YubiKeys for digital signature in Adobe Acrobat Reader on Windows using PKCS#11


Introduction

The YubiKey’s PIV application can store a private key and the corresponding X.509 certificate, which Adobe Acrobat can then use to digitally sign PDF documents. This article documents how to use the YubiKey for document signing in Adobe Acrobat Reader on Windows through PKCS#11.


For macOS instructions, refer to the SSL.com article Configuring Your Business Identity Document Signing Certificate and YubiKey with Adobe Acrobat on macOS.


Information

There are mainly two different ways to use key material stored on the YubiKey for document signing in Adobe Acrobat Reader:

  • Windows Digital ID
    Windows Digital ID refers to Windows native cryptographic APIs and is able to communicate with the YubiKey through the native smart card tools in Windows. Use of elliptic curve keys (ECCP256/ECCP384) and large RSA keys (> RSA2048) requires that the YubiKey Smart Card Minidriver for Windows is installed.
    Private Key algorithm support: RSA1024-RSA4096, ECCP256, ECCP384
  • PKCS#11
    PKCS#11 is a standard for interacting with cryptographic tokens such as smart cards and HSMs. This option requires that a PKCS#11 module is configured in the application; for the YubiKey, that module is libykcs11.dll, which comes packaged with Yubico PIV Tool.
    Private Key algorithm support: RSA1024-RSA4096


This article focuses on document signing through PKCS#11. For instructions on how to use Windows Digital ID, refer to YubiKeys for digital signature in Adobe Acrobat Reader on Windows using Windows Digital ID.


Prerequisites

  1. Install the latest version of Yubico PIV Tool. Ensure you install the relevant version for your Adobe Acrobat installation (win32/win64).

  2. Follow the steps under the section YKCS11 on Windows to configure the Windows system path.

  3. Plug in your YubiKey and make sure that both the private key and corresponding certificate are loaded into the same PIV slot, for example PIV Slot 9c for digital signature.


Configuration steps

  1. Disable Adobe Acrobat Reader's Protected Mode at Startup, since Acrobat does not allow a PKCS#11 module to be added while this sandbox setting is active.
    1. Navigate to Menu > Preferences > Security (Enhanced). Under Sandbox Protections, uncheck the box labelled Enable Protected Mode At Startup.
    2. Restart Adobe Acrobat for this setting to take effect.

  2. Add libykcs11.dll as a PKCS#11 module in Adobe Acrobat Reader.
    1. Open Acrobat Reader again.
    2. Navigate to Menu > Preferences > Signatures > Identities & Trusted Certificates > More… > PKCS#11 Modules and Tokens and click Attach Module.
    3. Browse to C:\Program Files (x86)\Yubico\Yubico PIV Tool\bin (32-bit) or C:\Program Files\Yubico\Yubico PIV Tool\bin (64-bit), depending on the installation you chose, and select libykcs11.dll.

  3. Unlock the YubiKey in order to access its contents.
    1. Expand the menu item PKCS#11 Modules and Tokens (arrow >) and click the option directly beneath it, PKCS#11 PIV Library (SP-800-73). You should see your YubiKey listed as YubiKey PIV #0 with status Logged out.
    2. Click Login and enter your PIV PIN into the Password field. The status should now show Logged in.

  4. Select the document signing certificate.
    1. Expand PKCS#11 PIV Library (SP-800-73) (on the left under PKCS#11 Modules and Tokens) and select YubiKey PIV #0. Select your certificate (on the right), click the pencil icon, and then click Use for Signing.

Adobe Acrobat is now configured to use the signing certificate on your YubiKey for digital signatures and will offer it when you attempt to sign a document. Ensure that the YubiKey is plugged in when the signature is performed: the signature is computed by the private key stored on the YubiKey, not by the certificate itself.


Troubleshooting

  1. Error encountered while signing: Unsupported Algorithm
    • Ensure that the private key is supported by Adobe Acrobat Reader.

This message appears when you have selected to sign with an elliptic curve private key, for instance ECCP256 or ECCP384, which the PKCS#11 path does not support. To sign with elliptic curve keys on a YubiKey in Adobe Acrobat Reader, use the Windows Digital ID method instead of PKCS#11.
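A pre-flight check for prerequisite 3 (key and certificate in the same PIV slot) and for the Unsupported Algorithm error above, added here as an example and not Yubico's or Adobe's code: it loads libykcs11.dll through the third-party python-pkcs11 package (an assumption), logs in with the PIV PIN, and reports which objects form an RSA key plus certificate pair that Acrobat's PKCS#11 path can sign with. It assumes a key and its certificate share a CKA_ID; the SAMPLE_OBJECTS are constructed, not read from a device.

```python
from typing import NamedTuple

YKCS11_DLL = r"C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll"  # 64-bit install path


class TokenObject(NamedTuple):
    cls: str       # "private_key" or "certificate"
    obj_id: bytes  # CKA_ID; a key and its certificate are assumed to share one
    key_type: str  # "RSA" or "non-RSA" for keys, "" for certificates


def check_signing_pairs(objects):
    """Return (usable_ids, problems): hex CKA_IDs holding an RSA key AND a certificate, and the rest."""
    keys = {o.obj_id: o for o in objects if o.cls == "private_key"}
    certs = {o.obj_id for o in objects if o.cls == "certificate"}
    usable, problems = [], []
    for obj_id, key in keys.items():
        if obj_id not in certs:
            problems.append(f"key {obj_id.hex()}: no certificate in the same slot")
        elif key.key_type != "RSA":  # EC keys produce Acrobat's "Unsupported Algorithm" error
            problems.append(f"key {obj_id.hex()}: {key.key_type} key; Acrobat PKCS#11 "
                            "signing needs RSA (use Windows Digital ID for EC keys)")
        else:
            usable.append(obj_id.hex())
    for obj_id in certs - keys.keys():
        problems.append(f"certificate {obj_id.hex()}: no private key in the same slot")
    return usable, problems


def read_token_objects(dll_path=YKCS11_DLL, pin=None):
    """Enumerate keys and certificates through libykcs11.dll (needs a plugged-in YubiKey)."""
    import pkcs11  # python-pkcs11; imported here so check_signing_pairs() works without it
    from pkcs11 import Attribute, KeyType, ObjectClass
    lib = pkcs11.lib(dll_path)
    token = next(s.get_token() for s in lib.get_slots(token_present=True))
    found = []
    with token.open(user_pin=pin) as session:  # same PIN login as configuration step 3
        for obj in session.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):
            kt = "RSA" if obj[Attribute.KEY_TYPE] == KeyType.RSA else "non-RSA"
            found.append(TokenObject("private_key", obj[Attribute.ID], kt))
        for obj in session.get_objects({Attribute.CLASS: ObjectClass.CERTIFICATE}):
            found.append(TokenObject("certificate", obj[Attribute.ID], ""))
    return found


# Constructed sample (made-up CKA_IDs): RSA pair, EC pair, and an orphan certificate.
SAMPLE_OBJECTS = [TokenObject("private_key", b"\x02", "RSA"), TokenObject("certificate", b"\x02", ""),
                  TokenObject("private_key", b"\x03", "non-RSA"), TokenObject("certificate", b"\x03", ""),
                  TokenObject("certificate", b"\x04", "")]

if __name__ == "__main__":
    import getpass
    print(check_signing_pairs(read_token_objects(pin=getpass.getpass("PIV PIN: "))))
```

Run it with the YubiKey inserted before attaching the module in Acrobat; an empty usable list or a non-RSA entry explains the failure before any signing attempt.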