Version 3.8 Page 1 of 17
Document History Version Amendments Date Amended by 2.1 Corrected index numbering, revised Section 1.6 and references to 1.6; Corrected formatting 30-Jul-2014 Application Support 2.2 Added: 2.2 Document History, Footer and Intertek Logo 01-Aug-2014 Application Support 2.3 Changed document name 18-Aug-2014 Application Support 2.4 Updated section 1.6 regarding Windows XP 06-Jun-2016 Solutions Architect 3.0 Updated to meet the esignature 8.0 platform 29-Jun-2016 Solutions Architect 3.2 Final review completed for publication 30-Jun-2016 Solutions Architect 3.4 Updated to meet the esignature 8.01 platform 22-Aug-2016 Solutions Architect Page 2 of 17
Table of Contents Document History... 2 Table of Contents... 3 1. Customer Frequently-Asked Questions... 4 a. What is the purpose of esignature?... 4 c. Which Certificate Authority (CA) does Intertek use?... 4 d. What happens if a signing certificate expires?... 4 e. What steps should be taken if esignature validation fails?... 4 f. Can a PDF report s content be modified after it was signed (such as making comments)?... 5 g. What if the PDF Report was modified after it was signed?... 5 h. What is the official version/copy of an Intertek report?... 6 i. How much Internet bandwidth is required for esignature validation?... 7 j. What software is necessary for esignature validation?... 7 k. What versions of Acrobat Reader are supported?... 7 l. Can signed report content be copied after it was signed?... 7 2. Verifying Intertek-Signed Documents... 8 a. Verifying documents signed after September 2016... 8 b. Verifying documents signed before September 2016... 9 c. Viewing Certificate Details... 12 d. Valid Intertek Signing Certificates... 13 e. Checking the expiration date of a certificate... 15 3. Common Issues... 15 a. Error: At least one signature has problems on documents signed before September 2016)... 15 b. Error: Signed and all signatures are valid, but with unsigned changes after the last signature... 16 c. Error: At least one signature is invalid... 16 Page 3 of 17
1. Customer Frequently-Asked Questions The navigation shown in this document is based on Adobe Acrobat Reader DC; other versions of Acrobat Reader may be present in a different menu. a. What is the purpose of esignature? esignature, Intertek s digital signature platform, is used to ensure the integrity of an Intertek document or report. The esignature solution will prevent forged or modified PDF reports by verifying the authenticity of the document and logging any changes after it was signed. Digital signatures allow customers to validate the signature, confirm the time and date stamp, and view the log of modifications made after the document was digitally signed. An example of the validation message on a signed document will say Signed and all signatures are valid or Certified by NAME (email@intertek.com), Intertek Group plc, certificate issued by Intertek Document Signing Authority : - OR - b. Why do documents signed before September 2016 have a yellow exclamation? Prior to September 2016 Intertek utilized Comodo as a top-level certificate authority. The result of this was that documents signed using this set of certificates do not automatically verify when using Adobe Acrobat. To validate documents that were signed prior to September 2016, please use the Verifying documents signed before September 2016 section of this document. c. Which Certificate Authority (CA) does Intertek use? Intertek uses GlobalSign (http://www.globalsign.com) as a certificate authority who issues digital certificates. The CA is the highest-level authority who certifies that the digital signature chain is in fact valid and was signed by the person who says they signed. d. What happens if a signing certificate expires? A signing certificate is valid for a 1-year period, though the ability to verify the authenticity of the document will not be affected after expiration. Validation of authenticity is done at the time of signing, so signed documents will be valid even after the signing certificate has expired or been replaced. e. What steps should be taken if esignature validation fails? If the esignature of a PDF report is not validated, the information provided in either the certificate or the document may not be correct and Acrobat Reader will display the message At least one signature has problems or At least one signature is invalid. Page 4 of 17
A document may present a warning or failure if any of the following conditions exist: i. If your document was signed before September 2016 and is presenting a warning, double check your Windows and Acrobat settings. For details, please refer to the section Verifying documents signed before September 2016 ii. Loss of internet connection. Once the Internet connection is restored, open the PDF report again and Acrobat will proceed with authenticating the esignature. iii. The document is not an official Intertek-signed document. Please verify the document by checking the certificate. If you have attempted to validate the document and still see errors or suspect you are possession of a counterfeit document, please contact your Intertek support or sales representative for assistance. f. Can a PDF report s content be modified after it was signed (such as making comments)? Modifications should not be made to Intertek s PDF report content. Any content changes after signing will be logged in the file and the display message Signed and all signatures are valid, but with unsigned changes after last signature or At least one signature is invalid will appear. For details, please refer to the section What if the PDF report was modified after it was signed? If there is a need to perform markups on Intertek s report, Adobe Acrobat provides built-in methods to add comments and annotations while maintaining a list of changes post-signature. Intertek will never use this function as a formal publication of a document. g. What if the PDF Report was modified after it was signed? Page 5 of 17
