Manage trusted identities

A digital ID includes a certificate with a public key and a private key. Participants in signing and certificate security workflows exchange the public part (the certificate) of their digital ID. Once you obtain someone’s certificate and add it to your trusted identities list, you can encrypt documents for them. There may be instances when the certificate does not already chain up to a trust anchor that you have specified. In such cases, you can set the certificate’s trust level so that you can validate the owner’s signature. Understanding what a trusted identity is and how trust levels are set lets you streamline workflows and troubleshoot problems. For example, you can add trusted identities in advance and individually set the trust for each certificate. In enterprise settings, your trusted identities list may be preconfigured. You may also be able to search a directory server for additional certificates.

Import and export a certificate

To import a certificate for use in signature validation and certificate security workflows:

  1. Do one of the following:
    • In Acrobat, choose Tools > Sign & Certify > More Sign & Certify > Manage Trusted Identities.

    • In Reader, choose Edit > Protection > Manage Trusted Identities.

    Note: If you don't see the Sign & Certify or Protection panel, see the instructions for adding panels at Task panes.
  2. In the Display menu, select Contacts, and then click Add Contacts.
  3. Do any of the following:
    • If Windows certificate digital IDs are allowed, select the appropriate directory and group.

    • If your organization has configured an identity search directory, click Search to locate certificates.

    • Click Browse, select the certificate file, and click Open.

  4. Select the added certificate in the Contacts list to add it to the Certificates list. Select the certificate in the Certificates list, and click Details.
  5. If the certificate is self-signed, contact the originator of the certificate to confirm that the fingerprint values on the Details tab are correct. Trust the certificate only if the values match the values of the originator.
  6. Click Trust, specify trust options, and click OK.
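The fingerprint comparison in step 5, as an added example that is not Adobe's code: a certificate's fingerprint is a hash of its DER encoding, so it can be recomputed from an exported certificate file and compared, in full and in constant time, with the value the originator gives you out of band. The PEM block below is a constructed placeholder (base64 of three bytes), not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Hash functions commonly used for certificate fingerprints.
SUPPORTED = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in the file")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is just a hash of its DER encoding; return it
    in the usual upper-case, colon-separated form (AB:CD:...)."""
    digest = SUPPORTED[algo](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept the value as the originator read or typed it: any case, with
    colons, spaces or nothing between the byte pairs."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(pem: str, expected: str, algo: str = "sha256") -> bool:
    """True only if the recomputed fingerprint equals the originator's value
    in full; a prefix or a single differing byte is a mismatch, and the
    constant-time compare does not leak where the first difference is."""
    actual = normalize(fingerprint(pem_to_der(pem), algo))
    want = normalize(expected)
    return len(want) == len(actual) and hmac.compare_digest(actual, want)


# Constructed placeholder: the base64 of the bytes b"abc", NOT a real certificate.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    for algo in SUPPORTED:
        print(f"{algo}: {fingerprint(der, algo)}")
```

Trust the certificate only when `fingerprints_match` returns True for the value the originator confirmed; a partial match or a value copied from the same channel that delivered the certificate proves nothing.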

You can export a certificate and contact data via e-mail directly from the Trusted Identity Manager. This allows other users to add that data to their trusted identity list. Contact data added in this manner helps expand the number of users that can participate in secure document workflows. See the Digital Signature Guide (PDF) at www.adobe.com/go/learn_acr_security_en for information on exporting certificates.

Setting certificate trust

You build a list of trusted identities by obtaining digital ID certificates from the participants in your signing and certificate security workflows. You get this information from a server, a file, or a signed document. For signing workflows, you can get this information during the signature validation process. For certificate security workflows involving encryption, request the information in advance; this lets you encrypt the document with the recipient’s public key. See the Digital Signature Guide (PDF) at www.adobe.com/go/learn_acr_security_en for more information on setting up certificate trust.

Adobe Approved Trust List (AATL)

The Adobe Approved Trust List (AATL) allows users to create digital signatures that are trusted whenever the signed document is opened in Acrobat 9 or Reader 9 and later. Both Acrobat and Reader access an Adobe-hosted web page to download a list of trusted root digital certificates every 30 days. Any digital signature created with a credential that can trace a relationship back to a certificate on this list is trusted. The trusted root certificates have been verified by Adobe and other authorities to meet specific technical requirements. They represent high-assurance identity and signing credentials. The certificates include government and citizen credentials from across the world. In addition, they include credentials from global commercial certificate authorities and qualified certification service providers (CSPs) in Europe.

For details about this feature and why it is important for validating a signature, see the AATL web page at www.adobe.com/security/approved-trust-list.html.

AATL is enabled by default. The list downloads when you first open or create a signed document, or access the various security preferences dialogs. You are asked to confirm whether automatic updates to the AATL are acceptable to you. Click Yes if you want to receive the updates.

Note: Check with your administrator if your organization has turned off access to the AATL for some reason.

To verify the AATL is enabled:

  1. Choose Edit > Preferences (Windows) or Acrobat/Adobe Reader > Preferences.

  2. From the Categories on the left, select Trust Manager.

  3. Select the option Load Trusted Root Certificates From An Adobe Server.

    This option allows Acrobat or Reader to automatically download trust settings from an Adobe server. These trust settings ensure that the user or organization associated with the certificate has met the assurance levels of the Adobe Approved Trust List program.

  4. Do one of the following:

    • To be prompted when new root certificates are available from Adobe, select Ask Before Updating.

    • To download the latest version of the Trust List from Adobe, click Update Now.