Time Stamp Server

Integration Guide for Adobe Acrobat Pro and

Reader

www.thales-esecurity.com
 Version: 3.0
Date: 14 March 2012

Copyright 2012 Thales e-Security Limited. All rights reserved.

Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic means
whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior
written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which
it is supplied.
CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of
Thales e-Security Limited.
CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra,
nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited.
All other trademarks are the property of the respective trademark holders.
Information in this document is subject to change without notice.
Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall
not be liable for errors contained herein or for incidental or consequential damages concerned with the
furnishing, performance or use of this material.
These installation instructions are intended to provide step-by-step instructions for installing Thales software
with third-party software. These instructions do not cover all situations and are intended as a supplement to the
documentation provided with Thales products. Disclaimer: Thales e-Security Limited disclaims all liabilities
regarding third-party products and only provides warranties and liabilities with its own products as addressed
in the Terms and Conditions for Sale.

Template: nShiMar12

Version: 3.0
Date: 14 March 2012
2012

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 2
 Contents

Chapter 1: Introduction 4
Requirements 5

Chapter 2: Procedures 6
Adding the TSS as the default time stamp server 6
Importing the root CA certificate used by the TSS 7

Chapter 3: Troubleshooting 9

Addresses 10

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 3
 Chapter 1: Introduction

Adobe Acrobat Pro permits users to create, control, and secure Portable Document Format (PDF)
documents. It also permits users to collectively review and edit documents, and convert
documents from other formats to PDF.

You can integrate Adobe Acrobat Pro or Adobe Reader with a Thales Time Stamp Server
(referred to in this guide as TSS) to permit the use of time stamping to seal documents.

The TSS is a time stamp appliance. It uses the industry-standard IETF RFC 3161 protocol to
provide time stamps. The TSS also provides a secure auditable trail of time for the purposes of
non-repudiation. Adobe Acrobat Pro natively supports the RFC3161 time stamp service provided
by the TSS. In this way, you can time stamp a PDF document to validate that document’s
authenticity at the time it was time stamped.

The benefits of Adobe Acrobat Pro include:

• Support for the ubiquitous PDF format.

• RFC3161-compliant time stamping.

• Digital signing of documents.

• 128-bit encryption and password protection.

• Review and editing tools.

• Ability to create PDF documents from within other applications (for example, the Microsoft
Office suite).

• Ability to integrate with Adobe server products.

The benefits of TSS include:

• Centrally managed and secured time stamp appliance.

• FIPS 140-2 level 3 validated hardware.

• Secure and audited link to a master time source.

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 4
 Requirements

This document explains how to set up and configure Adobe Acrobat Pro or Adobe Reader to
integrate with a TSS. The instructions in this document have been thoroughly tested and provide
a straightforward integration process. There may be other untested ways to achieve
interoperability.

The integration between TSS and Adobe Acrobat Pro or Adobe Reader has been successfully
tested in the following configurations:

Windows Server operating Adobe Acrobat Pro and Reader Thales TSS version
system version version
Windows Server 2008 R2 SP1 X 5.10
Windows Server 2008 R2 SP1 9.0 5.10
Windows Server 2003 9.0 5.0
Windows Server 2000 9.0 5.0

This document may not cover every step in the process of setting up all the software. It assumes
that:

• You have read your TSS documentation and have installed the TSS product.

• You are familiar with the Adobe Acrobat Pro or Adobe Reader documentation and have
installed Adobe Acrobat Pro or Adobe Reader.

Additional documentation produced to support your Thales product can be found in the
document directory of the CD-ROM or DVD-ROM for that product.

For information about OS support, contact your Adobe sales representative or Thales Support.
For more information about contacting Thales, see Addresses at the end of this guide.

Requirements
Before setting up the time stamping functionality, ensure that:

• Adobe Acrobat Pro or Adobe Reader is installed.

• The TSS appliance is installed, operational, and ready for time stamping.

• You have the root CA certificate used by the TSS stored on the computer on which Adobe
Acrobat Pro or Adobe Reader is installed.

• There is a working network connection between the TSS appliance and the computer on
which Adobe Acrobat Pro or Adobe Reader is installed.

We recommend that you familiarize yourself with the Adobe Acrobat Pro or Adobe Reader
documentation and Thales TSS documentation.

