YubiKeys for Digital Signature in Adobe Acrobat Reader on Windows using PKCS#11


Introduction

The YubiKey's PIV application can store a private key and the corresponding X.509 certificate, which Adobe Acrobat can use to digitally sign PDF documents. This article documents how to use the YubiKey for document signing in Adobe Acrobat Reader on Windows through PKCS#11.

For macOS instructions, see the SSL.com article Configuring Your Business Identity Document Signing Certificate and YubiKey with Adobe Acrobat on macOS.

Information

There are two main ways to use key material stored on the YubiKey for document signing in Adobe Acrobat Reader:

  • Windows Digital ID
    Windows Digital ID uses the native Windows cryptographic APIs and communicates with the YubiKey through the smart card support built into Windows. Using elliptic-curve keys (ECCP256/ECCP384) with this option requires that the YubiKey Minidriver for Windows is installed.
    Private key algorithm support: RSA1024-RSA4096, ECCP256, ECCP384
  • PKCS#11
    PKCS#11 is a standard interface for cryptographic tokens such as smart cards and HSMs. This option requires the application to be configured with a PKCS#11 module; for the YubiKey this is libykcs11.dll, which is packaged with the Yubico PIV Tool.
    Private key algorithm support: RSA1024-RSA4096

This article focuses on document signing through PKCS#11. For instructions on using Windows Digital ID, see the corresponding guide for using Windows Digital ID.

Prerequisites

  1. Install the latest version of the Yubico PIV Tool.
    1. Make sure to get the build that matches your Adobe Acrobat installation (win32 or win64).

  2. Follow the steps under the section YKCS11 on Windows to configure the Windows system path.

  3. Plug in your YubiKey and make sure that both the private key and the corresponding certificate are loaded into the same PIV slot, for instance PIV slot 9c.

Configuration steps

  1. Disable Adobe Acrobat Reader Protected Mode at startup, so that a PKCS#11 module can be added.
    1. Navigate to Menu > Preferences > Security (Enhanced). Under "Sandbox Protections", uncheck the box "Enable Protected Mode at startup".
    2. Restart Adobe Acrobat for this setting to take effect.

  2. Add libykcs11.dll as a PKCS#11 module in Adobe Acrobat Reader.
    1. Open Acrobat Reader again.
    2. Navigate to Menu > Preferences > Signatures > Identities & Trusted Certificates > More… > PKCS#11 Modules and Tokens and click Attach Module.
    3. Browse to C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin (32-bit) or C:\Program Files\Yubico\Yubico PIV Tool\bin (64-bit) and select libykcs11.dll.

  3. Log in to the YubiKey in order to access its contents.
    1. Expand the menu item PKCS#11 Modules and Tokens (arrow >) and click the entry directly beneath it, PKCS#11 PIV Library (SP-800-73). Your YubiKey should be listed as YubiKey PIV #0 with status Logged out.
    2. Click Login and enter your PIV PIN in the field labelled "Password". The status should now read "Logged in".

  4. Select the document signing certificate.
    1. Expand PKCS#11 PIV Library (SP-800-73) (on the left, under PKCS#11 Modules and Tokens) and select YubiKey PIV #0. Select your certificate (on the right), click the pencil icon, and click Use for Signing.

Adobe Acrobat is now configured to use the signing certificate on your YubiKey and will offer it when you go to sign a document. Make sure the YubiKey is plugged in when the signature is performed: the signature is computed by the private key on the YubiKey, not by the certificate itself.

Troubleshooting

  1. Error encountered while signing: Unsupported Algorithm
    1. Make sure that the private key algorithm is supported by Adobe Acrobat Reader over PKCS#11.

This message appears when you have chosen to sign with an elliptic-curve private key, for instance ECCP256 or ECCP384.
Use the Windows Digital ID method instead of PKCS#11 when signing with elliptic-curve keys in Adobe Acrobat Reader with a YubiKey.
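As an added pre-flight check for prerequisite 3 and for the Unsupported Algorithm error above (example code, not from this article or from Yubico), the script below parses the output of `yubico-piv-tool -a status`, which ships with the Yubico PIV Tool, and reports whether the key in the chosen slot (9c by default) can be used through libykcs11.dll or needs the Windows Digital ID path. The exact layout of the status output is an assumption, and the sample output is constructed.

```python
import re
import shutil
import subprocess

# Assumed output shape (not from the article): "Slot 9c:" headers followed by
# tab-indented "Algorithm:\tRSA2048" lines, as `yubico-piv-tool -a status` prints.
SLOT_RE = re.compile(r"^Slot ([0-9a-fA-F]{2}):")
ALG_RE = re.compile(r"^\s+(?:Public Key |Private Key )?Algorithm:\s*(\S+)")
# Article's support matrix: libykcs11 in Acrobat is RSA-only; ECC needs Windows Digital ID.
PKCS11_ALGS = {"RSA1024", "RSA2048", "RSA3072", "RSA4096"}
DIGITAL_ID_ONLY_ALGS = {"ECCP256", "ECCP384"}

def parse_status(text):
    """Map each slot that reports a certificate to its key algorithm."""
    slots, current = {}, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = ALG_RE.match(line)
        if m and current and current not in slots:
            slots[current] = m.group(1).upper()
    return slots

def check_slot(text, slot="9c"):
    """Classify one slot as 'pkcs11', 'digital-id', 'empty' or 'unknown'."""
    alg = parse_status(text).get(slot.lower())
    if alg is None:
        return "empty"        # no certificate loaded in that slot
    if alg in PKCS11_ALGS:
        return "pkcs11"       # usable through libykcs11.dll in Acrobat
    if alg in DIGITAL_ID_ONLY_ALGS:
        return "digital-id"   # the PKCS#11 path fails with Unsupported Algorithm
    return "unknown"

def run_status():
    """Real `yubico-piv-tool -a status` output, or None if the tool is not on PATH."""
    exe = shutil.which("yubico-piv-tool")
    return None if exe is None else subprocess.run(
        [exe, "-a", "status"], capture_output=True, text=True).stdout

# Constructed sample (not captured from a real YubiKey) so the script runs offline.
SAMPLE_STATUS = ("Version:\t5.4.3\nSerial Number:\t1234567\nSlot 9a:\t\n"
                 "\tAlgorithm:\tECCP256\nSlot 9c:\t\n\tAlgorithm:\tRSA2048\n"
                 "\tSubject DN:\tCN=signer\nPIN tries left:\t3\n")

if __name__ == "__main__":
    live = run_status()  # fall back to the constructed sample when the tool is absent
    print({s: check_slot(SAMPLE_STATUS if live is None else live, s) for s in ("9a", "9c")})
```

A result of "digital-id" for the slot you picked means Acrobat's PKCS#11 path will reject the key and the Windows Digital ID method with the YubiKey Minidriver is needed instead.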