As I had promised last night, here are the instructions on how to sign a document. Firstly, you must create a pkcs12 certificate. There appear to be 2 ways to do this: 1) run 'genkey'. This is very convenient. See man genkey for more information. The key will end up somewhere in the /etc/pki/tls tree, under certs, or was it private. I don't remember exactly why I opted not to use this method, although I did try it about 1 or 2 weeks ago when I was still learning how this works. 2) use openssl. Once again, there are 2 possibilities under openssl: either you have your system set up as a CA (certificate authourity), or you don't. I don't, so I can only make self-signed certificates. Nota Bene: Setting up your system as a CA may or may not be complicated. I haven't tried. Note also that if you only issue self-signed certificates, as I have, they don't really have a lot of validity. Anyone can create a certificate with your name and your email address and sign documents with it. There is no trusted authority or web of trust, just the creator's word that the certificate is valid. However, for signing a letter you have written or an assignment for a course, this should not pose a lot of problems. Just be aware that a certificate through <a href="http://cacert.org">cacert.org</a> would be better, but they would, of course, require a lot of personal information from you, which you might not wish to divulge. So, having opted for the self-signed openssl method, you would make the certificate like this (if you don't specify the days argument, the default certificate validity will be exactly 30 days, which might be ok for signing a document, but should you use the certificate to encrypt a document, then this might be very time-restrictive): openssl req -new -newkey rsa:1024 -nodes -x509 -days 1000 -keyout key -out cert This creates 2 ascii files, the key and the certificate. In order to turn them into a pkcs12 bundle, you have to combine them into one file and append a line feed to each, thusly: echo >> key cat cert >> key echo >> key mv key mycertificate.pem rm cert You will now have combined the 2 files into one and deleted the extra one, and then renamed the combined file. What you now have is an RSA key and an X.509 self-signed certificate, valid for 1000 days, called mycertificate.pem. However, the Netscape Certificate format requires that this .pem key bundle be converted into a pkcs12 format. This is done thusly: openssl pkcs12 -export -in mycertificate.pem -out mycertificate.p12 -name "My Certificate" This creates a further file, mycertificate.p12. So, you now have the required certificate. What you can do with the .pem file, I do not know, but you had better keep it safe, just like the .p12 key bundle. You now want to import the .p12 key into various programs: 1) You might as well import it into Konqueror, since it supports it, but this is not required for signing Open Office documents. Make sure you have gpgsm enabled in kmail under settings/security/crypto backends, otherwise Kleopatra will crash. Once this is done, I believe you can choose the signing certificate under kmail settings/identities/crypptography, but I prefer openpgp for email, so I didn't do that, having already previously entered my openpgp key. 2) Boot firefox, go into edit/preferences/advanced/certificates/manage certificates/your certificates and import mycertificate.p12 that you have just created. It will ask you for a passphrase. If you have mozilla (fedora does by default) and thunderbird, you would likely want to have all programs seeing the same certificates. You have 2 options, either import the certificate into each program, but then you will have to do this for every certificate you either add or delete in each program. To have only one certificate store and avoid the problem of having unsynchronised certificate stores, you will delete cert8.db, key3.db and secmod.db from each of the ~/.mozilla and ~/.thunderbird default directories. In their place you will create 3 soft links: ln -s ~/.thunderbird/some-string/cert8.db ~/.mozilla/firefox/some-other-string/cert8.db ln -s ~/.thunderbird/some-string/key3.db ~/.mozilla/firefox/some-other-string/key3.db ln -s ~/.thunderbird/some-string/secmod.db ~/.mozilla/firefox/some-other-string/secmod.db Verify that these links now point to the appropriate files in your firefox default directory. One last little item is necessary: the setting of the environment variable. Putting this line into your ~/.bash_profile will achieve this: export MOZILLA_CERTIFICATE_FOLDER=/home/myusername/.mozilla/firefox/some-string.default I believe you will have to log out and back in for this to take effect. Test it with echo $MOZILLA_CERTIFICATE_FOLDER, if you don't believe me. And now for the test. Create a document in Open Office. Once you have finished writing, save the document as either .odt or .rtf. Once it is saved, click on file/digital signatures from the menu at the top. A blank window will open. Click on add. Another window will open, listing the certificate that you just imported into firefox which is located in the path you have set the variable to. Click ok to add the certificate and return you to the previous window. [Unfortunately, this does not work for MSWord .doc files. Hopefully they will soon support .odt so that we can send those less fortunate ones our signed documents.] Voilà! You have just signed your document. You can look at the certificate. Note that every time you alter the file in even the most miniscule way, the signature will be lost and you must resign it. This might seem like a nuisance, but it makes sense, since you can't have only signed sections of a file. This about covers everything I know. If you have a signing authority (CA) set up on your computer, see this site for more information: <a href="http://www.flatmtn.com/computer/Linux-SSLCertifcatesPKCS12.html">www.flatmtn.com/computer/Linux-SSLCertifcatesPKCS12.html</a>. -- kwhiskers{