I’m trying to get a certification to sign my PDF files these days.
- It is a certification signed by a trusted CA in Adobe Acrobat (of course it can’t be self-signed)
- It is cheap
What I did:
Check the current list of Adobe Approved Trusted CA (http://helpx.adobe.com/acrobat/kb/approved-trust-list1.html)
Check those CA’s website.
Many of those CA are used inside their company/organization only, Some “Widely known CA” like DigiCert, GlobalSign, Entrust cost a lot(200-800 USD/year) for the certification, and you maybe asked for purchasing a USB device for the cert, PLUS, some of them limit the number of files you signed.
Finally I found “CERTUM (Unizeto Technologies)” in Porland, they supply a certification for a low cost(~10USD/year) https://en.sklep.unizeto.pl/data-safety/id-certificates/certyfikat-professional-id.html
- The is no USA in the country list there, I emailed them about this, and they said it doesn’t matter, the certification is send by email. So you may select any country.
- for the payment, select “ecard”, then you can pay by a VISA/MASTER card, don’t forget, there might be a foreign transaction fee for some credit card.
- After the payment is confirmed, verify your email address first, then create the certification either online or CSR (If your prefer a super secure RSA cert(>2048 bits), I created a 4096 one1), Note. the common name for generation the RSA private key has to be your legal name.
- they will send a email to let you provide some other documents. (1.a copy of ID document of the Subscriber (ID card, passport, residence permit, student’s ID card, social insurance ID, etc.), 2.a copy of document to assure the subscriber is an employee or representative of company/institution,3. a document to verify company/institution authenticity (e.g. DUNS number, Articles of Incorporation, Business Licence, proprietorship documentation))
- After those documents a verified (this takes 2-3 hours for me) you can download either binary cert (.cer) or a plain-text one(.pem)
- I download the plain-text one, lets call it cert.pem, then download the public key for the intermediate cert(Certum Level III CA): https://www.certum.eu/certum/cert,expertise_root_certificates.xml#CLIIICA use the .pem one
- Copy and paste the public CA(should be called intermediate cert in this case) to the end of your cert.pem, Do NOT leave empty line between or after that.
Finally, generate the .p12 file for Adobe Acrobat
openssl pkcs12 -export -out yourIntendedFilename.p12 -inkey yourprivate.key -in cert.pem
You’d better set a password for it.
By the way, you may use https://timestamp.geotrust.com/tsa OR http://timestamp.comodoca.com/rfc3161 as the timestamp server.