OpenSSL PDF signature


I want to issue valid signatures to my PDF, at least in Adobe readers. For testing purposes, I started with a simple CSR sent to ZeroSSL. I got a certificate, created a PFX file from it, and signed a PDF. The signature is invalid. The reason for it is stated as follows:

The selected certificate has errors: Invalid policy constraint

My guess is that I need to reissue the CSR with the right policy, but I cannot find how to set it (using OpenSSL), or whether it is possible at all on a ZeroSSL certificate (the source of trust is approved by Adobe).

How can I apply for a certificate that will work for my PDF?

Thanks

iPDFdev (accepted answer):

ZeroSSL sells only SSL certificates. They are for web servers and not for digital signatures. While technically they are the same (this is why the signing process worked), they have flags that specify their intended usage (digital signatures, secure communications, etc.).

Acrobat reports the policy error because it sees that the certificate is valid but its usage policy is not 'digital signatures'.

You have to purchase a digital certificate for digital signatures; these usually come on hardware tokens or as signing APIs such as GlobalSign.

mkl:

First some background on iPDFdev's answer:

Adobe clarified here that they only accept signer certificates

  • that have no Key Usage extension or such an extension with at least one of the values nonRepudiation and digitalSignature and
  • that have no Extended Key Usage extension or such an extension with at least one of the values emailProtection, codeSigning, anyExtendedKeyUsage, and 1.2.840.113583.1.1.5 (Adobe Authentic Documents Trust).

In the case at hand, though, the issue might have yet another cause: Trust anchor CA certificates on the AATL can be registered there with the restriction that only such user certificates issued by the CA certificate in question shall be trusted that have a certain Certificate Policy extension.

For example, look at the case analyzed in this Adobe Community Support Forum thread. The Adobe Acrobat Certificate Viewer showed:

https://community.adobe.com/t5/image/serverpage/image-id/559256i28942FE1482F237F/image-size/original/is-moderation-mode/true?v=v2&px=-1

Just like in the OP's case, there is

The selected certificate has errors: Invalid policy constraint

Selecting the Policies tab for the trust anchor, the Certificate Viewer showed the policy requirement:

https://community.adobe.com/t5/image/serverpage/image-id/559259iF4C5DBF2FB9D9F8D/image-size/original/is-moderation-mode/true?v=v2&px=-1

As the text there explains, signatures (only) will be valid if the signer certificate matches the policy restriction. In the case at hand, though, the certificate policy entry of the signer certificate

https://community.adobe.com/t5/image/serverpage/image-id/559262iE54C53CD751E5DEC/image-size/original/is-moderation-mode/true?v=v2&px=-1

was not among the registered policy ids.

The OP wondered whether they can select the matching policy in their CSR. Usually, though, the CA will issue a certificate with the certificate policies they select, not with those contained in the CSR structure.

Thus, you should check whether you indeed have a similar mismatch of policy IDs between the required ones and the actual one. If that is the case, contact the CA and ask them how you can request a certificate with one of the policy OIDs requested on the AATL.
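As an added example (not code from the thread or from either answerer), the following shell script uses the openssl CLI to generate two constructed self-signed test certificates and checks each against the Key Usage / Extended Key Usage rules quoted above, then lists the certificatePolicies OIDs that would have to be compared with the policy registered for the AATL trust anchor. The policy OIDs under 1.3.6.1.4.1.99999 are constructed placeholders, and the script assumes OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/bin/sh
# Added example, not code from the thread: check a signer certificate against the
# KU/EKU rules quoted in mkl's answer and list its certificatePolicies OIDs.
# Needs only the openssl CLI (1.1.1+ for -addext). Test certificates are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Print the value line of one X.509v3 extension, or nothing if it is absent.
ext_value() {  # $1 = cert.pem, $2 = header as printed by `openssl x509 -text`
  openssl x509 -in "$1" -noout -text |
    awk -v name="$2" 'hit { print; exit } index($0, name ":") { hit = 1 }'
}

# List the certificatePolicies OIDs, one per line (nothing if the extension is absent).
policy_oids() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: //p'; }

# Return 0 if KU/EKU satisfy Adobe's signer rules, 1 (with the reason) otherwise.
adobe_signer_check() {
  ku=$(ext_value "$1" "X509v3 Key Usage")
  eku=$(ext_value "$1" "X509v3 Extended Key Usage")
  case "$ku" in
    ""|*"Digital Signature"*|*"Non Repudiation"*) ;;
    *) echo "REJECT: Key Usage has neither digitalSignature nor nonRepudiation:$ku"; return 1 ;;
  esac
  case "$eku" in
    ""|*"E-mail Protection"*|*"Code Signing"*|*"Any Extended Key Usage"*|*"1.2.840.113583.1.1.5"*) ;;
    *) echo "REJECT: Extended Key Usage not accepted for PDF signing:$eku"; return 1 ;;
  esac
  echo "OK: KU/EKU acceptable; certificate policies: $(policy_oids "$1" | tr '\n' ' ')"
}

# Constructed self-signed test certificate: $1 = name, $2 = keyUsage,
# $3 = extendedKeyUsage, $4 = certificatePolicies (all in openssl config syntax).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed test signer" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -addext "keyUsage=$2" \
    -addext "extendedKeyUsage=$3" -addext "certificatePolicies=$4" 2>/dev/null
  echo "$WORK/$1.pem"
}

# A TLS-style leaf like the OP's: digitalSignature is fine, but the EKU is not accepted.
TLS_CERT=$(make_cert tls critical,digitalSignature,keyEncipherment serverAuth,clientAuth 1.3.6.1.4.1.99999.1)
# A signing-style leaf carrying emailProtection and the Adobe Authentic Documents Trust EKU.
SIG_CERT=$(make_cert sig critical,digitalSignature,nonRepudiation emailProtection,1.2.840.113583.1.1.5 1.3.6.1.4.1.99999.2)

adobe_signer_check "$TLS_CERT" || true   # prints REJECT (Extended Key Usage)
adobe_signer_check "$SIG_CERT"           # prints OK with policy 1.3.6.1.4.1.99999.2
```

Run it against your real signer certificate with `adobe_signer_check cert.pem` and compare the printed policy OIDs with those shown on the Policies tab of the trust anchor in the Acrobat Certificate Viewer.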