Select a submit button, click the Submit tab in the Object palette, ensure that Sign Submission is selected, click Settings, and then click the Issuers and Policies tab.
Select an email or HTTP submit button and, in the Object palette, ensure that Sign Submission is selected, click Settings, and then click the Issuers and Policies tab.
Opens the Select Issuer Certificate dialog box, where you can browse for and add issuer certificates. A certificate file has a file name extension such as .p7c, .p7b, or .cer.
Opens the Certificate Viewer, where you can view the details about the selected certificate. The details that are listed vary according to the installed Certificate Authority (CA) certificates.
Acrobat rejects the signature if the signing party does not have a certificate from a specified issuer.
Specifies the URL for a web page where people can enroll for a certificate. This web page appears when a signing party does not have an available signing certificate, or when the URL is required and the certificate set using the Restrict Signing To Certificates From The Specified Issuers option is not available.
Lists the object identifiers (OIDs) that are associated with the certificate policies that restrict the certificates that can be used to sign the document or data. When you set an OID, you must also set the certificate issuer so that Acrobat recognizes the entry.
Acrobat rejects the signature if the signing certificate does not conform to the specified policies.
When deciding whether to restrict signing to certificates that conform to the specified policies, it is helpful to understand what the signing party can and cannot do in Acrobat and Adobe Reader, depending on the circumstances.
Note:
The Adobe.PPKLite signature handler, not Adobe Acrobat, analyzes and processes the object identifier information that you enter in the Signature Settings and the Sign Data and Submit Settings dialog boxes. As a result, these four situations arise only if you select the Adobe.PPKLite signature handler. Third-party signature handlers may not process this information.
Available to signing party
The Adobe default security handler lets the signing party use any digital ID for signing regardless of its certificate policy.
The Adobe default security handler only lets the signing party use a digital ID with the specified certificate policy. The signing party cannot select (for signing) a digital ID that does not contain the matching certificate policy.
The Adobe default security handler requires the signing party to use a digital ID with the specified certificate policy. The signing party must obtain a digital ID with the specified certificate policy before they can proceed with the signing.
The Adobe default security handler requires the signing party to use a digital ID with the specified certificate policy.
See also 

Issuers and Policies tab (Signature Settings/Sign Data and Submit Settings dialog box)