In the Acrobat or Acrobat Reader Trusted Certificate Store, certificates containing the hexadecimal sequence “FE FF” in their X.509 data get corrupted after updating AATL (Adobe Approved Trust List) or EUTL (European Union Trust List).
Corruption occurs when the Trusted Certificate Store is rewritten or optimized, for example when updating AATL/EUTL or when manually importing a certificate into the Trusted Certificate Store.
As a result:
- Any signature whose trust anchor is one of the corrupted certificates is reported as invalid upon signature validation.
- When AATL/EUTL is updated repeatedly, the signature may appear alternately as valid and invalid.
- On multiple updates of AATL/EUTL, duplicated corrupt certificates get added to the user’s trust list.
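
To check which certificates in a trust bundle meet the “FE FF” condition described above, you can search their encoded bytes for that sequence. The following is an added example, not Adobe code: it assumes “X.509 data” means the certificate's DER encoding, and the sample bundle is constructed filler bytes wrapped in PEM armor, not real certificates.

```python
import base64
import hashlib
import re

MARKER = b"\xfe\xff"  # byte sequence named in the article
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def split_certificates(blob: bytes) -> list[bytes]:
    """Return DER blobs from a PEM bundle, or the input itself if it is raw DER."""
    bodies = PEM_RE.findall(blob)
    if not bodies:
        return [blob]
    return [base64.b64decode(b"".join(body.split())) for body in bodies]

def marker_offsets(der: bytes) -> list[int]:
    """Every offset where FE FF occurs (order matters: FF FE does not count)."""
    offsets, pos = [], der.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = der.find(MARKER, pos + 1)
    return offsets

def scan(blob: bytes) -> list[dict]:
    """One report entry per certificate: fingerprint, offsets, at-risk flag."""
    report = []
    for index, der in enumerate(split_certificates(blob)):
        offsets = marker_offsets(der)
        report.append({
            "index": index,
            "sha256": hashlib.sha256(der).hexdigest(),
            "offsets": offsets,
            "at_risk": bool(offsets),
        })
    return report

def _pem(der: bytes) -> bytes:
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

# Constructed sample: the first blob contains FE FF, the second only FF FE.
SAMPLE_BUNDLE = (_pem(bytes.fromhex("3082000a0201feff02020102fe00ff"))
                 + _pem(bytes.fromhex("308200060202fffe020100")))

if __name__ == "__main__":
    for entry in scan(SAMPLE_BUNDLE):
        state = "contains FE FF" if entry["at_risk"] else "clean"
        print(entry["index"], entry["sha256"][:16], state, entry["offsets"])
```

The SHA-256 fingerprint in each entry lets you match a flagged blob against the certificate you exported.
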
| | Acrobat | Reader |
|---|---|---|
| DC Continuous / Subscription | Win: 18.011.20035 Mac: 18.011.20035 | Win: 18.011.20036 Mac: 18.011.20036 |
| DC Classic 2015 | Win: 15.006.30413 (2015.006.30413) Mac: 15.006.30416 (2015.006.30416) | Win: 15.006.30413 (2015.006.30413) Mac: 15.006.30416 (2015.006.30416) |
| Acrobat 2017 / Acrobat Reader 2017 | Win: 17.011.30078 (2017.011.30078) Mac: 17.011.30078 (2017.011.30078) | Win: 17.011.30078 (2017.011.30078) Mac: 17.011.30078 (2017.011.30078) |
Update to the latest version of Acrobat and Reader, and then update AATL and EUTL so that corrupt certificates are replaced with correct certificates in the Trusted Certificate Store.
Update AATL/EUTL: In Acrobat or Reader, go to Edit > Preferences and then do the following:
- For AATL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe AATL server check box and click Update Now.
- For EUTL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe EUTL server check box and click Update Now.
If you manually trusted a certificate outside AATL or EUTL, and are seeing signatures being reported as invalid for the manually trusted certificate, do the following:
Manually add the certificate that you want to trust to the Trusted Identities.
To add a certificate manually to the Trusted Identities:
1. Go to Edit > Preferences.
2. Under Categories, select Signatures.
3. For Identities & Trusted Certificates, click More.
4. Select Digital IDs on the left.
5. To import an ID, click the Add ID button, and then follow the onscreen instructions.