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 5
 Chapter 2: Procedures

To set up time stamping functionality, allowing Adobe Acrobat Pro or Adobe Reader to use a
specified TSS for its default time stamp service:

• Add the TSS as the default time stamp server.

• Import the root CA certificate used by the TSS.

These procedures are described in the following sections.

Adding the TSS as the default time stamp server

To add the TSS as the default time stamp server:

1 In the Adobe Acrobat Pro or Adobe Reader application, open the Security Settings dialog:

- Adobe Acrobat X Pro: Select Tools > Sign and Certify > More Sign & Certify > Security
Settings.

- Adobe Reader X: Select Edit > Protection > Security Settings.

- Adobe Acrobat 9.0 Pro: Select Advanced > Security Settings.

- Adobe Reader 9.0: Select Document > Security Settings.

The Security Settings dialog appears.

2 Select Time Stamp Servers (in the left-hand pane), and then click New.

The Edit Time Stamp Server dialog appears.

3 In Name and Server URL, specify the name and URL path of the TSS.

Note For test purposes, Thales provides a publicly available TSS located at:
http://dse200.ncipher.com/TSS/HttpTspServer

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 6
 Importing the root CA certificate used by the TSS

4 Click OK.

The name and URL of the TSS appears in the Security Settings dialog.

5 Select the name of the TSS and click Set default.

6 In the message that appears, click OK to confirm the use of the TSS as the default time stamp
server.

A star appears next to the name of the TSS in the Security Settings dialog.

7 Close the Security Settings dialog.

Importing the root CA certificate used by the TSS

To import the root CA certificate used by the TSS:

1 In the Adobe Acrobat Pro or Adobe Reader application, open the Manage Trusted Identities
dialog:

- Adobe Acrobat Pro 9.0: Select Advanced > Manage Trusted Identities.

- Adobe Reader 9.0: Select Document > Manage Trusted Identities.

- Adobe Acrobat X Pro: Select Tools > Sign and Certify > More Sign & Certify > Manage
Trusted Identities.

- Adobe Reader X: Select Edit > Protection > Manage Trusted Identities.

The Manage Trusted Identities dialog appears.

2 In Display, select Certificates.

The list of certificates is displayed.

3 Click Add Contacts.

The Choose Contacts to Import dialog appears.

4 Click Browse. Locate and select the root CA certificate used by the TSS, and click Open.

The certificate appears in the Contacts box.

5 Click Import.

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 7
 Importing the root CA certificate used by the TSS

6 The Import Complete dialog appears, confirming that the certificate is imported. Close the
dialog.

The imported certificate is now included in the list of certificates in the Manage Trusted
Identities dialog.

7 Select the imported certificate in the list of certificates, and click Edit Trust.

The Edit Certificate Trust dialog appears.

8 Select the Trust tab. Select Use this certificate as a trusted root and click OK.

9 Close the Manage Trusted Identities dialog.

Adobe Acrobat Pro or Adobe Reader is now configured to use the specified TSS for its default
time stamp service.

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 8
 Chapter 3: Troubleshooting

The following table provides troubleshooting guidelines.

Error message when signing Resolution

Signature is timestamped but
the timestamp could not be
verified.
Signature date/time are from
the clock on the signer’s
computer.
Check that the TSS time stamping certificate has been added to
the The Manage Trusted Identities dialog and Use this certificate
as a trusted root is selected.
Resolution 1: Check that the TSS details in the Security Settings
dialog has Set default enabled.
Resolution 2: The time stamping feature must be marked as
critical when creating the certificate to be used for
timestamping. If the feature is present in the certificate but not
marked as critical, the error message above occurs.

Time Stamp Server: Integration Guide for Adobe Acrobat Pro and Reader 9
 Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or + 1 954 888 6200
sales@thalesesec.com

Europe, Middle East, Africa

Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: + 44 (0)1844 201800
emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F. 248 Queen’s Road East, Wanchai, Hong Kong, PRC
Tel: + 852 2815 8633
asia.sales@thales-esecurity.com

Internet addresses
Web site:
Support:
Online documentation:
International sales offices:
www.thales-esecurity.com
www.thales-esecurity.com/en/Support.aspx
www.thales-esecurity.com/Resources.aspx
www.thales-esecurity.com/en/Company/Contact%20Us.aspx