How to filter list of digital certificates for signing PDF

Is it possible to change the configuration of Reader installation to filter the list of installed certificates that can be used for digitally signing documents?
The filtered list will appear when users attempt to select a certificate for digitally signing a document.
Thanks.

Hi Carla,
Unfortunately, Extended Key Usage is not one of the properties you can enforce.
The things you can set are:
  • appearanceFilter (i.e. enforce the use of a custom signature appearance)
  • certspec (i.e. the signing certificate must meet some specific criteria)  <<<----- This is what you are more interested in, more below
  • digestMethod (i.e. enforce the use of a specific cryptographic hashing algorithm)
  • filter (i.e. enforce the use of a specific security handler if you want to use something other than the one built into Acrobat)
  • legalAttestations (i.e. enforce the reason or purpose of the certifying signature)
  • lockDocument (i.e. enforce any further changes to the document after the signature is applied)
  • mdp (i.e. the rules for changing the document applied as part of a certifying signature)
  • reasons (i.e. a list of one or more reasons the signer can use, as opposed to them adding their own)
  • shouldAddRevInfo (i.e. force the inclusion of the revocation information (CRL or OCSP response) in the PDF file)
  • subFilter (i.e. require the use of a specific signature format. This is very arcane)
  • timeStampspec (i.e. require the use of a specific time stamp server)
  • version (i.e. the minimum version of Acrobat that can decipher the signature. The only two options are versions 6 or 8)
The second item is the certspec, and this is what I've been pointing you towards. For the sake of discussion, think of everything you can read in a certificate as an extension. The serial number is an extension, the subject is an extension, the valid from date is an extension, etc. When a certificate is created, some of these extensions are required, others optional, and you can even add in extensions that are not publicly defined, and only you will know about.
Acrobat has the ability to enforce the signer to use a certificate that contains some, but not all of the known extensions. The extensions it can enforce are:
  • issuer (i.e. require the use of a certificate that is issued by a specific Certificate Authority)
  • keyUsage (i.e. require the signer's certificate contain one or more of the nine possible values that can be included)
  • oid (i.e. require that the Certificate Policy extension contain a specific value)
  • subject (i.e. require that the document is signed by one specific person using one specific digital ID)
  • subjectDN (i.e. require that the document is signed by one specific person, but they get to choose which digital ID to use)
  • url (i.e. if a required digital ID is not available, where the signer can procure an acceptable digital ID)
  • urlType (i.e. if the user is directed to the URL, should it be a web server where they can download a digital ID or a remote signing server where the digital ID stays on the remote server)
That's it. If it's not one of these items then Acrobat cannot enforce that the item is available. Extended Key Usage is not on the list.
Steve
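
An added example, not part of Steve's reply and not Adobe's code: a sketch of how the certspec constraints listed above could be assembled for Acrobat JavaScript's `signatureSetSeedValue`. The helper names, the field name `Signature1`, the sample DN and the URL are hypothetical, and the bit encodings (two bits per keyUsage value, `certspec.flags` bits 1/2/4/8/32/64) are assumptions taken from the Acrobat JavaScript API reference; check them against the version you deploy.

```javascript
// Added example (not from the thread). Bit encodings are assumptions taken from
// the Acrobat JavaScript API reference for signatureSetSeedValue / certspec.

// The nine keyUsage values; value i occupies bits 2i and 2i+1 of the integer.
const KEY_USAGES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
  "encipherOnly", "decipherOnly"];
// 00 = must not be set, 01 = must be set, 11 = don't care.
const STATE = new Map([["forbidden", 0], ["required", 1], ["any", 3]]);

function keyUsageMask(rules) {
  let mask = 0x7fffffff; // start with every usage as "don't care"
  for (const [name, state] of Object.entries(rules)) {
    const i = KEY_USAGES.indexOf(name);
    if (i < 0) throw new Error("unknown keyUsage value: " + name);
    if (!STATE.has(state)) throw new Error("unknown state: " + state);
    mask = (mask & ~(3 << (2 * i))) | (STATE.get(state) << (2 * i));
  }
  return mask;
}

// certspec properties Acrobat can enforce, with their "required" flag bit.
// urlType has no bit of its own; it only qualifies url.
const CERTSPEC_FLAGS = new Map([["subject", 1], ["issuer", 2], ["oid", 4],
  ["subjectDN", 8], ["keyUsage", 32], ["url", 64], ["urlType", 0]]);

function buildCertSpec(constraints, required) {
  const spec = { flags: 0 };
  for (const [name, value] of Object.entries(constraints)) {
    if (!CERTSPEC_FLAGS.has(name)) {
      // e.g. extendedKeyUsage: not on the list, so it cannot be seeded.
      throw new Error("certspec cannot enforce: " + name);
    }
    spec[name] = value;
  }
  if (spec.oid !== undefined && spec.issuer === undefined) {
    throw new Error("oid is only applied together with issuer");
  }
  for (const name of required) {
    if (!CERTSPEC_FLAGS.has(name) || spec[name] === undefined) {
      throw new Error("required but not supplied: " + name);
    }
    spec.flags |= CERTSPEC_FLAGS.get(name);
  }
  return spec;
}

// Constructed sample policy: the signing key must allow digitalSignature and
// must not be a CA key; the subject must belong to a hypothetical organisation.
function samplePolicy() {
  return buildCertSpec({
    keyUsage: [keyUsageMask({ digitalSignature: "required", keyCertSign: "forbidden" })],
    subjectDN: [{ o: "Example Corp" }],
    url: "https://ca.example.com/enroll",
  }, ["keyUsage", "subjectDN"]);
}

// Inside Acrobat (document-level script, hypothetical field name):
//   this.getField("Signature1").signatureSetSeedValue({ certspec: samplePolicy() });
```

Passing `extendedKeyUsage` to `buildCertSpec` throws, which mirrors the point of the reply: a property outside the certspec list cannot be enforced through seed values.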

Similar Messages

  • How do I get a digital certificate for WebLogic Server?

    I have three files (*.der, *.pem, *.pem) generated by the WebLogic certificate servlet. I have also got a file from VeriSign through my CSR file. But when I give the *.der file to the server key file name field on the console, an error occurs in my WebLogic:
    <2002-6-12 上午11时22分14秒> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/mydomain/eintech-key.der, java.io.EOFException>
    java.io.EOFException
    at weblogic.security.Utils.inputByte(Utils.java:133)
    at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1045)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:480)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
    at weblogic.Server.main(Server.java:35)
    I don't know where the error is raised. Help me?

    Hi.
    Just a guess, but sometimes this happens when the .der file is actually in .pem format, or vice versa. You might try changing the name of the cert to .pem, specify it in the console and see if that helps.
    You also might get a better answer posting this question on the security newsgroup.
    Regards,
    Michael
    --
    Michael Young
    Developer Relations Engineer
    BEA Support

  • How do I delete a bad certificate for google I'm using 3.5.9. Foxflags show it's from Poland

    How do I delete a bad certificate for google? I'm using 3.5.9 with fox flags, which says it's from Poland. I get a notice when I open Firefox of the bad certificate but I can't find where to delete this.
    any help would be appreciated.
    == This happened ==
    Every time Firefox opened
    == Monday

    Hi, and welcome to Apple Discussions.
    Yes, the iBook G3 has USB 1.1.
    If your DVD burner needs USB 2.0, it isn't going to find it here.
    Since I've never done it, I hope you'll find an answer from someone in the Mac OS X 10.3 forum, where I see you've posted.
    You may also find some help in the iDVD forum, so you may want to post there, also:
    http://discussions.apple.com/category.jspa?categoryID=128
    Good luck!

  • Where and how can I download adobe digital edition for android (samsung tab 2.0)?

    Where and how can I download adobe digital edition for android (samsung tab 2.0)?

    You will want to download a copy of Bluefire Reader from the Google Marketplace.

  • How to create a signature in Yosemite for signing documents?

    How do I create signatures in Yosemite for signing documents?
    It used to be in Preview but can't find it now in Yosemite.
    Thanks.

    It can be accessed through Preview in Yosemite also. You can go to Tools -> Annotate -> Signature -> Manage Signature, to create a new signature or edit the existing one.
    Thanks,
    Sanjeev

  • How can I get a monthly subscription for combining PDF files

    How can I get a monthly subscription for combining PDF files. I have been able to subscribe in the past, but now all I see is annual subscription. I do not need an annual subscription because I do not use it often enough.

    Hi paige1186,
    The Adobe PDF Pack subscription, which allows you to combine PDF, is only available at an annual rate of $89.99. We do offer month-to-month subscriptions of Acrobat Pro and Standard, but I think you'd actually come out ahead with the annual PDF Pack subscription, if you planned on combining files more than 3-4 times throughout the year.
    Best,
    Sara

  • How to use digital certificate for client authentication in PCK

    My SAP JCA adapter needs to support digital certificates for client authentication. How do I implement it in J2EE or PCK?

    Refer to the following links:
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
    Please let me know if you don't find relevant information.

  • How can I provide my own list of CA-certificates for TLS-connections from within a Add-On

    I'm considering writing an Add-On that does a DNSSEC/DANE lookup.
    My scenario is that a DNSSEC query for the TLSA (DANE) records of a site returns a full Root Certificate for a site. (2,0,0 in DANE jargon.)
    I want to create new TLS context with a CA-pool containing just that Certificate, so that when I browse to the site, the TLS-layer verifies the site certificate against the DNSSEC-specified Root CA.
    My question: how do I program that in an add on? How can I specify a *certain* CA root certificate before opening the connection.

    Replying to myself to add some more information.
    For doing the DNSSEC-DANE lookup, I use a strategy as pioneered by the DNSSEC validation Add On.
    My question is how to create a TLS-connection context with a certain Root CA before connecting to the site.

  • How to filter list items by current system time in search result wp or result source SharePoint 2013

    I want to display items with PressDate less than or equal to the current time in my search result web part in SharePoint 2013.
    It is working fine for the current date but not considering the current time.
    {searchTerms} ContentType="ABC" PressDateTime<{Today+1}
    The above query does not support Now(); because of that, it is showing items which are less than or equal to the current (today's) date.
    How can I compare the time with the current system time? Thanks in advance.
    Regards, --NP

    You can achieve the same by using a Current Date Offset in a CAML Query to Filter List Items.
    Have below links for your reference.
    Sharepoint Tips And Tricks
    CAML Query to Date prior to 30 days from today
    Thanks.

  • How do I delete a digital certificate that is no longer valid?

    Whenever I try to send an email I get an alert about an invalid digital certificate that is no longer valid, but I don't know how to get rid of it. The email account was deleted some time ago. It also shows up in my address book and in my calendar, and I also don't know how to delete the calendars tied to this account.

    Hmmm. Think I just solved this myself...
    For those others that have this problem,
    System Preferences
         General
              Recent Items
    Set recent items to zero then back again.
    NOTE:
         This will remove your recent apps and documents as well.
    Thanks anyway!

  • How to get list of approved MSU for specified target group

    Hello guys,
    I have question about WSUS on windows server 2008 r2 sp1.
    I need to get list of approved MSU for specified target group only for windows server 2008 r2 sp1, but I don't know whole syntax.
    I can get list of approved updates for w2k8r2sp1:
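    $Title_r2 = 'R2'
    $Itanium = 'Itanium'
    # $wsus is the already-connected WSUS server object.
    # Filter first: "Select Title" would drop the IsApproved property.
    $wsus.GetUpdates() | Where {
       $_.Title -match $Title_r2 -and $_.Title -notmatch $Itanium -and $_.IsApproved -eq 'True'
    } | Select Title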
    But how can I get it for specified target group?
    Please, help :)

    But how can I get it for specified target group?
    Is there some reason you're not just using the native console reporting to do this?
    Testing for 'R2' in the title will not guarantee getting all of the applicable updates, you need to query by Product Category to get all of them.
    From my quick research, it appears that GetUpdates() does not return target group information, just a flag state on whether the update has been approved, or not. I don't have a working PS WSUS instance available to me at the moment, but my guess would be that GetUpdateApprovals() (or something like it) is what you'll need to use to filter by Target Group.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Purchasing a digital certificate for SCOM usage

    I am having problems with certificates for SCOM (based on our infrastructure I believe, not SCOM) and have asked some questions on it below -
    Digital certificate issues
    However I would like to break out one question, and that is: if I don't want to (read can't) use an internal CA at the moment, where can I purchase two certificates for SCOM MS and gateway? When I look on the obvious sites such as Entrust and Thawte, for instance, it seems easy to order a web SSL certificate, but how would I go about ordering the type I need and what sort of information would I need to provide?
    Many thanks

    Hi,
    This can be a public CA such as VeriSign. Please check if the following post is helpful.
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/7e8dde55-6e55-4109-8da5-85a93fa64ea0/using-a-thirdparty-for-ssl-cert-for-scom-gateway?forum=operationsmanagerdeployment
    Niki Han
    TechNet Community Support

  • How can I delete a digital certificate in Firefox's certificate store?

    Locking duplicate thread.
    Please continue here: [/questions/780242]
    The company that manages my health savings account has just told me that my digital certificate (didn't know I had one) needs to be deleted from my browser's "certificate store" before I can (or they can) establish a new one. I cleared the cache, but am still getting this message.

    Hi Gordon50501,
    You would have to manage the bookmark folders on a Desktop computer. [[How do I set up Firefox Sync?]] would allow you to do this.
    You can remove individual bookmarks by tapping and holding on one of the bookmarks and selecting "Remove".

  • Best practices for buying a digital certificate for Exchange 2013

    Good day friends,
    Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013?
    I'd be interested in knowing your opinion about using wildcard or SAN certificates.
    Likewise, what are the best recommendations for including names, and why should they or should they not include the internal FQDN of my servers?
    Currently I have an infrastructure that has two MailBox servers, two CAS servers and an EDGE 2010 server, but I'm planning to update it to Exchange 2013.
    I searched for the best practices according to Microsoft but have found little information.
    I would appreciate it if you can post links like Microsoft KBs and other technical documents that discuss the above.
    Thanking you for your invaluable support.
    Greetings.

    Hi,
    Personal suggestion, we can use two namespaces for your Exchange 2013:
    Autodiscover.domain.com (Used for autodiscover service)
    Mail.domain.com (used for all Exchange services external and internal URLs)
    Please point mail.domain.com and autodiscover.domain.com to your internet facing CAS 2013.
    For more information about Digital Certificates and SSL in Exchange 2013, please refer to the
    Digital Certificates Best Practices part in the following technet article:
    http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
    Additionally, here are some other scenarios about certificate planning in Exchange 2013:
    http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • How to create a SHA256 SAN Certificate for Exchange

    Dear.
    When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
    It seems that it's not possible to do this through the New-exchangecertificate.
    Do you know the alternative command when using certreq for the following Exchange command:
    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com')
    -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048' 
    Thanks for the feedback.
    Regards.
    Peter
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Peter,
    There is no parameter in New-ExchangeCertificate to select the Algorithm type (Secure Hash Algorithm (SHA)) to generate request. Personal opinion, we can create the certificate signing request using the Certificates MMC and then creating a custom request as follows:
    1. Open MMC.exe. Click File > Add/Remove snap in…
    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.
    3. Expand Certificates (Local Computer) > Personal > Certificates.
    4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
    5. Click Next > Proceed without enrollment policy > Next > Next.
    6. In Certificate Information page, click Details > Properties.
    7. Then you can fill in the needed information for your request.
    8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to sha256.
    9. Click OK > Next. Fill in File Name and select the request location.
    10. Finish it and send this request to the certificate authority.
    Regards,
    Winnie Liang
    TechNet Community Support
