Securing PDFs with certificates

Note:

For a full list of articles about security, see Overview of security in Acrobat and PDF content.

Certificate security

Use certificates to encrypt documents and to verify a digital signature. A digital signature assures recipients that the document came from you. Encryption ensures that only the intended recipient can view the contents. A certificate stores the public key component of a digital ID. For more information about digital IDs, see Digital IDs.

When you secure a PDF using a certificate, you specify the recipients and define the file access level for each recipient or group. For example, you can allow one group to sign and fill forms and another to edit text or remove pages. You can choose certificates from your list of trusted identities, files on disk, LDAP server, or the Windows certificate store (Windows only). Always include your certificate in the recipient list so that you can open the document later.

Note:

If possible, encrypt documents using certificates from third-party digital IDs. If the certificate is lost or stolen, the issuing authority can replace it. If a self-signed digital ID is deleted, all PDFs that were encrypted using the certificate from that ID are inaccessible forever.

Encrypt a PDF or PDF Portfolio with a certificate

To encrypt many PDFs, use Action Wizard in Acrobat Pro (Tools > Action Wizard) to apply a predefined sequence. Alternatively, edit a sequence to add the security features you want. You can also save your certificate settings as a security policy and reuse it to encrypt PDFs.

Note:

For PDF Portfolios, Action Wizard applies security to the component PDFs but not to the PDF Portfolio itself. To secure the entire PDF Portfolio, apply security to the portfolio’s cover sheet.

  1. For a single PDF or a component PDF in a PDF Portfolio, open the PDF. For a PDF Portfolio, open the PDF Portfolio and choose View > Portfolio > Cover Sheet.

  2. Choose Tools > Protect > More Options > Encrypt with Certificate. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.

  3. At the prompt, click Yes.

  4. In the Certificate Security Settings dialog box, select the document components to encrypt.
  5. From the Encryption Algorithm menu, choose a rate of encryption, and then click Next.

    The encryption algorithm and key size are version-specific. Recipients must have the corresponding version (or later) of Acrobat or Reader to decrypt and read the document.

    • If you select 128-bit AES, recipients must have Acrobat 7 or later or Reader 7 or later to open the document.

    • If you select 256-bit AES, Adobe Acrobat 9 or later or Adobe Reader 9 or later is required to open the document.

  6. Create a recipient list for the encrypted PDF. Always include your own certificate in the recipient list so that you are able to open the document later.
    • Click Search to locate identities in a directory server or in your list of trusted identities.

    • Click Browse to locate the file that contains certificates of trusted identities.

    • To set printing and editing restrictions for the document, select recipients from the list, and then click Permissions.

  7. Click Next to review your settings, and then click Finish.

    When a recipient opens the PDF or PDF Portfolio, the security settings you specified for that person are used.

Change encryption settings

  1. Do one of the following:
    • For a single PDF or a component PDF in a PDF Portfolio, open the PDF.

    • For a PDF Portfolio, open the PDF Portfolio and choose View > Portfolio > Cover Sheet.

  2. Select Tools > Protect > More Options > Security Properties. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.

  3. Click Change Settings.
  4. Do any of the following, and then click Next.
    • To encrypt different document components, select that option.

    • To change the encryption algorithm, choose it from the menu.

  5. Do any of the following:
    • To check a trusted identity, select the recipient, and then click Details.

    • To remove recipients, select one or more recipients, and then click Remove. Do not remove your own certificate unless you do not want access to the file using that certificate.

    • To change permissions of recipients, select one or more recipients, and then click Permissions.

  6. Click Next, and then click Finish. Click OK to close the Document Properties dialog box, and save the document to apply your changes.

Remove encryption settings

  1. Do one of the following:
    • For a single PDF or a component PDF in a PDF Portfolio, open the PDF.

    • For a PDF Portfolio, open the PDF Portfolio and choose View > Portfolio > Cover Sheet.

  2. Select Tools > Protect > More Options > Remove Security. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.

  3. If prompted, type the permissions password. If you don’t know the permissions password, contact the author of the PDF.

Sharing certificates with others

Businesses that use certificates for secure workflows often store certificates on a directory server that participants can search to expand their list of trusted identities.

When you receive a certificate from someone, you can add it to your list of trusted identities. You can set your trust settings to trust all digital signatures and certified documents created with a specific certificate. You can also import certificates from a certificate store, such as the Windows certificate store. A certificate store often contains numerous certificates issued by different certification authorities.

For complete information on sharing certificates, see the Digital Signatures Guide (PDF) at www.adobe.com/go/learn_acr_security_en.

Note:

Third-party security providers usually validate identities by using proprietary methods. Or, they integrate their validation methods with Acrobat. If you use a third-party security provider, see the documentation for the third-party provider.

Get certificates from other users

Certificates that you receive from others are stored in a list of trusted identities. This list resembles an address book and enables you to validate the signatures of these users on any documents you receive from them.

Add a certificate from email

When a contact sends a certificate to you in email, it is displayed as an import/export methodology file attachment.

  1. Double-click the email attachment, then click Set Contact Trust in the dialog box that appears.
  2. Select the contact and click Import.
  3. Supply any password required and click Next. Click OK to view the import details, and then click OK again.
  4. Choose the location and click Next. Then click Finish.
  5. Click Set Contact Trust again to see that the contact has been added to Certificates. Select the certificate to view Details and Trust information.
    • For Trust, select the options desired.

    • Select Use This Certificate As A Trusted Root only if it is required to validate a digital signature. Once you make a certificate a trust anchor, you prevent revocation checking on it (or any certificate in the chain).

    • To allow actions that can be a security risk, click Certified Documents, and then select the options you want to allow:

      • Dynamic Content: Includes FLV files, SWF files, and external links.

      • Embedded High Privilege JavaScript: Trusts embedded scripts.

      • Privileged System Operations: Includes networking, printing, and file access.

Add a certificate from a digital signature in a PDF

You can safely add a certificate to your trusted identities from a signed PDF by first verifying the fingerprint with the originator of the certificate.

A self-signed certificate

  1. Open the PDF containing the signature.
  2. Open the Signatures panel, and select the signature.
  3. On the Options menu, click Show Signature Properties, and then click Show Signer’s Certificate.
  4. If the certificate is self-signed, contact the originator of the certificate to confirm that the fingerprint values on the Details tab are correct. Trust the certificate only if the values match the values of the originator.
  5. Click the Trust tab, click Add To Trusted Certificates, and click OK.
  6. In the Import Contact Settings dialog box, specify trust options, and click OK.

Set up Acrobat to search the Windows certificate store (Windows only)

  1. Select Preferences > Signatures. For Verification, click More.
  2. Select the desired options under Windows Integration, and click OK twice.

Trusting certificates from the Windows certificate store is not recommended.

Import certificates using the Windows Certificate Wizard (Windows only)

If you use the Windows certificate store to organize your certificates, you can import certificates using a wizard in Windows Explorer. To import certificates, identify the file that contains the certificates, and determine the file location.

  1. In Windows Explorer, right-click the certificate file and choose Install PFX.
  2. Follow the onscreen instructions to add the certificate to the Windows certificate store.
  3. If you are prompted to validate the certificate before installing it, note the MD5 digest and SHA1 digest values (fingerprint). Contact the originator of the certificate to confirm that the values are correct before you trust the certificate. Click OK.

Verify information on a certificate

The Certificate Viewer dialog box provides user attributes and other information about a certificate. When others import your certificate, they often want to check your fingerprint information against the information they receive with the certificate. (The fingerprint refers to the MD5 digest and SHA1 digest values.) You can check certificate information for your digital ID files or the ID files that you import.
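The fingerprint comparison described in the sections above, as an added example (not Adobe's code): it computes a digest over a certificate's DER encoding and compares it with the value the originator states, inferring MD5, SHA-1 or SHA-256 from the length of that value. The function names and the sample bytes are constructed for illustration; to use it on a real certificate, export the certificate to a PEM file and pass its text to `pem_to_der`.

```python
import base64
import hashlib
import hmac
import re

# The digest is inferred from the length of the hex fingerprint you were given.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate block found")
    return ders

def normalize(stated):
    """Strip separators and case so '3A:1F ...' and '3a1f...' compare equal."""
    hexstr = re.sub(r"[\s:.-]", "", stated).lower()
    if len(hexstr) not in ALGO_BY_HEX_LEN or re.search(r"[^0-9a-f]", hexstr):
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex fingerprint")
    return hexstr

def fingerprint(der, algo):
    """A fingerprint is the digest of the whole DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()

def matches(der, stated):
    """True only if the certificate hashes to the originator's stated value."""
    want = normalize(stated)
    have = fingerprint(der, ALGO_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(have, want)

# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)[0]
    for algo in ("md5", "sha1", "sha256"):
        print(algo, fingerprint(der, algo))
```

SHA-256 is accepted alongside the MD5 and SHA1 values the dialog shows because MD5 and SHA-1 are no longer collision-resistant; use it when the originator can supply it.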

For more information about verifying certificates, see the Digital Signatures User Guide (PDF) at www.adobe.com/go/learn_acr_security_en.

The Certificate Viewer dialog box provides the following information:

  • Certificate validation period

  • Intended use of the certificate

  • Certificate data, such as the serial number and public key method

You can also check if the certificate authority has revoked the certificate. Certificates are usually revoked when an employee leaves the company or when security is compromised in some way.

Verify your own certificate

  1. Select Preferences > Signatures. In Identities & Trusted Certificates, click More.
  2. Select your digital ID, and then click Certificate Details.

Verify information on the certificate of a contact

  1. Select the Signatures pane and choose the signature. In the Options menu, select Show Signature Properties.
  2. Select Show Signer’s Certificate to see details of the certificate.

Delete a certificate from trusted identities

  1. Select Preferences > Signatures. In Identities & Trusted Certificates, click More.
  2. Select the certificate, and click Remove ID.
