Certum Digital Identification CA SHA2
Adobe AATL contains the certificate of Certum Digital Identification CA SHA2 (Serial: 66 DA EF 03 DB 84 61 91 6B 25 BA 83 FB 17 4E 13)
However, due to an error in the policy constraint of the CA certificate, all certificates issued by this certificate is not valid.
The current Certificate policies contain: 1.2.616.1.1135220.127.116.11.6.11
However, all end entity certificates contain: (either) 1.2.616.1.113518.104.22.168.6.11 | 1.2.616.1.113522.214.171.124.6.12 1.2.616.1.1135126.96.36.199.6.13 | 1.2.616.1.1135188.8.131.52.6.14
The three missed policy constraint created the error of
"Invalid Policy Constraint"
This error was initially reported by myself on May 24th, 2018 at Twitter direct message.
Steven Zhu commented
Yes, there's a solution to this.
Most of you guys probably won't realize, Adobe AATL is strict, which means browser downloaded certificates won't qualify for their security standard, which means all certificates downloaded directly from the browser (compare to USB token etc.) can't be included in AATL.
In Certum's case, the serial number Adobe included in the policy constraint list is their Qualified Certificate Authority (QCA) product, which is indeed based on hardware tokens. And other CAs' AATL-enabled certificates were based on hardware devices (like USB token, Smart card, etc.).
So, in short: Adobe AATL-enabled certificates are expensive and are hardware-based. So don't be a fool like me, thinking a cheap "Browser download" certificate can be used in the Adobe signing process.
Paul Crozer commented
Hello - Is there a resolution to this? I just purchased a Certum certificate which appears to have policy 1.2.616.1.1135184.108.40.206.6.12 -- and so is not showing as valid, because the CA policy is only 1.2.616.1.1135220.127.116.11.6.11