Experience

How to get a certification to sign PDFs

I’m trying to get a certification to sign my PDF files these days.

My Goal:

  1. It is a certification signed by a trusted CA in Adobe Acrobat (of course it can’t be self-signed)
  2. It is cheap

What I did:

Check the current list of Adobe Approved  Trusted CA (http://helpx.adobe.com/acrobat/kb/approved-trust-list1.html)

Check those CA’s website.

Many of those CA are used inside their company/organization only, Some “Widely known CA” like DigiCert, GlobalSign, Entrust cost a lot(200-800 USD/year) for the certification, and you maybe asked for purchasing a USB device for the cert, PLUS, some of them limit the number of files you signed.

Finally I found “CERTUM (Unizeto Technologies)” in Porland, they supply a certification for a low cost(~10USD/year)  https://en.sklep.unizeto.pl/data-safety/id-certificates/certyfikat-professional-id.html

Note:

  1. The is no USA in the country list there, I emailed them about this, and they said it doesn’t matter, the certification is send by email. So you may select any country.
  2. for the payment, select “ecard”, then you can pay by a VISA/MASTER card, don’t forget, there might be a foreign transaction fee for some credit card.
  3. After the payment is confirmed, verify your email address first, then create the certification either online or CSR (If your prefer a super secure RSA cert(>2048 bits),  I created a 4096 one1), Note. the common name for generation the RSA private key has to be your legal name.
  4. they will send  a email to let you provide some other documents. (1.a copy of ID document of the Subscriber (ID card, passport, residence permit, student’s ID card, social insurance ID, etc.), 2.a copy of document to assure the subscriber is an employee or representative of company/institution,3. a document to verify company/institution authenticity (e.g. DUNS number, Articles of Incorporation, Business Licence, proprietorship documentation))
  5. After those documents a verified (this takes 2-3 hours for me) you can download either binary cert (.cer) or a plain-text one(.pem)
  6. I download the plain-text one, lets call it cert.pem, then download the public key for the intermediate cert(Certum Level III CA):  https://www.certum.eu/certum/cert,expertise_root_certificates.xml#CLIIICA    use the .pem one
  7. Copy and paste the public CA(should be called intermediate cert in this case) to the end of your cert.pem, Do NOT leave empty line between or after that.

Finally, generate the .p12 file for Adobe Acrobat

openssl pkcs12 -export -out yourIntendedFilename.p12 -inkey yourprivate.key -in cert.pem

You’d better set a password for it.

Done.

By the way, you may use https://timestamp.geotrust.com/tsa   OR  http://timestamp.comodoca.com/rfc3161   as the timestamp server.