Entrust Certificate Services for Adobe CDS
Getting Started Guide
Entrust SafeNet Authentication Client: 8.3
Date of issue: July 2015
Copyright © 2014-2015 Entrust. All rights reserved. Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks
Revisions
Issue and date | Section | Revision
3.0 July 2015 | All sections | Updated screenshots and instructions where required. Updated Adobe Acrobat instructions using Adobe Acrobat Pro XI.
2.0 December 2014 | “Before you start” on page 12; “Picking up your Entrust certificate” on page 25 | References to SafeNet 4000 changed to SafeNet 5100. CSP changed to eToken Base Cryptographic Provider.
Table of contents
About this guide
  Supported operating systems
  Supported Versions of Adobe Acrobat
  Documentation conventions
    Note and Attention text
  Obtaining technical assistance
    Technical support
    Telephone numbers
    Email address
  Related documentation
  Documentation feedback
Installing your Entrust certificate on a token
  Before you start
  Downloading and installing the token software
  Initializing your token
  Picking up your Entrust certificate
  Changing the password for your token
  Recovering a certificate
Signing and certifying PDF documents with your certificate
  Signing and certifying a PDF document
About this guide
This guide describes how to store an Entrust certificate on an iKey 5100 token. This includes:
• installing your token (drivers and software)
• initializing your token
• accessing the Entrust Certificate Retrieval Web pages to store the certificate on your token
This guide also provides basic instructions about how to sign and/or certify a PDF file or form and how to set signature validation preferences. For more advanced features, see the Adobe documentation.
Note: To navigate through this PDF, you can use the arrow buttons in the menu bar of Adobe Reader.
Supported operating systems
The following operating systems are supported:
Supported Versions of Adobe Acrobat
The following versions of Adobe Acrobat are supported:
• Adobe Acrobat XI Standard
Documentation conventions
The following documentation conventions are used in Entrust guides:
Note and Attention text
Throughout this guide, paragraphs are set off by ruled lines above and below. They provide key information with two levels of importance, as shown below.
Note: Information to help you maximize the benefits of your Entrust product.
Table 1: Typographic conventions
Convention | Purpose | Example
Bold text (other than headings) | Indicates graphical user interface elements and wizards. | Click Next.
Italicized text | Used for book or document titles. | Entrust Certificate Services Enrollment Guide
Blue text | Used for hyperlinks to other sections in the document. | Entrust TruePass supports the use of many types of digital ID.
Underlined blue text | Used for Web links. | For more information, visit our Web site at www.entrust.net.
Courier type | Indicates installation paths, file names, Windows registry keys, commands, and text you must enter. | Use the entrust-configuration.xml file to change certain options for Verification Server.
Angle brackets < > | Indicates variables (text you must replace with your organization’s correct values). |
Attention:
Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support resources. The following subsections provide details about the technical support and information available to you.
Technical support
For Entrust technical support services, visit our Web site at:
http://www.entrust.net/ssl-technical/index.htm
For technical resources including a comprehensive Knowledge Base visit:
http://www.entrust.net/knowledge-base/index.cfm
Telephone numbers
For support assistance by telephone, call one of the numbers below:
• 1 (866) 267-9297 (toll free within North America)
• 1 (613) 270-2680 (outside North America)
Email address
The email address for Customer Support is:
Related documentation
This section describes related reading material that may be used in conjunction with this guide.
• Entrust Certificate Services Adobe CDS Individual Enrollment Guide
• Entrust Certificate Services Adobe CDS Group Enrollment Guide
• Token software information (http://www.safenet-inc.com)
Documentation feedback
You can rate and provide feedback about Entrust product documentation by completing the online feedback form. Any information that you provide goes directly to the documentation team and is used to improve and correct the information in our guides. You can access this form by:
• clicking the Report any errors or omissions link located in the footer of Entrust’s PDF documents (see bottom of this page).
1 Installing your Entrust certificate on a token
This chapter describes how to enroll your token and install your Entrust certificate on your token. This guide assumes that you have already purchased a CDS signing certificate.
This chapter includes the following sections:
• “Before you start” on page 12
• “Downloading and installing the token software” on page 13
• “Initializing your token” on page 20
• “Picking up your Entrust certificate” on page 25
• “Changing the password for your token” on page 29
Before you start
To install and use your Entrust certificate you require:
• a supported browser with Internet access
• a supported operating system (see “Supported operating systems” on page 5)
• an iKey 5100 token (provided by Entrust)
• the email message sent to you by Entrust after purchasing the certificate— this message contains a link to a Web page where you can download the required software and certificate
Downloading and installing the token software
In order to manage your token, including tasks such as logging in, initializing, and resetting your password, you must download and install the token software provided by Entrust.
Complete the following procedure to obtain and install the token software.
Attention: Do not plug your token into your computer until you have completed this procedure.
To obtain and install the token software
1 In the notification email sent to you by Entrust, click the link to the Entrust Certificate Retrieval Web pages.
The Entrust Certificate Retrieval login page appears.
2 In the text field, enter the passphrase issued to you by Entrust.
4 Download the appropriate 32-bit or 64-bit software package, depending on your operating system (see “Supported operating systems” on page 5).
Optionally, use the MD5 Checksum hash to ensure that the file is correct and was not corrupted during the download. (Using the MD5 Checksum hash requires the Microsoft Checksum Integrity Verifier or a similar utility.)
5 Save the software to your computer.
6 Double-click the installer file (EntrustSACInstaller_<number>.msi) to begin installing your software.
7 Click Next.
8 Select the language to use for the installation.
9 Click Next to continue.
The License Agreement page appears.
10 Accept the license agreement by clicking I accept the license agreement. You must accept the license agreement to proceed with the installation.
11 Click Next to continue.
12 Select Standard.
13 Click Next to continue.
14 Either keep the default installation folder, or click Browse to select a new installation folder.
15 Click Next to continue.
16 You may be asked to allow the installer to make changes to the hard drive of the
17 The Updating System page appears. The page displays the progress of the installation. When the installation is complete, a success message appears.
18 Click Finish.
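The optional checksum check in step 4, as an added example that is not part of the Entrust guide: a PowerShell function that compares a downloaded file's MD5 with the published value and reports a mismatch. The function name Test-InstallerChecksum and the sample file are constructed for illustration; Get-FileHash is the built-in cmdlet and requires PowerShell 4.0 or later.

```powershell
# Added example (not from the Entrust guide). Test-InstallerChecksum is a
# hypothetical helper name; Get-FileHash is the built-in cmdlet (PowerShell 4.0+).
function Test-InstallerChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedMd5
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Published checksums are often shown with spaces, dashes or mixed case.
    $expected = ($ExpectedMd5 -replace '[\s:-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{32}$') {
        throw 'Expected value is not a 32-digit hexadecimal MD5 checksum.'
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToUpperInvariant()

    [pscustomobject]@{
        File     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -ceq $expected)
    }
}

# Constructed sample: a 3-byte file containing "abc", whose MD5 is well known.
$sample = [System.IO.Path]::GetTempFileName()
try {
    [System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63))
    $good = Test-InstallerChecksum -Path $sample -ExpectedMd5 '90015098 3cd24fb0 d6963f7d 28e17f72'

    # Simulate a corrupted download by appending one byte.
    [System.IO.File]::WriteAllBytes($sample, [byte[]](0x61, 0x62, 0x63, 0x00))
    $bad = Test-InstallerChecksum -Path $sample -ExpectedMd5 '900150983cd24fb0d6963f7d28e17f72'

    $good, $bad | Format-Table Match, Expected, Actual -AutoSize
    if (-not $bad.Match) {
        Write-Warning 'Checksum mismatch: discard the file and download it again.'
    }
}
finally {
    Remove-Item -LiteralPath $sample -ErrorAction SilentlyContinue
}
```

For the real download, pass the path of the saved EntrustSACInstaller_<number>.msi file and the MD5 checksum value provided with the download. A match shows the file arrived uncorrupted, which is the purpose the guide gives for the checksum.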
Initializing your token
You must initialize the new token before it can store your Adobe signing certificate.
Note: If this is not a new token, be aware that initializing the token deletes any information already stored on it.
Complete the following procedure to enroll your token.
To enroll your token
1 Insert your token into a USB slot on your computer.
If the token is not recognized by the computer, the SafeNet icon in the system tray is grayed-out:
• On Microsoft Windows Server 2012 R2 or Windows 8.1, select Start, then click the down arrow to access Apps, then click SafeNet Authentication Client Tools. (When listed by name or category, SafeNet Authentication Client Tools is listed under SafeNet.)
The SafeNet Authentication Client Tools dialog box appears.
3 If you are using a new token, select View Token Info. If you are reinitializing a previously-used token, select the Advanced view icon.
4 In the tree view, expand SafeNet Authentication Client Tools > Tokens.
5 Under Tokens:
• If you are using a new token, right-click the blank entry and select Initialize Token.
• If you are reinitializing a previously-used token, right-click the name of the token you want to reinitialize and select Initialize Token.
6 In the Token Name field, enter a name for the token.
9 Click OK.
10 A status bar appears, indicating the progress of the initialization. When the initialization is complete, a success message appears.
Picking up your Entrust certificate
When your certificate is ready, Entrust sends you an email containing a link to the Certificate Retrieval Web pages. You are also provided with a passphrase that allows you to log into the Entrust Certificate Retrieval Web pages and obtain the Entrust certificate.
When you pick up the certificate, the page is able to store it directly on your token.
Note: If you are picking up a PDF signing certificate for the first time, be sure that you have already completed the following procedures:
- downloaded and installed the token software as described in “Downloading and installing the token software” on page 13
- initialized the token as described in “Initializing your token” on page 20
Complete the following procedure to obtain your Entrust certificate.
To obtain your Entrust certificate
1 Insert your token into a USB port.
2 In the notification email sent to you by Entrust, click the link to the Entrust Certificate Retrieval Web pages.
5 Read the software subscription agreement.
6 If you agree to all terms and conditions of the subscription agreement, click Accept. You must accept the subscription agreement to retrieve the certificate and install it on the token.
9 In the Token Password field, enter the password that you created for your token. This is the password you created specifically for the token during SafeNet token initialization. This is not the passphrase you used to log in to the Entrust Web site. A Web Access Confirmation dialog box appears.
Your certificate is now ready for use.
Changing the password for your token
Complete the following procedure when you need to change the password for your token.
Attention: If you forget your password, you must initialize your token. Initializing your token deletes its contents including certificates and keys. For more information, see “Recovering a certificate” on page 33.
To change your token password
1 Insert your token into a USB slot on your computer.
2 From the desktop system tray, right-click the SafeNet icon and then select Tools. If you do not see the icon in the system tray:
• On Microsoft Windows Server 2008 or Windows 7, select Start > All Programs > SafeNet > SafeNet Authentication Client > SafeNet Authentication Client Tools.
• On Microsoft Windows Server 2012 R2 or Windows 8.1, select Start, then click the down arrow to access Apps, then click SafeNet Authentication Client Tools. (When listed by name or category, SafeNet Authentication Client Tools is listed under SafeNet.)
4 In the tree view, expand SafeNet Authentication Client Tools > Tokens.
5 Under Tokens, right-click on the entry for your token and select Change Password.
6 In the Current Token Password field, enter the current token password.
7 In the New Token Password and Confirm Password fields, enter and confirm a new token password.
The new password must comply with the password settings defined on the token. Strong passwords contain at least eight characters, and include at least one uppercase character, one lowercase character, one number, and one non-alphanumeric character. Easily-guessed passwords are not secure.
8 Click OK.
Recovering a certificate
If you need to recover your certificate—for example, because you forgot the password—you have the following options:
• If you need to recover your certificate within 30 days of purchasing it, Entrust Certificate Services will reissue it once for free. After the 30 day period, or if you need to recover the certificate more than once, you must purchase a new certificate.
• If the certificate is from a single certificate order and you forget the password before the certificate is generated, Entrust Certificate Services support will reset the password for you.
• If your certificates are managed using Entrust SSL Enterprise, your SSL Enterprise Administrator can reset your password without intervention by Entrust support.
2 Signing and certifying PDF documents with your certificate
This chapter provides basic information about how to sign and certify a PDF file, how to add a signer to the trusted list, and how to set signature preferences.
For more advanced tasks, see the Adobe documentation.
Note: Procedures in this chapter are based on Adobe Acrobat Pro XI. The instructions may be different for other versions of Adobe Acrobat.
You may need to register your certificate with Adobe Acrobat before you can sign a PDF. See the Adobe documentation for more information about registering your certificate.
This chapter contains the following sections:
• “Signing and certifying a PDF document” on page 36
Signing and certifying a PDF document
You can add one or more digital signatures to a PDF file or form using Adobe Acrobat Professional. A digital signature enables recipients to verify that the document came from you.
The signature displays one or more signature fields directly on the PDF for easy viewing. The field contains details about the certificate and the signature name. You can certify a PDF document as well as adding your signature. Certify a document to let recipients know that you approve the contents of the PDF. This prevents content tampering, since any modification of the document after certification causes the PDF to lose its certified status.
To allow the recipient to make modifications to specific areas of the document (such as adding values to a form), the certification process allows you to specify the permitted modifications. You can certify a document with a visible signature or an invisible signature.
Complete the following procedures as required:
• “To add a signature to a PDF document” on page 36
• “To sign and certify a PDF document with a visible signature” on page 39
• “To sign and certify a PDF file without a visible signature” on page 43
To add a signature to a PDF document
1 Open Adobe Acrobat.
2 Open the PDF document.
3 From the tasks toolbar, click Fill & Sign > Work with Certificates > Sign with Certificate.
b (Optional.) To never show the message again, select Do not show this message again.
c Click Drag New Signature Rectangle.
5 In your PDF, click and drag your mouse to create a signature field. The Sign Document dialog box appears.
7 (Optional.) You can view your certificate, change or create a new appearance for your digital signature, and lock your document after signing (PDF file only). For more information about these options, see the Adobe documentation.
8 Click Sign.
The Save As dialog box appears.
9 Enter a file name for the PDF document.
If you want to keep the original unsigned version of the PDF document, save the PDF document under a new file name. To overwrite the original unsigned PDF document, keep the same file name.
10 Click Save to save your signed PDF document.
The Token Login dialog box appears.
Your signature appears in the field you created in the PDF. For example:
You successfully signed a PDF document.
To sign and certify a PDF document with a visible signature
1 Open Adobe Acrobat.
2 Open the PDF document.
3 From the tasks toolbar, click Fill & Sign > Work with Certificates > Certify (Visible).
5 The Save as Certified Document may appear. It describes how to apply the signature to your document.
a Read the instructions.
b (Optional.) To never show the message again, select Don’t show again.
6 The Certify Document dialog box appears.
certifying. For more information about these options, see the Adobe documentation.
c Click Sign.
The Save As dialog box appears.
7 Enter a file name for the PDF document.
If you want to keep the original unsigned and uncertified version of the PDF document, save the PDF document under a new file name. To overwrite the original unsigned and uncertified PDF document, keep the same file name.
8 Click Save to save your signed PDF document. The Token Login dialog box appears.
9 In the Token Password field, enter the token passphrase.
10 Click OK.
If the signer identity is on your list of Trusted Identities, a blue ribbon in the document message bar indicates the file’s certified status.
You have successfully signed and certified a PDF document.
To sign and certify a PDF file without a visible signature
1 Open Adobe Acrobat.
2 Open the PDF document.
3 From the tasks toolbar, click Fill & Sign > Work with Certificates > Certify (Not Visible).
4 The Save as Certified Document may appear. It describes how to apply the signature to your document.
a Read the instructions.
5 The Certify Document dialog box appears.
a From the Sign As drop-down list, select your Entrust certificate used for signing PDFs.
Note: If your certificate is unrecognized, remove your token from the USB port, reinsert the token back into the USB port, and then log back in.
If the signer identity is on your list of Trusted Identities, a blue ribbon in the document message bar indicates the file’s certified status.
Setting signature verification preferences
Adobe Acrobat Pro allows you to set specific signature preferences to verify digital signatures and document certifications.
To set signature verification preferences in Adobe Acrobat Pro XI
1 Open Adobe Acrobat Pro.
2 Select Edit > Preferences.
5 Select Verify signatures when the document is opened.