Expand my Community achievements bar.

Expiration of Reader Extensions certificates and its impact

Avatar

Moderator

Adobe Experience Manager Forms (AEM Forms) customers with Adobe Managed Services or On-premise Enterprise Base licenses are entitled to use Acrobat Reader DC Extensions service. The service enables an organization to easily share interactive PDF documents by extending the functionality of Acrobat Reader with additional usage rights. The service adds usage rights to a PDF document and activates features that are not available when a PDF document is opened using Adobe Acrobat Reader, such as adding comments to a document, filling forms, and saving the document. Third-party users do not require additional software or plug-ins to work with rights-enabled documents. PDF documents that have usage rights added are called rights-enabled documents. A user who opens a rights-enabled PDF document in Acrobat Reader can perform the operations that are enabled for that document.

Adobe leverages a public key infrastructure (PKI) to issue digital certificates for use in licensing and feature enablement. Adobe has been issuing certificates under the certificate authority “Adobe Root CA”, which is set to expire on January 7, 2023. A new certificate authority, "Adobe Root CA G2", and certificates based on the new certificate authority are now available.

Old certificates (certificates based on “Adobe Root CA”) no longer work after January 7, 2023. Adobe recommends that you start using the new certificates — those based on "Adobe Root CA G2" — to Reader extend your PDF documents on or before January 7, 2023. You can obtain new certificates from the Adobe Licensing Website or Adobe Support.

All PDF documents, Reader extended using the older certificates before January 7th 2023, including the ones downloaded by your customers, would continue to work with all the usage rights that are applied to them, and do not require any updates.

 

Frequently Asked Questions

Q. What is the difference between an Adobe Root certificate and an Acrobat Reader Extensions certificate? Is the Adobe Root certificate dependent on an Acrobat Reader Extensions certificate? Are both of these certificates expiring in January 2023?

A. Adobe Root CA is the certificate authority from which an Acrobat Reader Extensions certificate is issued. On January 7, 2023, "Adobe Root CA" and all the certificates issued from it are expiring.

 

Q. There was a previous communication from Adobe regarding the expiration of certificates and the impact on using/opening PDF documents. Should that communication be ignored?
A. Based on the reassessment of the situation, all PDF documents extended using production certificates issued from the old "Adobe Root CA" before January 7, 2023 continue to work without any change after January 7, 2023. If you have already updated your PDF documents there is no change in the experience.

 

Q. Who should I contact if I have additional questions?

A. You can contact Adobe Support or raise a support ticket.

 

Q. What happens if I do not update my certificate before January 7, 2023?

A. All PDF documents extended using production certificates issued from the old 'Adobe Root CA' before January 7, 2023 continue to work without any change after January 7, 2023. PDFs extended with evaluation certificates do not work after the expiration date.

 

Q. Is the description of new certificates any different from old certificates?

A. The description of the new Acrobat Reader Extensions certificates mentions G3-P24 as the program name. In the description of older certificates (certificates based on “Adobe Root CA”), P24 is mentioned as the program name.

 

Q. How do I obtain the latest certificates?

A. All the entitled Forms Customers (with active license) can download the new certificates (certificates based on "Adobe Root CA G2") from the Adobe Licensing Website. If you are unable to find the certificate on Adobe Licensing Website, contact Adobe Support or raise a support ticket.

 

Q. Do my PDF documents extended using certificates issued from "Adobe Root CA" (the old certificate authority) continue to work after January 7, 2023?

A. Yes, all PDF documents extended using production certificates issued from the "Adobe Root CA" (the old certificate authority) before January 7, 2023, continue to work without any change after January 7, 2023. PDF documents extended with evaluation certificates cease to work past the expiration date.

 

Q. Which version of Adobe Acrobat Reader is required to continue using PDF documents extended with certificates issued from "Adobe Root CA" (the old certificate authority)?

A. Adobe Acrobat Reader 2020 or later is required to use PDF documents extended with "Adobe Root CA" (the old certificate authority). It is the supported version of Acrobat Reader at the time of publishing this document. If you are using a non-supported version of Adobe Acrobat, Adobe recommends that you download and install the latest version of Adobe Acrobat Reader.

 

Q. Which version of Adobe Acrobat Reader is required to continue using PDF documents extended with certificates issued from "Adobe Root CA 2" (the new certificate authority)?

