Information Regarding Adobe Reader & Acrobat and the Removal of DigiNotar from the Adobe Approved Trust List

In the past two weeks, it has come to light that Dutch certificate authority DigiNotar suffered a serious security breach in which a hacker generated more than 500 rogue SSL certificates and had access to DigiNotar’s services, including many that were relied upon specifically by the Dutch government for key citizen and commercial services.  The full extent of the attack is still not clear.

Last week, many of the major browser vendors removed DigiNotar certificates from their list of trusted certificates, and in turn, the Dutch government renounced trust in DigiNotar and took over certificate operations at the company.

What Does This Mean for Adobe Customers?

The DigiNotar Qualified CA root certificate is part of the Adobe Approved Trust List (AATL) program, which we have mentioned in this space on multiple occasions.  The AATL is designed to make it easier for authors to create digitally signed PDF files that are trusted automatically by Adobe Reader and Acrobat versions 9 and above, and includes many certificates from around the world.

While Adobe is not aware of any evidence at this time of rogue certificates being issued directly from the DigiNotar Qualified CA root in particular, an official report by Dutch security consultancy Fox-IT stated that there was evidence of the hacker having access to this CA, thus possibly compromising its security.  (The rogue certificates known today are SSL certificates originating from the DigiNotar Public CA.)

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.

The latest releases of Adobe Reader and Acrobat X (version 10.x) include a trust list that Adobe can dynamically manage without requiring a product update/patch.  A future product update of Adobe Reader and Acrobat version 9.x will also enable dynamic updates of the AATL.  In the meantime, users of Adobe Reader and Acrobat 9 and X can manually remove the DigiNotar Qualified CA using one of several methods described below.

With all of the enhancements in Adobe Reader and Acrobat X, including new features and security capabilities, Adobe recommends customers migrate to these latest releases–especially for the free Adobe Reader.

To be sure your copy of Adobe Reader or Acrobat will get the update, you can force a download of the AATL.  Go to Preferences->Trust Manager->Automatic Updates and click the Update Now button.  Also, be sure the “Load trusted root certificates from an Adobe server” option is checked.

We are also in discussions with the Dutch government about the status of the DigiNotar intermediate certificates under the “Staat der Nederlanden” roots, which are included in the AATL.  We will continue to update you on the latest developments regarding these other certificates via this “Security Matters” blog and the Adobe Product Security Incident Response Team (PSIRT) blog.

Finally, Adobe will be proactively implementing a number of changes to the policies, terms and Technical Requirements for our AATL program in light of the DigiNotar breach and will communicate these changes within the next few weeks.

How to Remove the DigiNotar Qualified CA Certificate

If you would like to remove the DigiNotar Qualified CA certificate manually from Adobe Reader and/or Acrobat, versions 9 or X, we describe below two ways to do so. Note that if you are operating a version of Adobe Reader and/or Acrobat prior to version 9, you do not need to take any action. Also, if you are an enterprise operating Adobe Reader and/or Acrobat, you should consult the Acrobat security and administration documentation located here for information about removing this certificate.

Method One – Security Settings File

1) Download this ZIP file, and extract the RemoveDigiNotar.acrobatsecuritysettings file inside it.

2) Open Adobe Reader and/or Acrobat.

3) In Adobe Reader/Acrobat 9, open the Advanced menu (Document menu in Reader)->Security->Import Security Settings. In Adobe Reader/Acrobat X, open the Edit Menu->Protection->Import Security Settings.

4) Browse to the file you just downloaded, select it, and click Open.

5) Click Import.

6) If the certificate was found on your machine, it will be removed.


Method Two – Manual Removal – Adobe Reader 9

1) Open Adobe Reader.

2) Open the Document Menu and choose Manage Trusted Identities.

3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4) Select the DigiNotar Qualified CA.

5) Click Delete, and then confirm the deletion by clicking OK.


Method Two – Manual Removal – Adobe Acrobat 9

1) Open Adobe Acrobat.

2) Open the Advanced Menu and choose Manage Trusted Identities.

