Enterprise Toolkit | Macintosh Plist Reference

Security (Digital Signatures)

These settings pertain to content security (security features) rather than application security (securing the software environment). Content security includes digital signatures, security methods such as password and certificate security, and other rights management features.

Note the following:

For more information, refer to the Digital Signatures Guide and related documentation.


This preference category contains the following subfeature(s):

Signing: RSA-PSS Configuration

The DC release supports RSA-PSS Signing on Windows (April, 2017) and Macintosh (August 2017). Classic track (Windows and Macintosh both) support was added in November 2018. RSA-PSS is an RSA cryptosystem signature scheme that provides increased security assurance. For more details see https://www.emc.com/emc-plus/rsa-labs/historical/raising-standard-rsa-signatures-rsa-pss.htm. Support currently includes:

  • Acrobat and Reader DC
  • Signature validation
  • Signature creation with digital ID files (PFX/P12)
  • Signature creation with digital IDs imported to Windows Certificate Store and devices such as smart cards supporting Cryptography API: Next Generation (CNG). CNG is designed to replace the legacy CryptoAPI. In addition to increased security, CNG is extensible and cryptography agnostic. For more detail and a list of features, see https://msdn.microsoft.com/en-us/library/windows/desktop/bb204775(v=vs.85).aspx
Signature creation with devices using Crypto API's are not supported.

Summary table
EnableRSAPSSSigning Specifies whether a signature should be created with the RSA-PSS algorithm.
RSAPSSHashAlgorithm Specifies the hash algorithm used for RSA-PSS signing.
RSAPSSSaltLength Specifies the Salt Length the RSA-PSS algorithm uses.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # DC Continuous: Windows April, 2017; Mac August 2017
Lock Path Not lockable
Summary Specifies whether a signature should be created with the RSA-PSS algorithm.
Details Possible values include:
  • 0: Do not sign with the RSA-PSS algorithm.
  • 1: Use the RSA-PSS algorithm.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default null
Version # DC Continuous: Windows April, 2017; Mac August 2017
Lock Path Not lockable
Summary Specifies the hash algorithm used for RSA-PSS signing.
Details If bEnableRSAPSSSigning is enabled, this preference specifies the hash algorithm. If this preference is not present or has a null value, then the value specified by aSignHash is used. If aSignHash is not specified, then SHA256 is used. Possible values include:
  • SHA1
  • SHA224
  • SHA256
  • SHA384
  • SHA512
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 32
Version # DC Continuous: Windows April, 2017; Mac August 2017
Lock Path Not lockable
Summary Specifies the Salt Length the RSA-PSS algorithm uses.
Details When setting the salt length, you must assure the default base is hexadecimal. Either change the base to decimal or input its hex value. For example, if the salt length decimal value is 32, then set the hex value to 20.
GUI mapping N/A

Addressbook Import

The address book stores data for certificates used in digital signature and certificate encryption workflows. During a major upgrade (e.g. 10.x to 11.x), the product looks for existing address books on each user machine. Prior to install, you should decide whether to deploy a generic, enterprise address book or let the existing address book on each machine be imported into the new product. By default, when end users first launch the product, the application prompts them to import any discovered address book. The application looks for existing addressbooks from previous product versions by searching directories in this order.

  • (root)\AppData\Roaming\Adobe\Acrobat\11.0\addressbook.acrodata
  • (root)\AppData\Roaming\Adobe\Acrobat\10.0\addressbook.acrodata
  • (root)\AppData\Roaming\Adobe\Acrobat\9.0\addressbook.acrodata
  • (root)\Program Files (x86)\Adobe\Acrobat {current version such as 11.0}\Acrobat\Replicate


Summary table
ImportAddressBook Specifies whether the addressbook.acrodata file should be imported during a new install.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1
Version # 11.0.06+
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether the addressbook.acrodata file should be imported during a new install.
Details Many admins set a value of 2 so that the import dialog does not appear for end users. Possible values include:
  • 0: Do not copy the old address book. The user is NOT prompted and the address book should NOT be installed.
  • 1 or null: Default: The user is asked whether the address book should either be installed or not.
  • 2: Import the address book silently.
GUI mapping N/A

Security Setting Import

9.x products introduced a security feature that includes the ability to import and export security settings via an .acrobatsecuritysettings file, thereby enabling easier version upgrades as well as configuration of multiple machines. The security settings import/export features offers several advantages over FDF files:

  • Most document security and digital signature related settings can be encapsulated in an acrobatsecuritysettings file whereas FDF could only transport one setting type and a time and could not encapsulate registry settings at all.
  • One file can be used instead of many files.
  • Trust can be assigned to imported files on the fly, thereby simplifying workflows. Files can be signed and encrypted.
  • Updates can be configured to occur automatically on a specified schedule.
Use security settings files to backup and restore settings, to distribute settings in a workgroup or enterprise, and to send specific information to another user. Importing settings simply involves importing a file from a network (including automatically from a server) that has been exported from Acrobat and has then been made available from a trusted source.

The following options are available:

  • Specifying whether or not to poll a server for settings to import at regular intervals.
  • Configuring whether or not the user should grant permission prior to installing new settings.
  • Specifying a particular certificate so the signed settings will only be imported from a trusted source.

Summary table
AskBeforeInstalling Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
CheckEvery The polling interval to check the specified server for an updated security settings file.
data Binary data used for internal purposes.
iResourceID An internally used number created by Acrobat when it first sets up the "resource" pointed to by the URL. It is not user customizable.
LoadSettingsCERT Specifies a certificate that must be used to sign the imported security settings file.
LoadSettingsFromURL Specifies whether to load security settings from a server.
LoadSettingsNAME Specifies the signing certificate for the imported settings file.
LoadSettingsURL The server URL where the acrobatsecuritysettings file to import resides.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1209600
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary The polling interval to check the specified server for an updated security settings file.
Details The application can automatically check for and import a security settings file at regular intervals. The value is the number of seconds between checks for updates. Prior to March 2012, the default was 2419200. Possible values include:
  • 604800: 1 week
  • 1209600: 2 weeks (Default)
  • 2419200: 1 month
  • 7257600: 3 months
GUI mapping Preferences > Security > Security Settings panel > "Check every" radio buttons
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary The server URL where the acrobatsecuritysettings file to import resides.
Details These settings include all the settings that can be configured, imported, and exported from an .acrobatsecuritysettings file.
GUI mapping Preferences > Security > Security Settings panel > URL text box
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default 9.0: 0; 10.0: 1
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary Specifies whether to load security settings from a server.
Details Possible values include:
  • 0: Don't load settings from a server.
  • 1: Do load settings from a server.
GUI mapping Preferneces > Security > Security Settings panel > URL text box
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary Specifies a certificate that must be used to sign the imported security settings file.
Details The value is a hexadecimal string corresponding to the SHA-1 hash of the certificate used to sign the settings file.
GUI mapping Preferences > Security > Security Settings panel > Settings must be signed by field
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default Allow Any Certificate
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary Specifies the signing certificate for the imported settings file.
Details Admins can specify specific certificates that must be used to sign a settings file.
  • 0: Allow Any Certificate
  • 1: Any user-specified certificate
GUI mapping Preferences > Security > Settings must be signed by
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
Details
  • 0: Enable and install silently
  • 1: Enable and ask before installing
GUI mapping Preferences > Security > Security Settings panel > Ask before updating
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 9.0+
User Path Security\DigSig\CustomDownload
Lock Path Not lockable
Summary An internally used number created by Acrobat when it first sets up the "resource" pointed to by the URL. It is not user customizable.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 9.0+
User Path Security\DigSig\CustomDownload\LastChecked\
Lock Path Not lockable
Summary Binary data used for internal purposes.
Details It is not set during installation or for tuning pre-deployment clients. It can safely be deleted in an existing environment.
GUI mapping N/A

Extended Certificate Information

Summary table
CertIssuerInfo Contains a subkey for each certificate with extended information.
ExtendedCertInfo Contains a subkey for each certificate with extended information provided by attribute certificates.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default n/a
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Contains a subkey for each certificate with extended information provided by attribute certificates.
Details The subkeys take the form c{DIGEST} where {DIGEST} is a SHA-1 digest of the associated certificate's public key encoded as hexadecimal. For example, \cPubSec\cExtendedCertInfo\cAD6716326BDAC87628DFAD6716326. Each subkey contains the friendly name, related ID card, and associated attribute certificates.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default n/a
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Contains a subkey for each certificate with extended information.
Details The subkeys take the form c|{DN} where {DN} is the issuer certificate's distinguished name. For example, \cPubSec\cCertIssuers\c|cn=Adobe Systems, o=Acrobat Engineering. Each subkey contains the associated ID card for this issuer certificate.
GUI mapping N/A

Indentrust Preferences

Summary table
(someInteger) The default chain scope in which to look for the policy OIDs.
Value An array of strings containing the policy OIDs for a certificate to be considered acceptable.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default "iEnd"=dword:00000002 and "iStart"=dword:00000002
Version # 7.x+
User Path Security\AcceptablePolicyOIDs\
Lock Path Not lockable
Summary The default chain scope in which to look for the policy OIDs.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default See desc.
Version # 7.x+
User Path Security\AcceptablePolicyOIDs\(some integer)\
Lock Path Not lockable
Summary An array of strings containing the policy OIDs for a certificate to be considered acceptable.
Details For ICA certificates: Set to 1.2.840.114021.1.6.1 and 1.2.840.114021.1.2.1 For EE certificates: Set to 1.2.840.114021.1.4.1, 1.2.840.114021.1.4.2, 1.2.840.114021.1.7.2, 1.2.840.114021.1.10.1, 1.2.840.114021.1.10.2, 1.2.840.114021.1.13.2, 1.2.840.114021.1.16.2, 1.2.840.114021.1.19.2, 1.2.840.114021.1.22.2, 1.2.840.114021.1.25.2, 1.2.840.114021.1.28.2, 1.2.840.114021.1.30.2
GUI mapping N/A

Custom Security Handlers

Security handlers are Acrobat plugins. Information about creating plugins in general and security handlers in particular can be found in the Acrobat Software Development Kit (SDK) and its HFTs, header files, and other API documentation. Because Acrobat's Adobe.PPKLite is becoming more feature rich with each release, it is unlikely that you will need a custom security handler.

Adobe.PPKLite is the default security handler used for performing private key functions, validating signatures, and signing and encrypting documents. This is represented in the user interface as Adobe Default Security in the Digital Signatures Advanced Preferences dialog on both the Verification and Creation tabs. Administrators can install custom handlers to perform these functions, in which case the drop down lists on these tabs will list the additional handlers. All entries in the cHandler folder are reset by the Digital Signature Preferences dialog's Reset button.

If a custom handler is used, you can specify the following:

  • Separate handlers for signing/encryption and signature validation.
  • The default method displayed in the drop-down list of handlers.
  • Lock down the selections so they cannot be modified by end users.

Summary table
AddressBook Remembers a preferred handler for accessing Trusted Identity Manager functions including certificate data import from an FDF file.
Dialogs:xSelHandler The last on-screen coordinates of a handler's digital ID selection dialog
Directory Remembers a preferred handler for directory functions (e.g. LDAP), including for importing directory information from an FDF data exchange file.
PrivKey Used by DigSig and PubSec to store the handler that accesses private key functions.
Verify Remembers the name of the preferred handler to use when verifying signatures.
VerifyUseAlways Qualifies the use of aVerify.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default Adobe.PPKLite
Version # 7.x+
User Path Security\Handlers
Lock Path FeatureLockDown\Security\Handlers
Summary Used by DigSig and PubSec to store the handler that accesses private key functions.
Details It is used for signing, decryption, and responding to an FDF file request to export contact information. The value should be set to Adobe.NoHandler if it is desired that the user be asked to select a handler.
GUI mapping Preferences > Security > Advanced Preferences > Creation tab > Method to use When Signing and Encrypting Documents
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default Adobe.NoHandler
Version # 7.x+
User Path Security\Handlers
Lock Path FeatureLockDown\Security\Handlers
Summary Remembers the name of the preferred handler to use when verifying signatures.
Details If this value is not set, then the handler used to verify signatures is the handler that matches the Filter attribute in the signature dictionary; if this handler is not available, then the user is prompted to select a handler. If this value is set then, its meaning is qualified by the value of bVerifyUseAlways.
  • Adobe.NoHandler: Use the document-specified method, prompt if it is not available.
  • Adobe.PPKLite: Use the document-specified method, use the default method if it is not available.
  • The value set in aPrivKey: Always use the default method (overrides the document-specified method). Takes the value selected from Default Method for Verifying Signatures.
GUI mapping Preferences > Security > Advanced Preferences > Verification tab > the radio button selections under "When Verifying:"
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type
Default 0
Version # 7.x+
User Path Security\Handlers
Lock Path FeatureLockDown\Security\Handlers
Summary Qualifies the use of aVerify.
Details If true and aVerify is set to a handler name, then this handler is used to verify all signatures. If false, then the aVerify handler is used only to verify signatures when the handler specified by the signature dictionary Filter attribute is not present.
GUI mapping Preferences > Security > Advanced Preferences > Always use the default method (overrides the document-specified method)
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default null
Version # 7.x+
User Path Security\Handlers
Lock Path Not lockable
Summary Remembers a preferred handler for accessing Trusted Identity Manager functions including certificate data import from an FDF file.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default null
Version # 7.x+
User Path Security\Handlers
Lock Path Not lockable
Summary Remembers a preferred handler for directory functions (e.g. LDAP), including for importing directory information from an FDF data exchange file.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # 7.x+
User Path Security\DigSig
Lock Path Not lockable
Summary The last on-screen coordinates of a handler's digital ID selection dialog
Details It is a subkey containing 4 keys: Top, Bottom, Left, and Right. This preference could be used by 3rd party handlers or by someone invoking a non-signing digital ID selection dialog via JavaScript.
GUI mapping N/A

FDF Import and Export

The File Data Exchange Format (FDF) provides a format for easily importing and exporting certificate data and application settings. These settings appear in Security\cPubSec after a client uses the feature.

