PDF and ODT signing with LibreOffice
If you want to sign PDF or ODT documents with LibreOffice, your main problem is to get a Client Certificate installed on your computer account.
Once you have a valid Client Certificate installed, signing a PDF/ODT document can be done in LibreOffice Writer using the menu item "File -> Digital Signatures -> Sign Existing PDF" or "File -> Digital Signatures -> Digital Signatures", respectively.
Note that though you don't need the CAcert root certificates installed for pure signing of PDF/ODT documents, verifying signatures will need them!
Install Client Certificate
The way to install a Client Certificate so it is usable for LibreOffice depends on your OS. The ways described here assume that you have your key and certificate available in a PKCS#12 file. Such files often use the file extension *.p12 or *.pfx.
To create a PKCS#12 file (suffix .p12 or .pfx), please see the following articles:
Email Certificates, part "The manual way"
The articles linked from the article Tutorials, Howtos, and other Documents, part "Create certificates": the last group of articles, those with "PKCS12" in their titles
Note:
- The Windows MMC - Certificates utility and the Edge browser produce .pfx files.
- Other UNIX/Windows utilities such as OpenSSL, XCA and Kleopatra, and the browsers Firefox, its clones, Seamonkey, etc., all produce .p12 files.
- Windows programs/utilities accept .p12 files for certificate import.
- Both file types are binary containers, and both have similar contents:
  - your certificate,
  - your corresponding private key,
  - and (not always) root certificate(s) of the issuing CA.
- Both file types are protected with a password that you are expected to set (enter twice) when exporting.
Linux
On Linux you can use the tool certutil. If it is not already installed, it is part of the package libnss3-tools (1). I found the procedure at askubuntu.com but adapted it a little bit.
This assumes that your keys and certificate are included in cert.p12.
```sh
# Create a new directory for your certificate database
mkdir -p ~/pki/cert8
# Initialize the database. This will ask for a password which will be needed to access the database.
certutil -N -d ~/pki/cert8/
# Import your key into the new database. This asks for the password to the database first,
# and then for the password of the PKCS#12 file
pk12util -d ~/pki/cert8/ -i cert.p12
# Check the result by listing all certificates in the database
certutil -L -d ~/pki/cert8/
```
Now you have to tell LibreOffice to use your new database directory ~/pki in the menu "Tools -> Options... -> Security -> Certificate... -> Select NSS path...". It may be necessary to restart LibreOffice before the new database is recognized!
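A check on the result of the import step above, as an added example that is not part of the original page: it classifies the output of certutil -L so you can confirm that the imported certificate arrived together with its private key (trust flag "u"), which signing requires. The function names, the sample listing and its nicknames are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the entries printed by `certutil -L -d <dir>`.
# Reads the listing on stdin and prints one line per certificate:
#   SIGNING-KEY <nickname>   trust flags contain "u": private key is in the database
#   TRUSTED-CA  <nickname>   trust flags contain "C": trusted as an issuing CA
#   CERT-ONLY   <nickname>   neither: certificate without key or CA trust
classify_nss_listing() {
    awk '
    # The last field of a certificate line is three comma-separated flag groups
    # made of letters only; the header line "SSL,S/MIME,JAR/XPI" contains "/"
    # and is therefore skipped, as are blank lines.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the flags column
        sub(/^[ \t]+/, "", nick)                # drop leading padding
        if (flags ~ /u/)      print "SIGNING-KEY " nick
        else if (flags ~ /C/) print "TRUSTED-CA " nick
        else                  print "CERT-ONLY " nick
    }'
}

# Succeeds only if at least one certificate with a private key is present.
# A PKCS#12 import that brought only the certificate would fail this check.
has_signing_key() {
    classify_nss_listing | grep -q '^SIGNING-KEY '
}

# Constructed sample of `certutil -L` output (nicknames are made up).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Jane Example - CAcert client certificate                     u,u,u
CAcert Class 1 Root (constructed)                            C,C,C
Imported without key                                         ,,
EOF
}

# Real use (not run here): certutil -L -d ~/pki/cert8/ | classify_nss_listing
```

If no SIGNING-KEY line appears for your certificate, the PKCS#12 file did not contain the private key or the import failed.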
Windows
On Windows, LibreOffice uses the repository called Windows Certificate Store. Importing a PKCS#12 file into the Windows Certificate Store can usually be started by double-clicking the *.pfx/*.p12 file. If your file has another file extension, try renaming it to *.pfx.
Note: Both .p12 and .pfx files have a mandatory password that was set when the file was exported. You have to enter it.
You can use the Windows MMC - Certificates utility, or you can import the .p12/.pfx file via the Edge browser. The certificate is then imported into the Windows system certificate repository, the Windows Certificate Store.
However, if you use the Firefox browser, its clones, Seamonkey, or utilities like XCA, you import the certificate into their own repositories! Remember: you have to import the certificate into the system repository for LibreOffice to be able to use it.
Sign PDF documents
- Open LibreOffice Writer.
- Select menu item "File -> Digital Signatures -> Sign Existing PDF".
- Select the PDF file you want to sign. The file opens as ReadOnly.
- Click "Sign Document" above the 1st page. A popup dialog opens and shows already existing signatures on the PDF (most probably none).
- Click "Sign Document" in the dialog. Depending on your OS you may be asked to enter the password for the certificate database. A dialog containing the list of all certificates included in your database is shown.
- Optionally enter a description. This is intended to describe how the signature should be interpreted, so something like "approved" or "accepted" may be appropriate. Not all tools used to verify the signature will show this text!
- Select the certificate you want to use for signing and press "Sign". Depending on your OS you may be asked for a confirmation or even a password to access the private key.
If you confirm all the questions of your OS, your signature should now be shown in the list of signatures and you are done.
Sign ODT documents
- Open LibreOffice Writer.
- Open the ODT file you want to sign, in the ReadOnly mode.
- Select menu item "File -> Digital Signatures -> Digital Signatures".
- A popup dialog opens and shows already existing signatures on the ODT (most probably none).
- Click "Sign Document". Depending on your OS you may be asked to enter the password for the certificate database. A dialog containing the list of all certificates included in your database is shown.
- Optionally enter a description. This is intended to describe how the signature should be interpreted, so something like "approved" or "accepted" may be appropriate. Not all tools used to verify the signature will show this text!
- Select the certificate you want to use for signing and press "Sign". Depending on your OS you may be asked for a confirmation or even a password to access the private key.
If you confirm all the questions of your OS, your signature should now be shown in the list of signatures and you are done.
Footnotes
(1) At least on Debian-derived distributions