User Guide for Displaying and Validating Signed PDF Documents

The following instructions are intended to illustrate how documents signed by Retarus can be displayed with Adobe Reader and validated. The initial step in this process is generally to install Adobe Reader. In addition, this document contains a troubleshooting chapter to assist you if the display or the validation does not go as planned.

These instructions refer to the following program versions (as of Q1/2015):

  • Adobe Reader XI – Version 11.0.09.29

  • Adobe Flash Player – Version 15.0.0.189

Additional information is available on the Adobe website:
http://helpx.adobe.com/de/acrobat/using/validating-digital-signatures.html.

Adobe Reader Installation

As soon as a signed invoice is opened for the first time using Adobe Reader or Adobe Acrobat, the following notification may appear: “At least one signature has problems”. This notification is generated as soon as Adobe Reader recognizes an embedded signature that is unknown to the software and thus initially rated as untrustworthy. This means that the embedded signature has to be added to the trustworthy certificates only once.

Before adding a new certificate to the group of trustworthy certificates for the first time, please ensure that you have an authentic, pre-existing invoice that was issued by one of the specified invoice issuers.

The trustworthiness of a signature should not be confused with verifying the validity and integrity of a signature, which are always checked at runtime as soon as the document is opened with Adobe Reader.

Perform the steps below.

As illustrated in the screenshot below, after the signed PDF document is opened, begin by clicking on the Signature Panel button. The next step is to open the tree view of the Certificate menu so that the Certificate Details sub-point appears.

image-20240711-053644.png

After you click on the Certificate Details menu entry, the Certificate Viewer window appears. In the left-hand column, select the root certificate and then navigate to the Trust menu.

image-20240711-053713.png

Now click on Add to Trusted Certificates. Confirm the next Adobe security prompt by clicking on OK. We recommend that the certificate be rated as “trusted”. If so, you should click on OK to confirm the selection.

image-20240711-053818.png

The next step is to close the Certificate Details window and click on the Validate all entry.

image-20240711-053930.png

After the renewed validation is concluded, the following notification must appear: “Signed and all signatures are valid”. In the future, all certificates will be recognized as trustworthy. Configuration of the Adobe Reader is complete.

image-20240711-053947.png

Troubleshooting

Adobe Reader and Adobe Flash

In most cases, invoices delivered by Retarus eSign already contain a validation report. This report certifies, immediately after signature provision, that the signature was validated prior to delivery. To ensure that the validation report’s annexes are not registered by Adobe Reader as alterations to the document, the invoice and validation report are “packaged” separately within a single PDF file in a so-called PDF container to ensure that only one file is sent. When you are notified that Adobe Flash Player is needed to display a PDF container in Adobe Reader, install it following the instructions that appear on your screen. Additional information is available at http://helpx.adobe.com/de/acrobat/using/flash-player-needed-acrobat-reader.html.

image-20240711-054005.png

If your company’s security policies don’t permit you to install Adobe Flash Player, or you don’t have the necessary system rights, click on Cancel in the error message displayed above in Figure 6. The first document from the PDF container will then be displayed to you; it’s always the invoice. Signature verification is likewise successfully executed via the Adobe Reader. Because there is no navigation menu, the validation report cannot be accessed without Adobe Flash.

Adobe Reader needs Adobe Flash Player to display the following:

  • With Flash Player

image-20240711-054046.png

  • Without Flash Player

image-20240711-054150.png

Possible alternatives

Alternative PDF readers, such as the Nitro Reader, can accurately display PDF documents that were created as part of the PDF container without the installation of Adobe Flash Player.

Failed validation in Adobe Reader

In most cases, invoices delivered by Retarus eSign already contain a validation report. This report certifies, immediately after signature provision, that the signature was validated prior to delivery. Previously, this report was attached to the document as a further revision that, according to specifications, represented a valid method, without which the signature would become invalid and the signature validation would fail. However, Adobe modified the validation process in Adobe Reader. In the current Adobe Reader version, revisions are ignored during the initial validation test. Instead, the entire document is checked, which prevents the signature from inaccurately being rated as “invalid”.

image-20240711-054226.png

However, to successfully validate the signature with Adobe Reader, you’ll have to open the signature window and select Click to view this version (see the screenshot above). The original document (the signed revision of the document) will now be displayed in a separate window. The Adobe Reader validation now indicates that the document has not been modified since it was signed and that the signature is valid.

image-20240711-054308.png
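The following is an added example, not part of the original guide or of any Retarus or Adobe tooling: it reads a signature's /ByteRange to show where the signed revision ends and how many bytes a later revision (such as an attached validation report) appended after it. It checks coverage only, not the cryptographic signature, and the sample bytes and function names are constructed for illustration.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes a..a+b and c..c+d;
# the gap between them holds the signature value itself (/Contents).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_revisions(pdf: bytes):
    """One record per signature: end offset of its signed revision and the
    number of bytes appended afterwards by later incremental revisions."""
    records = []
    for match in BYTE_RANGE.finditer(pdf):
        a, b, c, d = map(int, match.groups())
        end = c + d  # offset just past the last signed byte
        if a != 0 or a + b > c or end > len(pdf):
            raise ValueError("malformed /ByteRange")
        records.append({"signed_end": end,
                        "appended": len(pdf) - end,
                        "covers_whole_file": end == len(pdf)})
    return records

def extract_signed_revision(pdf: bytes, index: int = 0) -> bytes:
    """The file exactly as it was when signature `index` was applied."""
    return pdf[: signed_revisions(pdf)[index]["signed_end"]]

def build_sample() -> bytes:
    """Constructed, minimal PDF-like bytes with a self-consistent /ByteRange
    (not a real signed invoice; the signature value is a dummy)."""
    tmpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    hole = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    first_len = len(tmpl % (0, 0, 0))  # fixed width, so length is stable
    return (tmpl % (first_len, first_len + len(hole), len(tail))) + hole + tail

# Constructed later revision, standing in for an attached validation report.
APPENDED_REVISION = b"2 0 obj\n<< /Type /EmbeddedFile >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    updated = build_sample() + APPENDED_REVISION
    print(signed_revisions(updated))
```

A non-zero `appended` value means the file contains content added after signing, which is the situation where the signed revision has to be viewed on its own.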

Errors during validation of the Certificate Revocation List (CRL)

As part of the validation process for a signed PDF file, the Certificate Revocation List is checked by Adobe Reader. The path as well as the type of review performed is independent of the certificate used. This means that Adobe Reader can, either during or after a successful check, report in the Signatures menu that a revocation check of the signer’s identity could not be performed.

image-20240711-054348.png

The purpose of the check is to determine whether the issuer of the certificate has put it on a CRL for security reasons. The CRL check is not intended to validate the integrity of the signature, meaning that the signature is valid even without the review. The genesis of the problem lies in the fact that Adobe Reader cannot be bypassed completely using CRLs. As a result, checks of qualified certificates, particularly by the German Trust Center, are only possible to a limited extent.

Details

CRLs can be either direct or indirect. With direct CRLs, the certificate to be checked and the CRL are signed by the same issuer certificate. In contrast, indirect CRLs have different issuers for certificates and CRLs. The Common PKI Standard stipulates, however, that in this case the CRL issuer must be explicitly named in the certificate that is to undergo review. In Germany, this is not always mandated, e.g., with certificates issued by Signtrust, a subsidiary of Deutsche Post. The actual issuance practice for certificates and CRLs is, however, correct, because it is backed by a profile of the Common PKI Standard (SigG profiles). This makes it possible to omit CRL issuer names even when indirect CRLs are utilized, which enables greater flexibility in the issuance of service certificates. Unfortunately, Adobe Reader does not appear to take this special case into account. Similar restrictions apply to revocation checks carried out online using Online Certificate Status Protocol (OCSP).
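The distinction above can be checked on a certificate/CRL pair. This is an added example, not part of the original guide: it uses the Python `cryptography` package, compares issuer names rather than signing certificates (a simplification), and builds a constructed sample PKI with hypothetical names and throwaway keys.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def classify_crl(cert, crl):
    """Return 'direct', 'indirect-named' or 'indirect-unnamed' for the pair."""
    if crl.issuer == cert.issuer:
        return "direct"
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return "indirect-unnamed"
    # An indirect CRL is announced via the cRLIssuer field of a distribution point.
    for point in cdp:
        for gn in point.crl_issuer or []:
            if isinstance(gn, x509.DirectoryName) and gn.value == crl.issuer:
                return "indirect-named"
    return "indirect-unnamed"

# --- constructed sample PKI (hypothetical names, throwaway keys) ---
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

NOW = datetime.datetime(2015, 1, 1)
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CRL_KEY = ec.generate_private_key(ec.SECP256R1())

def make_cert(crl_issuer_cn=None):
    """Signer certificate issued by 'Example CA'; optionally names a CRL issuer.
    The subject reuses the CA public key, which does not matter for this check."""
    b = (x509.CertificateBuilder().subject_name(_name("Example Signer"))
         .issuer_name(_name("Example CA")).public_key(CA_KEY.public_key())
         .serial_number(1000).not_valid_before(NOW)
         .not_valid_after(NOW + datetime.timedelta(days=365)))
    if crl_issuer_cn:
        dp = x509.DistributionPoint(
            [x509.UniformResourceIdentifier("http://crl.example.invalid/ca.crl")],
            None, None, [x509.DirectoryName(_name(crl_issuer_cn))])
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(CA_KEY, hashes.SHA256())

def make_crl(issuer_cn, key):
    """Empty CRL issued under the given name and key."""
    return (x509.CertificateRevocationListBuilder().issuer_name(_name(issuer_cn))
            .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
            .sign(key, hashes.SHA256()))
```

The `indirect-unnamed` result corresponds to the special case described above, in which the CRL has a different issuer and the certificate does not name it.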

Since December 2014, Retarus only uses signature cards from D-Trust (part of the German Federal Printing Office) for qualified electronic signatures in Germany. D-Trust uses standardized CRL test methods, which prevent error messages from occurring in Adobe Reader. Signatures from Signtrust are no longer issued.

In order to ensure that affected invoices you’ve already received are correctly reviewed, we recommend using the following free webservice: https://signaturpruefung.secunet.com/.

After a successful check, you’ll receive an additional validation report in PDF format:

image-20240711-054417.png
