Hi:
I guess I"m not sure what is going on here.
The setting you describe sounds like it determines that we do a check
if the certificate you are checking has an AIA extension.
This appears to be the case in your scenario. The setting you chose
to work around the problem merely ignores bad checks.
There still appears to be some issue when you have it set to "2", where
Adobe doesn't like the OCSP cert itself.
I assume this is Windows, so you might go into the "Internet" config options
and look at the certs to see if the OCSP cert chain is fully trusted.
This is just a guess of course.
----- Original Message -----
From: "Alexander" <ricardoalx.perez(a)gmail.com>
To: pki-users(a)redhat.com
Sent: Wednesday, September 21, 2016 10:04:34 AM
Subject: Re: [Pki-users] Pki-users Digest, Vol 101, Issue 4
Hi John, thanks for answering...
Yes it is, My CA it's trusted by the Adobe Application.
I solved it partially, but I think the problem is with the certificate of the OCSP.
Solution:
1. Enable LOG for Abode Acrobat or Adobe Reader to see more details of the error.
Check this info:
http://www.adobe.com/content/dam/Adobe/en/devnet/reader/pdfs/acrobat_read...
Page 127
5.3.4.4 Validation Certificate Data Logging
Example 5.7: Chain building log file settings
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]
"ILogLevel" = dword: 00000008
"SLogFilePath" = <BINARY path to Existing directory for log file>
The folder path has to exist, but Acrobat will create the file if it's missing. For
example, if you want to save the file to C:\LogFile\digSigLog.txt the folder LogFile would
have to exist on the C drive, but the log file itself will get created if it's not
there already.
When you type in the file path and name in the Edit Binary Value dialog in regedit, make
sure you null terminate the string by typing a zero at the end of the hex data on the left
side of the dialog. It will look like a dot on the right side, but it's not really a
dot (a dot is 2E in hex).
2.- Signature Validation RevCheck
http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Securit...
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_OCSPRevChecker]
"iReqRevCheck" = dword: 1
iReqRevCheck: Indicates whether revocation checks are required to succeed on the OCSP
response.
Set this value to 1 (1: Do a check IF certificate has AIA extension or responder info is
in registry; don't fail if the check fails.)
After setting these values in the registry, I indicated that the signatures are valid.
If I leave the default value of 2 (2: Do you have to check IF AIA certificate extension or
respond info is in registry, all checks must succeed if there is data and to check
OCCURS.)
Continued to receive the same error message
So I think the key to solve completely the problem is:
The OCSP certificate or certificates used to sign must have: Authority Information Access
(AIA) certificate extension or respond info is in registry.
Really do not know how this or how to verify that the certificates comply with this
requirement.
2016-09-21 11:00 GMT-05:00 < pki-users-request(a)redhat.com > :
Send Pki-users mailing list submissions to
pki-users(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/pki-users
or, via email, send a message with subject or body 'help' to
pki-users-request(a)redhat.com
You can reach the person managing the list at
pki-users-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Pki-users digest..."
Today's Topics:
1. Re: ocsp doesn't work on the client side - "OCSP response
signature invalid" (John Magne)
----------------------------------------------------------------------
Message: 1
Date: Tue, 20 Sep 2016 14:02:37 -0400 (EDT)
From: John Magne < jmagne(a)redhat.com >
To: Ricardo Alexander Perez Ricardez < rperez(a)osh.com.mx >
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] ocsp doesn't work on the client side - "OCSP
response signature invalid"
Message-ID:
< 1939478162.975581.1474394557729.JavaMail.zimbra(a)redhat.com >
Content-Type: text/plain; charset=utf-8
Is your CA being trusted by the Adobe application in question?
----- Original Message -----
From: "Ricardo Alexander Perez Ricardez" < rperez(a)osh.com.mx >
To: pki-users(a)redhat.com
Sent: Thursday, September 15, 2016 1:12:21 PM
Subject: [Pki-users] ocsp doesn't work on the client side - "OCSP response
signature invalid"
Error: "OCSP response signature invalid"
On the server side I have configured an instance of pki working properly, I have two
subsystems a CA, and OCSP.
On the client side I have a valid certificate that I use to sign a PDF document
In Adobe Reader or Adobe Acrobat I perform the following steps:
1. Signing a PDF document
2. Validate Signature
3. I receive the message: "The validity of the signature is unknown"
4. Click on: Check the properties of signature
5. Click on: Show signer certificate
6. Click: Revocation tab
The following message is displayed:
We attempted to determine whether the certificate is valid by performing a revocation
check using the protocol online certificate status (OCSP Online Certificate Status
Protocol).
The OCSP response was signed by "OCSP Signing CA Certificate" on 2016/09/15
14:53:06 -05'00 '.
Click Details signer for more information on the source of the revocation information.
Click trouble seeing the problems encountered when performing this check revocation.
6. Click on: Problems Found
7. I get the message: "OCSP response signature invalid"
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
End of Pki-users Digest, Vol 101, Issue 4
*****************************************
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users