If annotations or comments were added after the report was digitally signed, the message Signed and all signatures are valid, but with unsigned changes after last signature will display and related modifications will be logged as below: If pages were added/deleted after the PDF was signed, the message At least one signature is invalid. will display and pages added/deleted will be logged. h. What is the official version/copy of an Intertek report? The official copy of a report will be an Intertek-signed version in PDF format. Any other formats, such as Excel and Word are for reference only. Please contact your Intertek support person for further clarification or to check on a specific report with us. Page 6 of 17
i. How much Internet bandwidth is required for esignature validation? There is no minimum bandwidth required. The validation process uses a minimal amount of data using standard certificate verification processes. j. What software is necessary for esignature validation? An Adobe-supported Adobe Acrobat Reader version is needed to open and verify documents signed with the esignature platform. Acrobat Reader can be downloaded free of charge at https://get.adobe.com/reader/ To see which versions of Adobe Acrobat are supported, you may check here: http://www.adobe.com/support/programs/policies/supported.html If prompted by Adobe Acrobat for a Trusted Certificates Update, please allow the update to occur by clicking OK Note: If you are viewing reports signed prior to September 2016, please make sure that you use the instructions in the section Verifying documents signed before September 2016 k. What versions of Acrobat Reader are supported? An Adobe-supported Adobe Acrobat Reader version is needed to open and verify documents signed with the esignature platform. Acrobat Reader can be downloaded free of charge at https://get.adobe.com/reader/ To see which versions of Adobe Acrobat are supported, you may check here: http://www.adobe.com/support/programs/policies/supported.html If you do not use Adobe Acrobat, or use an unsupported version of it, the signed documents may not show as valid. l. Can signed report content be copied after it was signed? Report content should not be copied. Intertek can only guarantee the integrity of content within a signed and validated Intertek report. Page 7 of 17
2. Verifying Intertek-Signed Documents Before validating Intertek s esignature, first ensure that: You are using an Adobe-supported and updated version of Adobe Acrobat Reader You have an Internet connection If you are validating a report signed prior to September 2016, you will need to use the Verifying Documents Signed Prior to September 2016 process When opening a signed PDF report for the first time, Acrobat Reader should display the message Signed and all signatures are valid or Certified by NAME (email@intertek.com), Intertek Group plc, certificate issued by Intertek Document Signing Authority on top of the document if the certificate is valid. If the document does not say this, please refer to the section on What steps should be taken if esignature validation fails. - OR - Note: If your document was signed before September 2016, it may show a yellow exclamation mark with the text At least one signature has problems. If you see this message, please use the steps for Verifying Documents Signed Prior to September 2016. a. Verifying documents signed after September 2016 To verify the digital signature placed by Intertek s esignature platform: 1) Open the signed document and look for the message that the document is Signed and all signatures are valid or Certified by NAME (email@intertek.com), Intertek Group plc, certificate issued by Intertek Document Signing Authority - OR - 2) Open the signature panel by clicking on the Signature Panel button 3) Expand the Rev.1 signature item by double-clicking on it, and verify all of the appropriate information that is outlined in green below. Verify the certificate details match the details from the Valid Intertek Signing Certificates section. Page 8 of 17
This should include the following verifications: Signature is valid Document has not been modified since this signature was applied Signer s identity is valid b. Verifying documents signed before September 2016 Note: This section only applies to documents signed before September 2016. If the error says Signature is valid, but revocation of the signer s identity could not be checked, first ensure that you have an Internet connection, and then follow the steps to check the certificate expiration date. Although this message is received, the signature attached to the document may still be valid for the purpose of authentication and authorization, but should be verified. To eliminate this warning and allow the certificate to validate, the following configuration should be done in Adobe Acrobat: 1) Open the signature panel by clicking on the Signature Panel button 2) Expand the signature properties in the signature panel and click on Certificate Details under the Signature Details section Page 9 of 17
3) With the signature properties open, select the CoSign Certificate Authority by ARX certificate in the chain on the left. Once selected you will see the properties of this certificate appear on the right. If you do not see CoSign Certificate Authority by ARX and the document was signed prior to September 2016, the document is forged, invalid, or the wrong certificate has been selected. Here are examples of proper Intertek certificates. Do NOT continue these steps if the certificate does not say CoSign Certificate Authority by ARX. If the certificate does not say CoSign Certificate Authority by ARX or Intertek Document Signing Authority, then the document is not a valid signed Intertek document. 4) Click on the Details tab and locate the detail for Serial Number. Confirm that the serial number on the certificate is: 4E FA BB 32 A3 0D 00 A4 EB DC 13 03 C0 3C 5C BB Do NOT continue these steps if the serial number is NOT 4E FA BB 32 A3 0D 00 A4 EB DC 13 03 C0 3C 5C BB. Page 10 of 17
