FAQs Adobe CDS
PDF Signing for Adobe Certified Document Services (CDS) enables more secure, reliable PDF document exchange
1. What is Certified Document Services (CDS)?
Certified Document Services (CDS) is a validation service for electronic documents that attests to the authenticity and integrity of data through industry-standard, highly ubiquitous software (>800 million installations). Created by the Adobe® Root Certificate Authority, CDS enables document authors to sign Portable Document Format (PDF) files using digital certificates, which then validate automatically when recipients use the freely available Adobe® Acrobat® Reader software. No additional client software or configuration is required, and the solution is multi-lingual through the wide variety of languages supported: http://www.adobe.com/products/reader/productinfo/languages/
CDS was designed to enable organizations and individuals who publish high-value documents to large and disparate recipient groups to increase the assurance level that the document's integrity and authenticity are preserved. By adding Certifying Signatures and Approver Signature(s) to PDF files, document authors can increase this assurance level while at the same time reducing the burden on the recipient of determining whether the document can be trusted.
Learn more about CDS: http://www.adobe.com/security/digsig/certifieddocs.html
GlobalSign offers digital certificates compliant to the CDS program under the PDF Signing for Adobe CDS brand. PDF Signing Digital IDs are issued to individuals and departments affiliated with verifiable organizations and allow authors to add Certifying Signatures and Approver Signatures to PDFs.
PDF Signing Digital IDs are “chained” to the inherently trusted Adobe root certificate found in Adobe Reader 6.0+ and Acrobat 6.0+. Recipients who open certified documents signed with CDS digital IDs receive one of three easy to understand trust messages.
[Table of trust message icons, images not reproduced. Labels: Certification VALID, Validity of author, Certification INVALID, Approval Signature; shown for Version 6 through 8 and Version 9 onwards.]
3. Where can I review the Certification Practice Statement for PDF Digital IDs?
Certification Practice Statement for PDF Signing
4. Why does my private key associated with my PDF Signing Digital ID need to be stored on cryptographic hardware?
The Adobe CDS Certificate Policy protects the security of the CDS program by requiring that all digital IDs are created on FIPS 140-2 level 2 compliant cryptographic hardware (such as the SafeNet iKey range). This maintains the 'singularity' of the Digital ID such that it cannot be duplicated, and therefore preserves the non-repudiation capabilities of the solution. The only exception is ‘Test Certificates’, which have a separate Test OID and can therefore be created outside of a hardware module.
5. How does a PDF Signing Digital ID differ from any other x.509v3 certificate?
A CDS Digital ID is an X.509 V3 certificate created on FIPS 140-2 level 2 cryptographic hardware. However, it has a number of unique features built into the profile of the certificate.
Firstly, the certificate itself is directly chained to the Adobe Root CA, meaning that any documents certified or signed with it will be automatically trusted by any version of Adobe Reader from version 7.0 onwards. Secondly, automatic configuration of the Adobe writer product is completed on first use (Acrobat on the desktop or servers such as the Adobe® LiveCycle® Digital Signatures ES2), with entries for the location of the time stamping service and CRLs being taken from the certificate. This allows users to create SHA256 Long Term Validation signatures, compliant for example to ETSI TS 102 778.
6. What are the differences between Certified and Approval signatures?
Most digital signatures are referred to as approval signatures. Signatures that certify a PDF are called certifying signatures. Only the first person to sign a PDF (most often, the author) can add a certifying signature. A certifying signature attests to the contents of the document and allows the signer to specify the types of changes allowed for the document to remain certified. Changes to the document are detected in the Signatures panel.
Approval signatures are performed when someone signs a document to show consent, approval, or acceptance. A certified document is one that has a certification signature applied by the originator when the document is ready for use. The originator specifies what changes are allowed; choosing one of three levels of modification permitted:
No changes
Form fill-in only
Form fill-in and commenting
Valid approval signatures produce a "green check mark" and certified signatures produce a "blue ribbon". Both types of digital signatures provide embedded SHA256 CRL and SHA256 RFC 3161 compliant time stamping services, resulting in valid signatures well past the life of the PDF Signing Digital ID that signed them (approximately until the year 2030 according to current cryptography strength predictions).
7. How do I get a PDF Signing Digital ID?
Step 1: Choose the certificate type that best suits your needs (signing as a ‘natural person’, i.e. PersonalSign, or as a ‘role’, i.e. DepartmentSign).
Step 2: Register for the service through the ‘buy now’ link. GlobalSign then verifies the organization.
Step 3: GlobalSign performs additional phone verification checks to ensure the subscriber is authorized to enroll for a digital ID by the Organizational Representative who signs and agrees to the terms and service. See the Certification Practice Statement for details.
Step 4: Once validation checks are completed, GlobalSign will provide a link to install the digital ID to the subscriber on a GlobalSign furnished cryptographic device (typically an iKey USB token from SafeNet, or a Luna PCI/Luna SA Hardware Security Module).
8. How do I enroll for a PDF Signing Digital ID?
Low volume PDF Signing Digital IDs are provided on USB iKey 2032/4000/5100 cryptographic tokens, which are protected by the customer via a customer-assigned passphrase. Higher volume DepartmentSign Digital IDs may be provided on tokens too; however, it is more likely that an HSM (Hardware Security Module) will initially be delivered to the organization and a CSR (Certificate Signing Request) generated for input into a GlobalSign Certificate Center Account for subsequent certificate signing by GlobalSign.
9. How are subscribers vetted?
An organisation’s identity is verified by GlobalSign’s vetting team in accordance with the steps described in the PDF Signing for Adobe CDS Certification Practice Statement. Enterprise (ePKI) subscribers are vetted and authorized to enroll for a digital ID in their name or, in the case of DepartmentSign, a role, by an authorized Local Registration Authority that has been appointed by the Organization Representative.
10. How is my organisation vetted?
After the on-line enrollment is completed by a representative authorized to bind the organization to the terms of the GlobalSign agreement and by reference the PDF Signing Digital ID for Adobe PDF Certificate Practice Statement, GlobalSign shall verify the Organisation is legitimate using third party verification services such as Qualified Government Information Source.
11. Where can I get the Adobe Root and GlobalSign for Adobe CA subordinate CA and what is the root hierarchy?
Adobe Root Installation (Video)
Get the GlobalSign SHA256 Primary CA for Adobe subordinate CA (DER format)
Get the GlobalSign SHA256 Primary CA for Adobe subordinate CA (CER format)
Get the GlobalSign SHA256 CA for Adobe subordinate CA (DER format)
Get the GlobalSign SHA256 CA for Adobe subordinate CA (CER format)
Pre November 2011 issuing CA - Legacy customers
Get the Adobe CA subordinate CA (CER format)
Get the Adobe CA subordinate CA (DER format)
From November 2011 the Adobe root hierarchy is a high security PKI implementation as follows:

12. What technical requirements do I need to use a PDF Signing Digital ID?
Windows XP, Vista, Windows 7 or Mac OS (Snow Leopard or Lion)
Software requirements for Adobe Acrobat Reader
Software requirements for the Adobe Acrobat Family
13. How do I know what type of PDF Signing Digital ID is right for me?
PersonalSign Pro Digital ID for Adobe PDF - Low Volume: A client based desktop solution designed for organizations with low volume requirements (up to 500 annual signings) needing named individuals (e.g. John Smith) to add Certifying or Approval Signatures to PDFs. Authors digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-2 level 2 cryptographic USB token.
PersonalSign Pro Digital ID for Adobe PDF - Medium Volume: A client based desktop solution designed for organizations with low volume requirements (up to 1,500 annual signings) needing named individuals (e.g. John Smith) to add Certifying or Approval Signatures to PDFs. Authors digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-2 level 2 cryptographic USB token.
DepartmentSign Digital ID for Adobe PDF - Low Volume: A client based desktop solution designed for organizations with low volume requirements (up to 2,000 annual signings) needing their departments, e.g. Marketing Department or Legal Department, to add Certifying or Approval Signatures to PDFs. Departments digitally sign using the Adobe Acrobat software and a PersonalSign Pro Digital ID securely stored on a SafeNet FIPS 140-2 level 2 cryptographic USB token.
DepartmentSign Digital ID for Adobe PDF - Medium Volume: An automated solution to add Certifying and Approval Signatures to important PDFs, designed for organizations with medium volume requirements (up to 5,000 annual signings). A role-based PDF Signing Digital ID, e.g. Marketing Department or Legal Department, is issued and securely protected on a SafeNet FIPS 140-2 level 2 cryptographic device such as a Luna® PCI card.
Enterprise PKI for Adobe PDF
Includes two options for the Enterprise to manage the full life-cycle of PDF Signing Digital IDs issued under their organization name. For example:
Distributed implementations of PersonalSign and DepartmentSign Digital IDs on USB tokens issued to individuals and departments supporting a medium signing transaction level based on an average across all users (1,500 annual for individuals and 5,000 for departments).
Distributed implementations of PersonalSign and Department involve providing organization administrators (acting as the organization's Registration Authority) a bulk quantity of PersonalSign Pro or DepartmentSign Digital IDs for medium desk top volume Certifying and Approval Signature requirements and the associated Safenet USB tokens used to protect the Digital IDs.
Centralised implementations (maintained on the organization's server) PDF Signing Digital IDs for either departments or individuals
Centralized, server-based implementations work with SafeNet hardware security modules (optionally sold) that are highly integrated with Adobe's LiveCycle Enterprise Server suite. The net result is a highly automated solution with robust signing functionality for adding Certifying and Approval Signatures to PDFs. Low (up to 25,000 annually), Medium (up to 100,000 annually), and High (up to 500,000 annually) volume signings are available. Custom quotes are available for higher volumes. Contact your GlobalSign sales representative for details.
14. What information does the PDF Signing Digital ID contain?
PersonalSign Pro Digital IDs for Adobe PDF typically contain the following information:
Organisation: e.g. ABC Company
Organisation Unit (Optional): e.g. 123 Business Unit
Common Name: e.g. john.doe@yahoo.com
Email (optional): e.g. john.doe@yahoo.com
Country Code: e.g. Massachusetts
Locality: e.g. Boston
15. What Adobe applications work with CDS?
Acrobat CDS Authoring Products:
Acrobat Professional v6.x through 10.x
Acrobat Standard v6.x through 10.x
Adobe LiveCycle Document Security Server v8.x and LiveCycle ES Digital Signatures
Acrobat CDS Validation Products:
Acrobat Elements v6.x through 10.x
Adobe Reader v6.x through 10.x
Adobe LiveCycle Document Security Server v.8.x and LiveCycle ES Digital Signatures
Quick Start Guide for Windows XP, Windows Vista and Windows 7 Users
iKey 2032 users please remember to select "SafeNet RSA CSP" as your Cryptographic Service Provider during the certificate install process as the iKey 2032 is an older token type and needs to use the legacy drivers to find the token.
iKey 4000 & iKey 5100 users may select "eToken Base Cryptographic Provider" which is the default option.
17. How do I certify a document?
Please view the following demo, which highlights how to certify a document and verify the signature.
Watch a Demo - Certifying a Document
18. How do I set my CDS digital certificate as a default option for certifying my documents?
Watch a Demo - Configuring the Default Signature Choice
19. How does time-stamping work?
PDF Signing Digital IDs contain a special extension that supported Adobe products will use to gain access to a highly available and highly trusted RFC 3161 trusted clock. This assures relying parties of the exact date and time of the signature.
GlobalSign provides a time stamping service through a highly respected and well known time source, Seiko. Each time stamp request to Seiko's servers is digitally signed.
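
As an added illustration (not GlobalSign or Adobe code), the Python below builds the RFC 3161 TimeStampReq that a signing client sends to a time stamp server: only a SHA-256 hash of the data leaves the machine, together with a nonce and the certReq flag that asks the TSA to return its certificate. The sample input, the nonce value and all function names are assumptions made for the example.

```python
import hashlib

# DER encoding of the SHA-256 object identifier 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple."""
    n = len(body)
    if n < 0x80:                                   # short form length
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; the extra bit of width keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def timestamp_request(data: bytes, nonce: int, cert_req: bool = True) -> bytes:
    """RFC 3161 TimeStampReq carrying SHA-256(data), never data itself."""
    algorithm = der(0x30, SHA256_OID + b"\x05\x00")        # AlgorithmIdentifier, NULL params
    digest = hashlib.sha256(data).digest()
    imprint = der(0x30, algorithm + der(0x04, digest))     # MessageImprint
    body = der_integer(1) + imprint + der_integer(nonce)   # version 1, imprint, nonce
    if cert_req:                                           # DEFAULT FALSE is omitted in DER
        body += der(0x01, b"\xff")
    return der(0x30, body)


# Constructed sample input standing in for the bytes to be time-stamped.
SAMPLE_DATA = b"constructed sample: bytes to be time-stamped"
SAMPLE_NONCE = 0x1122334455667788                          # constructed; use a random value in practice

if __name__ == "__main__":
    request = timestamp_request(SAMPLE_DATA, SAMPLE_NONCE)
    print(len(request), "bytes:", request.hex())
```

Per RFC 3161 the request is carried over HTTP with Content-Type application/timestamp-query; the example makes no network call.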

20. How long will my signature remain valid?
If digitally signed on-line, with a valid timestamp and revocation check using Acrobat default settings, your signature shall remain valid well after the certificate has expired or even if it was revoked after the fact. However, note both Adobe Acrobat and LiveCycle Server are highly configurable. Depending on configuration settings on particular versions, signature validation may rely on different methods. Consult your Adobe product specific documentation for more details.
21. How do I know if my document is signed correctly?
Watch a demo - Checking the signature and ensuring that all the necessary points for long term validation, such as time stamping and CRL embedding, have been correctly completed.
Please note:
The location of the Timestamp server is: http://adobe-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23
The location of the CRL for the Primary SHA256 issuing CA is: http://crl.adobe.com/cds.crl
The location of the CRL for certificates issued by the Primary SHA256 issuing CA (post November 2011) is: http://crl.globalsign.com/gs/gsprmsha2adobe.crl
The location of the OCSP responder for certificates issued by the Primary SHA256 Issuing CA (Post November 2011) is: http://ocsp2.globalsign.com/gsprmsha2adobe
The location of the CRL for certificates issued by the SHA256 Issuing CA (Post November 2011) is: http://crl.globalsign.com/gs/gssha2adobe.crl
The location of the CRL for your certificate (Pre November 2011) is: http://crl.globalsign.net/GlobalSignCAAdobe.crl
22. Where can I find the USB Token Drivers for Windows Vista / Windows 7 systems?
23. Where can I find the USB Token Drivers and Utilities for Windows XP systems?
24. Where can I find USB Token and Utilities for Mac systems?
Step 1- Borderless Security Installation
(1) Download the zip file- Document Drivers for MAC
(2) Open the bundles folder inside the zip folder
(3) Move the sfntPKCS.bundle to the desktop for use in step 3
(4) Double click on the 'Start Here.html' and follow the SafeNet Borderless Security PK for Macintosh 1.0.32 installation instructions.
STEP 2- Insert your USB Token and ensure the green light is on.
STEP 3- Configure Adobe Professional (Version 8 and 9) Part 1
(1) Click on the Document Menu and select Security Settings
(2) Expand the 'Digital IDs' menu item and Click on the PKCS#11 Modules option.
(3) Click on the 'Attach Module' and drag the sfntPKCS.bundle from the desktop into the location

STEP 4- Configure Adobe Professional Part 2
(1) Once installed, click on the 'PKCS#11 Modules' menu which now has the 'SafeNet PKCS#11 Module'
(2) If the Token is not detected then click on 'Refresh'
(3) Then click on 'Login' and enter the appropriate PassPhrase

STEP 5 & 6- This only needs to be done once prior to your first PDF signing - Install the Intermediate issuing CA.
(1) Download the intermediate root CA from the GlobalSign web site- https://secure.globalsign.net/cacert/GlobalSignCDS.crt
(2) Ideally place the .crt file onto the desktop for future use.

(1) Click on the Document Menu and select Manage Trusted Identities
(2) Click on the default 'Display' and select 'Certificates' rather than 'Contacts'.
(3) Click on the 'Add Contact' Button
(4) Browse to the desktop and select the GlobalSignCDS.crt file. Once identified click on the Import Button.

You are now ready to sign Adobe PDF documents. Additional helpful information is also located in the zip file.
25. How do I install Adobe CDS Certificates using GlobalSign's ePKI on Windows XP systems?
PDF Signing for Adobe CDS ePKI Installation Guide for Microsoft XP
26. I'm having difficulty enrolling with Vista and Internet Explorer 7/8. Are there any special security settings I should be aware of?
Yes, because of the unique nature of the Adobe Root that is not inherently trusted in Windows, and the Active X controls required to install the digital ID on the required Cryptographic Service Provider, there are several security settings that require modification. Subsequent to successful certificate enrollment, GlobalSign strongly recommends that default settings be re-established.
Watch a Demo Installing a PDF Signing for Adobe CDS USB token Digital ID
You must set your ActiveX and 'Trusted Sites' settings back to their previous settings once you have installed your CDS Certificate.
27. Why does my valid PDF Signing Digital ID produce a "question mark" at document opening?
Potential issues could be as follows:
Port 80 is blocked, therefore supported Adobe products cannot reach the CRL and/or time-stamping servers needed for validation
The document's digital signature was performed "off-line"
Author or recipients are not signing or validating with Adobe Reader or Acrobat 6.0+
The Intermediate Certificate has not been installed onto the system or into the token. Please see question 11 to download the certificate and import the certificate onto the token using the import tools.
28. What happens if I "lock" myself out of my GlobalSign furnished USB token?
During the install process subscribers are required to personalize their USB token 'passphrase' with a recommended 8+ mixed-character secret value. This additional level of security is required by the PDF Signing for Adobe CDS Certification Practice Statement. Subscribers are responsible for remembering the value and will be permanently locked out of their USB token after (10) failed attempts.
If the token is locked it must be initialized and a new certificate installed. You can do this through your GCC account. Simply browse to the history section, identify the correct certificate and select re-issue. The new certificate will have an end date set to the same date as the previous certificate and all data will be the same with the exception of the start date and serial number/signing key which are all unique. You may need to configure your default signing certificate within Adobe as the certificate is technically 'new'.
29. How do I configure the appearance of the visible signature block for certifying signing?
Please view the following demo, which highlights how the appearance can be modified. Please note that the signature imported into the signature block is itself a PDF document to aid readability if the signature block is small.
Watch a Demo - Configuring the appearance of the visible signature block
30. Why aren't the iKey USB token drivers installing on my Vista operating system?
One reason may be your User Account Control (UAC) setting. You may need to disable UAC by going to the Windows Vista Control Panel and selecting User Accounts:

Click on the option for Turn User Account Control On or Off:

Uncheck the Use User Account Control (UAC) to help protect your computer:

This must be done prior to installing the drivers. Re-enable User Account Control after successful driver installation to restore that protection for your system.
31. I've upgraded my Acrobat and now Acrobat can't find my certificate on my token.
Although Acrobat should be able to "discover" your digital ID on your USB token (after initial set-up, which includes installing the USB drivers and token utilities and installing the certificate using the Microsoft IE browser), upgrades may disturb certain settings and require you to modify Acrobat security settings. In the remote case that you experience this problem, try adding the SafeNet PKCS#11 DLL manually using the following steps in Adobe Acrobat:
1. Click on "Advanced" located on the top menu bar
2. Select "Security Settings"
3. Select "Digital IDs"
4. Select "PKCS#11 modules", then browse for the dkck201.dll found in your System32 folder.
32. I'm using Adobe writer for the first time and there seems to be a lot of option boxes. How should I answer the questions?
Watch a Demo - Selecting the Right Choices the First Time you Sign a Document
33. What do I do if my PDF Signing Digital ID is lost or stolen?
PDF Signing Digital ID holders should immediately report their lost or stolen certificate to the company administrator that issued their CDS certificate. Tokens secured with strong passwords do not necessarily constitute a compromise, since over 9 failed authentication attempts will cause a permanent token lock-out. A request for revocation form is located in the GlobalSign Repository.
34. Are there any special Windows 7 considerations that I should be aware of when installing the SafeNet iKey token drivers?
Yes, aside from enabling all Active X settings, Vista and Windows 7 users should modify security “Download” settings to “enable” all downloads as depicted in the screen shot below.
35. How can I learn more about server-based CDS implementations?
Contact GlobalSign Adobe Sales on Tel US 603-570-7060 or +44 1622 766766 sales@globalsign.com to learn more about highly automated CDS solutions.
36. Why is the timestamp response too big?
In order to support ALL possible issuing CAs it is necessary to send back a response from the time stamp server that includes the chain of trust for the TSA certificate. This sometimes causes issues if the allocation is not big enough. The solution depends upon the signing software you are using. If you have an early version of Adobe Acrobat (7) then we recommend that you upgrade. If you use iText then please ensure you allocate sufficient signature space. If you use LiveCycle ES then follow these instructions:
Adobe LiveCycle - Predicted Time Stamp Token Size (In Bytes)
Sets the estimated size, in bytes, of the TSP response. The size is used to create a signature hole in the PDF document. This value represents the maximum size of the timestamp response that the configured TSP could return. Valid values are from 60 to 10240. The default value is 4096.
Note: Configuring an undersized value can cause the operation to fail; however, configuring an oversized value causes the size to be larger than necessary. It is recommended that this value is not modified unless that timestamp server requires a response size to be less than 4096 bytes.
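
An added example (not from GlobalSign, Adobe or iText): this Python measures how much of the reserved signature space a signed PDF actually uses, by reading /ByteRange and the DER length of the /Contents blob, and checks whether a larger timestamp response would still fit. The PDF fragment and signature bytes are constructed samples, and the function names are assumptions.

```python
import re


def der_total_length(buf: bytes) -> int:
    """Size in bytes (header plus body) of the DER element at the start of buf."""
    if len(buf) < 2:
        raise ValueError("too short for a DER header")
    first = buf[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def signature_space(pdf: bytes) -> dict:
    """Reserved, used and free bytes in the first signature hole of a PDF."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if not m:
        raise ValueError("no /ByteRange entry found")
    start1, len1, start2, _len2 = (int(g) for g in m.groups())
    hole = pdf[start1 + len1:start2]       # bytes excluded from the signed digest
    if not (hole.startswith(b"<") and hole.endswith(b">")):
        raise ValueError("ByteRange gap is not a hex string")
    raw = bytes.fromhex(hole[1:-1].decode("ascii"))
    reserved = len(raw)                    # /Contents is hex: two characters per byte
    used = der_total_length(raw)           # the rest of the hole is zero padding
    if used > reserved:
        raise ValueError("signature is larger than the reserved hole")
    return {"reserved": reserved, "used": used, "free": reserved - used}


def fits(space: dict, extra_bytes: int) -> bool:
    """Would the same hole still hold a signature that grew by extra_bytes?"""
    return extra_bytes <= space["free"]


def build_sample(reserved: int, signature: bytes) -> bytes:
    """Constructed fragment of a signed PDF (signature dictionary only)."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    contents = b"<" + signature.hex().encode().ljust(reserved * 2, b"0") + b">"
    fmt = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n"
    tail = fmt % (len(head), len(head) + len(contents), len(fmt % (0, 0, 0)))
    return head + contents + tail


# Constructed stand-in for a CMS blob: SEQUENCE header plus 1500 filler bytes.
SAMPLE_SIGNATURE = b"\x30\x82" + (1500).to_bytes(2, "big") + b"\xAA" * 1500
SAMPLE_PDF = build_sample(8192, SAMPLE_SIGNATURE)

if __name__ == "__main__":
    space = signature_space(SAMPLE_PDF)
    print(space)
    for growth in (4096, 10240):           # LiveCycle default and maximum from the text
        print(growth, "more bytes fit:", fits(space, growth))
```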