The default values are stored internally by the application and are not visible in the registry. An administrator can set the default behavior, but your configuration is subject to modification by end users via the user interface.

The following features are available:

  • Specifying whether the default export behavior is to save or email the file.
  • Specifying whether the default export behavior is to sign the file.
  • Specifying whether the default certificate request behavior is to save or email the file.
  • Enabling or disabling WebBuy FDF processing (deprecated).

Summary table
FDFExportSave Persists whether user chose to save (1) or email (0) the FDF during export.
FDFExportSign Persists whether the user chose to sign the FDF during export.
FDFRequestExcludeCert Similar to the bFDFRequestSave.
FDFRequestSave Caches a user's answer to the question whether they want to save the request as an FDF or email it directly when that user requests a certificate.
WebBuyFDF Enables WebBuy FDF file processing.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7+
User Path Security\PubSec
Lock Path Not lockable
Summary Persists whether user chose to save (1) or email (0) the FDF during export.
GUI mapping Save as and Email radio buttons in export dialog.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7+
User Path Security\PubSec
Lock Path Not lockable
Summary Persists whether the user chose to sign the FDF during export.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7+
User Path Security\PubSec
Lock Path Not lockable
Summary Similar to the bFDFRequestSave.
Details False includes the user's certificate in all certificate requests. True excludes it.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7+
User Path Security\PubSec
Lock Path Not lockable
Summary Caches a user's answer to the question whether they want to save the request as an FDF or email it directly when that user requests a certificate.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 6.0-8.0
User Path Security\PubSec
Lock Path Not lockable
Summary Enables WebBuy FDF file processing.
GUI mapping N/A

Security Settings Console

Security Settings Console preferences persist information about the state of the console user interface. These preferences are user generated and implementation specific and are likely to change across application versions. These keys are not customizable and are provided for informational purposes only.

Summary table
Category A binary ID of the last-selected category in the tree view.
OpenCategories An array of binary IDs for all categories in the tree view that were opened.
SHS Indicates (in pixels) the position of the horizontal window splitter.
SVS Indicates (in pixels) the position of the vertical window splitter.
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # 7.0+
User Path Security\SecurityConsole\
Lock Path Not lockable
Summary Indicates (in pixels) the position of the vertical window splitter.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # 7.0+
User Path Security\SecurityConsole\
Lock Path Not lockable
Summary Indicates (in pixels) the position of the horizontal window splitter.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 6 (binary)
Default null
Version # 7.0+
User Path Security\SecurityConsole\
Lock Path Not lockable
Summary A binary ID of the last-selected category in the tree view.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type
Default null
Version # 7.0+
User Path Security\SecurityConsole\
Lock Path Not lockable
Summary An array of binary IDs for all categories in the tree view that were opened.
GUI mapping N/A

Certificate Viewer Configuration

By default, the Certificate Viewer builds and displays the trusted chain from the EE to the trust anchor. However, it is possible to show all found chains whether they are trusted or not. While most users do not need this information, it can be used for troubleshooting and verification. End users can turn this option on and off by using the Certificate Viewer's checkbox Show all certification paths found.

Summary table
ShowAllChains Specifies whether to show all chains in the Certificate Viewer.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Specifies whether to show all chains in the Certificate Viewer.
Details If true, the Certificate Viewer shows all the chains; otherwise, it shows only the trusted chain. If there are no trusted chains, then all the chains are shown and this preference is ignored.
GUI mapping N/A

Password Caching

By default, password caching is turned on so that users will not always have to enter a password when one is required. This feature affects Adobe LiveCycle Rights Management Server log in, signing with digital IDs in the Acrobat store (pfx or p12 files), changing password timeout policies, and creating new password security policies. For example, setting the option to false disables the menu option Save password with the policy when creating a new policy.

The following options are available:

  • Controlling whether some passwords are cached to disk.
  • Disabling the option to save a password with a policy.
  • Streamlining Adobe LiveCycle Rights Management Server workflows. This key does not exist in HKCU. It can only be used in HKLM.
Note: Disabling Never ask for password on a digital ID's password timeout dialog does not work in version 9.0.

Summary table
AllowPasswordSaving Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs.
Security hardeningSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
Lock Path FeatureLockDown\Security\PPKLite
Summary Controls whether certain passwords can be cached to disk; for example, passwords for digital IDs.
Details If false, users are prompted to enter a password every time one is required. Not all passwords are affected by this setting.
GUI mapping User interface items where passwords are used: Save passwords with the policy in the New Security Policy dialog; Never checkbox on the Password timeout dialog.

Examine Document

The Examine Document dialog box identifies hidden document information that might pose a risk to the integrity of security and signature workflows. Found content is listed and linked to in the Examine Document pane. Users can click on a link to view the content and check/uncheck items to mark them for removal. Checked items are removed when the user selects the Remove button.

The following options are available:

  • Examining a document each time it is closed.
  • Examining a document each time it is emailed.

Summary table
AutoLaunchAtDocClose Automatically examines the document for hidden content when it is closed.
AutoLaunchAtSendMail Automatically examines the document for hidden content when it is sent in an email.
DontRemoveOverlapping Specifies whether to remove hidden content when sanitizing a document.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 9.0+
User Path Security
Lock Path Not lockable
Summary Automatically examines the document for hidden content when it is closed.
GUI mapping Preferences > Document > Examine document when closing document
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 9.0+
User Path Security
Lock Path Not lockable
Summary Automatically examines the document for hidden content when it is sent in an email.
GUI mapping Preferences > Document > Examine document when sending document by email
Supported on WindowsSupported on MacSupported by Acrobat
Data type 0 (bool)
Default 1
Version # October, 2020 Continuous
User Path Security
Lock Path Not lockable
Summary Specifies whether to remove hidden content when sanitizing a document.
Details During sanitization workflows, the app automatically rasterizes the document if overlapping content exists. This can result in a large file size increase. Disable this feature to avoid extremely large files.
  • 0: Remove hidden (overlapping) content.
  • 1: Do not remove hidden content when sanitizing a document.
GUI mapping Preferences > Document > Do not remove overlapping conent while sanitizing document.

Roaming ID Configuration

These preferences are only used for signature workflows where users access roaming IDs on a roaming ID server. While the needed configuration can be handled through the user interface by end users, you can set the following:

  • Specifying a Default Roaming ID Server : When a user adds a roaming ID account through the GUI, a dialog asks for a friendly name and a server URL. If no other accounts have been configured and cDefaultServerInfo exists in the preferences, its values populate both the friendly server name and URL fields in the Add a Roaming ID dialog.
  • Specifying one or more authentication methods.

Summary table
ServerName A user friendly roaming ID server name.
URL The URL of the Roaming ID server.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\ASPKI\Adobe_RoamingID\DefaultServerInfo
Lock Path Not lockable
Summary A user friendly roaming ID server name.
GUI mapping Add a Roaming ID panel.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\ASPKI\Adobe_RoamingID\DefaultServerInfo
Lock Path Not lockable
Summary The URL of the Roaming ID server.
GUI mapping Add a Roaming ID panel.

Roaming ID Provider Persistent Storage

These preferences store roaming ID server data. Some values are provided by the user and some are provided by the server. These keys cannot be customized and are provided for informational purposes only.

Summary table
Accounts Contains entries for user accounts on roaming ID servers that the provider knows about.
RecentServerURLs Contains an array of roaming ID server URLs recently entered by the user.
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC(version)
Lock Path Not lockable
Summary Contains entries for user accounts on roaming ID servers that the provider knows about.
Details Every account is identified by a unique 9-character key such as cAB2CFECD.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC(version)
Lock Path Not lockable
Summary Contains an array of roaming ID server URLs recently entered by the user.
GUI mapping N/A

Roaming ID Server Data

These preferences are created as a result of communications with a roaming ID server. Whether or not you customize these settings is determined by the needs or your particular implementation.

Summary table
Credentials The value is provided by the server.
SAML_Assertion Holds an encrypted SAML assertion obtained during last successful authentication.
SAML_Assertion_Expiration Holds the time after which roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion.
SAML_Assertion_Source Holds the URL of the authentication server from which the SAML assertion stored in cSAML_Assertion was obtained.
SAML_Name_Format SAML_NAME_<Value, Format, Qualifier> comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
SAML_Name_Qualifier SAML_NAME_<Value, Format, Qualifier> comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
SAML_Name_Value SAML_NAME_<Value, Format, Qualifier> comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
SASL_Mechanism The SASL id of the authentication mechanism.
SASL_UserName The mechanism-specific persistent data.
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary The value is provided by the server.
Details An array of certificates corresponding to digital IDs available through this account. The certificates are in the binary X.509 format.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary Holds an encrypted SAML assertion obtained during last successful authentication.
Details Possession of this assertion is proof of a user's identity. Therefore, the assertion is encrypted using 256-bit AES algorithm in CBC mode. The encryption key is stored in Microsafe database that is protected by the OS login. There are two binary entries under the cSAML_Assertion cab: xEncryptedData contains the encrypted assertion, 'xIV' contains the initialization vector used by the AES encryption algorithm for this assertion.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary Holds the time after which roaming ID provider will not attempt to use the SAML assertion stored in cSAML_Assertion.
Details This time is calculated when an assertion is first obtained and takes into account the clock difference between the client machine and the server that generated the assertion. Time is represented in BER GeneralizedTime format without the type and length octets.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary Holds the URL of the authentication server from which the SAML assertion stored in cSAML_Assertion was obtained.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary SAML_NAME_<Value, Format, Qualifier> comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
Details The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanisms.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary SAML_NAME_<Value, Format, Qualifier> comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
Details The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanisms.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary SAML_NAME_<Value, Format, Qualifier> comprise the subject name identifier taken from the SAML assertion received during the account's last user authentication.
Details The identifier is essentially a machine-readable user name that is unaffected by the choice of authentication mechanisms.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary The SASL id of the authentication mechanism.
Details For example, a user name and password mechanism may store the username so that only the password needs to be entered during consequent authentications.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PPKHandler\RC
Lock Path Not lockable
Summary The mechanism-specific persistent data.
Details Some authentication implementations may store user data. For example, a user name and password mechanism may store the username so that only the password needs to be entered during consequent authentications.
GUI mapping N/A

Roaming ID Authentication

The authentication mechanism provider pertains only to roaming IDs. It enables you to specify one or more authentication mechanisms. The mechanism must be supported by the roaming ID server with which the application communicates.

The following features are available:

  • Enabling multiple authentication mechanisms.
  • Limiting the authentication mechanism to one specified type.
  • Turning off authentication so that roaming IDs cannot be used.

Summary table
AuthMechanisms Specifies which registered provider(s) to use.
AuthMechanisms An array of text entries (t0-tn) where each entry contains the name of a registered provider.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 8.0+
User Path Security\ASPKI\SPIs
Lock Path Not lockable
Summary Specifies which registered provider(s) to use.
Details
  • 0: Use none of the registered providers.
  • 1: Use first registered provider.
  • 2: Use all registered providers.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default An array of all values listed in the description.
Version # 8.0+
User Path Security\ASPKI\SPIs
Lock Path Not lockable
Summary An array of text entries (t0-tn) where each entry contains the name of a registered provider.
Details
  • PLAIN: A mechanism defined in RFC2595 consisting of a single message specifying the user's ID and password.
  • ASSP-Kerberos: A mechanism commonly used on Windows that passes a Single Sign On token and receives back a SAML assertion.
  • ASSP-ArcotID: A mechanism recognized by Arcot roaming ID servers.
  • ASSP-QnA: A mechanism that initiates a question-answer dialog between the user and server.
GUI mapping N/A

Kerberos Authentication

This option is only relevant if the ASSP-Kerberos SPI is selected.

Summary table
ServiceName The administrator-specified roaming ID Kerberos service name.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 8.0+
User Path Security\ASPKI\Kerberos_AuthMechanism
Lock Path Not lockable
Summary The administrator-specified roaming ID Kerberos service name.
Details If the key is not present, the default value of ASSP is assumed. If the key is present and the value is empty string, Acrobat asks the roaming ID service for it's Kerberos service name. This method is not secure and enterprises are advised not to use this option.
GUI mapping N/A

Self Sign Digital IDs

By default, users can create self signed digital IDs. However, if you would like to prevent users from creating their own IDs, turn this feature off. Disabling this option prevents users from selecting Create a self-signed ID option in Add ID workflows.

