Expiration of Reader Extensions certificates and its impact

Adobe Experience Manager Forms (AEM Forms) customers with Adobe Managed Services or On-premise Enterprise Base licenses are entitled to use Acrobat Reader DC Extensions service. The service enables an organization to easily share interactive PDF documents by extending the functionality of Acrobat Reader with additional usage rights. The service adds usage rights to a PDF document and activates features that are not available when a PDF document is opened using Adobe Acrobat Reader, such as adding comments to a document, filling forms, and saving the document. Third-party users do not require additional software or plug-ins to work with rights-enabled documents. PDF documents that have usage rights added are called rights-enabled documents. A user who opens a rights-enabled PDF document in Acrobat Reader can perform the operations that are enabled for that document.

Adobe leverages a public key infrastructure (PKI) to issue digital certificates for use in licensing and feature enablement. Adobe has been issuing certificates under the certificate authority “Adobe Root CA”, which is set to expire on January 7, 2023. A new certificate authority, “Adobe Root CA G2”, and certificates based on the new certificate authority are now available.

Old certificates (certificates based on “Adobe Root CA”) no longer work after January 7, 2023. Adobe recommends that you start using the new certificates — those based on “Adobe Root CA G2” — to Reader extend your PDF documents on or before January 7, 2023. You can obtain new certificates from the Adobe Licensing Website or Adobe Support.

All PDF documents, Reader extended using the older certificates before January 7th 2023, including the ones downloaded by your customers, would continue to work with all the usage rights that are applied to them, and do not require any updates.

Frequently Asked Questions

Q. What is the difference between an Adobe Root certificate and an Acrobat Reader Extensions certificate? Is the Adobe Root certificate dependent on an Acrobat Reader Extensions certificate? Are both of these certificates expiring in January 2023?

A. Adobe Root CA is the certificate authority from which an Acrobat Reader Extensions certificate is issued. On January 7, 2023, “Adobe Root CA” and all the certificates issued from it are expiring.

Q. There was a previous communication from Adobe regarding the expiration of certificates and the impact on using/opening PDF documents. Should that communication be ignored?

A. Based on the reassessment of the situation, all PDF documents extended using production certificates issued from the old “Adobe Root CA” before January 7, 2023 continue to work without any change after January 7, 2023. If you have already updated your PDF documents there is no change in the experience.

Q. Who should I contact if I have additional questions?

A. You can contact Adobe Support or raise a support ticket.

Q. What happens if I do not update my certificate before January 7, 2023?

A. All PDF documents extended using production certificates issued from the old ‘Adobe Root CA’ before January 7, 2023 continue to work without any change after January 7, 2023. PDFs extended with evaluation certificates do not work after the expiration date.

Q. Is the description of new certificates any different from old certificates?

A. The description of the new Acrobat Reader Extensions certificates mentions G3-P24 as the program name. In the description of older certificates (certificates based on “Adobe Root CA”), P24 is mentioned as the program name.

Q. How do I obtain the latest certificates?

A. All the entitled Forms Customers (with active license) can download the new certificates (certificates based on “Adobe Root CA G2”) from the Adobe Licensing Website. If you are unable to find the certificate on Adobe Licensing Website, contact Adobe Support or raise a support ticket.

Q. Do my PDF documents extended using certificates issued from “Adobe Root CA” (the old certificate authority) continue to work after January 7, 2023?

A. Yes, all PDF documents extended using production certificates issued from the “Adobe Root CA” (the old certificate authority) before January 7, 2023, continue to work without any change after January 7, 2023. PDF documents extended with evaluation certificates cease to work past the expiration date.

Q. Which version of Adobe Acrobat Reader is required to continue using PDF documents extended with certificates issued from “Adobe Root CA” (the old certificate authority)?

A. Adobe Acrobat Reader 2020 or later is required to use PDF documents extended with “Adobe Root CA” (the old certificate authority). It is the supported version of Acrobat Reader at the time of publishing this document. If you are using a non-supported version of Adobe Acrobat, Adobe recommends that you download and install the latest version of Adobe Acrobat Reader.

Q. Which version of Adobe Acrobat Reader is required to continue using PDF documents extended with certificates issued from “Adobe Root CA 2” (the new certificate authority)?

A. Adobe Acrobat Reader 2020 or later is required to use PDF documents extended with “Adobe Root CA 2” (the new certificate authority). If you are using a non-supported version of Adobe Acrobat Reader, Adobe recommends that you download and install the latest version of Adobe Acrobat Reader.

Q. Can I delete an old Acrobat Reader Extensions certificate and add a new one on an Adobe Experience Manager Forms Server while continuing to use the existing alias?

A. Yes, you can delete an old Acrobat Reader Extensions certificate and add a new one with the existing alias to an Adobe Experience Manager Forms Server.

Q. Can I keep both new and old Acrobat Reader Extensions certificates on an Adobe Experience Manager Forms Server?

A. Yes, you can keep both certificates but with different aliases on an Adobe Experience Manager Forms Server. Post January 7, 2023, you can use only the new certificate to Reader extend a PDF document.

Q. Can I import the same Acrobat Reader Extensions certificate to all the Adobe Experience Manager Forms environments?

A. Yes, the same Acrobat Reader Extensions certificate can be used across multiple environments.

Q. How do I check the usage rights applied to a PDF document?

A. You can use the getDocumentUsageRights API to retrieve the information about the usage rights applied to a PDF document.

Q. How do I change the password of an Acrobat Reader Extensions certificate file?

A. On Microsoft Windows, to change the certificate Password, install the certificate using the Microsoft Management Console (MMC) and select Mark the key as Exportable. Once installed, export the certificate with a Private key, and use another password for the PFX file.

On this page