To setup Digital ID on your account, please be guided by this Microsoft article 'Using digital IDs to sign or encrypt Windows Mail messages'. Should you have other questions or any other concerns, please reply to thread and we will be happy to further assist you. Administrators can control whether clients can access MSCAPI through Acrobat so that users can find, use, and set trust levels for Windows certificates. The following options are available: Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable. To view your certificates in the MMC snap-in, select Console Root in the left pane, then expand Certificates (Local Computer). A list of directories for each type of certificate appears. From each certificate directory, you can view, export, import, and delete its certificates. View certificates with the Certificate Manager tool. Jun 04, 2012 I want to know where the Certificates are located on the hard drive or on the store, the certificates are stored so that i can migrate those certificates from WinXP to Windows 7 (which has IE 9.0 installed). The sole purpose is to migrate the above certiificates from source to destination machine. To view certificates in the MMC snap-in. Open a Command Prompt window. Type mmc and press the ENTER key. Note that to view certificates in the local machine store, you must be in the Administrator role. On the File menu, click Add/Remove Snap In. In the Add Standalone Snap-in dialog box, select Certificates. Choice between New PKCS#12 Digital ID File and Windows Certificate Store. If you are on Mac OS, you won’t see these options, so you can skip this step. Make sure that New PKCS#12 Digital ID File is selected (Windows only). This allows you to create your digital ID as a.pfx or.p12 file that is saved on your hard drive.
Security (Digital Signatures)
These settings pertain to content security (security features) rather than application security (securing the software environment). Content security includes digital signatures, security methods such as password and certificate security, and other rights management features.
Note the following:
This preference category contains the following subfeature(s): Signing: RSA-PSS Configuration
The DC release supports RSA-PSS Signing on Windows (April, 2017) and Macintosh (August 2017). Classic track (Windows and Macintosh both) support was added in November 2018. RSA-PSS is an RSA cryptosystem signature scheme that provides increased security assurance. For more details see https://www.emc.com/emc-plus/rsa-labs/historical/raising-standard-rsa-signatures-rsa-pss.htm. Support currently includes:
Summary table
Addressbook Import
The address book stores data for certificates used in digital signature and certificate encryption workflows. During a major upgrade (e.g. 10.x to 11.x), the product looks for existing address books on each user machine. Prior to install, you should decide whether to deploy a generic, enterprise address book or let the existing address book on each machine be imported into the new product. By default, when end users first launch the product, the application prompts them to import any discovered address book. The application looks for existing addressbooks from previous product versions by searching directories in this order.
Summary table
Security Setting Import
9.x products introduced a security feature that includes the ability to import and export security settings via an .acrobatsecuritysettings file, thereby enabling easier version upgrades as well as configuration of multiple machines. The security settings import/export features offers several advantages over FDF files:
The following options are available:
Summary table
Extended Certificate InformationSummary table
Indentrust PreferencesSummary table
Custom Security Handlers![]()
Security handlers are Acrobat plugins. Information about creating plugins in general and security handlers in particular can be found in the Acrobat Software Development Kit (SDK) and its HFTs, header files, and other API documentation. Because Acrobat's Adobe.PPKLite is becoming more feature rich with each release, it is unlikely that you will need a custom security handler.
Adobe.PPKLite is the default security handler used for performing private key functions, validating signatures, and signing and encrypting documents. This is represented in the user interface as Adobe Default Security in the Digital Signatures Advanced Preferences dialog on both the Verification and Creation tabs. Administrators can install custom handlers to perform these functions, in which case the drop down lists on these tabs will list the additional handlers. All entries in the cHandler folder are reset by the Digital Signature Preferences dialog's Reset button. If a custom handler is used, you can specify the following:
Summary table
FDF Import and Export
The File Data Exchange Format (FDF) provides a format for easily importing and exporting certificate data and application settings. These settings appear in SecuritycPubSec after a client uses the feature.
The default values are stored internally by the application and are not visible in the registry. An administrator can set the default behavior, but your configuration is subject to modification by end users via the user interface. The following features are available:
Summary table
Security Settings Console
Security Settings Console preferences persist information about the state of the console user interface. These preferences are user generated and implementation specific and are likely to change across application versions. These keys are not customizable and are provided for informational purposes only.
Summary table
Certificate Viewer Configuration
By default, the Certificate Viewer builds and displays the trusted chain from the EE to the trust anchor. However, it is possible to show all found chains whether they are trusted or not. While most users do not need this information, it can be used for troubleshooting and verification. End users can turn this option on and off by using the Certificate Viewer's checkbox Show all certification paths found.
