Greetings,
I'm trying to set up digital signatures in Openoffice 2.3 and FC 8.
I've followed the instructions at http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures and http://www.linux.com/articles/57554
I've got a client certificate and it shows in Firefox but not in OpenOffice. Even setting the MOZILLA_CERTIFICATE_FOLDER variable doesn't help. Further googling only reveals two or three other people who already had the same problem with other versions of Fedora, but no way to make it work.
Is it really impossible to use digital signatures from OpenOffice in Fedora? If yes, what's the reason? Thanks.
Marco
M. Fioretti wrote:
Greetings,
I'm trying to set up digital signatures in Openoffice 2.3 and FC 8.
I've followed the instructions at http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures and http://www.linux.com/articles/57554
I've got a client certificate and it shows in Firefox but not in OpenOffice. Even setting the MOZILLA_CERTIFICATE_FOLDER variable doesn't help. Further googling only reveals two or three other people who already had the same problem with other versions of Fedora, but no way to make it work.
Is it really impossible to use digital signatures from OpenOffice in Fedora? If yes, what's the reason? Thanks.
There was some discussion about this in the past on (iirc) this list. Here's a copy of 2 messages with suggestions. Hope this helps.
First suggestion:
To use a digital certificate in Open Office 2.0, you must import it into firefox.
Then add to ~/.bash_profile:
export MOZILLA_CERTIFICATE_FOLDER=3D/home/myname/.mozilla/firefox/blah234blah234bl= ah.default
Now, when you run open office, you can choose the certificate with which to sign a document.
Second very long suggestion:
As I had promised last night, here are the instructions on how to sign a document.
Firstly, you must create a pkcs12 certificate. There appear to be 2 ways to do this:
1) run 'genkey'. This is very convenient. See man genkey for more information. The key will end up somewhere in the /etc/pki/tls tree, under certs, or was it private. I don't remember exactly why I opted not to use this method, although I did try it about 1 or 2 weeks ago when I was still learning how this works.
2) use openssl. Once again, there are 2 possibilities under openssl: either you have your system set up as a CA (certificate authourity), or you don't. I don't, so I can only make self-signed certificates. Nota Bene: Setting up your system as a CA may or may not be complicated. I haven't tried.
Note also that if you only issue self-signed certificates, as I have, they don't really have a lot of validity. Anyone can create a certificate with your name and your email address and sign documents with it. There is no trusted authority or web of trust, just the creator's word that the certificate is valid. However, for signing a letter you have written or an assignment for a course, this should not pose a lot of problems. Just be aware that a certificate through cacert.org http://cacert.org would be better, but they would, of course, require a lot of personal information from you, which you might not wish to divulge.
So, having opted for the self-signed openssl method, you would make the certificate like this (if you don't specify the days argument, the default certificate validity will be exactly 30 days, which might be ok for signing a document, but should you use the certificate to encrypt a document, then this might be very time-restrictive):
openssl req -new -newkey rsa:1024 -nodes -x509 -days 1000 -keyout key -out cert
This creates 2 ascii files, the key and the certificate. In order to turn them into a pkcs12 bundle, you have to combine them into one file and appen= d a line feed to each, thusly:
echo >> key cat cert >> key echo >> key mv key mycertificate.pem rm cert
You will now have combined the 2 files into one and deleted the extra one, and then renamed the combined file. What you now have is an RSA key and an X.509 self-signed certificate, valid for 1000 days, called mycertificate.pe= m .
However, the Netscape Certificate format requires that this .pem key bundle be converted into a pkcs12 format. This is done thusly:
openssl pkcs12 -export -in mycertificate.pem -out mycertificate.p12 -name "My Certificate"
This creates a further file, mycertificate.p12.
So, you now have the required certificate. What you can do with the .pem file, I do not know, but you had better keep it safe, just like the .p12 ke= y bundle.
You now want to import the .p12 key into various programs:
1) You might as well import it into Konqueror, since it supports it, but this is not required for signing Open Office documents. Make sure you have gpgsm enabled in kmail under settings/security/crypto backends, otherwise Kleopatra will crash. Once this is done, I believe you can choose the signing certificate under kmail settings/identities/crypptography, but I prefer openpgp for email, so I didn't do that, having already previously entered my openpgp key.
2) Boot firefox, go into edit/preferences/advanced/certificates/manage certificates/your certificates and import mycertificate.p12 that you have just created. It will ask you for a passphrase.
If you have mozilla (fedora does by default) and thunderbird, you would likely want to have all programs seeing the same certificates. You have 2 options, either import the certificate into each program, but then you will have to do this for every certificate you either add or delete in each program. To have only one certificate store and avoid the problem of having unsynchronised certificate stores, you will delete cert8.db, key3.db and secmod.db from each of the ~/.mozilla and ~/.thunderbird default directories. In their place you will create 3 soft links:
ln -s ~/.thunderbird/some-string/cert8.db ~/.mozilla/firefox/some-other-string/cert8.db ln -s ~/.thunderbird/some-string/key3.db ~/.mozilla/firefox/some-other-string/key3.db ln -s ~/.thunderbird/some-string/secmod.db ~/.mozilla/firefox/some-other-string/secmod.db
Verify that these links now point to the appropriate files in your firefox default directory.
