Certificates get corrupted after updating Acrobat or Acrobat Reader Trusted Certificate Store

Last updated on 30 September 2022 | Also applies to Acrobat Reader

Problem description

In Acrobat or Acrobat Reader Trusted Certificate Store, the certificates containing hexadecimal sequence “FE FF” in their X.509 data get corrupted after updating AATL (Adobe Approved Trust List) or EUTL (European Union Trust List).

Corruption occurs when the Trusted Certificate Store is rewritten or optimized, for example when updating AATL/EUTL or when manually importing a certificate into the Trusted Certificate Store.

As a result:

Any signature whose trust anchor is one of the corrupted certificates is reported as invalid upon signature validation.
Updating AATL/EUTL repetitively, the signature may appear as valid and invalid alternatively.
On multiple updates of AATL/EUTL, duplicated corrupt certificates get added to the user’s trust list.

Affected platforms

Windows, OS X (macOS)

Affected products

	Acrobat	Reader
DC Continuous / Subscription	Win: 18.011.20035 Mac: 18.011.20035	Win: 18.011.20036 Mac: 18.011.20036
DC Classic 2015	Win: 15.006.30413 (2015.006.30413) Mac:15.006.30416 (2015.006.30416)	Win: 15.006.30413 (2015.006.30413) Mac:15.006.30416 (2015.006.30416)
Acrobat 2017 / Acrobat Reader 2017	Win: 17.011.30078 (2017.011.30078) Mac:17.011.30078 (2017.011.30078)	Win: 17.011.30078 (2017.011.30078) Mac:17.011.30078 (2017.011.30078)

Solution

Update to the latest version of Acrobat and Reader, and then update AATL and EUTL so that corrupt certificates are replaced with correct certificates in the Trusted Certificate Store.

Update to the latest version: In Acrobat or Reader, go to Help > Check for Updates, and then the follow onscreen instructions.
Update AATL/EUTL: In Acrobat or Reader, go to Edit > Preferences and then do the following:
- For AATL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe AATL server check box and click Update Now.
- For EUTL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe EUTL server check box and click Update Now.

If you manually trusted a certificate outside AATL or EUTL, and are seeing signatures being reported as invalid for the manually trusted certificate, do the following:

Update to the latest version: In Acrobat or Reader, go to Help > Check for Updates, and then the follow onscreen instructions.
Close Acrobat or Reader if it's running.
Delete the trust list by deleting the following file:

C:\Users\[UserName]\AppData\Roaming\Acrobat\<product version, for example, DC, 2015, or 2017>\Security\addressbook.acrodata
Re-create trust list file ( addressbook .acrodata) by updating AATL, EUTL as described above - step 2 in the previous procedure.
Manually add the certificate that you want to trust to the Trust Identities.

To add a certificate manually to the Trusted Identities:
1. Go to Edit > Preferences.
2. Under Categories, select Signatures.
3. For Identities & Trusted Certificates, click More.
4. Select Digital IDs on the left.
5. To import an ID, click the Add ID button, and then follow the onscreen instructions.

Additional information

The problem is fixed in the following builds/versions of Acrobat/Reader:

DC Continuous / Subscription version: 18.011.20038.267465
DC Classic 2015 version: 15.006.30417.267543
Acrobat 2017 / Acrobat Reader 2017 version: 17.011.30079.267470

Get help faster and easier

New user?