[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Digital signatures don't work in Fedora's OpenOffice



M. Fioretti wrote:
Greetings,

I'm trying to set up digital signatures in Openoffice 2.3 and FC 8.

I've followed the instructions at
http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
and http://www.linux.com/articles/57554

I've got a client certificate and it shows in Firefox but not in
OpenOffice. Even setting the MOZILLA_CERTIFICATE_FOLDER variable
doesn't help. Further googling only reveals two or three other people
who already had the same problem with other versions of Fedora, but no
way to make it work.

Is it really impossible to use digital signatures from OpenOffice in
Fedora? If yes, what's the reason? Thanks.

There was some discussion about this in the past on (iirc) this list. Here's a copy of 2 messages with suggestions. Hope this helps.

First suggestion:

To use a digital certificate in Open Office 2.0, you must import it into
firefox.

Then add to ~/.bash_profile:

export MOZILLA_CERTIFICATE_FOLDER=3D/home/myname/.mozilla/firefox/blah234blah234bl=
ah.default


Now, when you run open office, you can choose the certificate with which to
sign a document.

Second very long suggestion:

As I had promised last night, here are the instructions on how to sign a
document.

Firstly, you must create a pkcs12 certificate. There appear to be 2 ways to
do this:

1) run 'genkey'. This is very convenient. See man genkey for more
information. The key will end up somewhere in the /etc/pki/tls tree, under
certs, or was it private. I don't remember exactly why I opted not to use
this method, although I did try it about 1 or 2 weeks ago when I was still
learning how this works.

2) use openssl. Once again, there are 2 possibilities under openssl: either
you have your system set up as a CA (certificate authourity), or you don't.
I don't, so I can only make self-signed certificates. Nota Bene: Setting up
your system as a CA may or may not be complicated. I haven't tried.

Note also that if you only issue self-signed certificates, as I have, they
don't really have a lot of validity. Anyone can create a certificate with
your name and your email address and sign documents with it. There is no
trusted authority or web of trust, just the creator's word that the
certificate is valid. However, for signing a letter you have written or an
assignment for a course, this should not pose a lot of problems. Just be
aware that a certificate through cacert.org <http://cacert.org> would be
better, but they would, of course, require a lot of personal information
from you, which you might not wish to divulge.

So, having opted for the self-signed openssl method, you would make the
certificate like this (if you don't specify the days argument, the default
certificate validity will be exactly 30 days, which might be ok for signing
a document, but should you use the certificate to encrypt a document, then
this might be very time-restrictive):

openssl req -new -newkey rsa:1024 -nodes -x509 -days 1000 -keyout key -out
cert

This creates 2 ascii files, the key and the certificate. In order to turn
them into a pkcs12 bundle, you have to combine them into one file and appen=
d
a line feed to each, thusly:

echo >> key
cat cert >> key
echo >> key
mv key mycertificate.pem
rm cert

You will now have combined the 2 files into one and deleted the extra one,
and then renamed the combined file. What you now have is an RSA key and an
X.509 self-signed certificate, valid for 1000 days, called mycertificate.pe=
m
.

However, the Netscape Certificate format requires that this .pem key bundle
be converted into a pkcs12 format. This is done thusly:

openssl pkcs12 -export -in mycertificate.pem -out mycertificate.p12 -name
"My Certificate"

This creates a further file, mycertificate.p12.

So, you now have the required certificate. What you can do with the .pem
file, I do not know, but you had better keep it safe, just like the .p12 ke=
y
bundle.

You now want to import the .p12 key into various programs:

1) You might as well import it into Konqueror, since it supports it, but
this is not required for signing Open Office documents. Make sure you have
gpgsm enabled in kmail under settings/security/crypto backends, otherwise
Kleopatra will crash. Once this is done, I believe you can choose the
signing certificate under kmail settings/identities/crypptography, but I
prefer openpgp for email, so I didn't do that, having already previously
entered my openpgp key.

2) Boot firefox, go into edit/preferences/advanced/certificates/manage
certificates/your certificates and import mycertificate.p12 that you have
just created. It will ask you for a passphrase.

If you have mozilla (fedora does by default) and thunderbird, you would
likely want to have all programs seeing the same certificates. You have 2
options, either import the certificate into each program, but then you will
have to do this for every certificate you either add or delete in each
program. To have only one certificate store and avoid the problem of having
unsynchronised certificate stores, you will delete cert8.db, key3.db and
secmod.db from each of the ~/.mozilla and ~/.thunderbird default
directories. In their place you will create 3 soft links:

ln -s ~/.thunderbird/some-string/cert8.db
~/.mozilla/firefox/some-other-string/cert8.db
ln -s ~/.thunderbird/some-string/key3.db
~/.mozilla/firefox/some-other-string/key3.db
ln -s ~/.thunderbird/some-string/secmod.db
~/.mozilla/firefox/some-other-string/secmod.db

Verify that these links now point to the appropriate files in your firefox
default directory.

One last little item is necessary: the setting of the environment variable.
Putting this line into your ~/.bash_profile will achieve this:

export MOZILLA_CERTIFICATE_FOLDER=3D/home/myusername/.mozilla/firefox/some-
string.default

I believe you will have to log out and back in for this to take effect. Tes=
t
it with echo $MOZILLA_CERTIFICATE_FOLDER, if you don't believe me.

And now for the test. Create a document in Open Office. Once you have
finished writing, save the document as either .odt or .rtf. Once it is
saved, click on file/digital signatures from the menu at the top. A blank
window will open. Click on add. Another window will open, listing the
certificate that you just imported into firefox which is located in the pat=
h
you have set the variable to. Click ok to add the certificate and return yo=
u
to the previous window. [Unfortunately, this does not work for MSWord .doc
files. Hopefully they will soon support .odt so that we can send those less
fortunate ones our signed documents.]

Voil=E0! You have just signed your document. You can look at the certificat=
e.
Note that every time you alter the file in even the most miniscule way, the
signature will be lost and you must resign it. This might seem like a
nuisance, but it makes sense, since you can't have only signed sections of =
a
file.

This about covers everything I know. If you have a signing authority (CA)
set up on your computer, see this site for more information:
www.flatmtn.com/computer/Linux-SSLCertifcatesPKCS12.html<http://www.flatmtn=
.com/computer/Linux-SSLCertifcatesPKCS12.html>.



Regards,
Patrick


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]