RE: Adobe Acrobat Certificates?
Hi Jacob, The best way to view what CDS is, is via the Adobe Website. It's a medium assurance hardware based identity credential that we, and others, supply. It's ultimately rooted through to the Adobe Root CA...ie. A root in all Adobe reader versions from Version 6 onwards. http://www.adobe.com/security/partners_cds.html We, along with other well known names in the CA industry, offer CDS certificates to the market. If anyone is interested then please mail me separately and I'd be happy to provide more details away from the list, but an example is the best way to quickly show you the differences. This one is certified with a CDS certificate http://www.globalsign.co.uk/resources/documentsign-creating-trusted-document s.pdf and this one is self signed to allow you to compare the difference in the GUI on whatever version of Adobe Acrobat you are using http://www.globalsign.co.uk/document-security-compliance/adobe-cds/ You can use the certificate viewer built into Adobe Acrobat or Reader to examine the profile of the certificates. Thanks. Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: 16 August 2010 15:52 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Adobe Acrobat Certificates?
Sal, Jakob, The CP for Adobe is here:- http://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf and section 7 highlights the specific profile of the certificate. Sal, you are correct it's an X509 certificate and there are no deviations from that spec. However, there are specific OID and specific rules that the CP mandates and there are also specific services that are related to the certificate which are indicated within the profile (Time stamping for example). FYI, I've hopefully addressed Ivo's concerns in a separate e-mail and made suitable suggestions to him on ways to solve his particular issue. Thanks Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Crypto Sal Sent: 17 August 2010 05:30 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 08/16/2010 10:52 AM, Jakob Bohm wrote: On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? Jakob, From my experiences: NOTHING. (So long as it has digital signing enabled) From what I have seen and know, Adobe CDS partners [ http://www.adobe.com/security/partners_cds.html ], get an intermediate certificate from Adobe, which they then use to issue digital signing certificates to Organizations or Individuals. (Entity/their customers). The only real benefit is much like having a publicly trusted SSL certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign, GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It helps get rid of the browser nag, because what end-user wants to actually THINK before they do something?) I do like the fact that Adobe gives end-users the ability to trust who they want (much like the friendly browsers do these days), when they want and they don't have to rely on Adobe to certify CAs especially since Adobe hasn't decided not to partner with some of the more popular global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though: Mozilla, Opera and Microsoft DO) Hope this sheds some more light on the issue. However, we await Steve's response. --Sal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Adobe Acrobat Certificates?
Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Good Luck Kind Regards, Steve Roylance Business Development Director GlobalSign www.globalsign.com| www.globalsign.eu -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ivo welch Sent: 16 August 2010 01:21 To: openssl-users@openssl.org Subject: Adobe Acrobat Certificates? Dear openssl experts---is anyone using openSSL certificates for adobe acrobat? if so, can this person please tell me the magic invokation to create a pkcs#12 certificate that expires in x days (linux), and perhaps how to get it working under Acrobat Pro (windows)? I am not an IT person, and my encryption knowledge is rudimentary. sorry to take everyone's time with this. sincerely, /iaw Ivo Welch (ivo.we...@brown.edu, ivo.we...@gmail.com) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Adobe Acrobat Certificates?
thank you, Steve. I already have a trial certificate from you guys. I need to check your pricing when it expires (90 days) to determine whether I will buy one. Alas, I want to learn what the capabilities of certificate encryption are, and what happens when they expire. (In particular, I want to create a document that expires in, say, 3 years.) So, I want to be able to create some test certificates that expire in tomorrow, the day after, etc., and then see whether the document becomes unusable. Unfortunately, Acrobat Pro seems to create 5-year certificates only. so, I need some sample certificates, and I figure openSSL can do this...somehow. /iaw On Mon, Aug 16, 2010 at 5:51 AM, Steve Roylance steve.royla...@globalsign.com wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Good Luck Kind Regards, Steve Roylance Business Development Director GlobalSign www.globalsign.com| www.globalsign.eu -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ivo welch Sent: 16 August 2010 01:21 To: openssl-users@openssl.org Subject: Adobe Acrobat Certificates? Dear openssl experts---is anyone using openSSL certificates for adobe acrobat? if so, can this person please tell me the magic invokation to create a pkcs#12 certificate that expires in x days (linux), and perhaps how to get it working under Acrobat Pro (windows)? I am not an IT person, and my encryption knowledge is rudimentary. sorry to take everyone's time with this. sincerely, /iaw Ivo Welch (ivo.we...@brown.edu, ivo.we...@gmail.com) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Adobe Acrobat Certificates?
