"Signature is not LTV enabled" #21
Comments
Have you added the revocation status of the certificate and a time stamp from a TSA?
@vanbroup Thanks! The revocation data is indeed missing. I just copied code from main.go :) which doesn't have them. I will try to read how to get the revocation data and what it is.
TSA is there though; I have used ts.ssl.com which is free and it seems to show up correctly in acrobat, unlike freetsa.org
How do I "add revocation status" with this library? All I see is these 2 options...
I don't care about caching, or custom revocation lookup?
Ah it's because I put empty certificate chains. I will try to edit that
Ah, it seems certificate chains must be present and RevocationFunction must be set to
However with our code, the OCSP shows "malformed" error. :( Will try to look deeper.
Do you use a publicly trusted certificate? Have you tried uploading the certificate to https://certificate.revocationcheck.com/
The issue was that I have put "our cert - intermediate cert - root cert" to the "certificate chains" option. However, when doing OCSP on intermediate cert with root cert, the root cert OCSP returned error. (I am not sure why, why does intermediate cert OCSP return error when asked with the root cert issuer... maybe some issue on the side of the authority, I don't know.) However, looking around, I figured out that Acrobat has even the intermediate cert in its root store, not the cert authority root store. So doing only "our cert - intermediate cert" as certificate chain fixed the issue and we see "LTV enabled". What I think could be documented better is that the But I understand this is an open source project so, thanks for the library anyway :D and I might add a PR with the docs
Interestingly - if I use "proCentrum SmartSign" - a different program to check PDF certificates - I get "Certificate is not issued by qualified distribution point". That's weird... that seems to have something to do with CLR. I have edited the function to add both OCSP and CLR even in the case OCSP request fails, and added that for all three certs in the chain... and still get this error. That is so strange... I will trust Acrobat more than "proCentrum SmartSign" though.
The EU demo works https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation So I will discount the proCentrum thing.
Closing this issue but I might update the docs later
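The effect of the chain contents described in the comment above, as an added example that is not part of the thread and does not use the library's API: a standard-library Go check that lists which certificates of a leaf-first chain can have their revocation status queried, since an OCSP request has to name the issuer. The chain, its names and the responder URL are constructed, and `queryable` and `demoChain` are hypothetical helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// queryable returns the certificates of a leaf-first chain whose issuer is the
// next element: only for those can an OCSP request (which names the issuer) be built.
func queryable(chain []*x509.Certificate) (out []*x509.Certificate) {
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].CheckSignatureFrom(chain[i+1]) == nil {
			out = append(out, chain[i])
		}
	}
	return out
}

// demoChain builds a constructed leaf, intermediate, root chain; names and URL are made up.
func demoChain() (chain []*x509.Certificate) {
	var caKey ed25519.PrivateKey
	for i, cn := range []string{"Example Root", "Example Intermediate", "Example Signer"} {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: i < 2, BasicConstraintsValid: true}
		issuer, issuerKey := t, key // the root signs itself
		if i > 0 {
			issuer, issuerKey = chain[0], caKey
			t.OCSPServer = []string{"http://ocsp.example.test/"}
		}
		der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		chain, caKey = append([]*x509.Certificate{c}, chain...), key
	}
	return chain
}

func main() {
	chain := demoChain()
	fmt.Printf("lookups with root in chain: %d, without: %d\n", len(queryable(chain)), len(queryable(chain[:2])))
}
```

In the constructed chain, including the root adds a second lookup (the intermediate, asked of the root's responder), which corresponds to the request the comment above reports as failing; each returned certificate's `OCSPServer` and `CRLDistributionPoints` fields show where that lookup would go.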
When I open PDF created by this tool in Acrobat, I see "Signature is not LTV enabled"
What does that mean, how to enable LTV?