Get/Read Public Certificate for PDF Encryption using .pfx file with password through itext7 library/method

I have iText7 functions which I am using,

right now, I am trying to encrypt my PDF file using a certificate in .pfx format with password.

The thing is, the function cannot read .pfx because it does not provide the password as shown below

using System.IO;
using iText.Kernel.Pdf;
using Org.BouncyCastle.X509;

namespace iText.Samples.Sandbox.Security
{
    public class EncryptWithCertificate
    {
        public static readonly String DEST = "results/sandbox/security/encrypt_with_certificate.pdf";
        public static readonly String SRC = "../../../resources/pdfs/hello.pdf";
        public static readonly String PUBLIC = "../../../resources/encryption/test.cer";

        public static void Main(String[] args)
        {
            FileInfo file = new FileInfo(DEST);
            file.Directory.Create();

            new EncryptWithCertificate().ManipulatePdf(DEST);
        }

        public X509Certificate GetPublicCertificate(String path)
        {
            using (FileStream stream = File.Open(path, FileMode.Open))
            {
                X509CertificateParser parser = new X509CertificateParser();
                X509Certificate readCertificate = parser.ReadCertificate(stream);
                return readCertificate;
            }
        }

        protected void ManipulatePdf(String dest)
        {
            // The file created by this example can not be opened, unless
            // you import the private key stored in test.p12 in your certificate store.
            // The password for the p12 file is kspass.
            X509Certificate cert = GetPublicCertificate(PUBLIC);

            PdfDocument document = new PdfDocument(new PdfReader(SRC), new PdfWriter(dest,
                new WriterProperties().SetPublicKeyEncryption(
                    new[] {cert},
                    new[] {EncryptionConstants.ALLOW_PRINTING},
                    EncryptionConstants.ENCRYPTION_AES_256)));
            document.Close();
        }
    }
}

If i try to load a normal .cer file, it goes through normally for GetPublicCertificate. No issue there. But I am trying to encrypt it with .pfx file as adobe acrobat can only register Digital ID using .p12/.pkf format and the function does throws error.

The error

Org.BouncyCastle.Security.Certificates.CertificateException
      HResult=0x80131500
      Message=Failed to read certificate
      
    
    Inner Exception 1:
    ArgumentException: Unknown object in GetInstance: Org.BouncyCastle.Asn1.DerInteger
    Parameter name: obj

I am hoping to encrypt the pdf using cert as the cert can be set to expire anytime according to what I set it to be and user can only view the PDF file based on the cert expiry.

Thanks in advance.

As per your original post, your intention is:

I am hoping to encrypt the pdf using cert as the cert can be set to expire anytime according to what I set it to be and user can only view the PDF file based on the cert expiry.

Basically, you want to grant a time-limited access to PDF to authorized user. The solution you try to build in code sample doesn't solve the problem. Certificate validity for data encryption is irrelevant, because certificate validity is not checked during decryption. In fact, even certificate is not necessary, it is sufficient to have just a private key to decrypt the data. In other words, certificate-based encryption is equal to password-based encryption. What certificate adds -- an easier way to locate decryption key (secret), nothing else.

In addition, once data is decrypted, a client can save data in an unencrypted form thus your restrictions are useless. Even if you try to put time constraints within JavaScript or whatever else locally (and JavaScript is executed only locally), it isn't a solution. As long as client can manipulate date/time on a device, client always can set desired date/time to violate your restrictions.

Your problem cannot be solved without inventing a 3rd party entity that will make decisions whether the requested operation is allowed, apply necessary restrictions and minimize chances that the data will leak in an unencrypted form (only minimize, not prevent). Such functionality is implemented in Digital Rights Management (DRM) or Rights Management Service (RMS) and you need to build your solution around these tools, not attempt to integrate them in your solution. There are plenty of vendors that offer DRM/RMS solutions you can look into and utilize their functionality to build the solution for your requirements.