Summary table
Password Caching
By default, password caching is turned on so that users will not always have to enter a password when one is required. This feature affects Adobe LiveCycle Rights Management Server log in, signing with digital IDs in the Acrobat store (pfx or p12 files), changing password timeout policies, and creating new password security policies. For example, setting the option to false disables the menu option Save password with the policy when creating a new policy.
The following options are available:
Note: Disabling Never ask for password on a digital ID's password timeout dialog does not work in version 9.0. Summary table
Examine Document
The Examine Document dialog box identifies hidden document information that might pose a risk to the integrity of security and signature workflows. Found content is listed and linked to in the Examine Document pane. Users can click on a link to view the content and check/uncheck items to mark them for removal. Checked items are removed when the user selects the Remove button.
The following options are available:
Summary table
Roaming ID Configuration
These preferences are only used for signature workflows where users access roaming IDs on a roaming ID server. While the needed configuration can be handled through the user interface by end users, you can set the following:
Summary table
Roaming ID Provider Persistent Storage
These preferences store roaming ID server data. Some values are provided by the user and some are provided by the server. These keys cannot be customized and are provided for informational purposes only.
Summary table
Roaming ID Server Data
These preferences are created as a result of communications with a roaming ID server. Whether or not you customize these settings is determined by the needs or your particular implementation.
Summary table
Roaming ID Authentication
The authentication mechanism provider pertains only to roaming IDs. It enables you to specify one or more authentication mechanisms. The mechanism must be supported by the roaming ID server with which the application communicates.
The following features are available:
Summary table
Kerberos Authentication
This option is only relevant if the ASSP-Kerberos SPI is selected.
Summary table
Self Sign Digital IDs
By default, users can create self signed digital IDs. However, if you would like to prevent users from creating their own IDs, turn this feature off. Disabling this option prevents users from selecting Create a self-signed ID option in Add ID workflows.
Summary table
PKCS#11 Configuration
The key contains a list of P11 modules the user has loaded by choosing Attach Modules in the Security Settings console. By specifying a valid path to a PKCS#11 DLL, modules can be pre-attached to installed clients. Because various errors appear as a result of a bad filename or pointing to a dll that is not a valid PKCS#11 module, test the settings and file before distributing them.
The following options are available:
Summary table
Digital ID Defaults
Most digital ID default values are set by the application when a user first uses an ID or manually specifies a default value in the Security Settings Console. Moreover, since user actions will overwrite some preconfigured value an administrator might provide, setting many of these properties is usually not worthwhile. However, it is possible and the following options are available:
Summary table
Digital ID File Import and Export
The digital ID default path preferences point to the application security folder. For example, C:Documents and Settings(user name)Application DataAdobeAcrobat8.0Security. The path is used when the user imports or exports an ID from the Security Settings Console. Since the application remembers the last accessed directory, if a user chooses a different directory, that action will overwrite the preconfigured value an administrator might provide.
The following options are available:
Summary table
Adobe Acrobat Trust List
The Adobe Approved Trust List (AATL) program allows signers to automatically trust digital signatures chain to the trustworthy AATL certificates. By default, both Acrobat and Reader download a list of 'trusted' root digital certificates automatically. 9.x products download every 90 days while 10.x and later products download every 30 days.
To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust.For more about the AATL program, see the AATL pageand this blog. Summary table
European Union Trust List
Like the AATL program, the European Union Trust List (EUTL) program allows signers to automitically trust digital signatures that chain to trustworthy EUTL certificates. While the feature was introduced with 11.0.06, the first EUTL trust lists were made available with the October 13, 2015 release.
To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust. Note that both the AATL and EUTL features load certificates into the user's Acrobat Address Book (Acrobat Trust Store). The addition of the EUTL certificates increases the size of the address book and can affect the performance of signature validation in versions 11.0.06 to 11.0.10. Later product versions should validate in about 1/2 second. If you experience performance issues, update to the latest product. Alternatively, you can remove the EUTL preference (not recommended). For more about the EUTL program, see the blog. Summary table
Windows Digital Certificate Management
Windows Integration
While Acrobat has its own store, the Windows store may already contain needed certificates or your enterprise may simply be a Windows shop. Windows integration allows end users to search for and use certificates in the Windows Certificate Store.
