Adobe reader downloads a CRL file when digital signing with Cacert certificate

tekimmo

18-11-2016

It seems impossible to sign a pdf document with a Cacert client certificate.

When signing or reading an already signed document, Adobe Reader downloads the CRL file (Certificate Revocation List) from the Cacert site (http://crl.cacert.org). This download has to be aborted because it takes too much time.

How to solve this problem ?

The first method of authentication, OCSP, seems unsuccessful so the program downloads the CRL.

Below is a log of Adobe reader, which shows the OSCP check and after that the CRL check :

20161117160149Z:

20161117160149Z: Validating cert graph with 1 chains

20161117160149Z: Validating chain: CertChain_07924A16ED09F5502CC7A8C633D4FE3_1 Length = 2

   20161117160149Z: ----ChainBuilder----

      20161117160151Z: Processing Certificate: DN: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA Serial: 00

Issued by: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA

      20161117160151Z: verification time = 20161117143010+0100

      20161117160151Z: Processing Certificate: DN: email=xxxxx@xxxxx.xxx, cn=CAcert WoT User Serial: 1280F9

Issued by: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA

      20161117160151Z: verification time = 20161117143010+0100

   20161117160151Z: Finished Chain Validation.  TroubleFlags: 0

20161117160151Z:

20161117160151Z: Checking revocation on chain: CertChain_07924A16ED09F5502CC7A8C633D4FE3_1 Length = 2

   20161117160151Z: ----OCSPRevChecker----

      20161117160151Z: OCSP: Processing Certificate: "DN: email=xxxxx@xxxxx.xxx, cn=CAcert WoT User Serial: 1280F9

Issued by: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA" issued by: "DN: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA Serial: 00

Issued by: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA"

   20161117160151Z: Finished OCSP revocation checking on a chain

   20161117160151Z: ----CRLRevChecker----

      20161117160151Z: CRL: Processing Certificate: "DN: email=xxxxx@xxxxx.xxx, cn=CAcert WoT User Serial: 1280F9

Issued by: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA" issued by: "DN: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA Serial: 00

Issued by: email=support@cacert.org, cn=CA Cert Signing Authority, ou=http://www.cacert.org, o=Root CA"

      20161117160151Z: VRIEnumerator: looking for matching URI in evidence: http://crl.cacert.org/revoke.crl

      20161117160151Z: VRIEnumerator: Looking for matching DN in evidence

      20161117160151Z: EvidenceEnumerator: looking for matching URI in evidence: http://crl.cacert.org/revoke.crl

      20161117160151Z: EvidenceEnumerator: Looking for matching DN in evidence

      20161117160151Z: DSSEnumerator: looking for matching URI in evidence: http://crl.cacert.org/revoke.crl

      20161117160151Z: DSSEnumerator: Looking for matching DN in evidence

      20161117160151Z: CRLEnumerator: looking for matching URI in cache: http://crl.cacert.org/revoke.crl

      20161117160154Z: CRLEnumerator: looking for matching DN in cache.

      20161117160154Z: CRL: Revocation Status: Trouble

   20161117160154Z: Finished CRL Revocation checking on a chain

Accepted Solutions (0)

Answers (1)

Answers (1)

vkneswaran

09-09-2017

Any update on this. I need to view a signed pdf document but i do not have internet to download the CA certs.

Any other way to manually inject this certificates?