Summary table
SelfSignCertGen Specifies whether or not the Create a self-signed ID option in Add ID workflows is available.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary Specifies whether or not the Create a self-signed ID option in Add ID workflows is available.
Details Prevents users from creating a self-signed digital ID. Note that for products released after June 2016, disabling a user's ability to create a self-signed digital ID requires setting both bSelfSignCertGen and bEnableCEFBasedUI to 0. Possible values include:
  • 0: Don't allow creating self-signed digital IDs.
  • 1: Allow self-signed digital IDs.
GUI mapping Create a self-signed digital ID for use with Acrobat.

PKCS#11 Configuration

The key contains a list of P11 modules the user has loaded by choosing Attach Modules in the Security Settings console. By specifying a valid path to a PKCS#11 DLL, modules can be pre-attached to installed clients. Because various errors appear as a result of a bad filename or pointing to a dll that is not a valid PKCS#11 module, test the settings and file before distributing them.

The following options are available:

  • Preconfiguring the key when tuning the installer and distributing the module file or when modules are already installed.
  • Setting the default browse path in which to look for additional modules.
For Reader X (10.0), not all PKCS#11 devices may work with Protected Mode (PM) enabled. However, in most cases, they do. Installation of such devices usually involves disabling Protected Mode, installing the driver, restarting the application, and then re-enabling Protected Mode. For the latest information about PM compatibility with certain features, see http://kb2.adobe.com/cps/860/cpsid_86063.html.

Summary table
Modules Array of dynamic library paths to PKCS#11 modules.
P11Credentials Contains an array of subcabs for all known PKCS#11 digital IDs.
P11Path Stores the last folder in which the user browsed for a P11 module.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default n/a
Version # 7.x+
User Path Security\ASPKI\Adobe_P11CredentialProvider\
Lock Path Not lockable
Summary Array of dynamic library paths to PKCS#11 modules.
Details These may not necessarily be full paths but just something that the OS dynamic library loading functions will accept. For example, t0 may be a path to C:\WINDOWS\system32\dkck201.dll.
GUI mapping Security Settings console > Attach Module
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default n/a
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary Stores the last folder in which the user browsed for a P11 module.
Details The next time the user goes to add a P11 module browsing starts in that folder.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default n/a
Version # 7.x+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Contains an array of subcabs for all known PKCS#11 digital IDs.
Details The format is as follows:
  • xCert: Binary value of the certificate
  • 1: xTokenKey: Binary value generated from the IDs PKCS#11 token. The binary value is generated with the following method: Initialize SHA-1 digest, add the digest the value of the token label, token manufacturer, token model, and token serial. Finish the SHA-1 digest operation. The resulting 20-byte value is the token key.
GUI mapping N/A

Digital ID Defaults

Most digital ID default values are set by the application when a user first uses an ID or manually specifies a default value in the Security Settings Console. Moreover, since user actions will overwrite some preconfigured value an administrator might provide, setting many of these properties is usually not worthwhile. However, it is possible and the following options are available:

  • Specifying a default URL to obtain a new digital ID. This value is NOT overwritten by user actions.
  • Listing a set of attribute certificates.
  • Specifying a default signing ID. This value is end user-specific.
  • Specifying a default encryption ID. This value is end user-specific.
  • Customizing a default directory server used to locate certificates that can be imported into the Trusted Identity Manager.
Note : Acrobat 9.0 users who configure a 3rd party security handler plugin may find that their non-default choice does not stick if the plugin calls PSUNregisterHandler(). That is, each time Acrobat restarts, the non-default security handler choice is lost. To fix the problem, change the plugin code to not call PSUNregisterHandler().

Summary table
ACs Contains a set of attribute certificates as binary data.
CertSHA1 Identifies the default signing digital ID by its SHA1 hash of the public key.
CertSHA1 Identifies the default encryption digital ID by its SHA1 hash of the public key.
CredProvider Identifies credential service provider interface for the default signing digital ID.
CredProvider Identifies credential service provider interface for the ASPKI provider which exposes this digital ID.
CustomPrefsCreated Indicates whether a custom certificate specific preference (e.g. Identrus) has already been created and written to the registry.
DefDirectory Default directory to use when searching for digital IDs.
DefEnrollmentURL The destination URL when the user selects <b>Enroll at an online CA</b> while adding a new digital ID.
DigitalIDFiles Contains an array of subcabs for all application-known digital ID files.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary The destination URL when the user selects <b>Enroll at an online CA</b> while adding a new digital ID.
GUI mapping Enroll at an online CA in the New Digital ID workflow
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 7.x+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Contains an array of subcabs for all application-known digital ID files.
Details The format is as follows:
  • cPath: The path of to the digital ID file.
  • cCredentials: An array of certificates that have corresponding private keys in the file.
  • cCertificates: An array of certificates that are in the file but do not have an associated private key (usually CA certs). Certificates are stored as binary data.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 7.x+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Contains a set of attribute certificates as binary data.
Details Each certificate is indexed with an integer 0 to N. The value is only set when a user imports attribute certificates.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.x+
User Path Security\PPKHandler\CredSign
Lock Path Not lockable
Summary Identifies credential service provider interface for the default signing digital ID.
Details The value is set when a user opens the Security Settings Console and specifies a default signing ID. The value depends on the type of selected ID. For example, setting a self signed digital ID would result in a value of Adobe_FileCredentialProvider. See also xCertSHA1.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.x+
User Path Security\PPKHandler\CredSign
Lock Path Not lockable
Summary Identifies the default signing digital ID by its SHA1 hash of the public key.
Details The value is set when a user opens the Security Settings Console and specifies a default signing ID. See also tCredProvider .
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.x+
User Path Security\PPKHandler\CredCrypt
Lock Path Not lockable
Summary Identifies credential service provider interface for the ASPKI provider which exposes this digital ID.
Details The value is set when a user opens the Security Settings Console and specifies a default signing ID. The value depends on the type of selected ID. For example, setting a self signed digital ID would result in a value of Adobe_FileCredentialProvider . See also xCertSHA1.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.x+
User Path Security\PPKHandler\CredCrypt
Lock Path Not lockable
Summary Identifies the default encryption digital ID by its SHA1 hash of the public key.
Details The value is set when a user opens the Security Settings Console and specifies a encryption signing ID. See also tCredProvider.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.x+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Indicates whether a custom certificate specific preference (e.g. Identrus) has already been created and written to the registry.
Details If true, it doesn't get created again. Deleting or setting this key to 0 forces Acrobat to recreate custom certificate preferences after which it will reset this key to 1.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default Adobe.PPKMS.ADSI.dir0
Version # 7.x+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Default directory to use when searching for digital IDs.
Details On Windows, the Adobe.PPKMS security handler provides access through the Microsoft Active Directory Script Interface (ADSI) to all the directories the user created in the Security Settings Console. These directories are named in the format of (directory handler) + (index). For example, Adobe.PPKMS.ADSI.dir0, Adobe.PPKMS.ADSI.dir1, and so on. Unsupported for Linux and Macintosh.
GUI mapping Setting a default search directory affects the UI in two places: A star appears next to the default directory in the Security Settings Console and the directory is moved to the top of the directories' drop down list in the Trusted Identities Manager's Search for Recipients dialog.

Digital ID File Import and Export

The digital ID default path preferences point to the application security folder. For example, C:\Documents and Settings\(user name)\Application Data\Adobe\Acrobat\8.0\Security. The path is used when the user imports or exports an ID from the Security Settings Console. Since the application remembers the last accessed directory, if a user chooses a different directory, that action will overwrite the preconfigured value an administrator might provide.

The following options are available:

  • Specifying a default path for exporting and importing digital ID certificates (does not include private keys).
  • Specifying a default path for saving newly created digital ID files.

Summary table
EmbeddedFilePath The path last chosen for extracting an embedded file from a WebBuy FDF.
ExportPath Default path for exporting credentials.
ImportPath Default path for importing credentials.
ProfilePath Default path for storing profile files such as PKCS#12 files.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default See description below.
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary Default path for exporting credentials.
Details Used by all security plugins. The default value is the application security folder. For example, C:\Documents and Settings\<user name>\Application Data\Adobe\Acrobat\8.0\Security.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default See the description.
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary Default path for importing credentials.
Details Used by all security plugins. The default value is the application security folder. For example, C:\Documents and Settings\<user name>\Application Data\Adobe\Acrobat\8.0\Security.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default See description below.
Version # 6.0-8.0
User Path Security\PubSec
Lock Path Not lockable
Summary The path last chosen for extracting an embedded file from a WebBuy FDF.
Details The first time an embedded file is extracted from an FDF the user is asked where to save it.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default See the description.
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary Default path for storing profile files such as PKCS#12 files.
Details This is used both when creating new digital ID files and when browsing for existing files. Used by all security plugins.
GUI mapping N/A

Adobe Acrobat Trust List

The Adobe Approved Trust List (AATL) program allows signers to automatically trust digital signatures chain to the trustworthy AATL certificates. By default, both Acrobat and Reader download a list of "trusted" root digital certificates automatically. 9.x products download every 90 days while 10.x and later products download every 30 days.

To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust.For more about the AATL program, see the AATL pageand this blog.

Summary table
AskBeforeInstalling Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
CheckEvery The value in seconds that the application should check for new certificates to download from Adobe.
data Binary data used for internal purposes.
LoadSettingsFromURL Specifies whether or not trust anchors should be periodically downloaded from Adobe.
ResourceID An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 9.0+
User Path Security\DigSig\AdobeDownload
Lock Path Not lockable
Summary Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
Details
  • 0: Enable and install silently
  • 1: Enable and ask before installing
GUI mapping Preferences > Trust Manager > Adobe certificate settings panel > Ask before installing checkbox
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 9.x and earlier: 0; 10: 1
Version # 9.0+
User Path Security\DigSig\AdobeDownload
Lock Path Not lockable
Summary Specifies whether or not trust anchors should be periodically downloaded from Adobe.
Details
  • 0: Don't load settings from an URL.
  • 1: Do load settings from an URL.
GUI mapping Preferences > Trust Manager > Adobe certificate settings panel > Load security settings from a server
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 604800
Version # 9.0+
User Path Security\DigSig\AdobeDownload
Lock Path Not lockable
Summary The value in seconds that the application should check for new certificates to download from Adobe.
Details If this preference exists, the default is one week. Set this to 0 if you'd like the application to check on startup.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default varies
Version # 9.0+
User Path Security\DigSig\AdobeDownload
Lock Path Not lockable
Summary An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 9.0+
User Path Security\DigSig\AdobeDownload\LastChecked\
Lock Path Not lockable
Summary Binary data used for internal purposes.
GUI mapping N/A

European Union Trust List

Like the AATL program, the European Union Trust List (EUTL) program allows signers to automitically trust digital signatures that chain to trustworthy EUTL certificates. While the feature was introduced with 11.0.06, the first EUTL trust lists were made available with the October 13, 2015 release.

To assure that downloaded (as well as any other) trust anchors have not been revoked, configure bRevCheckTrust.

Note that both the AATL and EUTL features load certificates into the user's Acrobat Address Book (Acrobat Trust Store). The addition of the EUTL certificates increases the size of the address book and can affect the performance of signature validation in versions 11.0.06 to 11.0.10. Later product versions should validate in about 1/2 second. If you experience performance issues, update to the latest product. Alternatively, you can remove the EUTL preference (not recommended).

For more about the EUTL program, see the blog.

Summary table
AskBeforeInstalling Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
CheckEvery The value in seconds that the application should check for new certificates to download from Adobe.
data Binary data used for internal purposes.
LoadSettingsFromURL Specifies whether or not trust anchors should be periodically downloaded from Adobe.
ResourceID An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 11.0.06+
User Path Security\DigSig\EUTLDownload
Lock Path Not lockable
Summary Specifies whether these types of trust anchors should be imported silently or Acrobat should ask permission from the user. To disable this feature, set tLoadSettingsFromURL to 0.
Details
  • 0: Enable and install silently
  • 1: Enable and ask before installing
GUI mapping Preferences > Trust Manager > European Union certificate settings panel > Ask before installing checkbox
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 11.0.06+
User Path Security\DigSig\EUTLDownload
Lock Path Not lockable
Summary Specifies whether or not trust anchors should be periodically downloaded from Adobe.
Details
  • 0: Don't load settings from an URL.
  • 1: Do load settings from an URL.
GUI mapping Preferences > Trust Manager > European Union certificate settings panel > Load security settings from a server
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 604800
Version # 11.0.06+
User Path Security\DigSig\EUTLDownload
Lock Path Not lockable
Summary The value in seconds that the application should check for new certificates to download from Adobe.
Details If this preference exists, the default is one week. Set this to 0 if you'd like the application to check on every startup.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default varies
Version # 11.0.06+
User Path Security\DigSig\EUTLDownload
Lock Path Not lockable
Summary An internally used number created by Acrobat when it first sets up the resource pointed to by the URL.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 11.0.06+
User Path Security\DigSig\EUTLDownload\LastChecked\
Lock Path Not lockable
Summary Binary data used for internal purposes.
GUI mapping N/A

Windows Integration

While Acrobat has its own store, the Windows store may already contain needed certificates or your enterprise may simply be a Windows shop. Windows integration allows end users to search for and use certificates in the Windows Certificate Store.