End users can configure their application for Windows integration through the application's Preference panel. Configuration options allow users to search the Windows store from the Trusted Identity Manager (through the Search button), set trust levels for any found certificate, and choose which certificates to use for encryption (once the certificate is located and added to the Trusted Identity Manager). If a user has a personal ID in the Windows store, it appears in the Security Settings Console automatically without any special configuration. Administrators can control whether clients can access MSCAPI through Acrobat so that users can find, use, and set trust levels for Windows certificates. The following options are available:
Summary table
Trusted Identity List Configuration
The trusted identity list contains all of a users imported certificates that they use for validating someone else's signature or encrypting a document for them. The list is maintained and managed via the Trusted Identity Manager; however, administrators can preconfigure applications to use non-default list files, add certificates from the Windows, store, and so on.
The following options are available:
Summary table
Signature Validation Directory Providers
The directory provider SPI provides access to trust anchors and intermediate CAs used for signature validation. By default, certificates in all of the supported locations are used.
The following options are available:
Summary table
Signature Validation (Main Settings)
While users can configure these general signature validation preferences via the GUI, admins usually preconfigure the application.
The following options are available:
Summary table
Signature Validation Status Icons
By default, when an application validates a signature it displays a signature status icon in the Signature Properties dialog, and in the Signatures Pane. You can customize status icon behavior for a particular enterprise requirement. For example, a blue i appears on a signature status icon based on certain rules when a document is changed after it was signed.
The following options are available:
Summary table
Signature Validation Logging
Versions 8.x and later enable logging certificate validation and revocation checking information. You can set both the logging level and log location. The path must already exist for logging to take place. Note that when Protected Mode is enabled, the log file path must be one that Protected Mode permits.
The following options are available:
Chain building log file settingsLog file for troubleshooting certificate validationSummary table
Signature Validation Rev Check ConstraintsThe following options are available:
Summary table
Signature Validation Rev Check (OCSP)
OCSP revocation checking can occur both during signature creation and signature validation on both the signing certificate as well as for the certificates associated with any revocation check responses. It is possible to require certain features for certificates used to sign OCSP requests and responses. If either does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. See RFC 2560 for details.
Prior to 10.1, OCSP responses without nextUpdate were never embedded in a signature. For 10.1 and later, OCSP responses are always embedded irrespective of the presence of nextUpdate; however, whether they are used for signature validation depends on certain conditions:
This behavior is designed to support the long term validation feature and allows validating a signature with embedded responses that were valid at signing time. The following options are available:
Summary table
Signature Validation Rev Check (CRL)Installing Digital Certificate Windows 7
CRL revocation checking can occur both during signature creation and signature validation on both the signing certificate as well as for the certificates associated with any revocation check responses.
The following options are available:
The following options are available:
Summary table
Signature Validation Cert. Chain Building
The revocation checking process includes building the certificate chain so that each discovered certificate can be analyzed and processed as specified by other application preferences. Administrators do have some control over what certificates are used to build a chain.
The following options are available:
Summary table
Signing: Rev Check
Applying a signature to a document involves both creating a signature and then validating it. Despite the fact that end users see only one step (the signature appears with a status icon), there are actually two phases which an administrator independently configure. Revocation checking can occur during the initial signing phase to control whether or not a signature is created.
The following option is available:
Note: Interacts with bIsEnabled. For more detail about how revocation checking affects signing and signature validation, see Certificate Processing. Summary table
Signing: Long Term Validation
Whether revocation checking information is stored in a signature varies by version. Storing such data in a signature enables offline revocation checking and a determination of whether the signing certificate was valid at the time of signing.
Setting bIsEnabled to 1 via the GUI or registry automatically sets cSigniReqRevCheck to 2. The rationale is that if you choose to embed the revocation status you probably want a status to embed. A consequence of this choice is that you must do a check and retrieve a good result; otherwise, no signature is created. In other words, signing with a revoked certificate is prevented when this setting is on. The following options are available:
Note: If you are setting up a signing workflow for both signers and signature validators, you may want to set iUseArchivedRevInfo so that document recipients can validate signatures based on a signer's bIsEnabled setting. Summary table
Signature Validation Rev Check (Providers)
The revocation checker provider provides revocation checking services. You can specify one or more revocation checking methods and choose whether to use the default methods or some MSCAPI-specific method.
The following options are available:
Summary table
Signing: Preview Mode
Preview mode turns off (suppresses) rich content and dynamic document behavior that could prevent the signer from seeing what they are signing. While the use of preview mode adds an extra step in the signing workflow, it turns off potentially bad content, checks the document for the presence of any PDF constructs that may cause problems with signature integrity and provides a report about any found problems.
