FAQ for Entrust Adobe CDS Signing Certificates

What is Adobe® CDS?

Using digital signature technology, Adobe® Certified Document Services (CDS) provides recipients with assurances that certified PDF documents are authentic — that they did indeed originate from their stated author, and the portions of the document signed by the author have not been modified since authoring.

What is a CDS Certificate?

Authors interested in creating certified documents register with Entrust, have their identification information verified and are then provided with a digital ID to be used in Adobe® Acrobat™ and LiveCycle™ products to certify documents in real time. When a document is signed with an Adobe® CDS certificate, the author's identity and the document content are verified every time the PDF document is opened. In recent versions of Acrobat™ Reader, a blue ribbon appears at the top of the document clearly indicating whether the document has been verified and who the author is.

How does it work?

Authors that use Adobe® products to create PDF documents can now apply a trusted digital signature to a document. Individuals using Adobe® Acrobat™ have always been able to apply a digital signature to documents; however, recipients (readers) haven't had the tools available to verify those digital signatures. Now, with Adobe® CDS signatures, the PDF reader can verify the signatures and authenticity of signed documents in real time without having to download software or plug-ins. Organizations that use Adobe® LiveCycle™ can now have automated document processes certified so that recipients can verify the resulting documents.

For recipients or end users, when an Adobe® Certified Document is opened, a verification trust dialog is immediately presented at the top of the document. The dialog may vary depending on the version of Adobe® Acrobat™; however, signatures generally look like:

  • Document has a valid signature and is certified: Signed And Approved
  • Document has an invalid signature: Invalid Signature
  • The signature cannot be validated: Not Verified

From a workflow standpoint, visual indicators can exist in the document indicating that the document has been approved.

What are the steps to get a CDS Certificate?

Getting a CDS certificate is simple.

Step 1: Select the CDS certificate that's right for you. Our Guide should help you decide.

Step 2: Click on the Buy Now button on www.entrust.net. You will be guided through the process of entering the necessary information to get your certificate. You will need to know your authorization, billing and technical contact information. You will also have to provide your domain and company information.

Step 3: Once the information is complete, Entrust will begin the process of verifying the information. Our stringent verification process may include phone calls and trusted third party searches to verify information. Once verified, your USB security token will be shipped to you unless you require a certificate for an HSM module.

Step 4: Once you receive a Secure USB token, you will have to install a software package that initializes the token. Once complete, the certificate is installed on the token.

If my CDS certificate expires, what happens to the documents that have been signed?

Both Adobe® Acrobat™ and Adobe® LiveCycle™ are highly configurable to allow signatures to "expire". In most cases, however, the signature will remain valid after the certificate has expired, thus allowing documents to be considered "valid" long after the initial signature.

How am I and my organization vetted?

To ensure a proper certificate is issued, Entrust performs the following verification steps:

Individuals without an Organization

These individuals are not associated with an organization. The individual's name will be identified in the CDS certificate.

  1. Entrust will verify a government issued identity received by fax or scan.
  2. A phone number for the individual will be obtained through a trusted third party source.
  3. A call will be placed to the subscriber with the found phone number.
  4. A validation email will confirm the email address of the subscriber via a shared secret.

Individuals or roles within an organization

In this case the certificate is for an individual associated with an organization. Both the individual's and the organization's names will be identified in the certificate.

  1. Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third party sources of information.
  2. A phone number will be obtained through a third party listing.
  3. A call to the Organization Representative (OR) contact will verify the employment of the OR and confirm the authorization of the subscriber.
  4. A call to the subscriber will confirm the request.
  5. Entrust will validate the email address of the subscriber via a shared secret.

Organizations ordering certificates on behalf of the organization

In this case the certificate is for an organization whose name will be in the certificate. No individual's name will appear in the certificate; however, an individual will be assigned as the Key Custodian for the certificate:

  1. Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third party sources of information.
  2. A phone number will be obtained through a third party listing.
  3. A call to the Organization Representative (OR) will verify the employment of the OR and confirm the authorization of the Key Custodian.
  4. A call to the Key Custodian will verify the request.
  5. Entrust will validate the email domain of the organization.

Entrust Certificate Management Services

For customers of Entrust's Certificate Management Services (CMS) the verification must include authorization of administrators that will perform the role of Local Registration Authority (LRA):

  1. Confirmation of the legal existence of the organization will be obtained by Entrust using trusted third party sources of information.
  2. A phone number will be obtained through a third party listing.
  3. A call to the Organization Representative (OR) will verify the employment of the OR and confirm the authorization of the LRAs. A call to the Organization Representative (OR) will verify the employment of the OR and confirm the authorization of the Key Custodian.
  4. Entrust will validate the email domain of the organization.

What kind of certificates are there?

Entrust offers four different CDS Certificates:

Individual Signing Certificates — Manual: These certificates are used by individuals who wish to sign and certify documents on an ad hoc basis. Examples of this are workflow approvals, legal documents, contracts and letters. The certificates are assigned to an individual whose first and last name appears in the signature along with their email address. This certificate is sold on a secure token.

Group Signing Certificates — Manual: These Adobe® CDS Certificates are used by groups that wish to sign and certify documents on behalf of a group. These certificates, delivered on a secure token, display the organizational group name and email in the signature rather than an individual name. They are intended for ad hoc use. For example a sales department may decide to sign its proposals or RFP responses.

Group Signing Certificates — Automatic: These Adobe® CDS Certificates display the same signature properties as the manual group signing certificates. The difference is that these are intended for use in an automated process (usually Adobe® LiveCycle™) to sign and certify documents. Typical use cases for this signature are invoices, account statements, transcript requests and confirmations.

Enterprise Signing Certificates — Automatic: Intended for corporate use, Enterprise signing certificates display the company name in the signature properties rather than the name of an individual or group.

Why do I need special hardware?

A requirement for providers of Adobe® CDS is to ensure the security of the private signing key. To this end, the private key is generated and stored on FIPS compliant cryptographic hardware that ensures the key cannot be duplicated, which preserves non-repudiation for the solution. Entrust includes a Safenet iKey with each certificate sold. This key is secured by passwords and is easily accessed by signing applications. For Enterprise CDS signatures, organizations can download their certificate to an HSM (Hardware Security Module), which is also FIPS compliant.

What products work with Adobe® CDS Certificates?

Adobe® CDS Certificates can be interpreted and displayed by Adobe® Acrobat™ Professional starting at version 6, Adobe® Acrobat™ Standard starting at version 6.x, Acrobat™ Elements version 6.x onwards, Adobe® Reader version 6.x and higher and LiveCycle™ version 8.x and higher.

Authoring software that works with Adobe® CDS certificates includes Acrobat™ Professional and Standard, versions 6.x onwards, and Adobe® LiveCycle™ Document Security Server version 8.x and higher, as well as LiveCycle™ ES Digital Signatures.

How does this differ from other client certificates?

Most client certificates work well inside an organization that has deployed software to validate and sign digital documents. Typically, PKI customers have the ability to apply digital signatures and have them validated by coworkers inside the organization. The problem comes when exchanging documents outside the organization. Many recipients do not have the technology in place to verify signatures, nor the skills to configure that technology.

Adobe® CDS certificates are different because the technology to interpret them is built into Adobe® Reader which is ubiquitous. The benefit of using signatures in an application that is readily available and on most desktops is that readers do not have to configure software and no special skills are needed.

Can I reissue Adobe® CDS Certificates?

Adobe® CDS certificates can be reissued to the same identity throughout the life of the certificate. A certificate may be reissued if passwords are forgotten, tokens are misplaced (an administrative fee applies to the replacement token), a key is compromised, or if the individual leaves an organization. If the subscriber leaves the organization, the key should be revoked without re-issue.

Re-issuing certificates should not be confused with recycling certificates, which is a feature of server based SSL certificates in the Certificate Management Service (CMS). With the CMS service an administrator can revoke a certificate and reissue that certificate again to another server without depleting their inventory of certificates. This feature of CMS is not available for Adobe® CDS certificates.

What information does the certificate contain?

Certificate information varies by Certificate type:

Individual Adobe® CDS Certificate

  Element   Required/Optional   Values
  cn        Required            Individual's name
  email     Required
  ou        Optional
  o         Not Required
  l         Optional
  st        Optional
  c         Required

Group Adobe® CDS Certificate

  Element   Required/Optional   Values
  cn        Required            Role, Department, Organization
  email     Required
  ou        Optional
  o         Required            Organization Name
  l         Optional
  st        Optional
  c         Required
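
As an added example (not Entrust's or Adobe's code), the two subject profiles above can be checked against a certificate's subject string, for instance when a relying party wants to confirm that a signer certificate fits the type it claims to be. The function names, the accepted spellings of the e-mail attribute and the sample subjects are assumptions constructed for illustration; "Not Required" is read as "may be absent".

```python
# Added example: check a certificate subject against the CDS profiles in the table.
# Attributes marked Required must be present with a value; Optional and
# "Not Required" attributes may be absent (the latter is an assumed reading).
PROFILES = {
    "individual": {"required": {"cn", "email", "c"}, "optional": {"ou", "o", "l", "st"}},
    "group": {"required": {"cn", "email", "o", "c"}, "optional": {"ou", "l", "st"}},
}
# Assumption: spellings of the e-mail attribute seen in string-form subjects.
ALIASES = {"e": "email", "emailaddress": "email"}


def split_rdns(dn):
    """Split a comma-separated subject string, honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def check_subject(dn, cert_type):
    """Return a list of profile violations (empty list means the subject fits)."""
    profile = PROFILES[cert_type]
    seen = {}
    for part in split_rdns(dn):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        key = ALIASES.get(key.strip().lower(), key.strip().lower())
        seen.setdefault(key, []).append(value.strip())
    problems = [f"missing required {attr}"
                for attr in sorted(profile["required"]) if not any(seen.get(attr, []))]
    allowed = profile["required"] | profile["optional"]
    problems += [f"unexpected attribute {attr}" for attr in sorted(set(seen) - allowed)]
    return problems


# Constructed sample subjects (not taken from real certificates).
GROUP_DN = "CN=Sales\\, North America,emailAddress=sales@example.com,OU=Sales,C=US"
print(check_subject("CN=Jane Example,E=jane@example.com,C=CA", "individual"))
print(check_subject(GROUP_DN, "group"))
```

The same subject that fails the group profile for lacking `o` passes the individual profile, which is the only difference between the two tables. Hex escapes and multi-valued RDNs are not handled.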

What's the difference between certified and approval signatures?

A document that is certified attests to the content of the document and certifies that it has not been altered in any way. When a document is certified, the author can specify what changes can be made to the document before its certification is no longer valid. That usually takes the form of:

  • no changes permitted
  • form fields filled out only
  • comments on the document allowed

When a person (not necessarily the author) signs a document to consent or approve it, an approval signature is applied. In all cases for approvals and certification, the document displays the certificate status in the blue bar at the top of the window.