End users can configure their application for Windows integration through the application's Preference panel. Configuration options allow users to search the Windows store from the Trusted Identity Manager (through the Search button), set trust levels for any found certificate, and choose which certificates to use for encryption (once the certificate is located and added to the Trusted Identity Manager). If a user has a personal ID in the Windows store, it appears in the Security Settings Console automatically without any special configuration.

Administrators can control whether clients can access MSCAPI through Acrobat so that users can find, use, and set trust levels for Windows certificates.

The following options are available:

  • Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.
  • Setting separate trust levels for approval and certification signatures.
  • Preventing end user modification of certificate trust levels.
  • Tuning the service provider interface for:
    • Certificate Providers (for Signing and Decryption)
    • Revocation Checker Providers
    • Signature Validation Directory Providers

Summary table
CertStoreImportEnable If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager.
MSStoreTrusted Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying.
MSStoreTrusted Locks the UI so that end users cannot change the value set by iMSStoreTrusted
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 0x00
Version # 7.0+
User Path Security\ASPKI\MSCAPI_DirectoryProvider
Lock Path Not lockable
Summary Controls whether or not certificates in the Windows Certificate Store are trusted for signing and certifying.
Details To lock this setting, use bMSStoreTrusted. Allowable values include:
  • 0x00: No checkbox selected.
  • 0x60: Validating Signatures.
  • 0x62: Validating Certified Documents and Signatures. Note that this setting disables the Validating Signatures checkbox because it also controls non-certified signatures and users should not be able to uncheck that checkbox.
GUI mapping Preferences > Security > Advanced Preferences > Windows Integration > (both Windows settings: Validating Signatures and Validating Certified Documents.)
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # 7.0+
Lock Path FeatureLockDown\Security\ASPKI\MSCAPI_DirectoryProvider
Summary Locks the UI so that end users cannot change the value set by iMSStoreTrusted
Details Set iMSStoreTrusted first, then use this preference to lock it. Allowable values include:
  • 0: Lock the UI.
  • 1: Same as null. Don't lock the UI.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.x+
User Path Security\PPKHandler
Lock Path Not lockable
Summary If true, then users can import from MSCAPI certificate stores into their Trusted Identity Manager.
GUI mapping Preferences > Security > Advanced Preferences > Windows Integration tab > Enable searching the Windows Certificate Store for certificates other than yours

Trusted Identity List Configuration

The trusted identity list contains all of a users imported certificates that they use for validating someone else's signature or encrypting a document for them. The list is maintained and managed via the Trusted Identity Manager; however, administrators can preconfigure applications to use non-default list files, add certificates from the Windows, store, and so on.

The following options are available:

  • Creating a custom filename/file for the trusted identity list.
  • Specifying a non-default security handler to control Trusted Identity Manager functions. For details, see aAddressBook.
  • Adding the Windows Certificate Store as a searchable repository with bCertStoreImportEnable.
  • Turning off and on the ability to automatically download certificates sent by Adobe to users over the internet via bLoadSettingsFromURL.

Summary table
AddressBook The filename the Trusted Identity Manager uses to read and write addressbook data.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default addressbook.acrodata
Version # 7.x+
User Path Security\PubSec
Lock Path Not lockable
Summary The filename the Trusted Identity Manager uses to read and write addressbook data.
GUI mapping N/A

Signature Validation Directory Providers

The directory provider SPI provides access to trust anchors and intermediate CAs used for signature validation. By default, certificates in all of the supported locations are used.

The following options are available:

  • Preventing or allowing access to certificates in P12 files. End users must also be logged in to the file.
  • Preventing or allowing access to certificates in the Trusted Identity Manager.
  • Preventing or allowing access to certificates in the Window Certificate Store.
  • Preventing or allowing access to self-signed certificates created by an Adobe application.

Summary table
DirectoryProvider Specifies a directory provider for signature validation.
DirectoryProvider An array of text entries (t0-tn) containing the name of a registered provider.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 7+
User Path Security\ASPKI\SPIs
Lock Path Not lockable
Summary Specifies a directory provider for signature validation.
Details
  • 0: Use none of the registered providers.
  • 1: Use first registered provider.
  • 2: Use all registered providers.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default All of the available values. See the description.
Version # 7+
User Path Security\ASPKI\SPIs
Lock Path Not lockable
Summary An array of text entries (t0-tn) containing the name of a registered provider.
Details
  • Adobe_FileCredentialDirectoryProvider: Provides access to PKCS#12 files.
  • AAB_DirectoryProvider: Provides access to the Trusted Identity Manager.
  • MSCAPI_DirectoryProvider: Provides access to the Windows Certificate Store.
  • Adobe_SelfSignedCredDirectoryProvider: Provides access to self signed certificates created by Acrobat.
GUI mapping N/A

Signature Validation (Main Settings)

While users can configure these general signature validation preferences via the GUI, admins usually preconfigure the application.

The following options are available:

  • Controlling whether all signatures are validated when a document opens.
  • Specifying which time to use when validating a signature.
  • Specifying when to do revocation checking as well as the affect of a failed or bad response.
  • Using expired timestamps.
  • Showing timestamp warnings in the Document Message Bar.

Summary table
enableCTK Controls support for CryptoTokenKit-based smart cards on Mac
ReqRevCheck Specifies whether revocation checks are required to succeed.
ReqRevCheck Locks Security\cASPKI\cASPKI\cVerify\iReqRevCheck and disables the user interface item.
ShowSignerWarnings Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature.
ShowTSWarnsInDMB Specifies whether to show timestamp warnings in the Document Message Bar.
SigVerificationTime Indicates the time at which signature validation should occur.
ValidateOnOpen Specifies whether to automatically validate all signatures on document open.
Supported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 2019.012.20036, 2017.011.30144 (both tracks)
User Path Security\ASPKI\ASPKI\enableCTK
Lock Path Not lockable
Summary Controls support for CryptoTokenKit-based smart cards on Mac
Details Possible values include:
  • 0: Don't allow CryptoTokenKit-based smart cards.
  • 1: Use CryptoTokenKit-based smart cards for signing.
GUI mapping Preferences > Signatures > Creation and Appearance > More > Enable CryptoTokenKit framework support
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\DigSig
Lock Path FeatureLockDown\Security\DigSig
Summary Specifies whether to automatically validate all signatures on document open.
Details Note that the lockable setting does not configure the feature; instead, it locks what is set in HKCU and the user interface.
  • 0: Don't validate signatures on document open.
  • 1: Validate signatures on document open.
GUI mapping Preferences > Security > Verify signatures when the document is opened
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 9.4.6+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Specifies whether to show a warning that there is a greater forgery risk when revocation information is embedded in the signature.
Details Because this warning was removed from 10.x products, this preference is only applicable to 9.4.6 and later products in the 9.x line. Possible values include:
  • 0: Don't show the warnings.
  • 1: Do show the warnings.
GUI mapping The Signer tab in the Signature Properties dialog.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1 (9.1 and later: 2)
Version # 7.0+
User Path Security\PPKHandler
Lock Path Not lockable
Summary Indicates the time at which signature validation should occur.
Details Possible values include:
  • 0: Always carry out the verification at current time
  • 1: Use the signing time if it's secure (e.g. timestamped), else use current time
  • 2: Always use signing time
GUI mapping Preferences > Security > Advanced Preferences > Verification tab
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 9.1-10.0
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether to show timestamp warnings in the Document Message Bar.
Details For 9.1, a bug prevented this feature from working.
  • 0: Warnings do not appear in the DMB.
  • 1: Warnings appear in the DMB.
GUI mapping Preferences > Security > Advanced Preferences > Verification tab > Show timestamp warnings in Document Message Bar
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 7.0+
User Path Security\ASPKI\ASPKI\Verify
Lock Path Not lockable
Summary Specifies whether revocation checks are required to succeed.
Details The user interface exposes this preference as a binary value to simplify the end user experience. A checked checkbox translates to 2 (RequiredIfInfoAvailable). An unchecked checkbox translates to 0 (No checks). This check doesn't affect ubiquity signature verification where the value is always 1. Interacts with other iReqRevCheck settings. Possible values include the following:
  • 0: Don't do revocation checks.
  • 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; don't fail if the check fails.
  • 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
  • 3: Require a check; it must succeed under all circumstances.
Note: Lockable via bReqRevCheck
GUI mapping Preferences > Security > Advanced Preferences > Verification tab > Require certificate revocation checking to succeed. . .
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
Lock Path FeatureLockDown\Security\ASPKI\ASPKI\Verify
Summary Locks Security\cASPKI\cASPKI\cVerify\iReqRevCheck and disables the user interface item.
GUI mapping Preferences > Security > Advanced Preferences > Verification tab > Require certificate revocation checking to succeed . . .

Signature Validation Status Icons

By default, when an application validates a signature it displays a signature status icon in the Signature Properties dialog, and in the Signatures Pane. You can customize status icon behavior for a particular enterprise requirement. For example, a blue i appears on a signature status icon based on certain rules when a document is changed after it was signed.

The following options are available:

  • Turning on the icon for signature appearances with bSigAPStatusIconDisable. This is off by default because displaying the signature status within the document represents a security vulnerability.
  • Turning off the icon for signature appearances AND remove the Hide signature field validity icon when signature is valid from the user interface so the user cannot change the setting with iDisplayValidIcon.
  • Turning on the icon for valid signatures only with iDisplayValidIcon.
  • Turning off the blue i in the Signature Properties dialog, and Signatures Pane with bShowWarningForChanges.

Summary table
DisplayValidIcon Determines when the signature status icon is displayed in a signature appearance.
ShowWarningForChanges Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed.
SigAPStatusIconDisable Controls whether the signature status icon is displayed in the signature appearance on the document.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\DigSig
Lock Path Not lockable
Summary Controls whether the signature status icon is displayed in the signature appearance on the document.
Details If true, status icon is not displayed regardless of signature status. This setting overrides iDisplayValidIcon and bShowWarningForChanges.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null for 9.0 and later; 0 for pre 9.
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Determines when the signature status icon is displayed in a signature appearance.
Details Possible values include:
  • 0: Always.
  • 1: Display except when the signature is valid.
  • 2: Never. This value disables bShowWarningForChanges and removes the Hide signature field validity icon option from the GUI. This setting does not affect the icons in the Signatures Pane or in the Signature Properties dialog
Note: This UI item was removed from versions 9.x and later because signature status was moved to the Document Message Bar.
GUI mapping Versions prior to 9.x only: Preferences > Security > Advanced Preferences > Verification tab > Hide signature field validity icon when signature is valid.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Determines whether or not to show a blue i on validated signature(s) if the document changes after it was signed.
Details If true, a document change results in a blue i status icon appearing for validated approval signatures. Use this setting when users need to know a document has changed after it was signed.

If false, the status icon remains a green check and pen even if a document changes after it is signed. The setting provides a method for administrators to turn off the blue i in workflows where documents can be changed or signed multiple times.

This setting does not affect certification signatures. The warning icon never appears for valid certification or approval signatures in certified documents if the signatures were allowed by the certifier.

Interacts with iDisplayValidIcon which cannot be set to 2, or the icons will not appear regardless of how bShowWarningForChanges is set.
GUI mapping N/A

Signature Validation Logging

Versions 8.x and later enable logging certificate validation and revocation checking information. You can set both the logging level and log location. The path must already exist for logging to take place. Note that when Protected Mode is enabled, the log file path must be one that Protected Mode permits.

The following options are available:

  • Specifying a logging path and filename.
  • Setting a logging level.
Chain building log file settings
[HKEY_CURRENT_USER\Software\Adobe\Adobe
Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]
"iLogLevel"=dword:00000008
"sLogFilePath"=(BINARYpathtoexistingdirectoryforlogfile)
Log file for troubleshooting certificate validation
20070207000213Z:---------------------------
20070207000213Z:Chainbuilder:Startingchainvalidation.Chainlength=
3
20070207000213Z:ProcessingCertificate:DN:ou=VeriSignTrust
Network,ou=(c)1998VeriSign,Inc.-Forauthorizeduseonly,ou=Class2
PublicPrimaryCertificationAuthority-G2,o=VeriSign,Inc.,c=USSerial:
00B92F60CC889FA17A4609B85B706C8AAF
20070207000213Z:verificationtime=20070207000213Z
20070207000213Z:ProcessingCertificate:DN:cn=EnterpriseServices
CA,ou=Class2OnSiteIndividualSubscriberCA,ou=Termsofuseat
https://www.verisign.com/rpa(c)01,ou=VeriSignTrustNetwork,o=AdobeSystems
IncorporatedSerial:0C0DB7043D0427BEB15AECA02DC95903
20070207000213Z:verificationtime=20070207000213Z
20070207000213Z:ProcessingCertificate:DN:email=example@adobe.com,
cn=BenWriter,ou=AdobeCPS-http://www.adobe.com/misc/CPS.html,
ou=www.verisign.com/repository/CPSIncorp.byRef.,LIAB.LTD(c)99Serial:
5C41B5256825491A4981D4FABFCCA044
20070207000213Z:verificationtime=20070207000213Z
20070207000213Z:FinishedChainValidation.TroubleFlags:0

Summary table
LogFilePath Specifies the full path of the text log file; for example: C:\ASPKI.log.
LogLevel Specifies the log level during chain building and validation.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 8.0+
User Path Security\ASPKI\Adobe_ChainBuilder
Lock Path Not lockable
Summary Specifies the full path of the text log file; for example: C:\ASPKI.log.
Details You must use in hexadecimal formatting. The file must already exist. When Protected Mode is enabled, the log file path must be one that Protected Mode permits such as sandbox's Temp directory or the product AppData directory. Alternatively, enable bUseWhitelistConfigFile, and specify a custom location.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # 8.0+
User Path Security\ASPKI\Adobe_ChainBuilder
Lock Path Not lockable
Summary Specifies the log level during chain building and validation.
Details The supported levels include:
  • 1: fatal errors
  • 2: possible errors
  • 4: informational messages
  • 8: verbose information
  • 0xFFFFFFFF: all messages
GUI mapping N/A

Signature Validation Rev Check Constraints



The following options are available:

  • Requiring signature property verification such as timestamps. Signatures will not be valid if this key is true and timestamp verification does not succeed.
  • Limiting the number of nested verification sessions to prevent looping.
  • Limiting the amount of time the signing time can be after the validation time.
  • Forcing revocation checks on intermediate and self-signed trust anchors (those which aren't roots).

Summary table
MaxClockSkew The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.
MaxVerifySession Specifies the maximum number of nested verification sessions allowed.
ReqSigPropVerification Specifies whether signature property verification must succeed for a signature to be valid.
RevCheckTrust Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 10.1.2 and 9.5+
User Path ASPKI\ASPKI\Verify
Lock Path Not lockable
Summary Specifies whether to perform revocation checks on intermediate trust anchors (those which aren't roots).
Details In previous versions, the application did not perform revocation checks on any intermediate trust anchors since it was assumed they were self-signed. With 10.1.2 and 9.5, this setting enables revocation checking on intermediate trust anchors if such information is available.

Trust anchors from 3rd parties are often installed locally to facilitate signature validation. Since it is possible that the trust anchors could become compromised and thereby open the host machine to malicious attack, those 3rd party providers in such cases would revoke their certificates. This preference enables detecting that revocation by forcing a revocation check on any intermediate trust anchors. Root and self-signed certificates are exempt from checking. Possible values include:
  • 0: Don't perform a revocation check on intermediate trust anchors.
  • 1: Perform a revocation check on intermediate trust anchors.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\ASPKI\Verify
Lock Path Not lockable
Summary Specifies whether signature property verification must succeed for a signature to be valid.
Details As of 8.0, the only property used is the timestamp URL.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 5
Version # 8.0+
User Path Security\ASPKI\ASPKI\Verify
Lock Path Not lockable
Summary Specifies the maximum number of nested verification sessions allowed.
Details This is used to prevent the application from going into infinite loop verifying the OCSP and/or CRL signer certificates caused by incorrect OCSP and/or CRL certificate setup.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 65 (minutes)
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary The maximum difference in minutes the signing time is allowed to be after the validation time for the signature to be valid.
Details PubSec verifies that a document is not signed in the future by looking at the verifier's system time and the time embedded in the signature dictionary. Whenever time comes into the picture, there is always the possibility that the signer and verifier's times are out of sync. MaxClockSkew accommodates such differences.
GUI mapping N/A

Signature Validation Rev Check (OCSP)

OCSP revocation checking can occur both during signature creation and signature validation on both the signing certificate as well as for the certificates associated with any revocation check responses. It is possible to require certain features for certificates used to sign OCSP requests and responses. If either does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. See RFC 2560 for details.

Prior to 10.1, OCSP responses without nextUpdate were never embedded in a signature. For 10.1 and later, OCSP responses are always embedded irrespective of the presence of nextUpdate; however, whether they are used for signature validation depends on certain conditions:

  • Validation time is greater than thisUpdate minus the value of iMaxClockSkew (the default is 5 minutes). This test is always performed.
  • When nextUpdate is present and the validation time is less than the nextUpdate time plus the value of iMaxClockSkew.
  • When nextUpdate is not present and the validation time is less than the thisUpdate time or the producedAt time (whichever is greater) plus the value of iMaxClockSkew.
If you need a relaxed security environment (for example, when the responder is caching OCSP responses), bIgnoreNextUpdate can be set to 1 to ignore the last test. In this case, embedded responses without nextUpdate are always used for signature validation provided that they pass first test.

This behavior is designed to support the long term validation feature and allows validating a signature with embedded responses that were valid at signing time. The following options are available:
  • Specifying when to do revocation checking as well as the effect of a failed or bad response.
  • Specifying when and where to go online to get a response.
  • Specifying whether to include a nonce. Nonces are random generated numbers that are sent with a request and matched by a response. They improve security by assuring communication with an active, non-spoofed server.
  • Using or ignoring a response's thisUpdate and nextUpdate times to control its validity.
  • Setting a limit on the amount of time difference between the local time and response's publish time.
  • Allowing or disallowing the OCSPNoCheck extension.
  • Requiring the presence of a public key hash extension (bRequireOCSPCertHash).
  • Specifying whether OCSP requests should by signed (bSignRequest).
  • Requiring the presence of a particular OID in a request (sSignCertOID).
It is possible to require certain features for certificates used to sign OCSP responses. If a response does not meet the specified parameters, it is considered invalid and the signature status may be Unknown or Invalid. The following options are available:
  • Allowing or disallowing the OCSPNoCheck extension.
  • Requiring the presence of a public key hash extension via bRequireOCSPCertHash.

Summary table
AllowOCSPNoCheck Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate.
ExpiredCertGoOnline Specifies whether to go online to get the revocation information for an expired certificate.
GoOnline Specifies whether to go online to do revocation checking.
IgnoreNextUpdate Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.
IgnoreValidityDates Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
MaxClockSkew The number of minutes the local machine time can vary from the response's published time to account for a network delay, time synchronization issues, and so on.
ReqRevCheck Indicates whether revocation checks are required to succeed on the OCSP response.
RequireOCSPCertHash Specifies whether a certificate public key hash extension must be present in OCSP responses.
ResponseFreshness Specifies the amount of time in minutes after the response's published thisUpdate time for which the response will be valid.
SendNonce Specifies signature validation behavior with respect to nonces.
SendNonce Specifies signature validation behavior with respect to nonces.
SignRequest Specifies whether the OCSP request should be signed.
URL The URL used to fetch OCSP responses.
URLToConsult Specifies how the revocation checker chooses which responder to use.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 9.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies whether the OCSP request should be signed.
Details Some OCSP providers require that OCSP requests are signed (e.g IdenTrust).
  • 0: Don't sign the OCSP request.
  • 1: Force Acrobat to sign OCSP requests prior to sending.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 8.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies whether a certificate public key hash extension must be present in OCSP responses.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Indicates whether revocation checks are required to succeed on the OCSP response.
Details Interacts with other iReqRevCheck settings. Possible values include:
  • 0: Don't do revocation checks.
  • 1: Do a check IF certificate has AIA extension or responder info is in registry; don't fail if the check fails.
  • 2: Do a check IF certificate has AIA extension or responder info is in registry; all checks must succeed if there is data and a check occurs.
  • 3: Require a check; it must succeed under all circumstances.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 0
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies how the revocation checker chooses which responder to use.
Details Possible values include:
  • 0: Use the AIA extension in the certificate.
  • 1: Use the URL key in sURL.
  • 2: Use the AIA extension in the certificate. If it is not present, use the URL key in sURL.
  • 3: Use the OCSP request signer's certificate AIA extension. Relevant only if SignRequest is 0.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary The URL used to fetch OCSP responses.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies whether to go online to do revocation checking.
Details Never used for Reader enabled signatures (UR3).
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0 < 10.0
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies signature validation behavior with respect to nonces.
Details Deprecated with 10.0. If true, nonces are included in the OCSP request and expected to be present in the response and should match the request's nonce. If false, nonces are not sent.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 10.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies signature validation behavior with respect to nonces.
Details With 10.0, this preference replaces bSendNonce. Possible values include:
  • 0: No nonces are sent.
  • 1: Nonces are included in the OCSP request and expected to be present in the response and should match the request's nonce.
  • 2: Nonces are included in the OCSP request, but if none are present in the response, their abscence is ignored.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 525600 (1 year)
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies the amount of time in minutes after the response's published thisUpdate time for which the response will be valid.
Details After that time, the response will be invalid.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
Details The value is set to true for ubiquity signatures created by enabling usage rights for Adobe Reader.

Note: With 11.0.16, this preference interacts with bExpiredCertGoOnline.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 11.0.16+
User Path Security\ASPKI\cASPKI
Lock Path Not lockable
Summary Specifies whether to go online to get the revocation information for an expired certificate.
Details 11.0.16 introduced a signature validation change so that signatures are invalid if they are based on expired certificates and there is no embedded revocation information even if bIgnoreValidityDates is 1. For previous product versions, the signature would be valid. Now, to be standard's compliant, if a certificate has expired, the client should not check for the revocation information online. bExpiredCertGoOnline set to 1 re-enables the pre-11.0.16 behavior.
  • 0: Do not go online for revocation even if bIgnoreValidityDates = 1
  • 1: Do go online.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 5 minutes
Version # 10.1+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary The number of minutes the local machine time can vary from the response's published time to account for a network delay, time synchronization issues, and so on.
Details For 10.1 and later, this preference is used along with bIgnoreNextUpdate to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\Adobe_OCSPRevChecker
Lock Path Not lockable
Summary Specifies whether to use embedded OCSP responses when nextUpdate is not present and the validation time is less than the greater of thisUpdate or producedAt time plus the value of iMaxClockSkew.
Details For 10.1 and later, this preference is used along with iMaxClockSkew to determine whether or not embedded OCSP responses are actually used for signature validation. For details, see the subfeature description above. This behavior is designed to support Acrobat's long term validation feature and allows validating a signature with embedded responses that were valid at signing time.Possible values include:
  • 0: iMaxClockSkew is applied to thisUpdate on both sides of the validation time, i.e. thisUpdate - iMaxClockSkew < validation time < checkTime + iMaxClockSkew where checkTime is the later of the producedAt and thisUpdate. When true, iMaxClockSkew is applied to thisUpdate only before the validation time: thisUpdate - iMaxClockSkew < validation time.
  • 1: If there is no nextUpdate, then we accept the OCSP response indefinitely (we do not check for if the validation time is too late) and don't check whether validation time is < than checkTime)
GUI mapping N/A

Signature Validation Rev Check (CRL)

CRL revocation checking can occur both during signature creation and signature validation on both the signing certificate as well as for the certificates associated with any revocation check responses.

The following options are available:

  • Specifying when to do revocation checking as well as the effect of a failed or bad response.
  • Specifying when and where to go online to get a response.
  • Setting a time limit for caching a response after which the application must get a new response.
  • Specifying a LDAP server to query for CRLs. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.
  • Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.
  • Requiring the presence of the Authority Key Identifier extension.
It is possible to require certain features for certificates used to sign CRL responses. If a response does not meet the specified parameters, the response will be considered invalid and the signature status may be Unknown or Invalid.

The following options are available:
  • Specifying whether to ignore the response certificate's times in the thisUpdate and nextUpdate extensions.
  • Requiring the presence of the Authority Key Identifier extension.

Summary table
AlwaysConsult Determines when the URL is used for an additional URL CRL distribution point.
GoOnline Indicates whether it's acceptable to go online to fetch a CRL.
IgnoreValidityDates Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
LDAP The LDAP server to get CRLs from in the form www.ldap.com.
MaxRevokeInfoCacheLifetime Maximum lifetime in hours the cached CRL is used for revocation checking.
ReqRevCheck Indicates whether revocation checks are required to succeed on the CRL response.
RequireAKI Specifies whether the Authority Key Identifier extension must be present in a CRL.
RevokeInfoCacheLifeTime Specifies the length of time to cache the CRL.
URL The URL used to fetch CRL responses for an additional URL CRL Distribution point.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\Adobe_CRLRevChecker
Lock Path Not lockable
Summary Specifies whether to ignore the response's thisUpdate and nextUpdate times, thereby preventing any negative effect of these times on response validity.
Details The value is set to true for ubiquity signatures created by enabling usage rights for Adobe Reader.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
User Path Security\ASPKI\Adobe_CRLRevChecker
Lock Path Not lockable
Summary Specifies whether the Authority Key Identifier extension must be present in a CRL.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1
Version # 7.0+
User Path Security\ASPKI\Adobe_CRLRevChecker
Lock Path Not lockable
Summary Indicates whether revocation checks are required to succeed on the CRL response.
Details Interacts with other iReqRevCheck settings. Values include:
  • 0: Don't do revocation checks.
  • 1: Do a check IF responder details are in CRLDp certificate extension or the registry; don't fail if the check fails.
  • 2: Do a check IF responder details are in CRLDp certificate extension or the registry; all checks must succeed if there is data and a check occurs.
  • 3: Require a check; it must succeed under all circumstances.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_CRLRevChecker\URLDP
Lock Path Not lockable
Summary The URL used to fetch CRL responses for an additional URL CRL Distribution point.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\Adobe_CRLRevChecker\URLDP
Lock Path Not lockable
Summary Determines when the URL is used for an additional URL CRL distribution point.
Details If false, the URL is only used when the certificate does not have a CRLDp extension.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\ASPKI\Adobe_CRLRevChecker
Lock Path Not lockable
Summary Indicates whether it's acceptable to go online to fetch a CRL.
Details If false, only cached CRLs (on local disk or ones embedded with signature) are consulted. Internally set to false for ubiquity signatures in Reader enabled documents.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default Null
Version # 7.0+
User Path Security\ASPKI\Adobe_CRLRevChecker
Lock Path Not lockable
Summary The LDAP server to get CRLs from in the form www.ldap.com.
Details Without the protocol prefix, as LDAP is assumed. All DN-based queries for CRLs will be directed to this server.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 24
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Maximum lifetime in hours the cached CRL is used for revocation checking.
Details iMaxRevokeInfoCacheLifetime is only used if the validation method is set to "current time". Possible values include:
  • The number of hours for which the cached CRL is valid.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # Oct. 2018 (both tracks)
User Path Security\cASPKI\cASPKI\
Lock Path Not lockable
Summary Specifies the length of time to cache the CRL.
Details CRLs often have a lifespan determined by fields such as nextUpdate. This preference determines the validity in seconds of a cached CRL file calculated from its download time. A fresh CRL is downloaded if the signature validation occurs after the number of seconds specified by iRevokeInfoCacheLifeTime passes from the time of the last cached CRL download OR if it occurs after the time provided in its NextUpdate field. Possible values include:
  • The number of seconds for which the cached CRL is valid from its last modification time. There is no max second limit.
GUI mapping N/A

Signature Validation Cert. Chain Building

The revocation checking process includes building the certificate chain so that each discovered certificate can be analyzed and processed as specified by other application preferences. Administrators do have some control over what certificates are used to build a chain.

The following options are available:

  • Controlling whether AIA extensions are followed.
  • Requiring the use of valid RSA signatures on all certificates in a chain.
  • Requiring the presence of specific policy OIDs in the specified chain scope for it to be valid.
  • Pointing to an LDAP server for path discovery purposes. Querying an LDAP server can result in poor application performance depending on the quality of the network connection and the number of directories to search.

Summary table
FollowURIsFromAIA Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.
LDAP Specifies the URL of an LDAP server to be used for path discovery.
RequireValidSigForChaining Specifies whether to allow the chain builder to build chains with invalid RSA signatures on certificates.
ValidityModel Specifies the validity model for validating signatures and certificates.
Value An array of strings c0-cN containing the required certificate policy OIDs.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 0
Version # 8.0+
User Path Security\ASPKI\Adobe_Validation
Lock Path Not lockable
Summary Specifies the validity model for validating signatures and certificates.
Details The application uses shell validation by default, but chain validation may be used when required. Compliance with the German signature law requires chain validation. Allowabled values include:
  • 0: PKIX shell model
  • 1: Chain validity model.
Chain validation is used to validate all or part of a certificate chain when any certificate chaining up to a CA certificate containing the qualified certificate policy extension (OID 1.3.36.8.1.1) or the validity model certificate extension OID (1.3.6.1.4.1.8301.3.5) with the value set to the chain model OID (1.3.6.1.4.1.8301.3.5.1).
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_ChainBuilder
Lock Path Not lockable
Summary Specifies the URL of an LDAP server to be used for path discovery.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\Adobe_ChainBuilder
Lock Path Not lockable
Summary Specifies whether to allow the chain builder to follow URIs in AIA certificate extensions so that certificates can be downloaded if they are not available locally.
Details The default does not allow phone-home capability. CRLdps and OCSP AIA extensions do allow following URIs because they require that the certificate chain up to a trust anchor.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
User Path Security\ASPKI\Adobe_ChainBuilder
Lock Path Not lockable
Summary Specifies whether to allow the chain builder to build chains with invalid RSA signatures on certificates.
Details Consider chain CA > ICA > EE where the CA's signature on an ICA is invalid. If this setting is true, the chain building will stop at the ICA and the CA will not be included in the chain. If this preference is false, the full 3-certificate chain is produced. This setting does not affect DSA signatures.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_ChainBuilder\AcceptablePolicyOIDs\c(index)
Lock Path Not lockable
Summary An array of strings c0-cN containing the required certificate policy OIDs.
Details Note that c(index) can be associated with a chain.
GUI mapping N/A

Signing: Rev Check

Applying a signature to a document involves both creating a signature and then validating it. Despite the fact that end users see only one step (the signature appears with a status icon), there are actually two phases which an administrator independently configure. Revocation checking can occur during the initial signing phase to control whether or not a signature is created.

The following option is available:

  • Specifying when to do revocation checking as well as the effect of a failed or bad response.
Note: Interacts with bIsEnabled. For more detail about how revocation checking affects signing and signature validation, see Certificate Processing.

Summary table
ReqRevCheck Indicates whether revocation checks are required to succeed to create the signature.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 0
Version # 7.0+
User Path Security\ASPKI\ASPKI\Sign
Lock Path Not lockable
Summary Indicates whether revocation checks are required to succeed to create the signature.
Details Interacts with other iReqRevCheck settings. Allowable values include:
  • 0: Dont do revocation checks.
  • 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; dont fail if the check fails.
  • 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
  • 3: (New in 10.1.5 and 11.0) Require a check; it must succeed under all circumstances.
GUI mapping N/A

Signing: Long Term Validation

Whether revocation checking information is stored in a signature varies by version. Storing such data in a signature enables offline revocation checking and a determination of whether the signing certificate was valid at the time of signing.

Setting bIsEnabled to 1 via the GUI or registry automatically sets cSign\iReqRevCheck to 2. The rationale is that if you choose to embed the revocation status you probably want a status to embed. A consequence of this choice is that you must do a check and retrieve a good result; otherwise, no signature is created. In other words, signing with a revoked certificate is prevented when this setting is on.

The following options are available:

  • Embedding revocation status in a signature.
  • Specifying the embedded data cache size to limit the amount of cached data.
  • Specifying when archived revocation data is used for revocation checking.
  • Controlling whether or not revocation data is stored in a JavaScript object.
Note: If you are setting up a signing workflow for both signers and signature validators, you may want to set iUseArchivedRevInfo so that document recipients can validate signatures based on a signer's bIsEnabled setting.

Summary table
AutoAddLTV Specifies whether LTV information should be automatically added to all signatures.
IsEnabled Specifies whether the signature revocation status is included in the signature.
MaxRevInfoArchiveSize The maximum size of the revocation archival information in kilobytes.
ReturnRevInfoToUser If true, the revocation information is maintained within the SignatureInfo object and can be retrieved through JavaScript.
UseArchivedRevInfo Indicates whether the revocation information archived with the signature is used for revocation checking.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 7.0+
User Path Security\ASPKI\Adobe_LTVProvider
Lock Path Not lockable
Summary Indicates whether the revocation information archived with the signature is used for revocation checking.
Details Allowable values include:
  • 0: Never (always require fresh revocation information to be successfully downloaded).
  • 1: Deprecated. Do not use.
  • 2: Always use (if embedded revocation information is available do not download fresh revocation information).
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\PPKHandler
Lock Path Not lockable
Summary If true, the revocation information is maintained within the SignatureInfo object and can be retrieved through JavaScript.
Details For more information, see the Acrobat JavaScript Reference.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default Pre 9.1 0; 9.1 and later: 1
Version # 8.0+
User Path Security\ASPKI\Adobe_LTVProvider
Lock Path Not lockable
Summary Specifies whether the signature revocation status is included in the signature.
Details Possible values include:
  • 0: Don't enable LTV and inlcude the signature revocation status information in the signature.
  • 1: Do enable LTV.
GUI mapping Include signatures revocation status when signing
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1500Kb
Version # 7.0+
User Path Security\ASPKI\Adobe_LTVProvider
Lock Path Not lockable
Summary The maximum size of the revocation archival information in kilobytes.
Details An attempt is made to store as much revocation information as possible without exceeding the limit. Note that older product versions may have a smaller supported size limit.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1
Version # 11.0+
User Path Security\ASPKI\Adobe_LTVProvider
Lock Path Not lockable
Summary Specifies whether LTV information should be automatically added to all signatures.
Details Possible values include:
  • 0: Never add LTV information.
  • 1: (default) Ask whether LTV information should be added if it is too big.
  • 2: Always add LTV information.
When the cumulative size of the LTV data is greater than the sum of 10% of the PDF file size plus 10KB and Automatically add verification information on Save is set to "Ask..." a dialog appears asking the user if they would like to continue embedding the LTV information. Note that in workflows where the dialog appears asking whether to enable LTV, if the user selects the "Do not show this message again" checkbox, AND click the No button, then this preference is set to zero.
GUI mapping Preferences > Signatures > Verification panel (More) > Verification Information > Automatically add verification information when saving signed PDF.

Signature Validation Rev Check (Providers)

The revocation checker provider provides revocation checking services. You can specify one or more revocation checking methods and choose whether to use the default methods or some MSCAPI-specific method.

The following options are available:

  • Use one or both of Adobe's revocation checking methods (CRL and OCSP).
  • Use of the MSCAPI revocation checking plugin model as an alternative to Adobe mechanisms. For example, administrators may have standardized on MSCAPI or might prefer the MSCAPI method of using a CRL registry cache (Acrobat has its own cache).
Note : Acrobat's default CRL cache location is C:\Documents and Settings\(user)\Application Data\Adobe\(application)\(version)\Security\CRLCache

Summary table
RevocationChecker Specifies a provider for revocation checking.
RevocationChecker An array of text entries (t0-tn) containing the name of a registered provider.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 7+
User Path Security\ASPKI\SPIs
Lock Path Not lockable
Summary Specifies a provider for revocation checking.
Details
  • 0: Use none of the registered providers.
  • 1: Use first registered provider.
  • 2: Use all registered providers.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default Adobe_OCSPRevChecker, Adobe_CRLRevChecker
Version # 7+
User Path Security\ASPKI\SPIs
Lock Path Not lockable
Summary An array of text entries (t0-tn) containing the name of a registered provider.
Details
  • Adobe_OCSPRevChecker: Adobe's default OCSP method.
  • Adobe_CRLRevChecker: Adobe's default CRL method.
  • MSCAPI_RevocationChecker: Accesses MSCAP revocation checking plugin framework.
The rules of operation are as follows:
  • If cRevocationChecker is empty, the default OCSP and CRL methods are used.
  • If cRevocationChecker is not empty, then only the methods listed are used.
  • Regardless of the order in which the validators are listed, the validators are always called in the following order: OCSP, CRL, MSCAPI.
  • The first validator present that produces a result is the only one used.
GUI mapping N/A

Signing: Preview Mode

Preview mode turns off (suppresses) rich content and dynamic document behavior that could prevent the signer from seeing what they are signing. While the use of preview mode adds an extra step in the signing workflow, it turns off potentially bad content, checks the document for the presence of any PDF constructs that may cause problems with signature integrity and provides a report about any found problems.

The following option is available:

  • Force the use of preview mode during signing.

Summary table
PreviewModeBeforeSigning Specifies whether a signer is forced to use preview mode during signing.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether a signer is forced to use preview mode during signing.
Details If true, preview mode is automatically invoked on a sign action. Users should read the document message bar text, view a report about any warnings, and then choose Sign Document.
GUI mapping Preferences > Security > View documents in preview mode when signing

Signing: Appearances

The application remembers what signature appearance a signer used and stores its index number in iAPIndex. Because an end user's appearance selection will overwrite any custom value here, customization by an administrator would serve no useful purpose.

Summary table
APIndex Remembers the last used signature appearance index.
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default null
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Remembers the last used signature appearance index.
GUI mapping N/A

Signing: Signer Details

The signing dialog has the capability of showing a location and contact information fields during a signing workflow. Field fill-in is optional. By default, the option is off, but end users and administrators can turn this option on. The location will appear in the Signature Properties dialog and in the Signature's pane and may optionally appear in the signature appearance.

The following options are available:

  • Showing or not showing the Contact and Location fields in the signing dialog.
  • Setting default contact information.
  • Setting default location information.
Note: If the end user changes the field data in the signing dialog, those values will overwrite the registry-specified values.

Summary table
AllowOtherInfoWhenSigning Specifies whether the location and contact information UI will appear during signing.
ContactInfo When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field.
Location Stores the location information of the signer.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Specifies whether the location and contact information UI will appear during signing.
GUI mapping Preferences > Security > Advanced Preferences > Creation tab > Show location and contact information when signing
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field.
Details User data is saved and reused during subsequent signing events.
GUI mapping Contact field in the Sign dialog.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Stores the location information of the signer.
Details When bAllowOtherInfoWhenSigning is true (on), the signing dialog displays a location and contact field. User data is saved and reused during subsequent signing events.
GUI mapping Location field in the Sign dialog

Signing: Reasons

The signing dialog has the capability of showing a signing reasons drop down list during a signing workflow. By default, the option is off, but end users and administrators can turn this option on. If a reason is used, it appears in the signature appearance, the Signature Properties dialog, and in the Signatures pane.