The following option is available:
Summary table
Signing: Appearances
The application remembers what signature appearance a signer used and stores its index number in iAPIndex. Because an end user's appearance selection will overwrite any custom value here, customization by an administrator would serve no useful purpose.
Summary table
Signing: Signer Details
The signing dialog has the capability of showing a location and contact information fields during a signing workflow. Field fill-in is optional. By default, the option is off, but end users and administrators can turn this option on. The location will appear in the Signature Properties dialog and in the Signature's pane and may optionally appear in the signature appearance.
The following options are available:
Note: If the end user changes the field data in the signing dialog, those values will overwrite the registry-specified values. Summary table
Signing: Reasons
The signing dialog has the capability of showing a signing reasons drop down list during a signing workflow. By default, the option is off, but end users and administrators can turn this option on. If a reason is used, it appears in the signature appearance, the Signature Properties dialog, and in the Signatures pane.
The following options are available:
Summary table
Signing: Certification
A 'certification signature' is simply the first signature in a document where the user has indicated via a user interface choice to 'certify' the document. These preferences only control certification signature behavior and have no effect on approval signature behavior.
In addition to the general signature preferences described elsewhere in this document, the following options are available:
Summary table
Signing: User interfaceSummary table
Signing: Document Warnings
The Sign dialog is capable of showing a Review button. The button invokes the PDF Signature Report which analyzes the document for the presence of any dynamic content that could adversely affect the integrity of signing workflows. If none is found, a dialog appears indicating that there are no problems. If content such as a comment or JavaScript is discovered, the PDF Signature Report appears with a list of any PDF constructs that may cause problems with signature integrity.
The following options are available:
Summary table
Signing: Font Warnings
LegalPDF warnings have been replaced by PDF Signature Report errors in versions 8.0 and later. Both mechanisms provide similar warnings. The following option is available:
Summary table
Signing: Hash Algorithm
The default algorithm used to create a message digest (document hash) during signing can be customized. In some enterprise situations, such as when FIPS compliance is required, you may need a more secure algorithm. Alternate hashing algorithms can be specified by name or OID as shown below. The algorithm that is used is displayed in the Hash Algorithm field of the Signature Properties dialog's Document tab. Usage rules:
Summary table
Signing: Format
The default format for creating the signature object that is embedded in a signed document is PKCS#7. The object contains the encrypted message digest, certificates, timestamps, and other information. It does not include the signature appearance and data outside of Contents in the signature dictionary. Format choices are limited so that a signature encoded by one handler can be unencoded (validated) by another handler. Providing a value for aSignFormat writes that value to the signature dictionary's SubFilter object. For details, see 'Signature Interoperability' in the PDF Reference.
Summary table
Signing: Digest Comparison
When signing a PDF document, a message digest is created for the document and sent to the cryptographic module that performs the signing operation. Setting the registry entry bEnforceSecureChannel to 1 ensures the message digest sent to the cryptographic module is checked against the signed message digest that it returns. This flag ensures that intermediate layers of software between Acrobat and the cryptographic module do not tamper with the signing operation.
The following rules apply:
Summary table
Signature ClearingSummary table
Timestamp Server: UsageSummary table
Timestamp Server: List
Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.
The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:
Summary table
Timestamp Server: Default
Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.
How to install microphone driver windows 7. The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:
Summary table
Security Envelopes
These keys appear after a user creates a security envelope to deliver one or more documents securely. The keys in cMain remember the user choices such as the last search path for finding attachments and so on. An administrator could set a default value, but these values would be changed by user actions.
Summary table
LiveCycle Server Configuration
The preferences in EDC (a legacy name) define Adobe LiveCycle Right Management Server connections. Users can specify servers through the Security Settings Console. However, administrators can preconfigure user machines to control the end user experience.
The following options are available:
Summary table
Security Policy FavoritesDigital Id Windows Certificate Store Download
The keys at SecuritycPPKLitecSP_Favorites contain an array of subkeys c0-cN where each index defines a favorite security policy. Both user and organizational policies can be favorites. Any policy marked as a favorite will appear in the user's favorite's list. End users make a policy a favorite by opening the Manage Security Policies dialog, highlighting the policy, and choosing Favorites. A star icon appears to the left of the policy name and the policy becomes available in the top level menu.
The following options are available:
Summary table
Copyright 2012-2018 Adobe Inc.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |