October 10, 2006

How you can digitally sign OpenOffice.org documents

Author: Dmitri Popov

The ability to digitally sign OpenOffice.org documents is a boon for users who want to make their document exchange and collaboration secure. Using digital signatures in OpenOffice.org is not that difficult, but configuring it involves several steps that are far from obvious.

Before you enable the digital signatures feature in OpenOffice.org, you must obtain a digital certificate and install it on your machine. A digital certificate is a password-protected file that includes a variety of information, including the name and email address of the certificate owner, encryption key, issuing authority, and expiration period. Digital certificates are normally issued by so-called certificate authorities. Most certificate authorities charge for certificates, but not all do. CAcert is a community-driven certificate authority that issues perfectly usable certificates free of charge.

To obtain a digital certificate from CAcert, you have to create an account, which takes just a few minutes. Once you've verified your email address, fire up Firefox, log in to CAcert, and request a certificate. Since you are going to use your certificate to sign documents, you have to obtain a so-called client certificate. To do this, click on the Client Certificates menu item, and press the New link. Follow the provided instructions, and once the certificate is created, click on the provided link to install it into the browser. To verify that the certificate is properly installed, choose Edit -> Preferences -> Advanced -> Security and press the View Certificates button. Under the Your Certificates tab, you should see the certificate. While you are at it, you might want to back up the certificate. Simply select the certificate, press the Import button, and save it in the desired location.

If you are on Linux, your certificate is ready to go. On Windows, there are a few additional steps. If you haven't imported the certificate as described above, do so. Then double-click the certificate file. This launches the Certificate Import Wizard, which guides you through the rest of the process. To check whether the certificate has been properly installed, choose Run from the Start menu and run the certmgr.msc command. You should see your certificate under Personal Certificates.

If you are using Windows, and you'd like to create a certificate for personal use with minimum fuss, you might want to try the free and easy-to-use utility SELFCERT from Abylonsoft, which allows you to create self-signed certificates. To create a self-signed certificate with Abylon SELFCERT, launch the program, fill out the fields, press the Create button, and save the file. Confirm that you want to import the certificate into the Windows certificate database, and follow the instructions provided by the Certificate Import wizard.

To sign an OpenOffice.org document using the created certificate, choose File -> Digital Signatures, press the Add button, select your certificate, and press OK to close the dialogs and sign the document. You should see a tiny Seal icon in the Status bar, which indicates that the document has now been digitally signed. Other users can view the certificate by double-clicking on the Seal icon and pressing the View Certificate button.

The Seal icon indicates that the document has not been altered in any way. Modifying a signed document on your machine automatically removes the digital signature, and you must sign the document again once you're done editing it.

There are other visual clues that you can use to monitor the security status of the document. A red seal and a small yellow triangle with an exclamation mark indicate that the document signature is in order and the document hasn't been modified, but the certificate used for signing could not be validated. A yellow triangle with a black exclamation mark indicates that the document signature is broken, which means that the document has been altered and can't be trusted.

Using the digital signatures feature, you can sign not only OpenOffice.org documents, but also OOoBasic macros. This allows the end users to verify the authenticity of a macro before executing it. There are two ways to sign a macro. You can either choose Tools -> Macro -> Digital Signature, or choose File -> Digital Signatures when you are in the OOoBasic Editor.

Troubleshooting

If OpenOffice.org on Linux can't detect the installed certificate, you need to export your Firefox default profile path in the environment variable MOZILLA_CERTIFICATE_FOLDER using the following command:

  export MOZILLA_CERTIFICATE_FOLDER=~/.mozilla/firefox/profile.default

Replace the profile.default part with the actual profile folder (it looks something like this: 6nx55faj.default). You can also add this line to the .bashrc file in your home directory.
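
The following is an added example, not part of the original article: a shell function that looks up the profile folder instead of typing it by hand. The function name find_cert_folder is hypothetical, and the code assumes the usual profiles.ini layout ([ProfileN] sections with Path, IsRelative and Default keys) and a certificate database named cert8.db or cert9.db inside the profile.

```shell
#!/bin/sh
# Added example (not from the original article).
# find_cert_folder [FIREFOX_DIR]
# Prints the profile folder to put in MOZILLA_CERTIFICATE_FOLDER,
# preferring the profile marked Default=1, else the first one listed.
find_cert_folder() {
    ff_dir="${1:-$HOME/.mozilla/firefox}"
    ini="$ff_dir/profiles.ini"
    [ -r "$ini" ] || { echo "no profiles.ini in $ff_dir" >&2; return 1; }

    # Walk the ini sections; sections without a Path key are ignored.
    rel=$(awk -F= '
        function keep() {
            if (path == "") return
            if (first == "") first = isrel "|" path
            if (isdef == "1" && chosen == "") chosen = isrel "|" path
        }
        /^\[/ { keep(); path = ""; isrel = "1"; isdef = "0"; next }
        $1 == "Path"       { path = $2 }
        $1 == "IsRelative" { isrel = $2 }
        $1 == "Default"    { isdef = $2 }
        END { keep(); print (chosen != "" ? chosen : first) }
    ' "$ini" | tr -d '\r')
    [ -n "$rel" ] || { echo "no profile listed in $ini" >&2; return 1; }

    isrel=${rel%%|*}
    path=${rel#*|}
    if [ "$isrel" = "1" ]; then
        folder="$ff_dir/$path"
    else
        folder="$path"
    fi

    # Refuse a folder without a certificate database: pointing
    # OpenOffice.org at it would still show no certificates.
    if [ ! -f "$folder/cert8.db" ] && [ ! -f "$folder/cert9.db" ]; then
        echo "no certificate database in $folder" >&2
        return 1
    fi
    printf '%s\n' "$folder"
}

# Usage, for example in .bashrc:
#   MOZILLA_CERTIFICATE_FOLDER=$(find_cert_folder) && export MOZILLA_CERTIFICATE_FOLDER
```

If the function reports that no certificate database was found, the certificate was installed in a different profile or a different application, which is the situation described in the next paragraph.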

On some Linux distros (notably, PCLinuxOS), OpenOffice.org only detects certificates which are installed in Mozilla Thunderbird (only if Thunderbird is installed on your machine). In this case, you need to export the certificate from Firefox and import it into Thunderbird.

Obtaining, installing, and using digital certificates requires some work, but it can help you make sure that your documents are secure.

Dmitri Popov is a freelance writer whose articles have appeared in Russian, British, German, and Danish computer magazines.
