Adobe Acrobat Certificates?


Adobe Acrobat Certificates?

iaw4
Dear openssl experts---is anyone using openSSL certificates for adobe
acrobat?  if so, can this person please tell me the magic invocation
to create a pkcs#12 certificate that expires in x days (linux), and
perhaps how to get it working under Acrobat Pro (windows)?  I am not
an IT person, and my encryption knowledge is rudimentary.  sorry to
take everyone's time with this.  sincerely,  /iaw
----
Ivo Welch ([hidden email], [hidden email])
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Adobe Acrobat Certificates?

steve.roylance (Bugzilla)
Ivo,

GlobalSign offers Adobe CDS based certificates to the market so we are very
familiar with Adobe Acrobat.   If you want to create a simple PKCS#12 self
signed certificate and you have Acrobat Pro, then go into the 'Advanced'
settings menu 'Security Settings' and simply click on 'Add ID' and a wizard
will guide you through the process to end up with a PKCS#12 or an exportable
certificate in your Windows PC cert store.  It's very easy.

If you ever then need a real CDS (Recognizable by PDF reader worldwide)
certificate GlobalSign would be pleased to help get one for you.

Good Luck

Kind Regards,

Steve Roylance
Business Development Director

GlobalSign
www.globalsign.com| www.globalsign.eu

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of ivo welch
Sent: 16 August 2010 01:21
To: [hidden email]
Subject: Adobe Acrobat Certificates?


Re: Adobe Acrobat Certificates?

iaw4

thank you, Steve.  I already have a trial certificate from you guys.  I need to check your pricing when it expires (90 days) to determine whether I will buy one.

Alas, I want to learn what the capabilities of certificate encryption are, and what happens when they expire.  (In particular, I want to create a document that expires in, say, 3 years.)

So, I want to be able to create some test certificates that expire tomorrow, the day after, etc., and then see whether the document becomes unusable.   Unfortunately, Acrobat Pro seems to create 5-year certificates only.  So, I need some sample certificates, and I figure openSSL can do this...somehow.

/iaw




Re: Adobe Acrobat Certificates?

Jakob Bohm-7
In reply to this post by steve.roylance (Bugzilla)
On 16-08-2010 11:51, Steve Roylance wrote:
> Ivo,
>
> GlobalSign offers Adobe CDS based certificates to the market so we are very
> familiar with Adobe Acrobat.   If you want to create a simple PKCS#12 self
> signed certificate and you have Acrobat Pro, then go into the 'Advanced'
> settings menu 'Security Settings' and simply click on 'Add ID' and a wizard
> will guide you through the process to end up with a PKCS#12 or an exportable
> certificate in your Windows PC cert store.  It's very easy.
>
Nice feature for test signatures, but I don't think that's what the
OP wanted (see below).

> If you ever then need a real CDS (Recognizable by PDF reader worldwide)
> certificate GlobalSign would be pleased to help get one for you.

Nice plug, but I guess the OP wanted to issue locally trusted
certificates signed by an in-house enterprise CA that runs on a Linux
machine and is based on OpenSSL (such as tinyCA, or Red Hat CA).

So maybe you (based on your experience) can tell the rest of us
exactly what makes an Adobe PDF Cert different from a generic X.509
cert?


Re: Adobe Acrobat Certificates?

Jan-2
In reply to this post by iaw4
Ivo,
 
You cannot set an expiry flag on a PDF file encrypted with PDF's standard encryption technique. In the end it is the certificate that is going to expire and not the encrypted document.
 
The Adobe LiveCycle Policy Server seems to offer such things... but until now I've never seen such a file in the wild.
 
Cheers!
Jan


Re: Adobe Acrobat Certificates?

Scott Gifford
In reply to this post by iaw4
On Mon, Aug 16, 2010 at 10:49 AM, ivo welch <[hidden email]> wrote:
> [ ... ]
> So, I want to be able to create some test certificates that expire tomorrow, the day after, etc., and then see whether the document becomes unusable.   Unfortunately, Acrobat Pro seems to create 5-year certificates only.  So, I need some sample certificates, and I figure openSSL can do this...somehow.

As far as testing to make sure expirations work, I have found that messing with my system's clock is a good way to do that: create a certificate that expires in 5 years, then set your clock forward 5 years and 1 day to test.  You may even find that it will trick Adobe's software: if you want a certificate that expires tomorrow, maybe you can set your clock to 5 years minus 1 day and create the certificate.

Just a thought, I don't have answers to the rest of your question.  :)

----Scott.


RE: Adobe Acrobat Certificates?

steve.roylance (Bugzilla)
In reply to this post by Jakob Bohm-7
Hi Jakob,

The best way to view what CDS is, is via the Adobe Website.  It's a medium
assurance hardware based identity credential that we, and others, supply.
It's ultimately rooted through to the Adobe Root CA, i.e. a root in all
Adobe Reader versions from Version 6 onwards.
http://www.adobe.com/security/partners_cds.html

We, along with other well known names in the CA industry, offer CDS
certificates to the market.  If anyone is interested then please mail me
separately and I'd be happy to provide more details away from the list, but
an example is the best way to quickly show you the differences.  

This one is certified with a CDS certificate
http://www.globalsign.co.uk/resources/documentsign-creating-trusted-documents.pdf
and this one is self signed to allow you to compare the difference in
the GUI on whatever version of Adobe Acrobat you are using
http://www.globalsign.co.uk/document-security-compliance/adobe-cds/

You can use the certificate viewer built into Adobe Acrobat or Reader to
examine the profile of the certificates.

Thanks.

Steve



Re: Adobe Acrobat Certificates?

Crypto Sal
In reply to this post by Jakob Bohm-7
  On 08/16/2010 10:52 AM, Jakob Bohm wrote:

> On 16-08-2010 11:51, Steve Roylance wrote:
>> Ivo,
>>
>> GlobalSign offers Adobe CDS based certificates to the market so we
>> are very
>> familiar with Adobe Acrobat.   If you want to create a simple PKCS#12
>> self
>> signed certificate and you have Acrobat Pro, then go into the 'Advanced'
>> settings menu 'Security Settings' and simply click on 'Add ID' and a
>> wizard
>> will guide you through the process to end up with a PKCS#12 or an
>> exportable
>> certificate in your Windows PC cert store.  It's very easy.
>>
> Nice feature for test signatures, but I don't think that's what the
> OP wanted (see below).
>
>> If you ever then need a real CDS (Recognizable by PDF reader worldwide)
>> certificate GlobalSign would be pleased to help get one for you.
>
> Nice plug, but I guess the OP wanted to issue locally trusted
> certificates signed by an in-house enterprise CA that runs on a Linux
> machine and is based on OpenSSL (such as tinyCA, or Red Hat CA).
>
> So maybe you (based on your experience) can tell the rest of us
> exactly what makes an Adobe PDF Cert different from a generic X.509
> cert?
>

Jakob,

 From my experiences: NOTHING. (So long as it has digital signing enabled)

 From what I have seen and know, Adobe CDS partners [
http://www.adobe.com/security/partners_cds.html ], get an intermediate
certificate from Adobe, which they then use to issue digital signing
certificates to Organizations or Individuals. (Entity/their customers).
The only real benefit is much like having a publicly trusted SSL
certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign,
GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It
helps get rid of the browser nag, because what end-user wants to
actually THINK before they do something?)

I do like the fact that Adobe gives end-users the ability to trust who
they want (much like the friendly browsers do these days), when they
want and they don't have to rely on Adobe to certify CAs especially
since Adobe hasn't decided not to partner with some of the more popular
global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though:
Mozilla, Opera and Microsoft DO)

Hope this sheds some more light on the issue.



However, we await Steve's response.

--Sal
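
An added example, not part of any post in this thread: one way to produce the short-lived test identities Ivo asks for with the OpenSSL command line, and to check their expiry without touching the system clock. The function names, file names, subject, key-usage set and password are assumptions chosen for illustration; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: short-lived self-signed test identities as PKCS#12.
# Subject, file names, key usage and password are placeholders/assumptions.

# make_test_id DAYS OUTDIR [CN] [P12_PASSWORD]
# The body runs in a subshell so umask and variables do not leak out.
make_test_id() (
    days=$1; dir=$2; cn=${3:-"PDF Test Signer"}; pass=${4:-"changeit"}
    umask 077                      # key and .p12 readable by owner only
    mkdir -p "$dir" || exit 1

    # New RSA key plus self-signed certificate; notAfter = now + DAYS days.
    # keyUsage enables digital signing (the condition named in the thread);
    # keyEncipherment is an assumption for certificate-based encryption.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -subj "/CN=$cn" \
        -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" || exit 1

    # Bundle key and certificate as PKCS#12. A pass: argument is visible in
    # the process list, so use it for throwaway test identities only.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "$cn" -passout "pass:$pass" -out "$dir/id.p12"
)

# expires_within CERT SECONDS
# Succeeds if CERT will already be expired SECONDS from now. This answers
# "what happens tomorrow?" without setting the clock forward.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# p12_enddate P12 [PASSWORD]
# Prints the notAfter date of the certificate stored inside the bundle.
p12_enddate() {
    openssl pkcs12 -in "$1" -passin "pass:${2:-changeit}" -nokeys 2>/dev/null |
        openssl x509 -noout -enddate
}

# Usage (constructed paths):
#   make_test_id 1 ./id-1day      # expires tomorrow
#   make_test_id 2 ./id-2day      # expires the day after
#   expires_within ./id-1day/cert.pem 86400 && echo "gone in 24h"
#   p12_enddate ./id-1day/id.p12
```

OpenSSL 3.x encrypts PKCS#12 files with AES-based algorithms by default; if an older importer rejects the file, `openssl pkcs12 -export` accepts `-legacy` to write the older format.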


RE: Adobe Acrobat Certificates?

steve.roylance (Bugzilla)
Sal, Jakob,

The CP for Adobe is here:- http://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf
and section 7 highlights the specific profile of the certificate.  

Sal, you are correct it's an X509 certificate and there are no deviations
from that spec.  However, there are specific OID and specific rules that the
CP mandates and there are also specific services that are related to the
certificate which are indicated within the profile (Time stamping for
example).

FYI, I've hopefully addressed Ivo's concerns in a separate e-mail and made
suitable suggestions to him on ways to solve his particular issue.

Thanks

Steve


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Crypto Sal
Sent: 17 August 2010 05:30
To: [hidden email]
Subject: Re: Adobe Acrobat Certificates?
