Generate Digital Signing Certificate on Linux for Signing PDFs

Here you will learn how to generate and use a digital signature for signing PDFs in Linux. In short, we will generate an X.509 certificate, create a PKCS #12 version of it, then make it usable by apps like LibreOffice, Okular, or any other app that can utilize Network Security Services (NSS) databases. If that doesn’t make sense now, it will by the end of this guide.

There are a few reasons you may want to digitally sign a PDF that you or someone else has created. A signature simply drawn on a digital document does not provide the same level of security and authenticity as a digital signature. A digital signature is produced cryptographically with the signer's private key, which ties it to a specific signer. A drawn signature can be easily replicated or altered, potentially leading to fraud or disputes about the document’s validity. With a digital signature, anyone can verify cryptographically that the document has not changed since it was signed.

A couple of small packages are needed for generating certs. I should note, this has been done on a Debian-based Linux system. If you are on another system, you will need to adjust the command for installing the following tools.

Get required packages

sudo apt update && sudo apt -y install openssl libnss3-tools

Generate a certificate

Generate an X.509 certificate with the following command. Be sure to replace “John T Doe” and “you@somesite.com” with your information. This cert is valid for 3650 days (10 years). Feel free to change that to whatever you want. It is recommended to renew certificates periodically. Note that the -nodes option writes the private key (signing.key) to disk without a passphrase, so keep that file readable only by you.

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout signing.key -out signing.crt -subj "/CN=John T Doe/emailAddress=you@somesite.com" \
-addext "subjectAltName=email:you@somesite.com"

If the certificate was generated successfully, you will see a long string, something like “.+.+…..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++*…”

Now that you have a certificate, convert it to PKCS #12 format (i.e. a .p12 file) using the following command. Once again, change “John T Doe” to your information.

openssl pkcs12 -export -in signing.crt -inkey signing.key -out signing-certificate.p12 -name "John T Doe"
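
Before importing anything into NSS, it is worth checking the three files just created. The script below is an added example, not part of the original guide: it checks that signing.key is closed to other users, that the key matches signing.crt, that the e-mail address is in the subjectAltName, that the certificate is not about to expire, and that the .p12 file holds the same certificate. The function names and the P12_PASS environment variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide. Function names and the
# P12_PASS variable are assumptions made for this sketch.

# check_signing_cert CERT KEY EMAIL -> returns 0 only if every check passes.
check_signing_cert() {
    crt=$1 key=$2 email=$3

    # -nodes left the private key unencrypted on disk, so it must not be
    # readable or writable by group or others.
    case $(ls -ld "$key" 2>/dev/null) in
        -???------*) ;;
        *) echo "FAIL: $key missing or open to group/others" >&2; return 1 ;;
    esac

    # The certificate and the private key must carry the same public key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: key does not match certificate" >&2; return 1; }

    # The signer's address must be an exact subjectAltName e-mail entry.
    openssl x509 -in "$crt" -noout -ext subjectAltName | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "email:$email" ||
        { echo "FAIL: $email not in subjectAltName" >&2; return 1; }

    # Refuse a certificate that expires within the next 30 days.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within 30 days" >&2; return 1; }

    # Self-signed certificate: recipients compare this fingerprint out of band.
    openssl x509 -in "$crt" -noout -fingerprint -sha256
}

# p12_matches_cert P12 CERT -> 0 if the certificate stored in P12 is CERT.
# The export password is read from the exported variable P12_PASS.
p12_matches_cert() {
    p12_fp=$(openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    crt_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    [ "$p12_fp" = "$crt_fp" ]
}

# Run against the guide's file names when they exist in this directory.
if [ -f signing.crt ] && [ -f signing.key ]; then
    check_signing_cert signing.crt signing.key you@somesite.com
fi
```

Because the certificate is self-signed, PDF viewers on other machines have no chain to validate it against; the SHA-256 fingerprint printed on success is what a recipient can compare with you through a separate channel.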

Create an NSS Database

Next we need to create a Network Security Services (NSS) database where your signing certificate will be stored. The command below will create the database in a hidden (dot) directory in your home directory. The tilde (~) in a Linux path translates to /home/yourusername. The command will prompt you to set a password for your NSS database. If you get an invalid password message, try an empty password for the first prompt. After that it will ask you to provide a new password.

mkdir -p ~/.pki/nssdb && certutil -d ~/.pki/nssdb -N

Now, import your p12 certificate into your new NSS database. The following command will prompt you for the NSS database password you just created.

pk12util -d ~/.pki/nssdb -i signing-certificate.p12

Configure LibreOffice

At this point you have a cert and an NSS database where it is stored. You need to tell LibreOffice where to look for the NSS database. To do this, do the following.

  1. Open LibreOffice Writer.
  2. Navigate to Tools > Options.
  3. Select Security on the left.
  4. On the right, select Certificate under “Certificate Path”.
  5. Select the Select NSS path… button.
  6. In the dialogue that appears, enter the path to your NSS database (i.e. ~/.pki/nssdb).
  7. Select Ok. Make sure you see that “manual” is selected under the profile column of the Certificate Path dialogue.
  8. Select Ok and restart LibreOffice.

Now, if you want to export a PDF and digitally sign it in LibreOffice, do the following.

  1. Open a file in LibreOffice Writer that you want to export as a PDF.
  2. Navigate to File > Export As.. > PDF and select the Digital Signatures tab.
  3. Select the Select… button. You will be prompted for the NSS database password that you set above.
  4. Enter the password for your NSS database and select OK.
  5. In the “Select X.509 Certificate” dialogue, you will now see your certificate(s) listed. Select the certificate you want to use to digitally sign the PDF. Then select the Select button.
  6. Select the Export button.

Now that you have a working digital signing certificate, you have brought your electronic communications and document management to a new level of security. People will be more confident that the document was created by you. Others, and you yourself, can also verify that no changes have been made since you signed the document.
