Signature service settings

The Signature service (SignatureService) enables your organization to protect the security and privacy of Adobe PDF documents that it distributes and receives. This service uses digital signatures and certification to ensure that documents are not altered. Altering a document breaks its signature. Because security features are applied to the document itself, the document remains secure and controlled for its entire life cycle: beyond the firewall, when it is downloaded offline, and when it is submitted back to your organization.

The following settings are available for the Signature service. For details on how to configure these settings, see Configure service settings.

Name Of The Remote HSM SPI Service:
This option is for use when the HSM is installed on a remote computer. Specify this option when LiveCycle is installed on 64-bit Windows and you are using HSM devices for signing.

URL Of The Remote HSM Web Service:
Specify this option when LiveCycle is installed on 64-bit Windows and you are using HSM devices for signing.

Certification To Include Form Load Changes:
When this option is selected, the XFA Form State is certified in addition to the XFA template. Note that enabling this option may have a negative impact on performance. The default value is true.

Execute Document JavaScript scripts:
Specifies whether to execute Document JavaScript scripts during signature operations. The default value is false.

Process documents with Acrobat 9 compatibility:
Specifies whether to enable Acrobat 9 compatibility. For example, when this option is selected, Visible Certification in Dynamic PDFs is enabled. The default value is false.

Embed Revocation Info While Signing:
Specifies whether revocation information is embedded while signing the PDF document. The default value is false.

Embed Revocation Info While Certifying:
Specifies whether the revocation information is embedded while certifying the PDF document. The default value is false.

Enforce Embedding of Revocation Info For All Certificates During Signing/Certification:
Specifies whether a signing or certification operation fails if valid revocation information for all certificates is not embedded. Note that if a certificate does not contain any CRL or OCSP information, it is considered valid, even if no revocation information is retrieved. The default value is false.

Revocation Check Order:
Specifies the order of revocation checking when checking is possible through both Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) mechanisms. The default value is OCSPFirst.

Maximum Size Of Revocation Archival Info:
The maximum size of the revocation archival info in kilobytes. LiveCycle attempts to store as much revocation information as possible without exceeding the limit. The default value is 10 KB.
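The three settings above interact at signing time: the check order decides which source is tried first for each certificate, the size limit caps what is archived, and enforcement decides whether a missing result aborts the operation. The following Python model, added here as an example and not LiveCycle code, makes that interaction concrete. The certificate chain, the fetcher and the setting names in the dataclass are constructed; the name CRLFirst for the alternative check order is an assumption.

```python
"""Model of the revocation-embedding settings (added example, not LiveCycle code).
A constructed fetcher stands in for real CRL/OCSP retrieval."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OCSP_FIRST = "OCSPFirst"   # the page's default for Revocation Check Order
CRL_FIRST = "CRLFirst"     # assumed name of the alternative order


@dataclass
class Cert:
    name: str
    ocsp_url: Optional[str] = None  # responder URL from the AIA extension, if any
    crl_url: Optional[str] = None   # CRL distribution point, if any


@dataclass
class Settings:
    embed_revocation_info: bool = False   # Embed Revocation Info While Signing
    enforce_for_all_certs: bool = False   # Enforce Embedding ... For All Certificates
    check_order: str = OCSP_FIRST         # Revocation Check Order
    max_archival_kb: int = 10             # Maximum Size Of Revocation Archival Info


class SigningError(Exception):
    """Raised when enforcement is on and required revocation info is missing."""


# (mechanism, url) -> encoded revocation info, or None when retrieval fails
Fetcher = Callable[[str, str], Optional[bytes]]


def collect_revocation_info(chain: List[Cert], settings: Settings,
                            fetch: Fetcher) -> Dict[str, Tuple[str, int]]:
    """Decide what gets archived with the signature.

    Returns {cert name: (mechanism used, bytes stored)} for each certificate
    whose revocation info was embedded.
    """
    if not settings.embed_revocation_info:
        return {}
    budget = settings.max_archival_kb * 1024
    archived: Dict[str, Tuple[str, int]] = {}
    for cert in chain:
        sources = [("OCSP", cert.ocsp_url), ("CRL", cert.crl_url)]
        if settings.check_order == CRL_FIRST:
            sources.reverse()
        sources = [(m, u) for m, u in sources if u]
        if not sources:
            # No CRL or OCSP pointer in the certificate: treated as valid and
            # nothing is embedded, even with enforcement on.
            continue
        info = None
        for mechanism, url in sources:
            info = fetch(mechanism, url)
            if info is not None:
                break
        if info is None:
            if settings.enforce_for_all_certs:
                raise SigningError(f"no valid revocation info retrieved for {cert.name}")
            continue
        if len(info) > budget:
            # Store as much as fits without exceeding the limit; what does not
            # fit is left out (assumption: the page does not say this fails).
            continue
        budget -= len(info)
        archived[cert.name] = (mechanism, len(info))
    return archived


# Constructed sample: a root with no revocation pointers, an intermediate and
# an end-entity certificate. The EE's OCSP responder is "unreachable".
SAMPLE_CHAIN = [
    Cert("ee", ocsp_url="http://ocsp.example/ee", crl_url="http://crl.example/ee.crl"),
    Cert("ica", ocsp_url="http://ocsp.example/ica", crl_url="http://crl.example/ica.crl"),
    Cert("root"),
]
CONSTRUCTED_RESPONSES = {
    ("OCSP", "http://ocsp.example/ica"): b"\x30" * 500,
    ("CRL", "http://crl.example/ica.crl"): b"\x30" * 3000,
    ("CRL", "http://crl.example/ee.crl"): b"\x30" * 2000,
    # ("OCSP", "http://ocsp.example/ee") is absent: that responder is down
}


def constructed_fetch(mechanism: str, url: str) -> Optional[bytes]:
    return CONSTRUCTED_RESPONSES.get((mechanism, url))


if __name__ == "__main__":
    print(collect_revocation_info(SAMPLE_CHAIN, Settings(embed_revocation_info=True),
                                  constructed_fetch))
```

With the defaults the EE falls back to its CRL because its OCSP responder returns nothing, the ICA uses OCSP, and the root contributes nothing; switching the order to CRLFirst makes the ICA archive its larger CRL instead, and a 2 KB limit drops whatever no longer fits.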

Support Signatures Created From PreRelease Builds Of Adobe Products:
When this option is selected, signatures created using pre-release versions of Adobe products validate correctly. The default value is false.

Verification Time Option:
Specifies the time of verification of a signer's certificate. The default value is Secure Time Else Current Time.

Use Revocation Information Archived in Signature during Validation:
Specifies whether the revocation information that is archived with the signature is used for revocation checking. The default value is true.

Use Validation Information Stored In The Document For Validation Of Signatures:
When this option is selected, validation information (including revocation and timestamp information) embedded in the document is used to validate signatures. The default value is true.

Maximum Nested Verification Sessions Allowed:
The maximum number of nested verification sessions that are allowed. LiveCycle uses this value to prevent an infinite loop when verifying the OCSP or CRL signer certificates when the OCSP or CRL certificate is not set up correctly. The default value is 10.
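The loop this setting guards against arises because verifying an OCSP response means verifying the responder's certificate, which may itself be subject to an OCSP check signed by another certificate, and so on. The Python model below is an added example, not LiveCycle code: it uses a constructed in-memory PKI to show a correctly configured responder (one whose certificate carries the id-pkix-ocsp-nocheck extension, which the Allow OCSPNoCheck extension setting later on this page controls) ending the recursion after one session, and a misconfigured pair of responders that would recurse forever without the cap.

```python
"""Added example (not LiveCycle code): why a nested-verification limit is needed.
All certificates and responder relationships here are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Cert:
    name: str
    ocsp_signer: Optional[str] = None  # cert that signs OCSP responses about this cert
    ocsp_no_check: bool = False        # id-pkix-ocsp-nocheck present (RFC 6960 4.2.2.2.1)


class NestedVerificationError(Exception):
    pass


def verify_revocation(name: str, pki: Dict[str, Cert], max_nested: int,
                      depth: int = 0) -> int:
    """Return the number of nested verification sessions that were opened.

    Each OCSP check of `name` opens a session for the responder's certificate;
    the session count is capped at max_nested (the page's default is 10).
    """
    if depth >= max_nested:
        raise NestedVerificationError(
            f"nested verification limit ({max_nested}) reached while verifying {name}")
    cert = pki[name]
    if cert.ocsp_signer is None:
        return depth          # no OCSP source for this cert: nothing more to verify
    signer = pki[cert.ocsp_signer]
    if signer.ocsp_no_check:
        return depth + 1      # properly set up responder: recursion ends here
    # The responder certificate must itself be checked for revocation, which
    # opens another session.
    return verify_revocation(signer.name, pki, max_nested, depth + 1)


# Correct setup: the responder certificate carries OCSPNoCheck.
GOOD_PKI = {
    "ee": Cert("ee", ocsp_signer="responder"),
    "responder": Cert("responder", ocsp_no_check=True),
}
# Misconfigured setup: two responders vouch for each other, neither with OCSPNoCheck.
LOOPING_PKI = {
    "ee": Cert("ee", ocsp_signer="responder-a"),
    "responder-a": Cert("responder-a", ocsp_signer="responder-b"),
    "responder-b": Cert("responder-b", ocsp_signer="responder-a"),
}


if __name__ == "__main__":
    print("good setup sessions:", verify_revocation("ee", GOOD_PKI, 10))
    try:
        verify_revocation("ee", LOOPING_PKI, 10)
    except NestedVerificationError as exc:
        print("looping setup:", exc)
```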

Maximum Clock Skew for Verification:
The maximum time, in minutes, that the signing time can be after the validation time. If the clock skew is greater than this value, the signature will not be valid. The default value is 65 minutes.

Certificate Lifetime Cache:
The lifetime of a certificate, retrieved online or through other means, in the cache. The default value is 1 day.

Transport Options

Proxy Host:
The URL of the proxy host. Used only if some valid value is provided. No default value.

Proxy Port:
The proxy port. Type any valid port number from 0 to 65535. The default value is 80.

Proxy Login Username:
The proxy login user name. Used only if some valid value is provided for proxy host and proxy port. No default value.

Proxy Login Password:
The proxy login password. Used only if some valid value is provided for proxy host, proxy port, and proxy login user name. No default value.

Maximum Download Limit:
The maximum amount of data, in MBs, that can be received per connection. The minimum value is 1 MB and the maximum value is 1024 MB. The default value is 16 MB.

Connection Time Out:
The maximum time to wait, in seconds, for establishing a new connection. The minimum value is 1 and the maximum value is 300. The default value is 5.

Socket Time Out:
The maximum time to wait, in seconds, before a socket time-out (while waiting for data transfer) occurs. The minimum value is 1 and the maximum value is 3600. The default value is 30.

Path Validation Options

Require Explicit Policy:
Specifies whether the path must be valid for at least one of the certificate policies that is associated with the trust anchor of the signer certificate. The default value is false.

Inhibit ANY Policy:
Specifies whether the policy object identifier (OID) should be processed if it is included in a certificate. The default value is false.

Inhibit Policy Mapping:
Specifies whether policy mapping is allowed in the certification path. The default value is false.

Check All Paths:
Specifies whether all paths should be validated or whether validation should stop after finding the first valid path. Select true or false. The default value is false.

LDAP Server:
The LDAP Server used to look up certificates for path validation. No default value.

Follow URIs in Certificate AIA:
Specifies whether Uniform Resource Identifiers (URIs) in Certificate AIA are processed during path discovery. The default value is false.

Basic Constraints Extension required in CA Certificates:
Specifies whether the certificate authority (CA) Basic Constraints certificate extension must be present for CA certificates. Some early German certified root certificates (7 and earlier) are not compliant with RFC 3280 and do not contain the Basic Constraints extension. If it is known that a user's EE certificate chains up to such a German root, deselect this check box. The default value is true.

Require Valid Certificate Signature During Chain Building:
Specifies whether the chain builder requires valid signatures on certificates used to build chains. When this check box is selected, the chain builder will not build chains with invalid RSA signatures on certificates. Consider chain CA > ICA > EE where the CA's signature on an ICA is not valid. If this setting is true, the chain building will stop at the ICA, and the CA will not be included in the chain. If this setting is false, the full 3-certificate chain is produced. This setting does not affect DSA signatures. The default value is false.
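The CA > ICA > EE case above, as an added Python example that is not LiveCycle code. The certificates are dicts and the "signature" is a SHA-256 over the signed fields combined with the issuer's key token; this is a constructed stand-in for RSA signature verification, chosen so the example runs without a PKI library, and the chain-walking logic is what the example demonstrates.

```python
"""Added example (not LiveCycle code): effect of Require Valid Certificate
Signature During Chain Building on a constructed three-certificate chain."""
import hashlib
from typing import Dict, List


def _to_be_signed(cert: Dict[str, str]) -> bytes:
    return f"{cert['subject']}|{cert['issuer']}|{cert['pubkey']}".encode()


def toy_sign(cert: Dict[str, str], issuer: Dict[str, str]) -> str:
    """Stand-in signature: hash of the issuer's key token plus the signed fields.
    Not a real signature scheme; it only gives us something that can be invalid."""
    return hashlib.sha256(issuer["pubkey"].encode() + _to_be_signed(cert)).hexdigest()


def signature_valid(cert: Dict[str, str], issuer: Dict[str, str]) -> bool:
    return cert["sig"] == toy_sign(cert, issuer)


def build_chain(ee: Dict[str, str], store: Dict[str, Dict[str, str]],
                require_valid_signature: bool) -> List[str]:
    """Walk issuer links from the end-entity up to a self-signed root.

    With require_valid_signature=True the walk stops at the first certificate
    whose issuer signature does not verify, so that issuer is left out.
    """
    chain = [ee["subject"]]
    current = ee
    while current["issuer"] != current["subject"]:
        issuer = store.get(current["issuer"])
        if issuer is None or issuer["subject"] in chain:
            break  # unknown issuer or a loop: no further chain building possible
        if require_valid_signature and not signature_valid(current, issuer):
            break  # invalid signature on `current`: the issuer is not added
        chain.append(issuer["subject"])
        current = issuer
    return chain


# Constructed PKI: self-signed CA, an ICA whose CA signature is bad, a good EE.
CA = {"subject": "CA", "issuer": "CA", "pubkey": "ca-key"}
CA["sig"] = toy_sign(CA, CA)
ICA = {"subject": "ICA", "issuer": "CA", "pubkey": "ica-key"}
ICA["sig"] = "deadbeef"             # constructed: the CA's signature on the ICA is invalid
EE = {"subject": "EE", "issuer": "ICA", "pubkey": "ee-key"}
EE["sig"] = toy_sign(EE, ICA)       # the ICA's signature on the EE is valid

STORE = {c["subject"]: c for c in (CA, ICA, EE)}
VALID_ICA = dict(ICA, sig=toy_sign(ICA, CA))          # same ICA, correctly signed
VALID_STORE = {"CA": CA, "ICA": VALID_ICA, "EE": EE}


if __name__ == "__main__":
    print("require valid signature = true :", build_chain(EE, STORE, True))
    print("require valid signature = false:", build_chain(EE, STORE, False))
```

With the setting on, the chain ends at the ICA and the CA is excluded; with it off, the full three-certificate chain is produced; and with a correctly signed ICA both settings yield the full chain.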

Timestamp Provider Options

TSP Server URL:
The URL of the default timestamp provider. Used only if some valid value is provided. No default value.

TSP Server Username:
The user name if required by the timestamp provider. Used only if some valid value is provided for the URL. No default value.

TSP Server Password:
The password for the above user name if required by the timestamp provider. Used only if some valid value is provided for the URL and the user name. No default value.

Request Hash Algorithm:
Specifies the hashing algorithm to be used while creating the request for the timestamp provider. The default value is SHA1.

Revocation Check Style:
Specifies the revocation checking style used for determining the trust status of the timestamp provider's certificate from its observed revocation status. The default value is BestEffort.

Send Nonce:
Specifies whether a nonce is sent with the timestamp provider request. A nonce can be a timestamp, a visit counter on a web page, or a special marker that is intended to limit or prevent the unauthorized replay or reproduction of a file. The default value is true.

Use Expired Timestamps During Validation:
When this option is selected, expired timestamps can be used to retrieve validation times of signatures. The default value is true.

TSP Response Size:
Estimated size, in bytes, of the TSP response. This value should represent the maximum size of the timestamp response that the configured timestamp provider could return. Do not change this unless you are absolutely sure. The minimum value is 60 bytes and the maximum value is 10240 bytes. The default value is 4096 bytes.

Certificate Revocation List Options

Consult Local URI First:
Specifies whether the CRL location that is provided in Local URI or CRL Lookup should be given preference over any location specified within a certificate for the purpose of revocation checking. The default value is false.

Local URI for CRL Lookup:
URL of the local CRL provider. This value is consulted only if the Consult Local URI First setting is set to true. No default value.

Revocation Check Style:
Specifies the revocation checking style used for determining the trust status of the CRL provider's certificate from its observed revocation status. The default value is BestEffort.

LDAP Server for CRL Lookup:
The LDAP Server used to get the CRLs (for example, www.ldap.com). All DN-based queries for CRLs will be directed to this server. No default value.

Go Online:
Specifies whether to go online to fetch a CRL. If false, only cached CRLs (on local disk or those embedded with signature) are consulted. The default value is true.

Ignore Validity Dates:
Specifies whether to ignore the response's thisUpdate and nextUpdate times, which prevents these times from having a negative effect on response validity. The default value is false.

Require AKI extension in CRL:
Specifies whether the Authority Key Identifier extension must be included in a CRL. The default value is false.

Online Certificate Status Protocol Options

OCSP Server URL:
URL for the default OCSP server. Whether the OCSP server that is specified through this URL is used depends on the URL To Consult Option setting. No default value.

URL To Consult Option:
Controls the list and order of the OCSP servers that are used for performing the status check. The default value is UseAIAInCert.

Revocation Check Style:
Specifies the revocation checking style that is used while verifying the OCSP server's certificate. The default value is CheckIfAvailable.

Send Nonce:
Specifies whether a nonce is sent with the OCSP request. A nonce can be a timestamp, a visit counter on a web page, or a special marker that is intended to limit or prevent the unauthorized replay or reproduction of a file. The default value is true.

Max Clock Skew Time:
Maximum allowed skew, in minutes, between response time and local time. The minimum value is 0 minutes and the maximum value is 2147483647 minutes. The default value is 5 minutes.

Response Freshness Time:
Maximum time, in minutes, for which a preconstructed OCSP response is considered valid. The minimum value is 1 minute and the maximum value allowed is 2147483647 minutes. The default value is 525600 minutes (one year).

Sign OCSP Request:
Specifies whether the OCSP request should be signed. The default value is false.

Request Signer Credential Alias:
Specifies the credential alias to use for signing the OCSP request if signing is enabled. Used only if signing of OCSP request is enabled. No default value.

Go Online:
Specifies whether to go online to do revocation checking. The default value is true.

Ignore the response’s thisUpdate and nextUpdate times:
Specifies whether to ignore the response's thisUpdate and nextUpdate times, which prevents these times from having a negative effect on response validity. The default value is false.
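Send Nonce, Max Clock Skew Time, Response Freshness Time and the thisUpdate/nextUpdate setting all act on the same OCSP response, so it helps to see them in one decision. The Python model below is an added example, not LiveCycle code, and the responses it evaluates are constructed. Two points are assumptions because the page does not state them: a response that omits the nonce we sent is rejected, and freshness is measured from thisUpdate.

```python
"""Added example (not LiveCycle code): combined acceptance check for an OCSP
response under the settings in this section. All responses are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class OcspSettings:
    send_nonce: bool = True               # Send Nonce
    max_clock_skew_min: int = 5           # Max Clock Skew Time
    response_freshness_min: int = 525600  # Response Freshness Time (one year)
    ignore_validity_dates: bool = False   # Ignore thisUpdate and nextUpdate


@dataclass
class OcspResponse:
    produced_at: datetime
    this_update: datetime
    next_update: Optional[datetime]
    nonce: Optional[bytes]
    cert_status: str                      # "good", "revoked" or "unknown"


def evaluate_response(resp: OcspResponse, request_nonce: Optional[bytes],
                      now: datetime, s: OcspSettings) -> Tuple[bool, str]:
    """Return (accepted, certificate status or rejection reason)."""
    if s.send_nonce:
        # Assumption: a response without the nonce we sent is rejected, since the
        # nonce is what ties this response to this request (replay defence).
        if resp.nonce is None or resp.nonce != request_nonce:
            return False, "nonce missing or mismatched"
    skew = timedelta(minutes=s.max_clock_skew_min)
    if resp.produced_at > now + skew:
        return False, "producedAt is further ahead of local time than the allowed skew"
    if not s.ignore_validity_dates:
        if resp.this_update > now + skew:
            return False, "thisUpdate is in the future"
        if resp.next_update is not None and resp.next_update < now - skew:
            return False, "nextUpdate has passed: response expired"
    # Freshness bounds the age of a preconstructed response, measured from
    # thisUpdate (assumption about the reference point).
    if now - resp.this_update > timedelta(minutes=s.response_freshness_min):
        return False, "response older than the freshness window"
    return True, resp.cert_status


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed local time
NONCE = b"\x01\x02\x03\x04"                               # constructed request nonce


def fresh_response(**overrides) -> OcspResponse:
    """Constructed well-formed response produced one minute ago; overrides
    let each scenario change a single field."""
    base = dict(produced_at=NOW - timedelta(minutes=1),
                this_update=NOW - timedelta(minutes=1),
                next_update=NOW + timedelta(days=1),
                nonce=NONCE, cert_status="good")
    base.update(overrides)
    return OcspResponse(**base)


if __name__ == "__main__":
    print(evaluate_response(fresh_response(), NONCE, NOW, OcspSettings()))
    print(evaluate_response(fresh_response(nonce=b"\xff"), NONCE, NOW, OcspSettings()))
```

A response whose producedAt is ten minutes ahead of local time fails with the default 5-minute skew but passes with 15; an expired response (nextUpdate in the past) is rejected unless Ignore thisUpdate and nextUpdate is on; and a two-day-old preconstructed response is rejected once freshness is tightened to one day.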

Allow OCSPNoCheck extension:
Specifies whether the OCSPNoCheck extension is allowed in the response signing certificate. The default value is true.

Require OCSP ISIS-MTT CertHash Extension:
Specifies whether a certificate public key hash extension must be included in OCSP responses. The default value is false.

Error Handling Options for Debugging

Purge Certificate Cache on next API call:
Specifies whether to purge the Certificate Cache when the next Signature Service Operation is called. After the operation is called, this option is set back to false. The default value is false.

Purge CRL Cache on next API call:
Specifies whether to purge the CRL Cache when the next Signature Service Operation is called. After the operation is called, this option is set back to false. The default value is false.

Purge OCSP Cache on next API call:
Specifies whether to purge the OCSP Cache when the next Signature Service Operation is called. After the operation is called, this option is set back to false. The default value is false.
