SOLVED

Reader 9 does not find certificate to decrypt

Level 2

Hi,

I am trying to encrypt a PDF with the recipient's public key and have him decrypt it with his private key. As far as I understood, it is the same procedure as signing and verifying, but with the public and private key exchanged. I am new to this, so please correct me if I am wrong here.

My problem is that the Adobe Reader 9 on my Windows XP machine would not find any certificate to decrypt the document. I encrypted it with the standard Windows certificate each user has and with an imported one; both were not found. When I go to the security preferences in the Reader, I can see both certificates. When I use my private key to sign the document I cannot open it with the Reader either.

1. How can I make the Reader recognise my certificates?

2. Can I use the Windows PKI with the default windows certificate or do I have to get some fancy PKI product for that?

3. Does it make a difference for the reader if I sign the pdf or encrypt it for one single user?

What I do in detail:

I take a dynamic form, remove the reader extension (because I would get an Exception during encrypting otherwise) and encrypt it using the Java API for the Adobe Livecycle ES, like it is shown here. Before that I created a PKCS#12 certificate using openssl on my Ubuntu 10.10 machine like it is shown here. I imported that into the windows certificate store like shown here. Then I try to open the encrypted document on the windows machine and get the message that a digital ID was used to encrypt this document and there was no digital ID found to decrypt it.

After that I try plan B. I export the windows certificate of my user and use it to encrypt the pdf document. I export it with private key or without, it does not make any difference. I open the PDF file on the windows machine again and get the same message as above. I assumed that he should at least know his own certificate, but he does not.

Thanks in advance for your help.

Cheers,

Arne

6 Replies

Level 2

Hi Steve,

thank you for your answer. I attached the key in the security settings of the reader but it did not help. Maybe I am doing something wrong during the encryption.

My question about the procedure of encrypting was too ambiguous. Sorry for that. I found a code example in the LC documentation that obviously uses a private key to sign a document:

            // A .cer file carries an X.509 certificate, i.e. the public key;
            // setX509Cert attaches that certificate to the recipient.
            FileInputStream fileInputStreamCert = new FileInputStream("C:\\Adobe\\Encryption.cer");
            Document privateKey = new Document(fileInputStreamCert);
            recipient.setX509Cert(privateKey);

This document could be read by anyone afterwards. I want to achieve that the document can only be read by one person, therefore I have to provide the public key of that person to this piece of code. Can I put the recipient's public key into the file C:\Adobe\Encryption.cer and expect to get the desired result? Or do I need a different piece of code to do that?

Am I doing the encryption right? I do ...

- export my default certificate (That was installed with windows) to a file (without private key)

- I choose format X509 (.cer) binary

- I copy the file to my Linux machine

- I execute the java program from the example stated above. I tell the program to use the exported windows certificate and my pdf file (dynamic form, no RE)

- I get a new pdf file, which I copy to the windows machine

- I open the pdf file on the windows machine and get the message that no digital ID was found to decrypt it.

I cannot upload the document and certificate to show it

BTW, I don't know if that makes any difference, but my Windows machine is not part of a domain and has no access to an Active Directory server. It is a Windows XP SP3 on a VirtualBox virtual machine.

Thank you very much for your help so far.

Cheers,

Arne

Former Community Member

Arne

I have not tested the API myself, but I think your code looks correct.  Also, the steps you outlined look correct, it appears that you have the corresponding private key installed in the Windows certificate store of the machine that you are trying to view the encrypted PDF with.

Do you have access to Acrobat Pro?  If so, I would suggest that you use it to encrypt the PDF (using the same public key that you have been testing with), then test the encrypted PDF to see if it can be opened.  This would help determine if the problem is with your code, or with the system used to view the document.

As for your last question, it should not matter that the Windows machine is not part of a domain, assuming that the P12 or PFX file is installed on the machine itself (and not being pulled or accessed from Active Directory, as you have stated that you have no connection to it).

Hope this helps.

Steve

Level 2

Hi Steve,

I installed a test version of Acrobat, encrypted a document with the certificate of my Windows user and saw the same error message when I tried to open it again. It did not work with Acrobat or Adobe Reader. I conclude that there has to be something wrong with my certificate. Are there any special requirements for certificates? I do not have a certificate that is trusted by one of the official trust organisations like VeriSign. Is that a problem?

Is there any way to validate or test my certificate?

Thanks for your help.

Cheers,

Arne

Correct answer by
Former Community Member

Arne

The certificates must be X.509 compliant; they do not need to be issued by a specific certificate authority.  You can use a self-signed certificate to do this.  You can use Acrobat to easily create a self-signed certificate (.P12) file.

In Acrobat, select Tools > Protection > More Protection > Security Settings > Add ID, then follow the wizard steps.  This will create a credential (public/private key pair) that will work to encrypt a PDF with a certificate.

Try the encryption with the new certificate.

Thanks

Steve

Level 2

Hi Steve,

IT WORKS. I created a new certificate with Acrobat and imported it into the windows certificate repository. I exported it to a X.509 certificate file (.cer) and used that to encrypt the document with Livecycle. Adobe Reader was not able to open the encrypted file, but Acrobat was. After that I imported the newly created .cer file into Adobe Reader and it worked.

Here is a short manual for everyone having the same problem:

- Install Adobe Acrobat (there is a test version available)

- open a pdf with it or create new one

- go to Tools > Protection > More Protection > Security Settings, select "Digital IDs" in the tree on the left and click Add ID then follow the wizard steps.

- save the .pfx file somewhere

- double click the .pfx file to import it in the windows key store.

- open the windows key store (howto)

- right click the certificate and select All tasks > export (or something similar, I translated this from German)

- select the X.509 binary format and save the .cer file somewhere

- Use this example to encrypt a PDF file with the Adobe Livecycle ES and Java.

- In the Adobe Reader of the target computer select Document > manage trusted abilities > add contacts > browse and select the .cer file

- open the encrypted document with the Adobe Reader. It should work now.

Thank you very much for your great help, Steve. It helped a lot.

Cheers,

Arne
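The manual above builds the credential with Acrobat's wizard and then splits it into a .pfx (private key, imported where the PDF is opened) and a .cer (certificate only, handed to LiveCycle and to Reader's trusted identities). The script below is an added example, not from the thread or from Adobe, that produces the same two artifacts with OpenSSL and adds the two checks worth running before blaming Reader: that the .cer used for encryption is the public half of the key in the .pfx, and that the certificate permits key encipherment. The subject, file names and password are assumptions; the thread does not say why the original openssl-made certificate failed, so this only shows the pieces and how to verify them.

```shell
#!/bin/sh
# Added example (not from the thread or from Adobe). Produces:
#   recipient.pfx - PKCS#12 with the private key; import this on the machine
#                   that must OPEN the PDF (Windows store / Reader)
#   recipient.cer - DER X.509 certificate, public half only; give this to the
#                   LiveCycle encryption code (setX509Cert) and to Reader's
#                   trusted identities
# Subject, file names and the password are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"      # assumed password for the .pfx

make_credential() {
    # Self-signed is enough (see the accepted answer); no CA is required.
    # keyEncipherment is the use the RSA key is put to when the PDF's
    # symmetric key is wrapped for this recipient, so it is set explicitly.
    cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Arne Recipient
O = Example
[ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.pem" 2>/dev/null

    # PKCS#12 (.pfx/.p12) = private key + certificate, for the viewer's side.
    openssl pkcs12 -export -name "Arne Recipient" \
        -inkey "$WORK/recipient.key" -in "$WORK/recipient.pem" \
        -passout "pass:$PASS" -out "$WORK/recipient.pfx"

    # DER .cer = certificate only, what the manual exports from the Windows store.
    openssl x509 -in "$WORK/recipient.pem" -outform DER -out "$WORK/recipient.cer"
}

# Check 1: the .cer used for encryption is the public half of the key in the
# .pfx that will be imported for decryption (compare the two public keys).
cert_matches_pfx() {
    cer_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey | openssl sha256)
    pfx_pub=$(openssl pkcs12 -in "$2" -nodes -nocerts -passin "pass:$PASS" 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null | openssl sha256)
    [ -n "$cer_pub" ] && [ "$cer_pub" = "$pfx_pub" ]
}

# Check 2: the certificate's key usage includes key encipherment.
has_key_encipherment() {
    openssl x509 -inform DER -in "$1" -noout -text \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Key Encipherment'
}

make_credential
cert_matches_pfx "$WORK/recipient.cer" "$WORK/recipient.pfx"
has_key_encipherment "$WORK/recipient.cer"
echo "recipient.cer matches recipient.pfx and permits key encipherment; files in $WORK"
```

Run it as-is to get a fresh pair in a temporary directory, or point it at an existing .cer and .pfx by calling the two check functions on your own files. If an older Windows importer (such as the XP machine in the thread) rejects a .pfx written by OpenSSL 3, re-export it with the older PBE and MAC algorithms, e.g. adding `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to the `pkcs12 -export` line; that compatibility note is an assumption about the importer, not something the thread verified.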
