Attention: Central Adobe CA certificate expires on January 7, 2023 – no new certificate for perpetual licensing customers!

Stop - Pixabay[German]Brief note for users or administrators of Adobe perpetual licensing software. A German blog reader alerted me about the expiration of a CA certificate on Adobe AEM servers or Adobe LiveCycle ES servers. As of January 7, 2023, any Adobe document servers still in use will no longer function. And there is no certificate renewal for customers who don't have a subscription from Adobe.

Adobe AEM and LiveCycle ES server

Adobe Experience Manager (AEM) is a web-based client-server system for building, managing, and deploying commercial websites and related services. AEM can be installed on-premises on enterprise servers, but is also available as a cloud solution.

Adobe LiveCycle Reader Extensions ES formerly known as Adobe Reader Extension Server) is a product from Adobe Inc. that enables certain functionality in Adobe Reader. By default, Adobe Reader only allows you to view and print PDF documents. Other functions such as inserting annotations, saving and sending completed forms, and generating digital signatures are available in Reader, but can only be used in documents that have been specially enabled for this purpose. ES stands for Enterprise Suite.

CA certificate expires

A blog reader who wishes to remain anonymous emailed me yesterday and told me that CA certifcates for Adobe AEM servers or Adobe LiveCycle ES servers  will expires soon (thanks for the tip). The tipster recently discovered during a software test that an Adobe document server used internally in the company (at least until now) will no longer function after January 7, 2023.

As part of the test, the server date was changed a few months into the future, among other things. That resulted in various server processes no longer running. The subsequent analysis showed that a certificate on the server, which is required to activate Reader Extension rights in PDF documents, will expire on January 7, 2023.

These Reader Extension rights for PDF documents are a way to set a cryptographically signed flag in a PDF document. This flag enables Adobe Reader users not only to fill out a PDF document in Adobe Reader, but also to save the completed PDF document afterwards. This is otherwise only possible with the paid Adobe Acrobat Standard or Professional.

A workaround

At this point, the user started to research and came across the Adobe post Expiration of Reader Extensions certificates and its impact with the info that you should manually renew this ARES certificate on the server until January 7, 2023. I pulled out the text from Adobe in case that disappears at some point:

Adobe Experience Manager Forms (AEM Forms) customers with Adobe Managed Services or On-premise Enterprise Base licenses are entitled to use Acrobat Reader DC Extensions service. The service enables an organization to easily share interactive PDF documents by extending the functionality of Acrobat Reader with additional usage rights. The service adds usage rights to a PDF document and activates features that are not available when a PDF document is opened using Adobe Acrobat Reader, such as adding comments to a document, filling forms, and saving the document. Third-party users do not require additional software or plug-ins to work with rights-enabled documents. PDF documents that have usage rights added are called rights-enabled documents. A user who opens a rights-enabled PDF document in Acrobat Reader can perform the operations that are enabled for that document.

Adobe leverages a public key infrastructure (PKI) to issue digital certificates for use in licensing and feature enablement. Adobe has been issuing certificates under the certificate authority "Adobe Root CA", which is set to expire on January 7, 2023. A new certificate authority, "Adobe Root CA G2", and certificates based on the new certificate authority are now available.

Old certificates (certificates based on "Adobe Root CA") no longer work after January 7, 2023. Adobe recommends that you start using the new certificates — those based on "Adobe Root CA G2" — to Reader extend your PDF documents on or before January 7, 2023.

For certificate renewal, Adobe offers a manual intervention option, but a kludge lurks. The blog reader puts it this way:

In addition to the problem that the Adobe AEM or LiveCycle ES server will stop working without warning on January 7, 2023 (if you don't intervene manually yourself before then), there is now another big fail:

Adobe support takes the position that if you own a perpetual license, you won't get a new certificate to download. Only those who also have a current support contract for the purchased product with Adobe will be offered the new certificate for download in the license portal. Who has no support contract, should get a new subscription based license in addition to his already existing purchase license!

Adobe writes about this:

You can obtain new certificates from the Adobe Licensing Website or Adobe Support.

All PDF documents, Reader extended using the older certificates before January 7th 2023, including the ones downloaded by your customers, would continue to work with all the usage rights that are applied to them, and do not require any updates.

In a FAQ on the website, Adobe explains various constraints.

Q. How do I obtain the latest certificates?

A. All the entitled Forms Customers (with active license) can download the new certificates (certificates based on "Adobe Root CA G2") from the Adobe Licensing Website. If you are unable to find the certificate on Adobe Licensing Website, contact Adobe Support or raise a support ticket.

This is probably the crux – an "active license" is required to get the certificate. This probably does not work for purchase licenses that are valid indefinitely (perpetual licenses). The blog reader wrote:

The whole thing reminds me of how Adobe shut down the license server for Creative Suite a few years ago and suddenly you couldn't reinstall your purchased software package.

At that time Adobe offered at least for CS2 a version for download, which does not require activation against the license server anymore, so that you could not install from the original CDs anymore, but you could continue to use the software based on the purchased license.

Error: Activation Server Unavailable | CS2 or older products, Acrobat 7

Where can I download my Creative Suite app?

In the current case, however, it seems to me that this is more a case of planned DRM-based software obsolescence by Adobe, and that the previous purchasers are to be expropriated once and for all in order to force them into an annual subscription license…

My question to the readership: has anyone been affected by this certificate expiration? And if so, has this been known? Has anyone found a solution to renew the CA certificate even for perpetual licenses?

This entry was posted in issue, Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *