6 Replies Latest reply on Apr 5, 2011 6:07 AM by ArneAtAdobe

    Reader 9 does not find certificate to decrypt

    ArneAtAdobe Level 1

      Hi,

      I am trying to encrypt a pdf with the recipient's public key and have him decrypt it with his private key. As far as I understood, it is the same procedure as signing and verifying, but with the public and private key exchanged. I am new to this, so please correct me if I am wrong here.

       

      My problem is that the Adobe Reader 9 on my windows XP machine would not find any certificate to decrypt the document. I encrypted it with the standard windows certificate each user has and with an imported one, both were not found. When I go to the security preferences in the Reader, I can see both the certificates. When I use my private key to sign the document I cannot open it with the Reader either.

       

      1. How can I make the Reader recognise my certificates?

      2. Can I use the Windows PKI with the default windows certificate or do I have to get some fancy PKI product for that?

      3. Does it make a difference for the reader if I sign the pdf or encrypt it for one single user?

       

      What I do in detail:

      I take a dynamic form, remove the reader extension (because I would get an Exception during encrypting otherwise) and encrypt it using the Java API for the Adobe Livecycle ES, like it is shown here. Before that I created a PKCS#12 certificate using openssl on my Ubuntu 10.10 machine like it is shown here. I imported that into the windows certificate store like shown here. Then I try to open the encrypted document on the windows machine and get the message that a digital ID was used to encrypt this document and there was no digital ID found to decrypt it.

       

      After that I try plan B. I export the windows certificate of my user and use it to encrypt the pdf document. I export it with private key or without, it does not make any difference. I open the PDF file on the windows machine again and get the same message as above. I assumed that he should at least know his own certificate, but he does not.

       

      Thanks in advance for your help.

      Cheers,

      Arne

        • 1. Re: Reader 9 does not find certificate to decrypt
          SForrest96 Level 4

          Arne

           

          Please see my responses in-line...

           

          Thanks

          Steve

           

          ArneAtAdobe wrote:

           

          Hi,

          I am trying to encrypt a pdf with the recipient's public key and have him decrypt it with his private key. As far as I understood, it is the same procedure as signing and verifying, but with the public and private key exchanged. I am new to this, so please correct me if I am wrong here.

           

          Answer:  Signing a PDF and encrypting with a digital certificate are not the same procedure, they do both however use x509 based digital certificates.

           

          To sign a PDF, the private key is used to generate the signature, and the public key is used to validate.

          To encrypt a PDF, the public key (of the user that you are encrypting the document for) is used to encrypt, the corresponding user's private key is used to decrypt the PDF.

           

          My problem is that the Adobe Reader 9 on my windows XP machine would not find any certificate to decrypt the document. I encrypted it with the standard windows certificate each user has and with an imported one, both were not found. When I go to the security preferences in the Reader, I can see both the certificates. When I use my private key to sign the document I cannot open it with the Reader either.

           

          1. How can I make the Reader recognise my certificates?

           

          Answer:  A P12 or PFX file is a digital certificate file that contains the public and private key.  To add the P12 or PFX file to Reader 9.x, from the menu select Document > Security Settings...  select Digital ID files, then Attach File.

           

          See attached screen shot (AttachID.jpg)

           

          You can also install the P12\PFX file into the Windows certificate store by double clicking the file and following installation wizard steps.  Reader can access the certificates stored in the Windows certificate store.

           

          2. Can I use the Windows PKI with the default windows certificate or do I have to get some fancy PKI product for that?

           

          Answer:  You can use self-signed digital certificates or certificates issued by a trusted certificate authority (i.e. VeriSign).

           

          3. Does it make a difference for the reader if I sign the pdf or encrypt it for one single user?

           

          Answer:  Not sure what you are asking here... but if you are using certificates to encrypt the PDF, you need to add the public key (.cer) for EACH user that you want to allow to open\decrypt the document.  Only users with the corresponding private key (and password) to the certificate used to encrypt the document can open the PDF.

           

          What I do in detail:

          I take a dynamic form, remove the reader extension (because I would get an Exception during encrypting otherwise) and encrypt it using the Java API for the Adobe Livecycle ES, like it is shown here. Before that I created a PKCS#12 certificate using openssl on my Ubuntu 10.10 machine like it is shown here. I imported that into the windows certificate store like shown here. Then I try to open the encrypted document on the windows machine and get the message that a digital ID was used to encrypt this document and there was no digital ID found to decrypt it.

           

          After that I try plan B. I export the windows certificate of my user and use it to encrypt the pdf document. I export it with private key or without, it does not make any difference. I open the PDF file on the windows machine again and get the same message as above. I assumed that he should at least know his own certificate, but he does not.

           

          Thanks in advance for your help.

          Cheers,

          Arne

          1 person found this helpful
          • 2. Re: Reader 9 does not find certificate to decrypt
            ArneAtAdobe Level 1

            Hi Steve,

            thank you for your answer. I attached the key in the security settings of the reader but it did not help. Maybe I am doing something wrong during the encryption.

             

            My question about the procedure of encrypting was too ambiguous. Sorry for that. I found a code example in the LC documentation that obviously uses a private key to sign a document:

             

                        FileInputStream fileInputStreamCert = new FileInputStream("C:\\Adobe\\Encryption.cer");    
                        Document privateKey = new Document (fileInputStreamCert); 
                        recipient.setX509Cert(privateKey);
            
            

            This document could be read by anyone afterwards. I want to achieve that the document can only be read by one person, therefore I have to provide the public key of that person to this piece of code. Can I put the recipient's public key into the file C:\Adobe\Encryption.cer and expect to get the desired result? Or do I need a different piece of code to do that?

             

             

            Am I doing the encryption right? I do ...

            - export my default certificate (That was installed with windows) to a file (without private key)

            - I choose format X509 (.cer) binary

            - I copy the file to my Linux machine

            - I execute the java program from the example stated above. I tell the program to use the exported windows certificate and my pdf file (dynamic form, no RE)

            - I get a new pdf file, which I copy to the windows machine

            - I open the pdf file on the windows machine and get the message that no digital ID was found to decrypt it.

             

            I cannot upload the document and certificate to show it.

             

            BTW, I don't know if that makes any difference, but my windows machine is not part of a domain and has no access to an Active Directory server. It is a Windows XP SP3 on a Virtual Box virtual machine.

             

            Thank you very much for your help so far.

            Cheers,

            Arne

            • 3. Re: Reader 9 does not find certificate to decrypt
              SForrest96 Level 4

              Arne

               

              I have not tested the API myself, but I think your code looks correct.  Also, the steps you outlined look correct, it appears that you have the corresponding private key installed in the Windows certificate store of the machine that you are trying to view the encrypted PDF with.

               

              Do you have access to Acrobat Pro?  If so, I would suggest that you use it to encrypt the PDF (using the same public key that you have been testing with) then test the encrypted PDF to see if it can be opened.  This would help determine if the problem is with your code, or with the system used to view the document.

               

              As for your last question, it should not matter that the windows machine is not part of a domain, assuming that the P12 or PFX file is installed on the machine itself (and not being pulled or accessed from Active Directory, as you have stated that you have no connection to it).

               

              Hope this helps.

               

              Steve

              1 person found this helpful
              • 4. Re: Reader 9 does not find certificate to decrypt
                ArneAtAdobe Level 1

                Hi Steve,

                I installed a test version of Acrobat, encrypted a document with the certificate of my windows user and saw the same error message when I tried to open it again. It did not work with Acrobat and Adobe Reader. I conclude that there has to be something wrong with my certificate. Are there any special requirements for certificates? I do not have a certificate that is trusted by one of the official trust organisations like VeriSign. Is that a problem?

                 

                Is there any way to validate or test my certificate?

                 

                Thanks for your help.

                Cheers,

                Arne

                • 5. Re: Reader 9 does not find certificate to decrypt
                  SForrest96 Level 4

                  Arne

                   

                  The certificates must be x509 compliant, they do not need to be issued by a specific certificate authority.  You can use a self-signed certificate to do this.  You can use Acrobat to easily create a self-signed certificate (.P12) file.

                   

                  In Acrobat, select Tools > Protection > More Protection > Security Settings > Add ID  then follow the wizard steps.  This will create a credential (public\private key pair) that will work to encrypt a PDF with a certificate.

                   

                  Try the encryption with the new certificate.

                   

                  Thanks

                  Steve

                  • 6. Re: Reader 9 does not find certificate to decrypt
                    ArneAtAdobe Level 1

                    Hi Steve,

                    IT WORKS. I created a new certificate with Acrobat and imported it into the windows certificate repository. I exported it to an X.509 certificate file (.cer) and used that to encrypt the document with Livecycle. Adobe Reader was not able to open the encrypted file, but Acrobat was. After that I imported the newly created .cer file into Adobe Reader and it worked.

                     

                    Here is a short manual for everyone having the same problem:

                     

                    - Install Adobe Acrobat (there is a test version available)

                    - open a pdf with it or create a new one

                    - go to Tools > Protection > More Protection > Security Settings, select "Digital IDs" in the tree on the left and click Add ID then follow the wizard steps.

                    - save the .pfx file somewhere

                    - double click the .pfx file to import it in the windows key store.

                    - open the windows key store (howto)

                    - right click the certificate and select All tasks > export (or something similar, I translated this from German)

                    - select the X.509 binary format and save the .cer file somewhere

                    - Use this example to encrypt a PDF file with the Adobe Livecycle ES and Java.

                    - In the Adobe Reader of the target computer select Document > manage trusted abilities > add contacts > browse and select the .cer file

                    - open the encrypted document with the Adobe Reader. It should work now.

                     

                    Thank you very much for your great help, Steve. It helped a lot.

                     

                    Cheers,

                    Arne
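
The thread turns on whether the .cer used for encryption and the digital ID (.p12/.pfx) on the reading machine are the same key pair, and on the question "Is there any way to validate or test my certificate?". The following is an added example, not part of any post and not Adobe tooling, that checks this with the openssl command line; the function names, the `P12_PASS` variable and the sample identities are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not from the thread. The digital ID password is read from
# $P12_PASS so that it does not appear on a command line.

# SHA-256 of the public key in an X.509 certificate (binary .cer or PEM).
cert_pubkey_digest() {
    local pub
    pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null) ||
    pub=$(openssl x509 -inform PEM -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from the private key in a .p12/.pfx file.
p12_pubkey_digest() {
    local key
    key=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) &&
        [ -n "$key" ] || return 1
    printf '%s\n' "$key" | openssl pkey -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 if the certificate belongs to the digital ID, 1 if not, 2 on unreadable input.
cert_matches_p12() {
    local c k
    c=$(cert_pubkey_digest "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    k=$(p12_pubkey_digest "$2") || { echo "cannot open digital ID: $2" >&2; return 2; }
    [ "$c" = "$k" ]
}

# Constructed sample data: a throwaway self-signed ID written as NAME.p12
# (private key + certificate) and NAME.cer (binary X.509, public part only).
make_sample_id() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" \
        -passout env:P12_PASS -out "$1/$2.p12" &&
    openssl x509 -in "$1/$2.pem" -outform DER -out "$1/$2.cer"
}

demo() {
    local dir
    dir=$(mktemp -d) || return 2
    export P12_PASS='constructed-password'
    make_sample_id "$dir" alice && make_sample_id "$dir" bob || return 2
    cert_matches_p12 "$dir/alice.cer" "$dir/alice.p12" && echo "alice.cer / alice.p12: same key pair"
    cert_matches_p12 "$dir/bob.cer" "$dir/alice.p12" || echo "bob.cer / alice.p12: different key pair"
    rm -rf "$dir"
}
demo
```

With OpenSSL 3, a .pfx exported by an older Windows installation may be protected with legacy algorithms and need `-legacy` added to the `openssl pkcs12` call.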