PDF and ODT signing with LibreOffice

If you want to sign PDF or ODT documents with LibreOffice, your main problem is to get a Client Certificate installed on your computer account.

Once you have a valid Client Certificate installed signing a PDF/ODT document can be done in LibreOffice Writer using the menu item "File -> Digital Signatures -> Sign Existing PDF" or "File -> Digital Signatures -> Digital Signatures", respectively.

{i} Note that though you don't need the CAcert root certificates installed for pure signing of PDF/ODT documents, verifying signatures will need them!

Install Client Certificate

The way to install a Client Certificate so it is usable for LibreOffice depends on your OS. The ways described here assume that you have your key and certificate available in a PKCS#12 file. Such files often use the file extension *.p12 or *.pfx.

To create a PKCS#12 file (suffix .p12 or .pfx), please see the following articles:

Note:

Linux

On Linux you can use the tool certutil. If it is not already installed it is part of the package libnss3-tools1. I found the procedure at askubuntu.com but adapted it a little bit.

This assumes that your keys and certificate is included in cert.p12

# Create a new directory for your certificate database
mkdir -p ~/pki/cert8
# Initialize the database. This will ask for a password which will be to access the database.
certutil -N -d ~/pki/cert8/
# Import your key into the new database. This asks for the password to the database first,
# and then for the password of the PKCS#12 file
pk12util -d ~/pki/cert8/ -i cert.p12
# Check the result by listing all certificates in the database
certutil -L -d ~/pki/cert8/

Now you have to tell LibreOffice to use your new database directory ~/pki in the menu "Tools -> Options... -> Security -> Certificate... -> Select NSS path...". It may be necessary to restart LibreOffice before the new database is recognized!

Windows

On Windows, !Libre Office uses the repository called Windows Certificate Store. To import a PKCS#12 file into the Windows Certificate Storage can usually be started by double-clicking the *.pfx/*.p12 file. If your file has another file extension try renaming it to *.pfx.

Note: Both .p12 and .pfx file types have mandatory passwords set when the file has been exported. You have to enter it.

You can use the Windows MMC - Certificates utility, or you can import .p12/.pfx file via Edge browser. Then the certificate will be imported into the Windows' system certificate repository - Windows Certificate Store.

However, if you use Firefox browser, its clones, Seamonkey, or utilities like XCA, you import the certificate into their own repositories! Remember: you have to import the certificate into the system repository, for LibreOffice to work with.

Sign PDF documents

If you confirm all the questions of your OS your signature should now be shown in the list of signatures and you are done.

Sign ODT documents

If you confirm all the questions of your OS your signature should now be shown in the list of signatures and you are done.

Footnotes

  1. At least on Debian derived distributions (1)

--