The following options are available:

  • Showing or not showing the Reasons field in the signing dialog.
  • Changing the default reasons. Administrators can add, delete, and modify the reason list.
  • Locking the reason list so that it can't be modified by end users.

Summary table
AllowReasonWhenSigning Specifies whether the reason UI will appear during signing.
Reasons Stores a list of signing reasons.
Reasons Prevents users from modifying reason's settings.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
User Path Security\PubSec
Lock Path FeatureLockDown\Security\PubSec
Summary Specifies whether the reason UI will appear during signing.
Details The preference can be overridden by a document seed value set on a field. For 8.1 and later, if cReasons is locked and is empty, bAllowSigningReasons is 0 and read only (The UI is turned off). If cReasons is locked and has values, then bAllowSigningReasons is true and read only.
GUI mapping Preferences > Security > Advanced Preferences > Creation tab > Show reasons when signing
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default See details.
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Stores a list of signing reasons.
Details Entries in this folder are named t0, t1, etc. Subject to override by the document seed value: reasons.

The default reasons are:
  • t0: I am the author of this document
  • t1: I have reviewed this document
  • t2: I am approving this document
  • t3: I attest to the accuracy and integrity of this document
  • t4: I agree to the terms defined by the placement of my signature on this document
  • t5: I agree to specified portions of this document
GUI mapping Reasons drop down list in signing dialog
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 8.1+
Lock Path FeatureLockDown\Security\PubSec
Summary Prevents users from modifying reason's settings.
Details v8.1: If locked and cReasons if empty, bAllowSigningReasons is 0 and read only. If locked and cReasons has values, then bAllowSigningReasons is true and read only.
GUI mapping N/A

Signing: Certification

A "certification signature" is simply the first signature in a document where the user has indicated via a user interface choice to "certify" the document. These preferences only control certification signature behavior and have no effect on approval signature behavior.

In addition to the general signature preferences described elsewhere in this document, the following options are available:

  • Preventing invisible signatures: By default, users can sign with a visible or invisible signature. Prohibit invisible certification signatures by setting bAllowInvisibleSig to 0.
  • Legal attestations (warning comments): When certifying a document that contains dynamic content, a signer can choose a default warning comment from a list or create a custom one. You can prepopulate this list with custom comments with cAttest.
  • (Pre v. 8.0) Control certification based on document content: For versions prior to 8.0, you can control certification rights based on the nature of the document content and whether it generates LegalPDF warnings. These preferences are deprecated in 8.0.
  • 11.0: Elevating certified documents to a privileged location so that they are trusted for operations that would otherwise be restricted (See TrustManager).
  • 11.0.04: Showing the document's certification status in the Protected View document message bar (See FeatureLockDown).

Summary table
AllowCertNonGreen Specifies whether a certification signature may be applied to a document containing Legal PDF warnings.
AllowInvisibleSig Specifies whether to allow invisible certification signatures.
AllowSigCertGreenOnly Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures.
AllowSigCertOnly Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures.
Attest Stores a list of the most recently used attestations regarding LegalPDF warnings in a document.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\DigSig
Lock Path FeatureLockDown\Security\DigSig
Summary Specifies whether to allow invisible certification signatures.
Details False disables the menu option, prevents signing and certifying with invisible signatures, and limits JavaScript support by signature fields.
GUI mapping Certify with Invisible Signature
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type
Default null
Version # 7.0+
User Path Security\DigSig
Lock Path Not lockable
Summary Stores a list of the most recently used attestations regarding LegalPDF warnings in a document.
Details Entries in this folder are named t0, t1, etc. The application may have one or more default strings such as "I have included this content to make the document more interactive."
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0 ONLY+
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether a certification signature may be applied to a document containing Legal PDF warnings.
Details If false, then its not allowed and the author is informed of the reason.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0 ONLY+
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether any subsequent signers can sign a certified document containing LegalPDF warnings with additional approval signatures.
Details In other words, the presence of any LegalPDF warning prevent any additonal signatures.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0 ONLY+
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether any subsequent signers can sign a certified document that does not contain LegalPDF warnings with additional approval signatures.
Details In other words, the presence of any LegalPDF warning does not prevent any additonal signatures.
GUI mapping N/A

Signing: User interface

Summary table
EnableCEFBasedUI Specifies whether to enable the CEF-based, modern UI for digital signature workflows.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # June, 2016: Both tracks
User Path Security\cPubSec
Lock Path Security\PubSec
Summary Specifies whether to enable the CEF-based, modern UI for digital signature workflows.
Details The newer UI streamlines the user interface. All values also disable the UI option to change the preference. Note that for products released after June 2016, disabling a user's ability to create a self-signed digital ID requires setting both bSelfSignCertGen and bEnableCEFBasedUI to 0. Possible values include:
  • 0: Disable the modern UI and shows the legacy UI.
  • 1: Enable the Modern UI.
GUI mapping Preferences > Signatures > Creation and Appearance > More > Use modern user interface for signing and Digital ID configuration

Signing: Document Warnings

The Sign dialog is capable of showing a Review button. The button invokes the PDF Signature Report which analyzes the document for the presence of any dynamic content that could adversely affect the integrity of signing workflows. If none is found, a dialog appears indicating that there are no problems. If content such as a comment or JavaScript is discovered, the PDF Signature Report appears with a list of any PDF constructs that may cause problems with signature integrity.

The following options are available:

  • Never showing or allowing the review of document warnings.
  • Limiting warning review to certification workflows.
  • Requiring warning review prior to applying an approval and/or certification signature.
  • Always requiring review of warnings for every signature.

Summary table
RequireReviewWarnings Specifies whether the user is required to review document warnings before signing via the signing dialog.
ShowDocumentWarnings Specifies whether a button to allow reviewing document warnings shows up on the signing dialog.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1; 11.0 = 0; 11.0.01 = 1
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Specifies whether a button to allow reviewing document warnings shows up on the signing dialog.
Details Interacts with iRequireDocumentWarnings. The possible values include:
  • 0: Never
  • 1: Show when certifying only
  • 2: Always
GUI mapping Preferences > Security > Advanced Preferences > Creation tab > Enable reviewing of document warnings
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 0
Version # 8.0+
User Path Security\DigSig
Lock Path Not lockable
Summary Specifies whether the user is required to review document warnings before signing via the signing dialog.
Details Interacts with iShowDocumentWarnings. The possible values include:
  • 0: Never
  • 1: Show when certifying only
  • 2: Always
GUI mapping Preferences > Security > Advanced Preferences > Creation tab > Prevent signing until document warnings are reviewed

Signing: Font Warnings

LegalPDF warnings have been replaced by PDF Signature Report errors in versions 8.0 and later. Both mechanisms provide similar warnings. The following option is available:

  • Toggling warnings for true type and non-embedded fonts on and off.

Summary table
EnNonEmbFontLegPDFWarn Turns on and off warnings about non-embedded fonts.
TrueTypeFontPDFSigQWarn Turns on and off warnings about True Type fonts.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\DigSig
Lock Path Not lockable
Summary Turns on and off warnings about non-embedded fonts.
Details A warning appears when the LegalPDF dictionary NonEmbeddedFonts attribute has a non zero value. Turning this value on causes a warning to appear in the PDF Signature Report which indicates the document contains unembedded fonts.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\DigSig
Lock Path Not lockable
Summary Turns on and off warnings about True Type fonts.
GUI mapping N/A

Signing: Hash Algorithm

The default algorithm used to create a message digest (document hash) during signing can be customized. In some enterprise situations, such as when FIPS compliance is required, you may need a more secure algorithm. Alternate hashing algorithms can be specified by name or OID as shown below. The algorithm that is used is displayed in the Hash Algorithm field of the Signature Properties dialog's Document tab. Usage rules:

  • MSCAPI supports different algorithms across versions. For example, early XP versions only supported SHA1 and MD5. The use of other algorithms will require that the signer use a digital ID that resides in a .pfx/.p12 file in the Acrobat cache.
  • With XP SP3, MSCAPI supports SHA256 on certificates and some token devices.
  • Pre 9.1: Acrobat uses SHA1 as the default.
  • 9.1 and later: Acrobat uses SHA256 as the default, but will use SHA1 if the token does not support SHA256. If using FIPS mode, do not use MD5 or RIPEMD160.
The following options are available:
  • Specifying an alternate algorithm.

Summary table
SignHash The hashing algorithm to use while signing.
SignHash A text entry that contains the OID of the hashing algorithm.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default SHA1 for 9.0 and earlier; SHA256 for 9.1 and later
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary The hashing algorithm to use while signing.
Details For an alternative, see tSignHash. NOTE : The data type prefix is incorrect, as the key is not an atom. The entry is binary. You can manually create the binary value by right clicking in the preference area and choosing New Binary Value. Right click on your new preference and choose Modify Binary Data. When the Edit Binary Value dialog appears, click in the right-hand side of the Value data field and type the name of a supported algorithm. As you type the string, the binary value appears on the left-hand side of the dialog. For example, type SHA384. Once done, click in the binary field and add a zero the end and press Enter. The null terminator is required (the registry editor will change it to 00).
  • MD5
  • SHA1
  • SHA256 (v. 7.0)
  • RIPEMD160 (v. 8.0)
  • SHA384 (v. 8.0)
  • SHA512 (v. 8.0)
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default SHA1 for 9.0 and earlier; SHA256 for 9.1 and later
Version # 7.0+
User Path Security\PubSec
Lock Path Not lockable
Summary A text entry that contains the OID of the hashing algorithm.
Details For an alternative, see aSignHash. Allowable values include:
  • 1.2.840.113549.2.5: MD5
  • 1.3.14.3.2.26: SHA1
  • 2.16.840.1.101.3.4.2.1: SHA256 (v. 7.0)
  • 1.3.36.3.2.1: RIPEMD160 (v. 8.0)
  • 2.16.840.1.101.3.4.2.2: SHA384 (v. 8.0)
  • 2.16.840.1.101.3.4.2.3: SHA512 (v. 8.0)
GUI mapping N/A

Signing: Format

The default format for creating the signature object that is embedded in a signed document is PKCS#7. The object contains the encrypted message digest, certificates, timestamps, and other information. It does not include the signature appearance and data outside of Contents in the signature dictionary. Format choices are limited so that a signature encoded by one handler can be unencoded (validated) by another handler. Providing a value for aSignFormat writes that value to the signature dictionary's SubFilter object. For details, see "Signature Interoperability" in the PDF Reference.

  • PKCS#1 : For signing PDF files using PKCS#1, the only recommended value of SubFilter is adbe.x509.rsa_sha1, which uses the RSA encryption algorithm and SHA-1 digest method. The certificate chain of the signer is stored in the Cert entry.
  • PKCS#7 : The value of Contents is a DER-encoded PKCS#7 binary data object containing the signature. The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5. SubFilter can take one of the following values:
    • adbe.pkcs7.detached : No data is encapsulated in the PKCS#7 signed-data field.
    • adbe.pkcs7.sha1 : The SHA1 digest of the byte range is encapsulated in the PKCS#7 signed-data field with ContentInfo of type Data.
    • ETSI.CAdES.detached : Supports long term validation of signatures even when the signing certificate is revoked; this is part of the feature which allows adding an invisible timestamp signature to a document.

Summary table
SignFormat The format to use when signing a document using public key cryptography when a format is not specified by a seed value, javascript parameter, or the PubSec Handler.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default adbe.pkcs7.detached
Version # 7.0+
User Path Security\PubSec
Lock Path FeatureLockDown\Security\PubSec
Summary The format to use when signing a document using public key cryptography when a format is not specified by a seed value, javascript parameter, or the PubSec Handler.
Details Allowable values include:
  • adbe.pkcs7.detached
  • adbe.pkcs7.sha1
  • adbe.x509.rsa_sha1
  • ETSI.CAdES.detached
GUI mapping 10.0 and later: Preferences > Security > Advanced Preferences > Creation tab > Default Signature Signing Format

Signing: Digest Comparison

When signing a PDF document, a message digest is created for the document and sent to the cryptographic module that performs the signing operation. Setting the registry entry bEnforceSecureChannel to 1 ensures the message digest sent to the cryptographic module is checked against the signed message digest that it returns. This flag ensures that intermediate layers of software between Acrobat and the cryptographic module do not tamper with the signing operation.

The following rules apply:

  • When using a certificate that includes a DSA public key with omitted parameters, the test to detect signature validity is not performed. In these cases, setting bEnforceSecureChannel has no effect.
  • When this preference is turned on, a digest mismatch results in a warning dialog. The signature is removed from the document and the signing application aborts the signing process.

Summary table
EnforceSecureChannel Specifies whether to prevent signing when the original message digest and the signed message digest do not match.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 8.0+
User Path Security\PubSec
Lock Path Not lockable
Summary Specifies whether to prevent signing when the original message digest and the signed message digest do not match.
Details When set to 1, the user sees a warning dialog when the digest mismatch occurs. This error can be caused by a modification of the original message digest, a modification of the signed message digest, or a mismatch between the private and public key used for signing.

