I'm stuck trying to figure out what kind of certificate I need to create, and how to create it, to sign PDFs with LibreOffice. I created a GnuPG key, but that did not work. I tried to create a private key (through the 'Passwords and keys' app), but it won't let me.
Where am I going wrong here?
I am trying to make a certificate that I can use to electronically sign PDFs.
Something that will show up here in LibreOffice, when creating documents.
Thanks a bunch in advance.
Maybe it is worth giving some more details on how to sign PDFs with LibreOffice. There are some pitfalls, and this is a good place to store the experience I gained.
First, get yourself an x509 certificate you can use to sign/encrypt emails. Where you can get one changes over time. The free ones are rare; in the worst case, create a self-signed one. There are plenty of explanations on the web on how to do this. At the end you need a signed certificate including the private key in pk12 format.
For the moment, let's assume the pk12 file is named cert.pk12.
Now the certificate is in the database. In LibreOffice, the path to the database needs to be configured in the options (Tools -> Options... -> Security -> Certificate... -> Select NSS path...).
Now the certificate should be selectable in the "Digital Signatures" dialog.
With this at least all tools show me that the PDF is signed. Most of them show me that the signature is valid. But Windows Acrobat Reader still is not convinced. In Acrobat you need to explicitly manually trust the certificate. But my PDFs from Linux are marked as "modified". Maybe the transfer changed the Linux line endings to Windows line endings?
Using a "Time Stamp Authority" (TSA) seems only possible if you go via "Export as PDF".
Addition: With seahorse (which is started from LibreOffice by clicking on "Start Certificate Manager") it is not possible to add x509 certificates (at least at the time of writing this).

There are three basic stages to obtaining a certificate.
You can get a certificate from a certification authority. No matter if you choose a governmental institution or a private company, it is common to be charged for this service, for example when they certify your identity. A few other authorities issue certificates free of charge, like the open source project "CAcert", which is based on the well-known and reliable Web of Trust model and is growing in popularity.
If you are using Solaris or Linux, you must install a recent version of Thunderbird or Firefox to install some system files that are needed for encryption.
Sign the macros inside a document. Normally, macros are part of a document. If you sign a document, the macros inside the document are signed automatically.
Reference
Here's how you can generate your own certificate for signing documents within LibreOffice (e.g. on Debian), and get yourself set up to do so:
Prep
Install necessary tools:
Making the certificate
First, generate an x509 certificate:
Note that subjectAltName can contain email: instead of DNS entries.
Next, convert the certificate to a p12 format key:
Making the NSS Database
Next, we need to prepare a database path for NSS and generate the database:
Note that the password in question is your default master Firefox password (on Debian/Ubuntu). So if you haven't set one up, it's an empty string; once you do, it will prompt you to enter a new one and change it.
Or, do so without adding a password (Reference 4):
Finally, import the p12 certificate into the database:
Note that you can use -k ${database.password.file} -w ${certificate.password.file} to pass in the passwords programmatically if you want to get fancy.
Configuring LibreOffice
~/.pki/nssdb), select Ok (ensuring the new Manual path is selected), and finally Restart Now.
You can lastly go into File ⇨ Digital Signatures... ⇨ Sign Existing PDF, and open your signed PDF to verify that a signature exists (and you could also sign in this fashion too):
References:
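
The procedure described in the answer above (self-signed x509 certificate with an email: subjectAltName, conversion to p12, NSS database without a password, import), put together as an added example; these are not the answerer's own commands, which are not preserved on this page. The function names, output file names, RSA-2048 key and 365-day lifetime are assumptions, and it needs openssl 1.1.1 or later plus certutil and pk12util for the import.

```shell
#!/bin/sh
# Added example; function names, file names, key size and lifetime are assumptions.

# make_signing_cert DIR "Common Name" EMAIL
# Leaves cert.pem, cert.p12 and p12.pass (the p12 password) in DIR.
make_signing_cert() {
    dir=$1 cn=$2 email=$3
    mkdir -p "$dir" || return 1
    (
        umask 077                 # key material readable by the owner only
        cd "$dir" || exit 1
        # Random p12 password kept in a file so it never shows up in argv.
        openssl rand -base64 24 > p12.pass || exit 1
        # Self-signed certificate whose subjectAltName holds an e-mail
        # address (email:) instead of DNS entries.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$cn" -addext "subjectAltName=email:$email" \
            -keyout key.pem -out cert.pem 2>/dev/null || exit 1
        # Bundle certificate and key; -name becomes the nickname in NSS.
        openssl pkcs12 -export -inkey key.pem -in cert.pem -name "$cn" \
            -passout file:p12.pass -out cert.p12 || exit 1
        rm -f key.pem             # the unencrypted key is no longer needed
    )
}

# cert_san FILE: print the certificate's subjectAltName extension.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# import_into_nss DIR NSSDB: create NSSDB if missing (empty database
# password), import DIR/cert.p12 and list the database contents.
import_into_nss() {
    dir=$1 db=$2
    mkdir -p "$db" && chmod 700 "$db" || return 1
    [ -f "$db/cert9.db" ] || certutil -N -d "sql:$db" --empty-password || return 1
    pk12util -i "$dir/cert.p12" -d "sql:$db" -w "$dir/p12.pass" || return 1
    certutil -L -d "sql:$db"
}

# Stand-alone use: sh make-cert.sh OUTDIR "Jane Doe" jane@example.test
if [ "$#" -eq 3 ]; then
    make_signing_cert "$1" "$2" "$3" && import_into_nss "$1" "$HOME/.pki/nssdb"
fi
```

If the NSS database already has a password, pk12util prompts for it unless it is supplied from a file with -k, as the answer notes.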