PDF Signature

Preamble

An off-topic blog post for once, but I spent a bit of time on this, so I am sharing the few simple steps needed to digitally sign your PDF, i.e. to insert a PDF signature.

What a pleasure to digitally sign your PDF file with your own certificate and put a stamp of this certificate on the first page of your own generated PDF documents. Of course your own signature will never be validated by one of the recognized companies (Verisign, CAcert, …), but at least your signature appears on the first page of the document (and not only your name in the document properties) and gives a “professional” look to your creation.

To achieve this you need a server with OpenSSL (any Linux box has it). I’m personally using PDF Creator to generate PDF files from Word or PowerPoint documents. I obviously also configure the security option to prevent copy/paste…

Certificate generation

Server I’m using:

[root]# uname -a
Linux localhost 2.6.18-274.3.1.el5 #1 SMP Fri Aug 26 18:49:02 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

First generate a 2048-bit RSA private key, protected by a pass phrase, with something like:

[root]# rm -rf private
[root]# mkdir private
[root]# openssl genrsa -des3 -out private/ca.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
......+++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key:
Verifying - Enter pass phrase for private/ca.key:

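Then create the X.509 certificate with OpenSSL's req command (X.509 Certificate Signing Request (CSR) Management). It is self-signed on my own server, which is why it will not be a validated signature. As the output below shows, -keyout makes req generate a new 1024-bit key and write it to private/ca.key, replacing the 2048-bit key from the previous step; passing the existing key with -key instead would keep it: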

[root]# rm -rf certs
[root]# mkdir certs
[root]# openssl req -new -x509 -days 0 -keyout private/ca.key -out certs/ca.crt
Generating a 1024 bit RSA private key
........++++++
.++++++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Geneva
Locality Name (eg, city) [Newbury]:Geneva
Organization Name (eg, company) [My Company Ltd]:STMicroelectronics
Organizational Unit Name (eg, section) []:ICT
Common Name (eg, your name or your server's hostname) []:Yannick Jaquier
Email Address []:yannick.jaquier@st.com

PKCS#12 data management: create the p12 file (yannick_jaquier_myown_certificate.p12) that will be the signature file:

[root]# openssl pkcs12 -export -in certs/ca.crt -out yannick_jaquier_myown_certificate.p12 -inkey private/ca.key -certfile certs/ca.crt -name "Self Generated Certificate"
Enter pass phrase for private/ca.key:
Enter Export Password:
Verifying - Enter Export Password:

Final signature file:

[root@server1 STMoracleagent]# ll yannick*
-rw-r----- 1 root root 3034 Nov 10 15:10 yannick_jaquier_myown_certificate.p12
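
The three steps above as a non-interactive script, with a check that the certificate inside the .p12 belongs to the 2048-bit key. This is an added example, not the author's commands: the pass phrases, the subject, the 365-day validity and the signer.p12 name are constructed sample values, and the certificate step uses -key so the key from the first step is reused.

```shell
#!/bin/sh
# Added example: the three steps without prompts, plus a consistency check.
# Pass phrases, subject, validity and signer.p12 are constructed sample values.
export KEY_PASS='constructed-key-passphrase'
export P12_PASS='constructed-export-password'

# make_p12 DIR: create DIR/private/ca.key, DIR/certs/ca.crt, DIR/signer.p12
make_p12() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" || return 1
    chmod 700 "$dir/private"
    # Step 1: 2048-bit RSA key, encrypted on disk. The pass phrase comes from
    # the environment so it does not appear in the process list.
    openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$dir/private/ca.key" 2048 2>/dev/null || return 1
    # Step 2: self-signed certificate. -key reuses the key from step 1;
    # -keyout would generate a new key and overwrite that file.
    openssl req -new -x509 -days 365 -subj "/CN=Example Signer" \
        -key "$dir/private/ca.key" -passin env:KEY_PASS \
        -out "$dir/certs/ca.crt" || return 1
    # Step 3: bundle key and certificate into the PKCS#12 signature file.
    openssl pkcs12 -export -name "Self Generated Certificate" \
        -inkey "$dir/private/ca.key" -passin env:KEY_PASS \
        -in "$dir/certs/ca.crt" \
        -passout env:P12_PASS -out "$dir/signer.p12" || return 1
    chmod 600 "$dir/signer.p12"
}

# key_bits DIR: print the size of the private key in bits
key_bits() {
    openssl rsa -in "$1/private/ca.key" -passin env:KEY_PASS -noout -text |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# p12_matches_key DIR: succeed only if the certificate stored in the bundle
# carries the public half of DIR/private/ca.key (same RSA modulus)
p12_matches_key() {
    k=$(openssl rsa -in "$1/private/ca.key" -passin env:KEY_PASS \
        -noout -modulus) || return 1
    c=$(openssl pkcs12 -in "$1/signer.p12" -passin env:P12_PASS -nokeys \
        2>/dev/null | openssl x509 -noout -modulus) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run `make_p12 ./pdfsign && p12_matches_key ./pdfsign` after sourcing the file; `key_bits ./pdfsign` should print 2048.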

PDF Creator configuration

Better than a long explanation, a screenshot of the PDF Creator signing configuration tab:

certificate1

PDF signature result

Even though I use Foxit Reader daily, the Adobe Reader signature display is a bit more verbose than the Foxit Reader one:

certificate2
