I have successfully implemented password-based agile encryption for Apache POI (#55818) and am now trying to find out how the certificate-based encryption works. Based on the MS-OFFCRYPTO entry, I've created the necessary x509/encryptedKey/verifier entries with a self-signed certificate. I thought, if I import the self-signed certificate into the private key and CA area of the Windows certificate store it might be possible to open the file without password input ... but of course it didn't work ...
So now I am basically trying to find a way to somehow validate my implementation, either by opening my generated file in Office or by creating a file via Office and checking my file against it ... and on my way, I have a few things to check:
1. On my private PC, I have only a MS Word/Excel/... Viewer installation available:
- is it possible to open certificate based encrypted files with them, i.e. without entering the password?
2. On my project PC, I have an Office 2010 enterprise installation - when I try to create a file (e.g. a Word doc) with a restricted user list - it says something about an unsupported environment. The error message seems to be connected with a missing RMS client:
- is the "restrict permission" option the right way to add certificates?
- is certificate encryption supported out of the box? or ...
- ... do I need something like an RMS client/infrastructure? (... I would prefer not to install something which seems to be a DRM environment on a laptop I don't own ...)
- are there any Office GPOs which might limit the usage of certificates?
3. In a different question you state that the MS-OFFCRYPTO docs are not accompanied by sample files, but maybe you have some in a different "folder"? ;) ...
4. Is it possible to provide you with a sample file (like in yet another question) to see if it is according to the specs? (in this case, either we use my self-signed cert. or you provide a public cert)
Thank you for your support.
Sorry, HTML links don't work for unverified users ...:
http://www.techrepublic.com/article/safeguard-your-office-2007-files-with-encryption-document-protection-and-digital-signatures/ (look at Figure M)
Hi Kiwi-Wings, I apologize for the lack of response until now. I will try to address each of your issues.
Questions 1 and 2:
We do not provide sample files. However, the MS-OFFCRYPTO Examples project on CodePlex could have something that might be able to help you.
We do not provide file or implementation validation. However, tools such as BFF Validator or OffVis can be used for basic binary file format validation. Though I don't know what level of support they have for encrypted files.
Josh Curry (jcurry) | Escalation Engineer | Open Specifications Support Team
- Proposed as answer by JCurry (Microsoft employee, Owner), Wednesday, March 05, 2014 8:50 PM