Exporting A Trust Anchor - Adobe 22002486 User Manual

For Acrobat 9.0 and Adobe Reader 9.0

Acrobat 9 Family of Products
Security Feature User Guide
Certificate Chains and Trust Anchors/Roots
Certificates usually exist as part of a hierarchy or "chain" of certificates, and part or all of the chain can be
wrapped in an FDF file. The bottom-most and end user certificate (yours) is called an "end entity" (EE)
certificate. The top-most certificate (the root) typically belongs to a trusted Certificate Authority (CA).
Certificates in between the end entity and root certificates are sometimes called "intermediate certificates"
(ICAs) and are issued by the CA or ICAs underneath the CA. Acrobat enables users to specify one or more of
the certificates in a chain as trusted for specific operations. Thus, an EE certificate could have one or more
trust anchors (trusted ICAs) that chain up to the top-most CA certificate, which is the primary trust anchor
or "trusted root."
A typical chain might include your certificate, your company's ICA, and a root CA. Certificates inherit trust
from certificates on the root end of the chain. For example, if the root certificate is trusted, then any
certificates chaining to that root will also be trusted. Some organizations have their own root CA or use
an ICA certificate that is issued by an external CA and make these the trust anchors for their employees.
It is a common practice to trust certificates as high up in the chain as is reasonable since revocation
checking starts at the chain bottom and continues until it reaches a trust anchor. Revocation checking
occurs until reaching a certificate that is absolutely trusted by you or your organization. It also allows users
to trust other certificates that chain up to the same root. The trust anchor is often an ICA, for example, since
if the root is issued by a company such as VeriSign, it might not be wise to make it a trust anchor as that
tells Acrobat to trust the millions of certificates that chain up to VeriSign.
Distributing and installing ICA or CA trust anchors to a user or group of users allows them to:
- Distribute certified or signed documents to partners and customers.
- Help document recipients validate the signatures of document authors.
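
The effect of where the trust anchor sits in a chain can be seen in a small model. The following is an added example, not code from Adobe or the original manual: it walks a chain from the bottom, revocation-checks each certificate until a trust anchor is reached, and compares anchoring at an ICA with anchoring at the root. All certificate names are constructed, and certificates are modeled only as subject/issuer pairs (no signature verification).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the issuing certificate; equals subject for a root

def build_chain(ee, store):
    """Return the path from the end-entity certificate up to the root (or as far as known)."""
    chain, cert = [ee], ee
    while cert.issuer != cert.subject and cert.issuer in store:
        cert = store[cert.issuer]
        chain.append(cert)
    return chain

def validate(ee, store, anchors, revoked):
    """Walk up from the chain bottom, revocation-checking until a trust anchor is reached.

    Returns (trusted, subjects_that_were_revocation_checked).
    """
    checked = []
    for cert in build_chain(ee, store):
        if cert.subject in anchors:
            return True, checked      # anchor reached: checking stops here
        checked.append(cert.subject)
        if cert.subject in revoked:
            return False, checked     # revoked certificate below the anchor
    return False, checked             # no trust anchor anywhere in the chain

# Constructed sample hierarchy (all names hypothetical).
ROOT = Cert("Example Root CA", "Example Root CA")
ICA_A = Cert("Company A ICA", "Example Root CA")
ICA_B = Cert("Company B ICA", "Example Root CA")
ALICE = Cert("Alice", "Company A ICA")
BOB = Cert("Bob", "Company B ICA")
STORE = {c.subject: c for c in (ROOT, ICA_A, ICA_B)}

if __name__ == "__main__":
    # Anchoring at the ICA trusts only Company A's users; anchoring at the
    # root also trusts every certificate under every other ICA of that root.
    for anchors in ({"Company A ICA"}, {"Example Root CA"}):
        for ee in (ALICE, BOB):
            print(sorted(anchors), ee.subject, validate(ee, STORE, anchors, set()))
```
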

Exporting a Trust Anchor

When Acrobat exports a certificate, it automatically exports other selected certificates in that certificate's
chain and includes them in the FDF file.
1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities.
2. Choose Certificates in the Display drop-down list.
In addition to this method, you can also display the certificate from any signature or certificate security
method workflow where a Show Certificate or Certificate Details button appears, such as the
Signature Properties dialog.
3. Select the certificate.
4. Choose Show Certificate. The Certificate Viewer displays the certificate.
5. Select a certificate in the chain that appears in the left-hand window (Figure 116).
Note: In the unlikely event that you can sign the FDF file with a signature the recipient can
validate (they will use a different certificate than the one you are exporting), set the
certificate's trust level before exporting it. For details, see "Setting the Certificate Trust
Level" on page 158.
Tip: You could just choose Export and bypass the following two steps. However, exporting
the certificate from the Certificate Viewer allows you to see the entire certificate chain
where you can select all or part of it.