A. Adobe Acrobat Reader 2020 or later is required to use PDF documents extended with "Adobe Root CA 2" (the new certificate authority). If you are using a non-supported version of Adobe Acrobat Reader, Adobe recommends that you download and install the latest version of Adobe Acrobat Reader.

 

Q. Can I delete an old Acrobat Reader Extensions certificate and add a new one on an Adobe Experience Manager Forms Server while continuing to use the existing alias?

A. Yes, you can delete an old Acrobat Reader Extensions certificate and add a new one with the existing alias to an Adobe Experience Manager Forms Server.

 

Q. Can I keep both new and old Acrobat Reader Extensions certificates on an Adobe Experience Manager Forms Server?

A. Yes, you can keep both certificates but with different aliases on an Adobe Experience Manager Forms Server. After January 7, 2023, you can use only the new certificate to Reader extend a PDF document.

 

Q. Can I import the same Acrobat Reader Extensions certificate to all the Adobe Experience Manager Forms environments?

A. Yes, the same Acrobat Reader Extensions certificate can be used across multiple environments.

 

Q. How do I check the usage rights applied to a PDF document?

A. You can use the getDocumentUsageRights API to retrieve the information about the usage rights applied to a PDF document.

 

Q. How do I change the password of an Acrobat Reader Extensions certificate file?

A. On Microsoft Windows, to change the certificate Password, install the certificate using the Microsoft Management Console (MMC) and select Mark the key as Exportable. Once installed, export the certificate with a Private key, and use another password for the PFX file.

 

Last updated on 24 Nov, 2022 

10 Replies

Avatar

Level 4

Hi, we applied this Adobe reader extension certificate to our LC server. To our surprise, some of the windows 7/8/10 users reported the "This document enabled extended features in Adobe Acrobat Reader. The document has been changed since it was created and use of extended features is no longer available. Please contact the author for the original version of this document.", while most of the client who are using Windows 11 didn't report any error at all.

The same LC application for the problematic client worked fine just before the certificate update for many years.

We changed our alias with "READER Extension" and "default", also, we changed "ADOBEROOT" to the new certificate, rename the old one to ADOBEROOT_OLD, then restarted LC server.

While some windows 7/8/10 user not working, others with even old windows OS build still works fine.

Is anyway we can understand how the server certificate pushed to Adobe reader and where's the certificate in the PDF and how to validate this certificate?

We opened ticket to Adobe, but Adobe only keep asking windows version and Adobe reader version, but our client update windows and Adobe reader to latest os build and reader 64bit already, but still no luck.

To my surprise, Adobe doesn't request any Adobe reader log if error happens.

Do any other company upgrade the Adobe reader extension certificate and got the same issue?

 

Avatar

Level 4

Also, Adobe root certificate will be expired on Jan 9 as well, will be any impact?

Avatar

Level 4

We followed. However, some win 7/8/10 home users reported error no matter how they reinstall latest Adobe reader DC.

Also, we can reproduce this error on Adobe reader 9.5.5.1 on Ubuntu.

Avatar

Level 4

I am also having this same issue with a form that is used in our Adobe AEM instance. Have you had any luck getting it fixed?

Avatar

Employee Advisor

@SeanLapointe 

We are already working with @DavidZhang to investigate this issue.

 

Adobe reader 9.5.5 is end of life now, so the behavior is expected.

If you're seeing this issue with the latest Reader version and Win10 or above operating system, please raise a support ticket with the required artifacts.

Avatar

Level 4

The issue has been resolved in all our windows customer by rename the addressbook.acrodata file under %appdata%\AppData\Roaming\Adobe\Acrobat\DC\Security or rename the whole DC folder completely.

However, for Macbook, seems the user still doesn't work. We are still working on it.

Seems Adobe forget to clean up very old users addressbook.acrodata, so the new certificate is not trusted.

Avatar

Level 4

Thank you for the information. As it turns out, I was the only user with an out-of-date version of Reader.

Avatar

Level 4

It's not how old is your reader, it's the matter of how old is this file we talked about. We have very old customer, even with latest Adobe reader, still have the same issue. Anyway, glad to hear your problem resolved. Are you using windows or Mac?

Avatar

Level 4

This is good to know. I will make a note if users experience errors after we apply the new certificate. Thanks!