Introduction
The YubiKey's PIV application can store a private key and the corresponding X.509 certificate, which Adobe Acrobat can use to digitally sign PDF documents. This article describes how to use the YubiKey for document signing in Adobe Acrobat Reader on Windows through Windows Digital ID, i.e. the native Windows smart card and cryptographic APIs.
For macOS instructions, see the SSL.com article Configuring Your Business Identity Document Signing Certificate and YubiKey with Adobe Acrobat on macOS.
Information
There are two main ways to use key material stored on the YubiKey for document signing in Adobe Acrobat Reader:
- Windows Digital ID
  Windows Digital ID refers to the native Windows cryptographic APIs, which communicate with the YubiKey through the built-in Windows smart card stack. Elliptic curve keys (ECCP256/ECCP384) and RSA keys larger than RSA2048 require the YubiKey Minidriver for Windows to be installed.
  Private key algorithm support: RSA1024-RSA4096, ECCP256, ECCP384
- PKCS#11
  PKCS#11 is a standard interface for interacting with cryptographic tokens such as smart cards and HSMs. This option requires a PKCS#11 module to be configured in the application; for the YubiKey we offer libykcs11.dll, which comes packaged with our YubiKey PIV Tool (yubico-piv-tool).
  Private key algorithm support: RSA1024-RSA4096
This article focuses on document signing through Windows Digital ID. For instructions on how to use PKCS#11, please see the corresponding PKCS#11 guide.
Prerequisites
- Install the latest version of the YubiKey Minidriver for Windows. (Not needed for RSA keys of RSA2048 or smaller.)
- Plug in your YubiKey and make sure that both the private key and the corresponding certificate are loaded into the same PIV slot, for instance PIV slot 9c (the Digital Signature slot).
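As an added example (not part of the original article), the following PowerShell session uses yubico-piv-tool.exe, which ships with the YubiKey PIV Tool, to generate an RSA2048 key in slot 9c, load a certificate for it, and verify that the key and certificate belong together before Acrobat is configured. It assumes yubico-piv-tool.exe is on PATH and that the YubiKey still uses the default management key (the tool prompts for the PIN). The self-signed certificate is only a quick test; for real document signing, submit the CSR to your CA and import the issued certificate instead.

```powershell
# Added example: load a signing key and certificate into PIV slot 9c with yubico-piv-tool.
# Assumptions: yubico-piv-tool.exe is on PATH; default management key; the tool prompts for the PIN
# on every action that uses the private key, so the PIN is never placed on the command line.
$slot = '9c'   # PIV Digital Signature slot, the slot used in the article

# 1. What is on the key right now? Lists every slot that currently holds a certificate.
yubico-piv-tool -a status

# 2. Generate an RSA2048 key in slot 9c. RSA2048 works without the Minidriver;
#    use -A RSA4096 or -A ECCP256 only if the Minidriver is installed.
#    Only the public key is written to disk; the private key never leaves the YubiKey.
yubico-piv-tool -s $slot -a generate -A RSA2048 -o pub-9c.pem

# 3a. Production path: create a CSR signed by the new key and send it to your CA.
yubico-piv-tool -s $slot -a verify-pin -a request-certificate `
    -S '/CN=Document Signer/O=Example Org/' -i pub-9c.pem -o 9c.csr
#     After the CA returns the issued certificate (assumed file name 9c-cert.pem):
#     yubico-piv-tool -s $slot -a import-certificate -i 9c-cert.pem

# 3b. Quick test path used here: self-signed certificate (Acrobat will show it as untrusted).
yubico-piv-tool -s $slot -a verify-pin -a selfsign-certificate `
    -S '/CN=Document Signer/O=Example Org/' -i pub-9c.pem -o 9c-cert.pem
yubico-piv-tool -s $slot -a import-certificate -i 9c-cert.pem

# 4. Prove that the private key in 9c matches the imported certificate: the card signs test data
#    and the tool verifies the signature with the certificate's public key. If this fails, the
#    certificate does not belong to the key in this slot and Acrobat will fail as well.
yubico-piv-tool -s $slot -a verify-pin -a test-signature -i 9c-cert.pem

# 5. Confirm that slot 9c now reports the certificate.
yubico-piv-tool -a status
```

Step 4 is the check worth keeping: Windows Digital ID only needs a certificate in the store to offer it for signing, so a certificate imported into a slot whose key it does not match will appear in Acrobat and then fail at signing time.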
Configuration steps
1. Select the certificate you want to use for document signing:
   a. Navigate to Menu > Preferences > Signatures > Identities & Trusted Certificates > More… and click Windows Digital IDs.
   b. Select your certificate (on the right), click the pencil icon, and click Use for Signing.
Adobe Acrobat is now configured to use the signing certificate on your YubiKey and will offer it when you sign a document. Make sure the YubiKey is plugged in when the signature is performed: the certificate in the Windows store only identifies the signer, while the actual signature is computed by the private key on the YubiKey, which never leaves the device.
Troubleshooting
- I cannot see the certificate on my YubiKey in the list in step 1b.
  Windows Digital ID lists the certificates in your user's local certificate store (Personal, i.e. CurrentUser\My). Certificates loaded on the YubiKey are read from the card and propagated into this store when the YubiKey is plugged in to a USB port, provided that the Smart Card service (SCardSvr) and the Certificate Propagation service (CertPropSvc) are running. If the services are running and the certificate still does not appear, remove and re-insert the YubiKey so that propagation runs again.
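As an added diagnostic (not from the original article), the following PowerShell script checks the usual causes in one pass: the two Windows services involved, whether the Minidriver is present, and which certificates in the user's Personal store are backed by a smart card key. The service names are the standard Windows ones; the 'Yubi' filter applied to the pnputil output is an assumption about how the Minidriver package is labelled.

```powershell
# Added diagnostic script; run as the user who signs, with the YubiKey plugged in.
# Assumptions: standard Windows service names; the Minidriver shows up in pnputil output with 'Yubi' in its name.

# 1. Services: Smart Card (talks to the reader) and Certificate Propagation
#    (copies the card's certificates into CurrentUser\My, which is what Windows Digital ID lists).
foreach ($name in 'SCardSvr', 'CertPropSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "$name : service not found on this machine"
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "$name : $($svc.Status). Start it with: Start-Service $name  (then re-insert the YubiKey)"
    } else {
        "$name : Running"
    }
}

# 2. Minidriver: required for ECC keys and for RSA keys larger than RSA2048.
$mini = pnputil /enum-drivers | Select-String -Pattern 'Yubi'
if ($mini) {
    'Minidriver entries in pnputil /enum-drivers:'
    $mini | ForEach-Object { "  $($_.Line.Trim())" }
} else {
    Write-Warning 'No Yubico entry in pnputil /enum-drivers; ECC and RSA>2048 signing will fail without the Minidriver'
}

# 3. Which certificates in the Personal store have a private key, and where does that key live?
#    A provider name containing "Smart Card" means the key is on the card, not in software.
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | ForEach-Object {
    $provider = $null
    try { $provider = $_.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }
    if (-not $provider) { $provider = '(CNG key; provider not exposed via PrivateKey)' }
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        KeyAlg     = $_.PublicKey.Oid.FriendlyName
        Provider   = $provider
        NotAfter   = $_.NotAfter
    }
} | Format-Table -AutoSize

# 4. Ask Windows directly: enumerates readers and card certificates and performs a signing test
#    with the card (prompts for the PIN). If this test fails, Acrobat will fail in the same way.
certutil -scinfo
```

If step 1 shows the services running and step 3 still lists no certificate with a smart card provider, the certificate was never propagated from the card; the output of certutil -scinfo in step 4 tells you whether Windows can see the card and its certificate at all.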
- Identity Device (NIST SP 800-73[PIV]): The smart card cannot perform the requested operation or the operation requires a different smart card.
  This message indicates that you are trying to sign with an elliptic curve key, but the YubiKey Minidriver for Windows is not properly installed or loaded.
- Error encountered while signing: The Windows Cryptographic Service Provider reported an error: One or more of the supplied parameters could not be properly interpreted. Error Code: 214853228
  This message indicates that you are trying to sign with an RSA key larger than RSA2048, but the YubiKey Minidriver for Windows is not properly installed or loaded.