RE: Adobe Acrobat Certificates?
Hi Jacob, The best way to view what CDS is, is via the Adobe Website. It's a medium assurance hardware based identity credential that we, and others, supply. It's ultimately rooted through to the Adobe Root CA...ie. A root in all Adobe reader versions from Version 6 onwards. http://www.adobe.com/security/partners_cds.html We, along with other well known names in the CA industry, offer CDS certificates to the market. If anyone is interested then please mail me separately and I'd be happy to provide more details away from the list, but an example is the best way to quickly show you the differences. This one is certified with a CDS certificate http://www.globalsign.co.uk/resources/documentsign-creating-trusted-document s.pdf and this one is self signed to allow you to compare the difference in the GUI on whatever version of Adobe Acrobat you are using http://www.globalsign.co.uk/document-security-compliance/adobe-cds/ You can use the certificate viewer built into Adobe Acrobat or Reader to examine the profile of the certificates. Thanks. Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: 16 August 2010 15:52 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Adobe Acrobat Certificates?
Sal, Jakob, The CP for Adobe is here:- http://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf and section 7 highlights the specific profile of the certificate. Sal, you are correct it's an X509 certificate and there are no deviations from that spec. However, there are specific OID and specific rules that the CP mandates and there are also specific services that are related to the certificate which are indicated within the profile (Time stamping for example). FYI, I've hopefully addressed Ivo's concerns in a separate e-mail and made suitable suggestions to him on ways to solve his particular issue. Thanks Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Crypto Sal Sent: 17 August 2010 05:30 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 08/16/2010 10:52 AM, Jakob Bohm wrote: On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? Jakob, From my experiences: NOTHING. (So long as it has digital signing enabled) From what I have seen and know, Adobe CDS partners [ http://www.adobe.com/security/partners_cds.html ], get an intermediate certificate from Adobe, which they then use to issue digital signing certificates to Organizations or Individuals. (Entity/their customers). The only real benefit is much like having a publicly trusted SSL certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign, GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It helps get rid of the browser nag, because what end-user wants to actually THINK before they do something?) I do like the fact that Adobe gives end-users the ability to trust who they want (much like the friendly browsers do these days), when they want and they don't have to rely on Adobe to certify CAs especially since Adobe hasn't decided not to partner with some of the more popular global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though: Mozilla, Opera and Microsoft DO) Hope this sheds some more light on the issue. However, we await Steve's response. --Sal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Adobe Acrobat Certificates?
Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Good Luck Kind Regards, Steve Roylance Business Development Director GlobalSign www.globalsign.com| www.globalsign.eu -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ivo welch Sent: 16 August 2010 01:21 To: openssl-users@openssl.org Subject: Adobe Acrobat Certificates? Dear openssl experts---is anyone using openSSL certificates for adobe acrobat? if so, can this person please tell me the magic invokation to create a pkcs#12 certificate that expires in x days (linux), and perhaps how to get it working under Acrobat Pro (windows)? I am not an IT person, and my encryption knowledge is rudimentary. sorry to take everyone's time with this. sincerely, /iaw Ivo Welch (ivo.we...@brown.edu, ivo.we...@gmail.com) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
OpenSSL trusted root store
Dear list, One of my responsibilities is to ensure that GlobalSign's roots are embedded within devices and operating systems. Recently a major browser provider indicated the following:- However, for the most part we integrate with third party SSL/TLS libraries. On these devices we do not generally control what goes into the root store of the device. In these cases I think you will have to talk to the various device manufacturers we integrate with, and sometimes the SSL/TLS library provider. A few typical ones; Certicom, OpenSSL, MatrixSSL, etc. Can someone point me in the right direction please to ensure future OpenSSL versions have the correct GlobalSign Roots. We've recently updated our roots and therefore have new ones to embed. I'm not sure to whom I need to direct my request. Many thanks Kind Regards, Steve Roylance Business Development Director signature image001.gif