SOLVED

decrypt a PDF when offline?

Hi,

A customer reports that he cannot open a certificate-encrypted document when he is not on his company's network. When he is on the network it works. Why is that and how can I fix it?

What we do:

We send a PDF document via email to the guy. The PDF is encrypted with a certificate. He has the PFX certificate in his Windows certificate store. The PFX certificate is signed by a CA, which is self-signed. All certificates and the CA are generated with Adobe Acrobat. I installed the CA certificate on his machine and it does not change anything. We did not change any settings in the LC server regarding the certificates.

Thanks in advance for your answer.

Cheers,

Arne

1 Accepted Solution


Correct answer by
Former Community Member

Network connectivity is not necessary to open a "certificate encrypted" PDF as long as the end user has "local" access to the private key that corresponds to the public key that was used to encrypt the PDF. If the "private" key was being pulled from the end user's LDAP account, then I would say that network connectivity would be necessary.

To clarify, a "self-signed" certificate does not have a CA (certificate authority) and is not "signed" by a certificate authority. This is why it is called a "self-signed" certificate.

A PFX file contains a private key and a public key. Only the end user should have access to the PFX file. The public key can be extracted from the PFX and saved as a ".cer" (certificate) file (this file can be distributed freely). The "certificate" file is used to encrypt the PDF for the specific user. When the user receives the encrypted PDF and attempts to open it, they must have the PFX file containing the "private" key, and they must supply the password for the private key.

Make sure that the PFX is installed in the Windows Certificate Store, not just the public key "certificate" file.

Regards

Steve
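As an added example (not Steve's, Arne's or Adobe's code), the OpenSSL session below models the split described in the answer: the sender needs only the recipient's .cer, the recipient needs the PFX plus its password, and no step touches the network. It is a simplified model of the key wrapping, not the actual PDF/CMS envelope format; it assumes `openssl` is on PATH, and every file name, subject and password in it is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Models the PFX / .cer split:
# the sender needs only the public certificate, the recipient needs the PFX
# (private key) and its password, and nothing here touches the network.
# Assumes openssl on PATH; all names, subjects and passwords are constructed.
set -euo pipefail
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
PFX_PASS='constructed-pfx-password'   # the "password for the private key"

# Recipient's digital ID: self-signed certificate + private key, bundled into
# a password-protected PFX (PKCS#12), like the one Acrobat generates.
make_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Example Recipient' \
    -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/recipient.key" -in "$WORK/recipient.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/recipient.pfx"
}

# Public half only: the freely distributable .cer (DER), with no private key.
extract_cer() {
  openssl pkcs12 -in "$WORK/recipient.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -outform DER -out "$WORK/recipient.cer"
}

# Sender side (holds only the .cer): wrap a random content key for the recipient.
encrypt_for_recipient() {
  openssl rand -out "$WORK/content.key" 32
  openssl x509 -in "$WORK/recipient.cer" -inform DER -pubkey -noout > "$WORK/recipient.pub"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/recipient.pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/content.key" -out "$WORK/content.key.enc"
}

# Recipient side: unlock the PFX with its password and unwrap the content key.
# Exit 0 on success, entirely offline; fails if the PFX or password is missing.
decrypt_with_pfx() {
  openssl pkcs12 -in "$WORK/recipient.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$WORK/recipient.key.pem"
  openssl pkeyutl -decrypt -inkey "$WORK/recipient.key.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/content.key.enc" -out "$WORK/content.key.dec"
  cmp -s "$WORK/content.key" "$WORK/content.key.dec"
}

# Exit 0 only if the .cer holds a private key (it never does).
cer_has_private_key() { openssl pkey -in "$WORK/recipient.cer" -inform DER -noout 2>/dev/null; }

make_pfx; extract_cer; encrypt_for_recipient
decrypt_with_pfx && echo "PFX + password: content key recovered with no network access"
cer_has_private_key || echo ".cer only: no private key, so the document cannot be opened"
```

The same check applies to a real machine: if the Windows store (for the profile actually in use) holds only the .cer and not the PFX, the private key is absent and the document cannot be opened regardless of connectivity.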


2 Replies

Thank you for your answer.

I validated this at the customer's site and found out that the guy had two Windows profiles. Since the certificates are part of the Windows profile, it did not work when he used his "offline" profile, because he had installed it in the other profile only.
