2
votes

I am using iText to apply digital signatures in PDF. The digitally signed PDF is showing a message like "The validity of the document certification is unknown. The author could not be verified. At least one signature has problems." at the top.

When I add the certificate to my trust identities which is used to create signed PDF, then the generated signed PDF shows "Signed and all signatures are valid".

Is it possible to fix this without adding the certificate to trusted identities?

Thanks in advance.

3
Unfortunately you did not supply a sample PDF to demonstrate that issue. But to trust some certificate you obviously have to explicitly trust it or some parent, grandparent, ... certificate of it and supply the intermediate certificates. Is the signer certificate in question self-signed or does it belong to some private CA? – mkl
Instead of manually trusting the certificate, it should automatically trust and it should not show the validity error. The signer certificate is obtained from Verisign Inc. – Ramasamy
As mentioned above, please supply a sample PDF. – mkl
BTW, you expect the signature to be immediately accepted by Adobe Reader because "The signer certificate is obtained from Verisign Inc." --- It does not suffice to use a certificate by Verisign, it has to be one which is explicitly generated for use with Adobe Reader. Thus, please supply a sample signature (or the certificate in question, not the private key!) to allow a check. – mkl

3 Answers

2
votes

There are two reasons for the message to be displayed.

First, you used a self-signed certificate or another certificate whose certificate chain doesn't end with a root certificate trusted by the validating application.

Second, the signature parameters are not set right and Reader doesn't know that it needs to look for certificates in the Windows certificate store. I don't know how to specify what I mean in iText; in our SecureBlackbox there's a property for this.
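The chain condition from the comments and from this answer (are the intermediates present in the signer's key file, and does the chain end at a root the validator trusts) can be checked locally before signing. This is an added example, not code from the question, the answers or iText; it assumes a PKCS#12 file `signer.p12` holding the key with its chain and a Java keystore `trusted-roots.jks` containing the roots you choose to treat as anchors (both hypothetical names and passwords).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Diagnoses whether a signer's PKCS#12 chain reaches a root in a chosen trust store. */
public class SignerChainCheck {
    // Hypothetical file names and passwords: replace with your own.
    static final String P12_FILE = "signer.p12", P12_PASS = "changeit";
    static final String TRUST_FILE = "trusted-roots.jks", TRUST_PASS = "changeit";

    public static void main(String[] args) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(P12_FILE)) {
            p12.load(in, P12_PASS.toCharArray());
        }
        String alias = p12.aliases().nextElement();          // first entry in the key file
        Certificate[] chain = p12.getCertificateChain(alias); // leaf first, then any intermediates/root

        // Anchors: the roots you decide to trust (e.g. roots exported from Reader's trust list).
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUST_FILE)) {
            trust.load(in, TRUST_PASS.toCharArray());
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);  // offline diagnostic; keep revocation checking on in production
        Set<TrustAnchor> anchors = params.getTrustAnchors();

        // The validated path must not contain the anchor itself, so drop chain entries that are anchors.
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            boolean isAnchor = anchors.stream().anyMatch(a -> x.equals(a.getTrustedCert()));
            System.out.println((isAnchor ? "ANCHOR " : "CHAIN  ") + x.getSubjectX500Principal());
            if (!isAnchor) path.add(x);
        }
        // The issuer of the last non-anchor cert is what must be found among the anchors.
        System.out.println("Issuer of last chain cert: " + path.get(path.size() - 1).getIssuerX500Principal());

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            System.out.println("Chain is complete and anchored in the configured trust store.");
        } catch (CertPathValidatorException e) {
            // Typical causes: an intermediate missing from the PKCS#12, or the root not in the trust store.
            System.out.println("Chain does NOT validate: " + e.getMessage());
        }
    }
}
```

A pass here only means the chain is complete and ends at a root in that store; Adobe Reader applies its own trust list, so a chain that validates against the OS or a private store can still show the warning.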

2
votes

Please read https://itextpdf.com/book/digitalsignatures

Section 3.4 is named "How to get a green check mark."

The short version: if you want a PDF that shows a green check mark without having to install a root certificate manually, you need at least a private key that is stored on a physical device such as a Hardware Security Module, a USB token or a smart card.

Do you have such a key? Did you ask your CA for a CDS or AATL certificate?

1
votes

Re: Is it possible to fix this without adding a certificate to trusted identities?

Answer: no, unless you switch to a digital signature cert that was granted by a Certificate Authority trusted by Adobe.

This is an ongoing issue with Adobe since Adobe Reader doesn't trust the CAs in the operating system. -- Instead, Adobe has their own list.

So either:

  1. You get a personal cert from one of the companies on the Adobe list.
  2. You publish your organization's root certificate on your website and provide instructions to recipients on how to tell Adobe to trust you. (Your organization can have just one member if you wish.) See below for more on this.
  3. You tell your recipients how to click on the Adobe signature toolbar to inspect the details of the signing cert (and ignore the scary default warnings from Adobe).

In the wet-signature world, there are cases where you simply sign something, and other cases where you need to provide a copy of your government issued identity document. Unfortunately, in the current digital signature world, it's as if every signature needs to be accompanied by a copy of your driver's license. And that is simply not reality.

A common and successful answer is to publish your organization's root cert for all of the organization's signers. See Apple and Wells Fargo examples.

You can publish your root cert on an SSL-protected page with a cert from a trusted CA. That will enable a business partner to feel secure about trusting that your org's root cert is really from your org.