5) If both the name and serial number of the certificate match as described above, click on the Trust tab and then click the Add to Trusted Certificates button to add the root certificate to your trusted certificate store. 6) After clicking to add the certificate you will be prompted with a warning. If you have properly validated that the certificate that you are importing is CoSign Certificate Authority by ARX, please click OK to add it to your trusted certificates store. Page 11 of 17
7) Confirm that the box is checked for Use this certificate as a trusted root, and the details outlined in green to make sure that you are importing the proper certificate. If the details match with what is displayed below, click OK to finish the process. 8) Re-open the document and you should find that the signature comes up as valid. All other Intertek-signed documents should appear as valid now as well. c. Viewing Certificate Details Once you have checked that the signature is valid, you should also ensure that the certificate information is similar to the information below. An Intertek representative may provide different specifics depending on specific location or the type of business. Page 12 of 17
To get to the certificate details: 1) Open the signature panel by clicking on the Signature Panel button 2) Expand the signature properties in the signature panel and click on Certificate Details under the Signature Details section d. Valid Intertek Signing Certificates The signing certificate is only a valid Intertek certificate if the intermediate certificate details match the details below. The intermediate certificate is the certificate in the chain directly above the user certificate, and can be selected by clicking on it after you have the certificate details open: Below are the details of the two valid Intertek intermediate certificates: The document was signed after September 2016, the intermediate certificate will have the following details: o Company: Intertek Document Signing Authority Intertek Group plc o Issued by: GlobalSign CA for AATL - SHA256 - G2 o Serial Number: 48 1B 6A 0E DD D2 23 36 DC 04 C6 60 60 A9 Page 13 of 17
The document was signed before September 2016, the intermediate certificate will have the following details: o Company: CoSign Certificate Authority by ARX ARX (Algorithmic Research) o Issued by: UTN-USERFirst-Client Authentication and Email o Serial Number: 4E FA BB 32 A3 0D 00 A4 EB DC 13 03 C0 3C 5C BB Page 14 of 17
e. Checking the expiration date of a certificate Signed documents do not expire even when the signing certificate does. This is because the authorization to sign is embedded at the time of signing, embedding Long Term Validation (LTV) methods into the document. To check the expiration date of a certificate: i. Open up the certificate details as described in the Certificate Details section ii. Check the Valid to section of the certificate details to see the expiration date 3. Common Issues When validating documents that are Intertek-signed, it is important that you see the following message ensuring that the document is an authentic Intertek document that is unmodified. - OR - If your document does not show as valid after going through the verification steps listed in this document, you can refer to this list of common issues to try to resolve the problem. a. Error: At least one signature has problems (documents signed before September 2016) If your document was signed before September 2016, it may show a yellow exclamation mark with the text Page 15 of 17
At least one signature has problems. If you see this message, please use the steps for Verifying Documents Signed Before September 2016. b. Error: Signed and all signatures are valid, but with unsigned changes after the last signature If you see this message, you can easily see what changes have been made to the document since signing. 1) Open the signature panel by clicking on the Signature Panel button 2) In the signature panel, look at the list of items under the Annotations Created section to see what changes have been made. c. Error: At least one signature is invalid If you see this error message, it could be the result of several issues: 1) The document that you are viewing is a forged or unauthentic Intertek document. Please check the steps as to what to do if the esignature validation fails. 2) The document has been modified with more than simple annotations. Documents in this state have been invalidated because the content has been modified since signing. This includes page Page 16 of 17
adds, deletes, and text changes. Please check the steps as to what to do if the esignature validation fails. d. Error: Signature is not LTV enabled and will expire after XXXX/XX/XX (Windows XP/2003) On Windows XP and Windows 2003, the Adobe Acrobat client does not have a core checking component turned on by default to validate LTV-enabled signatures (Long-Term Validation). When this component is not enabled, documents that have been signed will not show as LTV-enabled and will indicate that the signature will expire on the date of the signer s certificate. This error message is misleading, as the documents will continue to be valid past the date displayed. To fix this error, please enable the proper certificate verification by doing the following: 1) In Adobe Acrobat, click on the Edit menu and then click on Preferences. 2) In the left-hand pane, click on Signatures. Page 17 of 17
3) Click on the More button under the Verification section. 4) Check the box for Require certificate revocation checking to succeed whenever possible during signature verification. 5) Close Acrobat and re-open the document to see the updated verification. e. Resetting Adobe Acrobat or Acrobat Reader settings If you need to reset all settings within Adobe Acrobat or Acrobat Reader, the settings are per-user (individual for each user who logs in). To reset a user s settings: 1) Log in as the user 2) Close Adobe Acrobat or Acrobat Reader 3) Open the registry by using regedit.exe 4) Delete the following keys: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat 5) Open Adobe Acrobat or Acrobat Reader Page 18 of 17