On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Adobe Acrobat Certificates?
On Mon, Aug 16, 2010 at 10:49 AM, ivo welch ivo.we...@gmail.com wrote: [ ... ] So, I want to be able to create some test certificates that expire in tomorrow, the day after, etc., and then see whether the document becomes unusable. Unfortunately, Acrobat Pro seems to create 5-year certificates only. so, I need some sample certificates, and I figure openSSL can do this...somehow. As far as testing to make sure expirations work, I have found that messing with my system's clock is a good way to do that: create a certificate that expires in 5 years, then set your clock forward 5 years and 1 day to test. You may even find that it will trick Adobe's software: if you want a certificate that expires tomorrow, maybe you can set your clock to 5 years minus 1 day and create the certificate. Just a thought, I don't have answers to the rest of your question. :) Scott.
Re: Adobe Acrobat Certificates?
Ivo, You cannot set an expiry flag to a PDF file, encrypted with PDFs standard encryption technique. At the end it is the certificate that is going to expire and not the encrypted document. The Adobe LiveCycle Policy Server seems to offer such things... but until now I've never seen such a file in the wild. Cheers! Jan -- www.setasign.de - Original Message - From: ivo welch To: openssl-users@openssl.org Sent: Monday, August 16, 2010 4:49 PM Subject: Re: Adobe Acrobat Certificates? thank you, Steve. I already have a trial certificate from you guys. I need to check your pricing when it expires (90 days) to determine whether I will buy one. Alas, I want to learn what the capabilities of certificate encryption are, and what happens when they expire. (In particular, I want to create a document that expires in, say, 3 years.) So, I want to be able to create some test certificates that expire in tomorrow, the day after, etc., and then see whether the document becomes unusable. Unfortunately, Acrobat Pro seems to create 5-year certificates only. so, I need some sample certificates, and I figure openSSL can do this...somehow. /iaw On Mon, Aug 16, 2010 at 5:51 AM, Steve Roylance steve.royla...@globalsign.com wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Good Luck Kind Regards, Steve Roylance Business Development Director GlobalSign www.globalsign.com| www.globalsign.eu -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ivo welch Sent: 16 August 2010 01:21 To: openssl-users@openssl.org Subject: Adobe Acrobat Certificates? Dear openssl experts---is anyone using openSSL certificates for adobe acrobat? if so, can this person please tell me the magic invokation to create a pkcs#12 certificate that expires in x days (linux), and perhaps how to get it working under Acrobat Pro (windows)? I am not an IT person, and my encryption knowledge is rudimentary. sorry to take everyone's time with this. sincerely, /iaw Ivo Welch (ivo.we...@brown.edu, ivo.we...@gmail.com) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Adobe Acrobat Certificates?
On 08/16/2010 10:52 AM, Jakob Bohm wrote: On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? Jakob, From my experiences: NOTHING. (So long as it has digital signing enabled) From what I have seen and know, Adobe CDS partners [ http://www.adobe.com/security/partners_cds.html ], get an intermediate certificate from Adobe, which they then use to issue digital signing certificates to Organizations or Individuals. (Entity/their customers). The only real benefit is much like having a publicly trusted SSL certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign, GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It helps get rid of the browser nag, because what end-user wants to actually THINK before they do something?) I do like the fact that Adobe gives end-users the ability to trust who they want (much like the friendly browsers do these days), when they want and they don't have to rely on Adobe to certify CAs especially since Adobe hasn't decided not to partner with some of the more popular global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though: Mozilla, Opera and Microsoft DO) Hope this sheds some more light on the issue. However, we await Steve's response. --Sal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org