Hi List,

Concerning:
- « validity unknown » displayed by Adobe Reader (tested in versions 7 and 9, …)
- Using iText to sign a PDF document
- With a smart card: the Belgian eID (identity card)
- Using an external signature
- With the “PdfSignatureAppearance.SELF_SIGNED” option


When I consult a signed PDF with iText (I made the signature myself, based on 
the example found here : http://itextpdf.sourceforge.net/howtosign.html), on my 
computer, where all my certificates are registered, everything is displayed 
correctly in Adobe Reader : the signature is displayed as “valid”.


However, when I try to read this PDF on another computer, the validity of the 
signature is displayed as “validity unknown”.

I figured out that it could be:
Point 1) because the certificate chain is not included in the PDF.
Point 2) because the “Belgium Root CA” is not imported as “trusted CA” in 
Windows
Point 3) because the “Citizen CA” is not imported as “trusted CA” in Windows


Point 1 :
I made the signature, passing the certificate chain extracted from the smart 
card.
In debug mode, every certificate is there, and the complete chain is passed to 
the API call : “sap.setCrypto(null, certs, null, 
PdfSignatureAppearance.SELF_SIGNED);”.

So, this does not seem to be the problem (but I could not check it for sure):
- On my PC, the certificate chain is displayed correctly by Adobe Reader
- And when I call this API at the end of the signature process: 
“Certificate[] certsInPdf = stamper.getSignatureAppearance().getCertChain();”, 
a Certificate[] is returned, containing the 3 certificates.

Point 2 :
I installed the “Belgium Root CA”, exported from my PC and imported on the PC 
displaying “validity unknown”.
I tried this installation twice: in automatic mode, and in the “certification 
store” named “Trusted Root CA”.
But it did not change anything in what Adobe Reader displayed…

Point 3 :
THIS was the solution !
I installed this certificate, using the same procedure as for the “Belgium Root CA”, 
and, after that, the signature appeared as “valid”!
HOWEVER, due to the number of existing “Citizen CA” certificates 
(http://repository.eid.belgium.be/FR/CitizenCA.htm), it is not possible to do 
this on every PC where the signed PDF will be consulted.


So, my question is…

Obviously, the signature is displayed correctly if the 3 points are done.
Why is “point 3” necessary?
I can understand (the users could accept) the necessity of “point 2”, but I can 
NOT ask every user to do the same with every existing “Citizen CA”.



Any help, suggestion, explanation is welcome!


Best regards,
   Julien.

Julien Vroonen - j.vroo...@nsi-sa.be
Business Analyst

NSI IT Software & Services
Chaussée de Bruxelles, 174 A
B-4340 Awans
Tél. Direct : +32 (0)4 239 91 60
Tél. Général : +32 (0)4 239 91 50
Fax : +32 (0)4 246 13 08
www.nsi-sa.be

_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions
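
The three trust situations from the post, reproduced with OpenSSL on a throwaway chain (an added example, not part of the original message and not iText code). It shows generic X.509 path validation only, not Adobe Reader's own trust handling; all certificate names are constructed and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo chain mirroring the post: root CA -> "Citizen CA" -> signer.
# Every key and certificate is generated locally; none are real eID material.

issue() {  # issue <dir> <name> <subject CN> <extfile> <issuer name or "self">
  local d="$1" n="$2" cn="$3" ext="$4" ca="$5"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ "$ca" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 30 \
      -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -set_serial 2 -days 30 -extfile "$d/$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

make_chain() {  # make_chain <dir>
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\n' > "$d/ee.ext"
  issue "$d" root   "Demo Root CA"    ca.ext self &&
  issue "$d" int    "Demo Citizen CA" ca.ext root &&
  issue "$d" signer "Demo Signer"     ee.ext int
}

# Case A: verifier trusts only the root and is not given the intermediate.
verify_root_only() { openssl verify -CAfile "$1/root.pem" "$1/signer.pem" >/dev/null 2>&1; }
# Case B: root trusted; intermediate supplied as untrusted chain material,
# the way a signature container can carry it next to the signer certificate.
verify_root_plus_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/signer.pem" >/dev/null 2>&1
}
# Case C: intermediate itself installed as a trust anchor (the post's "Point 3").
verify_int_as_anchor() {
  openssl verify -partial_chain -CAfile "$1/int.pem" "$1/signer.pem" >/dev/null 2>&1
}

report() {  # report <dir>: print one line per case
  local f
  for f in verify_root_only verify_root_plus_chain verify_int_as_anchor; do
    if "$f" "$1"; then echo "$f: OK"; else echo "$f: FAILED"; fi
  done
}

work=$(mktemp -d) && make_chain "$work" && report "$work"
rm -rf "$work"
```

Case A fails because no path to the root can be built, while cases B and C succeed; comparing them against a real verifier's behaviour helps separate "chain not available to the verifier" from "root not trusted by the verifier".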