As I had promised last night, here are the instructions on how to sign a document.
Firstly, you must create a pkcs12 certificate. There appear to be 2 ways to do this:
1) run 'genkey'. This is very convenient. See man genkey for more
information. The key will end up somewhere in the /etc/pki/tls tree,
under certs, or was it private. I don't remember exactly why I opted
not to use this method, although I did try it about 1 or 2 weeks ago
when I was still learning how this works.
2) use openssl. Once again, there are 2 possibilities under openssl:
either you have your system set up as a CA (certificate authority), or
you don't. I don't, so I can only make self-signed certificates. Nota
Bene: Setting up your system as a CA may or may not be complicated. I
haven't tried.
Note also that if you only issue self-signed certificates, as I have,
they don't really have a lot of validity. Anyone can create a
certificate with your name and your email address and sign documents
with it. There is no trusted authority or web of trust, just the
creator's word that the certificate is valid. However, for signing a
letter you have written or an assignment for a course, this should not
pose a lot of problems. Just be aware that a certificate through
cacert.org would be better, but they would, of course, require a lot of
personal information from you, which you might not wish to divulge.
So, having opted for the self-signed openssl method, you would make the
certificate like this (if you don't specify the days argument, the
default certificate validity will be exactly 30 days, which might be ok
for signing a document, but should you use the certificate to encrypt a
document, then this might be very time-restrictive):
openssl req -new -newkey rsa:1024 -nodes -x509 -days 1000 -keyout key -out cert
This creates 2 ascii files, the key and the certificate. In order to
turn them into a pkcs12 bundle, you have to combine them into one file
and append a line feed to each, thusly:
echo >> key
cat cert >> key
echo >> key
mv key mycertificate.pem
rm cert
You will now have combined the 2 files into one and deleted the extra
one, and then renamed the combined file. What you now have is an RSA
key and an X.509 self-signed certificate, valid for 1000 days, called
mycertificate.pem.
However, the Netscape Certificate format requires that this .pem key
bundle be converted into a pkcs12 format. This is done thusly:
openssl pkcs12 -export -in mycertificate.pem -out mycertificate.p12 -name "My Certificate"
This creates a further file, mycertificate.p12.
So, you now have the required certificate. What you can do with the
.pem file, I do not know, but you had better keep it safe, just like
the .p12 key bundle.
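Here is the same key-and-bundle procedure as a small shell script. It is an example added here, not code from the post above. It assumes the openssl command line tool is on the PATH; the subject name, the export passphrase and the use of rsa:2048 (instead of the rsa:1024 above, which is too small by today's standards) are constructed choices of mine, not the post's. Besides building mycertificate.p12 non-interactively, it does the check you would want before trusting the bundle: it pulls the certificate back out of the .p12 (never the key) and compares its SHA-256 fingerprint with the one in the .pem, and it sets umask 077 first so the private key file is readable by you alone.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed certificate,
# bundle it into PKCS#12 and verify the bundle. Requires the openssl CLI.
# The subject, passphrase and key size below are constructed sample values.

# make_p12 DIR PASS: write key.pem, cert.pem, mycertificate.pem and
# mycertificate.p12 into DIR, protecting the .p12 with PASS.
make_p12() {
    dir=$1; pass=$2
    umask 077   # private key and bundle should be readable by the owner only
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 1000 \
        -subj "/CN=Example Signer/emailAddress=signer@example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # Same result as the echo/cat steps above: key first, then certificate,
    # each followed by a line feed, in one file.
    { cat "$dir/key.pem"; echo; cat "$dir/cert.pem"; echo; } > "$dir/mycertificate.pem"
    openssl pkcs12 -export -in "$dir/mycertificate.pem" \
        -out "$dir/mycertificate.p12" -name "My Certificate" \
        -passout "pass:$pass"
}

# pem_fingerprint CERT: SHA-256 fingerprint of a PEM certificate.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# p12_fingerprint BUNDLE PASS: fingerprint of the certificate inside a .p12.
# -nokeys keeps the private key from ever being written out.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# verify_bundle DIR PASS: prints "ok" if the .p12 carries the same
# certificate as cert.pem, otherwise "mismatch" (also when PASS is wrong,
# because then nothing can be read out of the bundle).
verify_bundle() {
    dir=$1; pass=$2
    a=$(pem_fingerprint "$dir/cert.pem")
    b=$(p12_fingerprint "$dir/mycertificate.p12" "$pass")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo ok; else echo mismatch; fi
}

# demo: build into a temporary directory, verify, show the subject and
# validity period (the -days 1000 above), then clean up.
demo() {
    dir=$(mktemp -d) || return 1
    make_p12 "$dir" "sample-passphrase" || return 1
    verify_bundle "$dir" "sample-passphrase"
    openssl x509 -in "$dir/cert.pem" -noout -subject -dates
    rm -rf "$dir"
}

# Run as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then demo; fi
```

The -dates line is worth reading every time: it is where you notice that the 30-day default has been left in place, which matters far more for a certificate you encrypt to than for one you only sign with.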
You now want to import the .p12 key into various programs:
1) You might as well import it into Konqueror, since it supports it,
but this is not required for signing Open Office documents. Make sure
you have gpgsm enabled in kmail under settings/security/crypto
backends, otherwise Kleopatra will crash. Once this is done, I believe
you can choose the signing certificate under kmail
settings/identities/cryptography, but I prefer openpgp for email, so I
didn't do that, having already previously entered my openpgp key.
2) Boot firefox, go into edit/preferences/advanced/certificates/manage
certificates/your certificates and import mycertificate.p12 that you
have just created. It will ask you for a passphrase.
If you have mozilla (fedora does by default) and thunderbird, you would
likely want to have all programs seeing the same certificates. You have
2 options. Either import the certificate into each program, but then
you will have to do this for every certificate you either add or delete
in each program. Or, to have only one certificate store and avoid the
problem of having unsynchronised certificate stores, delete
cert8.db, key3.db and secmod.db from each of the ~/.mozilla and
~/.thunderbird default directories. In their place you will create 3
soft links:
ln -s ~/.thunderbird/some-string/cert8.db ~/.mozilla/firefox/some-other-string/cert8.db
ln -s ~/.thunderbird/some-string/key3.db ~/.mozilla/firefox/some-other-string/key3.db
ln -s ~/.thunderbird/some-string/secmod.db ~/.mozilla/firefox/some-other-string/secmod.db
Verify that these links now point to the appropriate files in your firefox default directory.
One last little item is necessary: the setting of the environment
variable. Putting this line into your ~/.bash_profile will achieve this:
export MOZILLA_CERTIFICATE_FOLDER=/home/myusername/.mozilla/firefox/some-string.default
I believe you will have to log out and back in for this to take effect.
Test it with echo $MOZILLA_CERTIFICATE_FOLDER, if you don't believe me.
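The linking and the "verify that these links now point to the appropriate files" step, as a shell script added here (not from the post). It keeps Thunderbird's store as the real files and replaces only Firefox's copies with links, which is how I read the ln commands above; the profile directory names are discovered with a glob rather than typed in, because the "some-string" parts differ on every machine. The file names are the ones the post uses (cert8.db, key3.db, secmod.db); current Firefox and Thunderbird releases keep their store in cert9.db and key4.db instead, so adjust NSS_FILES for those. The check uses test's -ef operator, which follows the link and confirms it resolves to the very same file, not just to something with the same name.

```shell
#!/bin/sh
# Added example (not from the original post): share one NSS certificate store
# between Thunderbird and Firefox by symlinking the db files, then verify.

NSS_FILES="cert8.db key3.db secmod.db"

# find_profile BASE: print the first *.default directory under BASE,
# e.g. find_profile ~/.mozilla/firefox. Fails if there is none.
find_profile() {
    for d in "$1"/*.default; do
        [ -d "$d" ] && { echo "$d"; return 0; }
    done
    return 1
}

# link_store SRC DST: replace the db files in DST with links to SRC's.
# Existing files in DST are moved aside with a .bak suffix rather than
# deleted, so a wrong DST can be undone.
link_store() {
    src=$1; dst=$2
    for f in $NSS_FILES; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        [ -e "$dst/$f" ] && mv "$dst/$f" "$dst/$f.bak"
        ln -s "$src/$f" "$dst/$f" || return 1
    done
    return 0
}

# check_store SRC DST: print "ok" if every db file in DST is a symlink
# that resolves to the file in SRC; otherwise name the first bad one.
check_store() {
    src=$1; dst=$2
    for f in $NSS_FILES; do
        if [ ! -L "$dst/$f" ]; then echo "not a link: $dst/$f"; return 1; fi
        if [ ! "$dst/$f" -ef "$src/$f" ]; then echo "wrong target: $dst/$f"; return 1; fi
    done
    echo ok
}

# env_line PROFILE: the line to put in ~/.bash_profile so Open Office
# looks in the linked Firefox profile for certificates.
env_line() {
    echo "export MOZILLA_CERTIFICATE_FOLDER=$1"
}

# demo: run against the real home directory. Only does the linking when
# both profiles are found and the links are not already in place.
demo() {
    src=$(find_profile "$HOME/.thunderbird") || { echo "no thunderbird profile" >&2; return 1; }
    dst=$(find_profile "$HOME/.mozilla/firefox") || { echo "no firefox profile" >&2; return 1; }
    [ "$(check_store "$src" "$dst")" = "ok" ] || link_store "$src" "$dst" || return 1
    check_store "$src" "$dst"
    env_line "$dst"
}

# Run as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then demo; fi
```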
And now for the test. Create a document in Open Office. Once you have
finished writing, save the document as either .odt or .rtf. Once it is
saved, click on file/digital signatures from the menu at the top. A
blank window will open. Click on add. Another window will open, listing
the certificate that you just imported into firefox which is located in
the path you have set the variable to. Click ok to add the certificate
and return to the previous window. [Unfortunately, this does not
work for MSWord .doc files. Hopefully they will soon support .odt so
that we can send those less fortunate ones our signed documents.]
Voilà! You have just signed your document. You can look
at the certificate. Note that every time you alter the file in even the
most minuscule way, the signature will be lost and you must re-sign it.
This might seem like a nuisance, but it makes sense, since you can't
have only signed sections of a file.
This about covers everything I know. If you have a signing authority
(CA) set up on your computer, see this site for more information:
www.flatmtn.com/computer/Linux-SSLCertifcatesPKCS12.html.
--
kwhiskers{