Problem description
In the Acrobat or Acrobat Reader Trusted Certificate Store, certificates containing the hexadecimal sequence “FE FF” in their X.509 data get corrupted after updating AATL (Adobe Approved Trust List) or EUTL (European Union Trust List).
Corruption occurs when the Trusted Certificate Store is rewritten or optimized, for example when updating AATL/EUTL or when manually importing a certificate into the Trusted Certificate Store.
As a result:
- Any signature whose trust anchor is one of the corrupted certificates is reported as invalid upon signature validation.
- When AATL/EUTL is updated repeatedly, the signature may alternate between appearing valid and invalid.
- On multiple updates of AATL/EUTL, duplicated corrupt certificates get added to the user’s trust list.
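A triage check for the condition described above, added here as an example (it is not Adobe's code): it scans a PEM bundle or a raw DER file and reports which certificates contain the byte sequence FE FF, so you know which trust anchors to re-verify after the store has been rewritten. It assumes "X.509 data" means the certificate's DER encoding; the function names are hypothetical and the sample bundle is made of constructed stand-in bytes, not real certificates.

```python
import base64
import hashlib
import re

MARKER = b"\xfe\xff"  # byte sequence named in the problem description
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def load_der_certs(blob):
    """DER bytes of each certificate in a PEM bundle; raw DER is returned as one item."""
    bodies = PEM_RE.findall(blob)
    if not bodies:
        return [blob]
    return [base64.b64decode(b"".join(body.split())) for body in bodies]


def marker_offsets(der):
    """Every offset at which FE FF occurs in the encoded certificate."""
    offsets, pos = [], der.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = der.find(MARKER, pos + 1)
    return offsets


def triage(blob):
    """One row per certificate: SHA-256 fingerprint of the DER and FE FF offsets."""
    rows = []
    for index, der in enumerate(load_der_certs(blob)):
        offsets = marker_offsets(der)
        rows.append({"index": index, "sha256": hashlib.sha256(der).hexdigest(),
                     "offsets": offsets, "at_risk": bool(offsets)})
    return rows


def _pem(der):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


# Constructed sample input: stand-in byte strings, not real certificates.
SAMPLE_BUNDLE = (_pem(b"\x30\x82\x01\x0a" + b"\x00" * 8 + b"\xfe\xff" + b"\x01" * 4)
                 + _pem(b"\x30\x82\x01\x0a" + b"\xff\xfe" + b"\x02" * 10))

if __name__ == "__main__":
    for row in triage(SAMPLE_BUNDLE):
        state = "contains FE FF" if row["at_risk"] else "clean"
        print(row["index"], row["sha256"][:16], state, row["offsets"])
```

Run it over exported copies of the certificates you trusted manually; a match only indicates exposure on the affected builds.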
Affected platforms
Windows, OS X (macOS)
Affected products
| | Acrobat | Reader |
|---|---|---|
| DC Continuous / Subscription | Win: 18.011.20035 | Win: 18.011.20036 |
| DC Classic 2015 | Win: 15.006.30413 (2015.006.30413) | Win: 15.006.30413 (2015.006.30413) |
| Acrobat 2017 / Acrobat Reader 2017 | Win: 17.011.30078 (2017.011.30078) | Win: 17.011.30078 (2017.011.30078) |
Solution
Update to the latest version of Acrobat and Reader, and then update AATL and EUTL so that corrupt certificates are replaced with correct certificates in the Trusted Certificate Store.
1. Update to the latest version: In Acrobat or Reader, go to Help > Check for Updates, and then follow the onscreen instructions.
2. Update AATL/EUTL: In Acrobat or Reader, go to Edit > Preferences and then do the following:
   - For AATL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe AATL server check box and click Update Now.
   - For EUTL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe EUTL server check box and click Update Now.
If you manually trusted a certificate outside AATL or EUTL, and are seeing signatures being reported as invalid for the manually trusted certificate, do the following:
1. Update to the latest version: In Acrobat or Reader, go to Help > Check for Updates, and then follow the onscreen instructions.
2. Close Acrobat or Reader if it's running.
3. Delete the trust list by deleting the following file:
   C:\Users\[UserName]\AppData\Roaming\Acrobat\<product version, for example, DC, 2015, or 2017>\Security\addressbook.acrodata
4. Re-create the trust list file (addressbook.acrodata) by updating AATL and EUTL as described above (step 2 in the previous procedure).
5. Manually add the certificate that you want to trust to the Trusted Identities.
To add a certificate manually to the Trusted Identities:
1. Go to Edit > Preferences.
2. Under Categories, select Signatures.
3. For Identities & Trusted Certificates, click More.
4. Select Digital IDs on the left.
5. To import an ID, click the Add ID button, and then follow the onscreen instructions.
Additional information
The problem is fixed in the following builds/versions of Acrobat/Reader:
- DC Continuous / Subscription version: 18.011.20038.267465
- DC Classic 2015 version: 15.006.30417.267543
- Acrobat 2017 / Acrobat Reader 2017 version: 17.011.30079.267470