3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4) Select the DigiNotar Qualified CA.

5) Click Delete, and then confirm the deletion by clicking OK.


Method Two – Manual Removal – Adobe Reader X (Win/Mac) and Acrobat X (Mac)

1) Open Adobe Reader or Acrobat.

2) Open the Edit Menu->Protection->Manage Trusted Identities.

3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4) Select the DigiNotar Qualified CA.

5) Click Delete, and then confirm the deletion by clicking OK.


Method Two – Manual Removal – Adobe Acrobat X (Win)

1) Open Adobe Reader or Acrobat.

2) Open the View Menu->Tools->Sign & Certify. In the right-hand sidebar, click on More Sign & Certify->Manage Trusted Identities.

3) Drop down the ‘Display’ box that reads ‘Contacts’ and choose ‘Certificates.’

4) Select the DigiNotar Qualified CA.

5) Click Delete, and then confirm the deletion by clicking OK.


This posting is provided “AS IS” with no warranties and confers no rights.


Posted on 09-09-2011


Comments

  • […] An update on the removal of the DigiNotar Qualified CA certificate from the Adobe Approved Trust List (AATL) following the recent DigiNotar breach has been posted on the Security Matters blog. […]

  • […] Read what this means for Adobe customers at the Security Matters blog […]

  • By Steve Walker - 11:44 AM on September 11, 2011  

    The instructions for Acrobat X are incorrect. You must go to View >> Tools >> Sign and Certify. When the panel opens, choose More Sign & Certify >> Manage Trusted Identities. This will only be listed if you have run the “Load Trusted Root Certificates…” under Preferences >> Trust Manager. I just did a clean install and the Adobe server is still sending out DigiNotar as a trusted Identity (please remove it).

    • By John B Harris - 4:01 PM on September 11, 2011  

      [UPDATED – 9:44PM] Actually, Steve I stand corrected. The instructions were correct for Adobe Reader X on Windows and Mac OS, as well as Acrobat on Mac OS…but not on Windows. I have updated the blog post to reflect this inaccuracy. The instructions you cite are correct.

      And in regards to your comments on the DigiNotar root still being delivered: you’re correct, it is. It won’t be removed until Tuesday, September 13th. This is specifically stated in blog post above:

      “Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. This update will be published next Tuesday, September 13, 2011 for Adobe Reader and Acrobat X. We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.”

      • By Steve Walker - 12:40 PM on September 12, 2011  

        Thanks for the follow up. Guess I missed the Sep 13 comment.

  • […] Acrobat update stems from a hacked Dutch certificate authority. Adobe did its best to explain the very arcane issue; you will be happy to know that Adobe is “in discussions with the Dutch government about the […]

  • […] and Acrobat users manual instructions on removing the certificate themselves. Adobe provided a further update on Friday, saying that a security update for Reader and Acrobat will be published September […]

  • […] discussed on the Security Matters blog, the Adobe Approved Trust List (AATL) has been updated to remove the certificate authority […]

  • […] As discussed earlier on this blog, the Adobe Approved Trust List (AATL) has been updated to remove the DigiNotar Qualified CA root certificate. Users of Adobe Reader and Acrobat X (version 10.x) will be automatically updated to this list. […]

  • […] Wednesday that the Adobe Approved Trust List (AATL) had been updated in Tuesday’s patch to remove fraudulent DigiNotar SSL certificates , which included protections for Adobe Reader and Acrobat X users. Adobe said that a future update […]

  • […] The update for version 10.x also removes the forged SSL certificates from DigiNotar. For the older versions, it is recommended to delete them manually. Adobe explains in its blog how to get them off the Trust List. […]

  • […] Simultaneously Adobe removed the DigiNotar root certificate from its trust list: Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List. […]

  • By Adobe closes 14 holes in Reader and Acrobat | FromTheBeanBag - 11:07 AM on September 21, 2011  

    […] in future versions. Until then, users are advised to manually delete the certificates – Adobe has released instructions on how to do […]