Network connectivity is not necessary to open a "certificate encrypted" PDF as long as the end user has "local" access to the private key that corresponds to the public key that was used to encrypt the PDF. If the "private" key was being pulled from the end user's LDAP account then I would say that network connectivity would be necessary.
To clarify, a "self-signed" certificate does not have a CA (certificate authority) or be "signed" by a certificate authority. This is why it is called a "self-signed" certificate.
A PFX file contains a private key and a public key. Only the end user should have access to the PFX file. The public key can be extracted from the PFX, and saved as a ".cer" (certificate) file (this file can be distributed freely). The "certificate" file is used to encrypt the PDF for the specific user. When the user receives the encrypted PDF and they attempt to open it, they must have the PFX file containing the "private" key, and they must supply the password for the private key.
Make sure that the PFX is installed in the Windows Certificate Store, not just the public key "certificate" file.
Thank you for your answer.
I validated this at the customers site and found out that the guy had two windows profiles. Since the certificates are part of the windows profile, it did not work when he took his "offline" profile, because he installed in the other profile only.