is convenient in the sense that they just select the certificate during signing and a password is not required.  This would be good for users who don’t roam around desktops.

#2 is good for users who may be signing documents from different workstations and the flat file PFX would be easy for them to move around or access via a network share.  Note that the PFX is password protected.

I will demonstrate what both look like:

Have them select a certificate already in their local desktop’s Certificate store:

To have them sign a PDF with a certificate in their local desktop’s store requires no further action.  All they need to do is open up a document in Adobe Acrobat Pro:

Click on the Sign button on the top right corner then select Place Signature:

Click on the Drag New Signature Rectangle button:

Use the lasso to lasso an area where the signature is supposed to be:

Assuming there’s just 1 certificate available, the user’s certificate should already be selected in the Sign As field but if not, select it then click on the Sign button:

Save the document:

Note the signature and the "Signed and all signatures are valid." note at the top:

Clicking on the Signature Panel button will show the signatures applied to the document:

Right clicking on the signature will allow you to review the signature properties by clicking on Validate Signature:

Note that if Clear Signature is selected, the signature will be marked as cleared but the line item will not be deleted because this allows a full history of what’s been done with the signatures.

Have them sign it with a PFX file (an exported certificate in a flat file):

To sign with a PFX, we will need to export the issued certificate first similar to the way we did with the root CA certificate.  Navigate to the Personal –> Certificates folder in the MMC and right click on the issued certificate in the store then choose All Tasks –> Export…:

Proceed through the wizard to export the certificate:

Ensure the Yes, export the private key option is selected:

Enter a password:

Select a path:

With the certificate exported as PFX, proceed by signing PDF documents by opening up a document in Adobe Acrobat Pro:

Click on the Drag New Signature Rectangle button:

Use the lasso to lasso an area where the signature is supposed to be:

In the Sign As drop down menu, select New ID…:

Select My existing digital ID from: and A file:

Browse to the exported PFX file, enter the password:

Review the properties of the certificate and click Finish:

Proceed by clicking the Sign button:

Save the document:

Note the signature and the "Signed and all signatures are valid." note at the top:

Clicking on the Signature Panel button will show the signatures applied to the document:

From here, you can continue to apply other users’ signatures to it as shown here:

Note the second signature that’s listed as Rev. 2:

This may seem like a simple task to Adobe Acrobat Pro experts but for someone like me who doesn’t use the application, finding information on how signatures work took a bit of time so I hope this helps anyone out there who may find themselves in the same situation as I did.
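The certificate request, root CA export and PFX export from Steps 3 to 5 can also be done from PowerShell on the user's workstation. The script below is an added example, not part of the original post; the template short name `AdobeSignature` and the output folder are assumptions, so check the Template name on the template's General tab before running it.

```powershell
# Added example (not from the original post): Steps 3-5 for the logged-on user.
# Assumptions: the template's short name and the output folder below.
$TemplateName = 'AdobeSignature'                          # assumed; see the template's General tab
$OutDir       = Join-Path $env:USERPROFILE 'pdf-signing'  # hypothetical folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 3: enroll against the published template into Personal -> Certificates.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation Cert:\CurrentUser\My
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
$cert = Get-Item "Cert:\CurrentUser\My\$($result.Certificate.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key in this store.' }

# Build the chain so the root that Acrobat must trust is taken from the
# certificate itself instead of being picked by eye from the root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'The certificate chain does not validate on this workstation.'
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Step 4: export only the public root certificate for import into Acrobat.
$rootFile = Join-Path $OutDir 'root-ca.cer'
Export-Certificate -Cert $root -FilePath $rootFile -Type CERT | Out-Null

# Step 5, option 2: export the signing certificate with its private key.
$pfxFile  = Join-Path $OutDir "$($env:USERNAME)-signature.pfx"
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxFile -Password $password | Out-Null

# Summary: compare the root fingerprints with the certificate details shown
# in Acrobat after the import on each desktop.
[pscustomobject]@{
    Subject     = $cert.Subject
    NotAfter    = $cert.NotAfter
    RootSubject = $root.Subject
    RootSha1    = $root.Thumbprint
    RootSha256  = (Get-FileHash -Path $rootFile -Algorithm SHA256).Hash
    RootFile    = $rootFile
    PfxFile     = $pfxFile
} | Format-List
```

The `.cer` file holds only the public root certificate and can be copied to every desktop; the `.pfx` holds the user's private key, so whoever can read that file and knows its password can sign as that user.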

14 comments:

Jimmy Jarred said...

This post is extremely useful for me as it saved me a lot of time. I have been struggling to learn about how we can digitally sign documents in Adobe. I got the complete solution to my problem in this article. Thanks.
digital signature Adobe Acrobat

share said...

Hi friend, it's really a great thing. It took a lot of time for me to understand those concepts; you made it pretty simple .. thank you for your great help..!!!

Aeldra Robinson said...

Hi,
I am trying to split a PDF into multiple PDF. (ex)Each page to a separate PDF.
PDF signature

Aeldra Robinson said...

nice blog

digital signatures

Digital Signature Provider said...

Good Info!

Thanks for sharing a very nice instruction in favor of clients. It is really necessary for new or old customer.

Qa Tools said...


Nice article. I was really impressed by seeing this article, it was very interesting and it is very useful for Microsoft Training Learners.. We are Providing best qa online training in worldwide.

Daniel Mason said...

It was really a nice article and I was really impressed by reading this article. We are also giving all software Course Online Training. The Microsoft Courses Online Training is one of the leading Online Training institute in the world.

Anonymous said...

Awesome post, very helpful. Note that for step#4 you can setup Acrobat to trust the windows certificate store - there's a setting in preferences. See:
http://blogs.adobe.com/security/2008/08/setting_signature_trust_in_ado_2.html

Ha Phan said...
This comment has been removed by the author.
Anonymous said...

What happens when a signed pdf is emailed to somebody not in my domain? Will they be able to verify the cert?

Digital Signature Certificate for DGFT said...

Great Writing View !! We all read your and like it. This is very informative and helpful information. Keep up sharing...

Thanks

Raj Solanki said...

Thanks for sharing the amazing information on the digital signature.

DSC Application Form

AB said...

3 Years later and this article is still awesomely informative. I'm a new sysadmin and I've been tasked with just this problem. Thanks so much for the assistance.

The Kingpin said...

Well done sir. You saved me tons of time and effort. Great article.