One last little item is necessary: the setting of the environment variable. Putting this line into your ~/.bash_profile will achieve this:
export MOZILLA_CERTIFICATE_FOLDER=3D/home/myusername/.mozilla/firefox/some- string.default
I believe you will have to log out and back in for this to take effect. Tes= t it with echo $MOZILLA_CERTIFICATE_FOLDER, if you don't believe me.
And now for the test. Create a document in Open Office. Once you have finished writing, save the document as either .odt or .rtf. Once it is saved, click on file/digital signatures from the menu at the top. A blank window will open. Click on add. Another window will open, listing the certificate that you just imported into firefox which is located in the pat= h you have set the variable to. Click ok to add the certificate and return yo= u to the previous window. [Unfortunately, this does not work for MSWord .doc files. Hopefully they will soon support .odt so that we can send those less fortunate ones our signed documents.]
Voil=E0! You have just signed your document. You can look at the certificat= e. Note that every time you alter the file in even the most miniscule way, the signature will be lost and you must resign it. This might seem like a nuisance, but it makes sense, since you can't have only signed sections of = a file.
This about covers everything I know. If you have a signing authority (CA) set up on your computer, see this site for more information: www.flatmtn.com/computer/Linux-SSLCertifcatesPKCS12.htmlhttp://www.flatmtn= .com/computer/Linux-SSLCertifcatesPKCS12.html.
Regards, Patrick
On Mon, Sep 29, 2008 22:41:25 PM +0200, Patrick wrote:
Patrick,
first of all, thanks a lot for the suggestions, they contain useful advice regardless of this specific problem. However:
There was some discussion about this in the past on (iirc) this list. Here's a copy of 2 messages with suggestions. Hope this helps.
First suggestion:
this doesn't help, as I mentioned in my original message I'd already tried those steps and commands myself. Nothing appears in OOo.
With respect to the longest suggestion: sincere thanks, I will try it tonight (can't do it immediately), but I must say I'm dubious. I know how to create a self-signed certificate, for example, but **if** I understand correctly what you posted, the second suggestion is little more than:
1) create a certificate by yourself, import it into Firefox 2) apply the first suggestion
But here the problem is not how to get or create a certificate: it's how to make OO.o, **as packaged by Fedora** see a certificate imported in Firefox, no matter where that came from. Why is there this problem only in Fedora, and how to fix it?
On the other hand, why are certificates needed to sign within openoffice? Couldn't one make do with plain old gpg keys?
Marco
On Tue, Sep 30, 2008 12:58:22 PM +0200, io wrote:
I know how to create a self-signed certificate, for example, but **if** I understand correctly what you posted, the second suggestion is little more than:
- create a certificate by yourself, import it into Firefox
- apply the first suggestion
But here the problem is not how to get or create a certificate: it's how to make OO.o, **as packaged by Fedora** see a certificate imported in Firefox, no matter where that came from. Why is there this problem only in Fedora, and how to fix it?
Sorry to insist on this, but is it really possible that there isn't even a clue as to what the problem may be, why it only exists in Fedora, who should one talk to to at least understand what should be checked to diagnose the problem, etc...?
I'm frankly frustrated because I'd have no problem to help fix this, running tests if nothing else, but if there's nobody or nowhere telling you which tests to do...
I've also asked the same question to the OOo users list without result.
Marco
On Thu, 2008-10-02 at 06:50 +0200, M. Fioretti wrote:
On Tue, Sep 30, 2008 12:58:22 PM +0200, io wrote:
I know how to create a self-signed certificate, for example, but **if** I understand correctly what you posted, the second suggestion is little more than:
- create a certificate by yourself, import it into Firefox
- apply the first suggestion
But here the problem is not how to get or create a certificate: it's how to make OO.o, **as packaged by Fedora** see a certificate imported in Firefox, no matter where that came from. Why is there this problem only in Fedora, and how to fix it?
Sorry to insist on this, but is it really possible that there isn't even a clue as to what the problem may be, why it only exists in Fedora, who should one talk to to at least understand what should be checked to diagnose the problem, etc...?
I'm frankly frustrated because I'd have no problem to help fix this, running tests if nothing else, but if there's nobody or nowhere telling you which tests to do...
I've also asked the same question to the OOo users list without result.
Probably an indicator of lack of interest in the general user population, i.e. not many people are trying to do the same as you. You might have better luck reporting it to Bugzilla (bugzilla.redhat.com) where it will be seen by developers. I recently has a problem with the X server which no-one responded to, but after going to BZ it got fixed (because it was a genuine bug, not just a misconfiguration on my part).
poc