When using a certificate that doesn't include a public key (such as a DSA certificate with an omitted public key), the test to detect signature validity is not performed. Do not turn this setting on if such certificates are used.
GUI mapping N/A

Signature Clearing

Summary table
EnableSignatureClear Specifies whether to disable and lock the ability for a signer to clear their own signature.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 11.0+
Lock Path FeatureLockDown\Security\DigSig
Summary Specifies whether to disable and lock the ability for a signer to clear their own signature.
Details Possible values include:
  • 0: Disable signature clearing.
  • 1: Enable signature clearing.
GUI mapping The Clear Signature menu item which appears when a user right clicks on a signature.

Timestamp Server: Usage

Summary table
ReqSigPropRetrieval Indicates whether retrieving a signature property must succeed.
UseExpiredTimestamps Specifies whether expired timestamps should be used.
UseTSAsSigningTime Specifies whether the timestamp time should be displayed in the signature appearance.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 7.0+
User Path Security\ASPKI\ASPKI\Sign
Lock Path Not lockable
Summary Indicates whether retrieving a signature property must succeed.
Details Acrobat currently provides a signature property for timestamps. By default, retrieving a valid and trusted timestamp is not required, and property retrieval failure only results in creating a signature which uses the local time. When property retrieval is required during signature creation and fetching a timestamp fails for any reason (bad URL, no network connection, etc.) the signature creation process is aborted, no signature is created, and an error appears.
  • 0: Make best effort, but success is not required. A signature is created.
  • 1: Property retrieval must succeed. On failure, a signature is not created and an error dialog appears.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 9.1+
User Path Security\Adobe_TSPProvider
Lock Path Not lockable
Summary Specifies whether expired timestamps should be used.
Details If true, an expired timestamp will not invalidate a signature.
GUI mapping Preferences > Security > Advanced Preferences > Verification tab > Use expired timestamps
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 0
Version # 11.0+
Lock Path Not lockable
Summary Specifies whether the timestamp time should be displayed in the signature appearance.
Details By default, the signature appearance displays the signing time from the signer's computer clock. To display the timestamp server time in a signature appearance:
  1. Go to HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product)\(version)\FeatureLockDown\cSecurity\cPubSec\
  2. Create the new DWORD bUseTSAsSigningTime and set it to 1.
  3. Go to HKCU\Software\Adobe\(product)\(version)\Security\cASPKI\cASPKI\cSign.
  4. Set bReqSigPropRetrieval to 1. Create the preference if it does not exist.
  5. Verify the computer time does not vary from the signature validation revocation check response time specified by HKCU\Software\Adobe\(product)\(version)\Security\cPubSec\iMaxClockSkew . The default is 65 minutes. iMaxClockSkew allows admins to account for a network delay, time synchronization issues, and so on without invalidation signatures.
Possible values include:
  • 0: Don't show the timestamp time.
  • 1: Do show the timestamp time.
GUI mapping N/A

Timestamp Server: List

Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.

The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:

  • Specifying a list of servers that will appear in the Security Settings Console. Preferences are represented as a list c0-cN and contain the server name, URL, and whether the authentication is required.
  • Specifying when to do revocation checking as well as the effect of a failed or bad response.
  • Increasing security by choosing a more robust hashing algorithm. The algorithm must be supported by the timestamp server.
  • Requiring signature property retrieval (a valid and trusted server URL) in order to create a signature.

Summary table
AuthReqd This is an internal copy of bAuthReqd that cannot be modified.
AuthRequired Specifies whether or not the timestamp server requires authentication.
LockboxId If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID.
Name The user-defined server name.
Server The server URL.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 8 (cab)
Default null
Version # 7.0+
User Path Security\PPKHandler\TimeStampServers\(index)
Lock Path Not lockable
Summary The server URL.
GUI mapping Security Settings Console > Timestamp Servers > configuration details
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\PPKHandler\TimeStampServers\(index)
Lock Path Not lockable
Summary The user-defined server name.
Details This can be Unicode.
GUI mapping Security Settings Console > Timestamp Servers > configuration details
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 7.0+
User Path Security\PPKHandler\TimeStampServers\(index)
Lock Path Not lockable
Summary Specifies whether or not the timestamp server requires authentication.
Details If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID. The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment.
GUI mapping Security Settings Console > Timestamp Servers > Configuration panel > This server requires me to log on
Not modifiableSupported on WindowsSupported on MacSupported by Acrobat
Data type 0 (bool)
Default null
Version # 9.0+
User Path Security\PPKHandler\TimeStampServers\(index)
Lock Path Not lockable
Summary This is an internal copy of bAuthReqd that cannot be modified.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\PPKHandler\TimeStampServers\(index)
Lock Path Not lockable
Summary If a timestamp server requires authentication, the authentication data is stored in a secure store such as Microsafe and is identified by this ID.
Details The service provider needs to know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment.
GUI mapping The preference is populated when the user checks This server requires me to log on and then enters a username and password.

Timestamp Server: Default

Timestamp servers are automatically used during signing only if a timestamp server has been configured and selected as a default. The full list of available servers appears under cPPKHandler.

The default server is identified by a star in the Security Settings Console, and that information is also written to sURL and bAuthReqd under cAdobe_TSPProvider. End users can overwrite these preference values by changing them in the Security Settings Console. The following options are available:

  • Setting a default server.

Summary table
AuthRequired Specifies whether the timestamp server requires authentication.
HashAlgo Identifies the hashing algorithm used to hash the timestamped data.
HashAlgo The hashing algorithm OID used to hash the data to be timestamped.
LockboxId If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. Microsafe).
Password The server log in password.
ReqRevCheck Indicates whether revocation checks on timestamps are required to succeed before signing.
Size ASPKI requires the signature property to predict the size (in bytes) so that enough space can be set aside.
URL A timestamp server URL such as http://www.example.com/tsp.
User The server login username.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 2
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary Indicates whether revocation checks on timestamps are required to succeed before signing.
Details Failure does not affect signature creation or validation, it only results in defaulting to the local, machine time. Interacts with other iReqRevCheck settings. The possible values include:
  • 0: Dont do revocation checks.
  • 1: Do a check IF CRLDp or AIA information resides in the certificate or registry; dont fail if the check fails.
  • 2: Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs.
  • 3: Require a check; it must succeed under all circumstances.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary A timestamp server URL such as http://www.example.com/tsp.
Details Because no default is specified, it must be configured for timestamping to work. Only the HTTP(s) protocol is supported.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary Specifies whether the timestamp server requires authentication.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary The server login username.
Details Relevant only if bAuthRequired is true. Only username and password-based authentication is supported.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary The server log in password.
Details Relevant only if bAuthRequired is true.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default null
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary If a timestamp server requires authentication, the authentication data is stored in a secure store identified by this ID (e.g. Microsafe).
Details The service provider needs know what type of secure store the identifier names. Only used when ASPKI is running within the Acrobat environment.
GUI mapping The preference is populated when the user checks This server requires me to log on and then enters a username and password.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 1
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary Identifies the hashing algorithm used to hash the timestamped data.
Details The valid values are:
  • 0: MD5
  • 1: SHA1
  • 2: SHA256
For an alternative, see sHashAlgo which supports more options.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 4 (string)
Default SHA1
Version # 8.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary The hashing algorithm OID used to hash the data to be timestamped.
Details The valid values are:
  • MD5: 1.2.840.113549.2.5
  • SHA1:1.3.14.3.2.26
  • SHA256: 2.16.840.1.101.3.4.2.1
  • SHA384: 2.16.840.1.101.3.4.2.2
  • SHA512: 2.16.840.1.101.3.4.2.3
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 1 (int)
Default 4096
Version # 7.0+
User Path Security\ASPKI\Adobe_TSPProvider
Lock Path Not lockable
Summary ASPKI requires the signature property to predict the size (in bytes) so that enough space can be set aside.
GUI mapping N/A

Security Envelopes

These keys appear after a user creates a security envelope to deliver one or more documents securely. The keys in cMain remember the user choices such as the last search path for finding attachments and so on. An administrator could set a default value, but these values would be changed by user actions.

Summary table
LastEnvelope The ASPath to the last envelope used for Secure PDF Delivery.
LastSearchPath The last path used for selecting files to include in an eEnvelope.
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type
Default null
Version # 7.0+
User Path Security\Main
Lock Path Not lockable
Summary The last path used for selecting files to include in an eEnvelope.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type
Default null
Version # 7.0+
User Path Security\Main
Lock Path Not lockable
Summary The ASPath to the last envelope used for Secure PDF Delivery.
GUI mapping N/A

LiveCycle Server Configuration

The preferences in EDC (a legacy name) define Adobe LiveCycle Right Management Server connections. Users can specify servers through the Security Settings Console. However, administrators can preconfigure user machines to control the end user experience.

The following options are available:

  • Setting a default server under cEDC. The default server appears with a star icon in the Security Settings Console.
  • Controlling whether to use HTTP or HTTPS with bAllowConnectViaHTTP.
  • Adding one or more servers in to the known server list cEDC\KnownServers. These server definitions will appear in the Security Settings Console's server list.
  • Locking down the settings so that the server configuration dialog will not appear in the user interface, thereby preventing end users from adding servers or changing server settings.

Summary table
AllowAPSConfig Prevents a LiveCycle Right Management Server from being configured by disabling the menu option in the Security Settings Console.
AllowConnectViaHTTP If true, the server connection URI uses the format http://server:port/path; otherwise, it uses the format https://server:port/path.
LastServerURL The last APS server used to open a document and the server used for off line key synchronization.
LockboxId Set if bSavePassword is not 0 to look up the password in a user's secure password cache.
Name The user defined name for this server.
SavePassword Indicates whether the password has been cached for this server.
Server The DNS server name (i.e. alrms.adobe.com).
ServerName The Adobe LiveCycle Rights Management Server selected by the user as the default.
ServerURL The default server URL.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 8.1+
User Path N/A
Lock Path FeatureLockDown\Security\EDC
Summary Prevents a LiveCycle Right Management Server from being configured by disabling the menu option in the Security Settings Console.
Details By default, configuration is allowed.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default 1
Version # 7.0+
User Path Security\EDC
Lock Path Not lockable
Summary If true, the server connection URI uses the format http://server:port/path; otherwise, it uses the format https://server:port/path.
Details In either case, if the connection fails, an error message appears. For more information, see Guidelines for Developing CSPs for Acrobat on Windows.
GUI mapping N/A
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\EDC
Lock Path Not lockable
Summary The last APS server used to open a document and the server used for off line key synchronization.
Details It is set automatically when opening a document.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\EDC
Lock Path Not lockable
Summary The Adobe LiveCycle Rights Management Server selected by the user as the default.
Details This is set via the user interface in the Security Settings Console either by creating a new server (the first one is the default) or by selecting an existing one.
GUI mapping See details.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\EDC
Lock Path Not lockable
Summary The default server URL.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 7.0+
User Path Security\EDC\KnownServers
Lock Path Not lockable
Summary Indicates whether the password has been cached for this server.
GUI mapping ALRMS settings in the Security Settings Console
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\EDC\KnownServers
Lock Path Not lockable
Summary The user defined name for this server.
GUI mapping ALRMS settings in the Security Settings Console
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\EDC\KnownServers
Lock Path Not lockable
Summary The DNS server name (i.e. alrms.adobe.com).
Details There is no scheme specified.
GUI mapping ALRMS settings in the Security Settings Console
Not modifiableSupported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\EDC\KnownServers
Lock Path Not lockable
Summary Set if bSavePassword is not 0 to look up the password in a user's secure password cache.
Details This is not directly exposed via the user interface.
GUI mapping N/A

Security Policy Favorites

The keys at Security\cPPKLite\cSP_Favorites contain an array of subkeys c0-cN where each index defines a favorite security policy. Both user and organizational policies can be favorites. Any policy marked as a favorite will appear in the user's favorite's list. End users make a policy a favorite by opening the Manage Security Policies dialog, highlighting the policy, and choosing Favorites. A star icon appears to the left of the policy name and the policy becomes available in the top level menu.

The following options are available:

  • Specifying an non-default handler for a policy.
  • Marking one or more policies as a favorite.
  • Specifying policy names.

Summary table
Handler An ASAtom specifying which PDCrypt handler knows how to handle this security policy.
Id A string containing the security-policy.acrodata file key used to reference the policy that is being applied.
IsFavorite Determines whether the referenced security policy is displayed as a favorite.
Name The security policy name.
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 2 (atom)
Default Null
Version # 7.0+
User Path Security\PPKLite\SP_Favorites\(index)\
Lock Path Not lockable
Summary An ASAtom specifying which PDCrypt handler knows how to handle this security policy.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 7.0+
User Path Security\PPKLite\SP_Favorites\(index)\
Lock Path Not lockable
Summary Determines whether the referenced security policy is displayed as a favorite.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 0 (bool)
Default null
Version # 7.0+
User Path Security\PPKLite\SP_Favorites\(index)\
Lock Path Not lockable
Summary A string containing the security-policy.acrodata file key used to reference the policy that is being applied.
GUI mapping N/A
Supported on WindowsSupported on MacSupported by AcrobatSupported by Adobe Reader
Data type 5 (text)
Default null
Version # 7.0+
User Path Security\PPKLite\SP_Favorites\(index)\
Lock Path Not lockable
Summary The security policy name.
GUI mapping N/A