I would like to generate a certificate(self-signed at the moment) for an encrypted PDF on the server. What is interesting to me is the workflow on how to to that with TCPDF.

What I did:

1) Generate keys:

openssl req -x509 -nodes -days 365000 -newkey rsa:1024 
openssl pkcs12 -export -in tcpdf.crt -out tcpdf.p12

2) Then generate the PDF with the .crt - file

3) Then I started acrobat reader and installed the certificate (tcpdf.p12). I used Document->security settings -> digital id

4) I could import the security settings but still can't open the PDF. Don't know if I am doing it right? What happens that acrobat reader 9.5.4 opens a dialog with input of a password. I give in the password and an error appears -> unknown error -> CRecipientList-218

5) Code I used (basically the same)

$certificate = 'file://../tcpdf.crt';
$info = array(
'Name' => 'TCPDF',
'Location' => 'Office',
'Reason' => 'Testing TCPDF',
'ContactInfo' => 'http://www.tcpdf.org',
);
$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info);
$pdf->SetProtection($permissions=array('print', 'copy'), $user_pass='', owner_pass=null, $mode=1, $pubkeys=array(array('c' => 'file://../tcpdf.crt', 'p' => array('print'))));

I combined the following examples:

http://www.tcpdf.org/examples/example_052.phps

http://www.tcpdf.org/examples/example_016.phps

P.S.: I know its a very practical example. Just thought its easier to understand the steps I am doing.

Questions:

1. Is the workflow in general right on how(!) to approach certificates for a PDF with encryption?

2. When I generate the .p12 file I have to give in a password for that file which I used later on when imported the certificate into acrobat. I'm asking because I have also the possibility "on generation" to give the password.

3. If the workflow is right...how do I fix the problem?

The approach is basically correct - but you may have missed some detail in it.

I have been using the certificate in *.crt format without the passphrase (including private and public key) and it works fine.

Also note, that you must have installed OpenSSL extension in PHP.

See the comments for method TCPDF::setSignature() by Nicola Asuni:

* To create self-signed signature: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout tcpdf.crt -out tcpdf.crt
* To export crt to p12: openssl pkcs12 -export -in tcpdf.crt -out tcpdf.p12
* To convert pfx certificate to pem: openssl pkcs12 -in tcpdf.pfx -out tcpdf.crt -nodes

You dont need to install any certificate into Acrobat Reader - generated PDF documents signed with self-signed certificates simply show up as untrusted, but still they can normally open.

I hope you also took a look at the comments ;) there is a mini how to setup the pdf using provided file

especially:

// To open the document you need to install the private key (tcpdf.p12) on the Acrobat Reader. The password is: 1234

however, you need to provide setProtection with existing key:

'c' => 'file://../tcpdf.crt'

the path you given is just showing where you need to give the path, but the path itself need to be changed

Summary: please read again the comments in the example 016 file, they WILL help to get it working the way you need