Problem description

In the Acrobat or Acrobat Reader Trusted Certificate Store, certificates containing the hexadecimal sequence “FE FF” in their X.509 data get corrupted after updating AATL (Adobe Approved Trust List) or EUTL (European Union Trust List).

Corruption occurs when the Trusted Certificate Store is rewritten or optimized, for example when updating AATL/EUTL or when manually importing a certificate into the Trusted Certificate Store.

As a result:

  • Any signature whose trust anchor is one of the corrupted certificates is reported as invalid upon signature validation.
  • When AATL/EUTL is updated repeatedly, the signature may alternately appear as valid and invalid.
  • On multiple updates of AATL/EUTL, duplicated corrupt certificates get added to the user’s trust list.
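
To find out which certificate files carry the byte sequence described above, the following added example (not Adobe code and not part of the original article) scans PEM or DER certificate files for FE FF and reports the offsets. The function names and the sample bytes are constructed for illustration, and treating "X.509 data" as the DER encoding of the certificate is an assumption.

```python
import base64
import re
import sys

MARKER = b"\xfe\xff"  # byte sequence the article says triggers the corruption
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample bytes (not real certificates), used for self-checks.
SAMPLE_WITH = b"\x30\x0a\x02\x04\x12\xfe\xff\x34\x05\x00\xfe\xff"
SAMPLE_WITHOUT = b"\x30\x06\x02\x04\x12\xff\xfe\x34"

def to_pem(der):
    """Wrap DER bytes in PEM armor (helper for building test bundles)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

def der_blobs(data):
    """Yield each DER blob in a PEM bundle, or the input itself if it is raw DER."""
    bodies = PEM_RE.findall(data)
    if not bodies:
        yield data
        return
    for body in bodies:
        yield base64.b64decode(b"".join(body.split()))

def marker_offsets(der):
    """Return every byte offset at which FE FF occurs."""
    offsets, pos = [], der.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = der.find(MARKER, pos + 1)
    return offsets

def scan(data):
    """Return (certificate index, offsets) for each certificate containing FE FF."""
    return [(i, offs) for i, der in enumerate(der_blobs(data))
            if (offs := marker_offsets(der))]

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan(fh.read())
        for index, offs in hits:
            print(f"{path}: certificate #{index} contains FE FF at {offs}")
        if not hits:
            print(f"{path}: no FE FF sequence found")
```

Run it with one or more certificate file paths as arguments; a certificate that is reported here and is also a trust anchor in the store is a candidate for the corruption on an affected build.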

Affected platforms

Windows, OS X (macOS)

Affected products

  Acrobat Reader

  DC Continuous / Subscription
    Win: 18.011.20035
    Mac: 18.011.20035
    Win: 18.011.20036
    Mac: 18.011.20036

  DC Classic 2015
    Win: 15.006.30413 (2015.006.30413)
    Mac: 15.006.30416 (2015.006.30416)
    Win: 15.006.30413 (2015.006.30413)
    Mac: 15.006.30416 (2015.006.30416)

  Acrobat 2017 / Acrobat Reader 2017
    Win: 17.011.30078 (2017.011.30078)
    Mac: 17.011.30078 (2017.011.30078)
    Win: 17.011.30078 (2017.011.30078)
    Mac: 17.011.30078 (2017.011.30078)

Solution

Update to the latest version of Acrobat and Reader, and then update AATL and EUTL so that corrupt certificates are replaced with correct certificates in the Trusted Certificate Store.

  1. Update to the latest version: In Acrobat or Reader, go to Help > Check for Updates, and then follow the onscreen instructions.

  2. Update AATL/EUTL: In Acrobat or Reader, go to Edit > Preferences and then do the following:

    • For AATL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe AATL server check box and click Update Now.
    • For EUTL: Under Categories, select Trust Manager and then select the Load trusted certificates from an Adobe EUTL server check box and click Update Now.

If you manually trusted a certificate outside AATL or EUTL, and are seeing signatures being reported as invalid for the manually trusted certificate, do the following:

  1. Update to the latest version: In Acrobat or Reader, go to Help > Check for Updates, and then follow the onscreen instructions.

  2. Close Acrobat or Reader if it's running.

  3. Delete the trust list by deleting the following file:

    C:\Users\[UserName]\AppData\Roaming\Acrobat\<product version, for example, DC, 2015, or 2017>\Security\addressbook.acrodata

  4. Re-create the trust list file (addressbook.acrodata) by updating AATL and EUTL as described in step 2 of the previous procedure.

  5. Manually add the certificate that you want to trust to the Trusted Identities.

    To add a certificate manually to the Trusted Identities:
    1. Go to Edit > Preferences.
    2. Under Categories, select Signatures.
    3. For Identities & Trusted Certificates, click More.
    4. Select Digital IDs on the left.
    5. To import an ID, click the Add ID button, and then follow the onscreen instructions.

Additional information

The problem is fixed in the following builds/versions of Acrobat/Reader:

  • DC Continuous / Subscription version: 18.011.20038.267465
  • DC Classic 2015 version: 15.006.30417.267543
  • Acrobat 2017 / Acrobat Reader 2017 version: 17.011.30079.267470
