Create and Use Certificates for Digitally Signing PDFs in Linux
A guide for creating a self-signed certificate and signing PDFs with Okular and LibreOffice in Linux.
In the digital world we live in, we rarely touch a physical document. Signing a digital document usually results in a poor representation of our signature, or it is merely plain text in a “handwritten” font. Neither of these is proof that you were the one who wrote the signature.
Everyone has a unique way of handwriting certain letters. This helps identify that it is truly your signature. A cryptographic signature accomplishes this but is much harder to fake than a handwritten signature.
My aim is to be as succinct as possible in the instructions below. It may be helpful to do more reading to understand the “how and why” of cryptographic signatures.
Environment
This will probably work on most Linux environments. For the record, I have done this on Debian 12 and Ubuntu 24. On both machines, I am using KDE Plasma. From what I have seen, any app that can reference your certificate database can use the signing keys we are about to set up. Okular and LibreOffice happen to be what I am using below.
Your certificate
We will create a place for storing your certificate(s) and then generate a certificate.
Create a certificate database
Make sure the directory exists for a Network Security Services (NSS) database. There are a few standard directories for this. We are using the one in the home directory. Some applications may have already created the ~/.pki/nssdb directory. To see if there is already a DB, try listing the files in that directory.
ls ~/.pki/nssdb
If the files already exist (i.e. .db and .txt files), you can try adding to the existing database. It may have an empty password. For details on adding to an existing database, read the man page for certutil. For this guide, we will create a fresh NSS database. So if the files already exist, you will need to change any references to ~/.pki/nssdb to something like ~/.pki/nssdb-custom for the rest of this guide.
The command below will create the standard directory if it doesn’t already exist.
mkdir -p ~/.pki/nssdb
Create a new NSS database with the command below. You will be prompted to create a password for opening the database. Use a strong password and store it in your password manager.
certutil -N -d ~/.pki/nssdb
Issue a self-signed certificate
A widely accepted certificate format for signing and verifying PDFs is currently X.509, so that is what we will create. I recommend doing this in a directory with nothing else in it. Be sure to substitute your own name and email address in the following command. Note that the -nodes option writes signing.key to disk without passphrase protection.
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout signing.key -out signing.crt \
-subj "/CN=John T Doe/emailAddress=you@somesite.com" \
-addext "subjectAltName=email:you@somesite.com"
Now put your certificate and key in PKCS #12 format (i.e. a .p12 file). PKCS #12 is a format for storing many cryptography objects as a single file. Change “John T Doe” to your name.
openssl pkcs12 -export -in signing.crt -inkey signing.key -out signing-certificate.p12 -name "John T Doe"
Import your PKCS #12 file into the NSS database. You will be prompted for your NSS database password.
pk12util -d ~/.pki/nssdb -i signing-certificate.p12
Now confirm it was imported with the following commands.
certutil -L -d ~/.pki/nssdb
certutil -K -d ~/.pki/nssdb
If everything went as expected, you should see some output about your new certificate from those commands.
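As an added example (not part of the original guide), the shell function below sanity-checks signing.crt and signing.key as generated above: it confirms that the key belongs to the certificate, that the email subjectAltName is present, and that the certificate is not close to expiry. The function name, return codes and 30-day default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. The function name, return
# codes and 30-day default are illustrative assumptions.
# Usage: check_signing_cert signing.crt signing.key you@somesite.com [min_days]

check_signing_cert() {
    csc_cert=$1; csc_key=$2; csc_email=$3; csc_days=${4:-30}

    # 1. The certificate file must parse as X.509.
    if ! openssl x509 -in "$csc_cert" -noout 2>/dev/null; then
        echo "FAIL: cannot read certificate $csc_cert"; return 1
    fi

    # 2. The key must belong to the certificate: hash the public key stored
    #    in the certificate and the one derived from the private key.
    #    "-passin pass:" stops openssl from prompting; the key is assumed
    #    unencrypted, as produced by the -nodes option in this guide.
    csc_a=$(openssl x509 -in "$csc_cert" -noout -pubkey | openssl sha256)
    csc_b=$(openssl pkey -in "$csc_key" -pubout -passin pass: 2>/dev/null | openssl sha256)
    if [ "$csc_a" != "$csc_b" ]; then
        echo "FAIL: $csc_key does not match $csc_cert"; return 2
    fi

    # 3. The address passed via -addext must be present as an email SAN.
    if ! openssl x509 -in "$csc_cert" -noout -text | grep -qF "email:$csc_email"; then
        echo "FAIL: subjectAltName email:$csc_email not found"; return 3
    fi

    # 4. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$csc_cert" -noout -checkend $((csc_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $csc_days days"; return 4
    fi

    echo "OK: key matches, email SAN present, valid for more than $csc_days days"
}
```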
Setting up Digital Signing
Now that we have an NSS database and certificate, we need to make sure applications are ready to use them.
If you get any error message saying scdaemon failed, you may need to install it (i.e. sudo apt install scdaemon) for Kleopatra to work properly.
LibreOffice
- Open LibreOffice Writer.
- Navigate to Tools > Options.
- Select Security on the left.
- On the right, select Certificate….
- Select the Select NSS path… button.
- In the dialogue that appears, enter the path to your NSS database (i.e. ~/.pki/nssdb).
- Select Ok. Make sure you see that “manual” is selected under the profile column of the Certificate Path dialogue.
- Select Ok on the Certificate Path dialogue.
- Restart LibreOffice.
You can digitally sign a PDF with LibreOffice in two ways.
- File > Digital Signatures > Sign Existing PDF…
- File > Export As > Export As PDF… then navigate to the Digital Signatures tab.
Okular
Okular should automatically find your NSS database if you used the default location (i.e. ~/.pki/nssdb). You can verify this or change the location by doing the following.
- Open Okular.
- Navigate to Settings > Configure Backends….
- In the “Configure Backends” dialogue, navigate to PDF.
- To set a custom path, select the Custom option and enter the path where your NSS database is saved.
- Select OK.
- Restart Okular.
You can digitally sign a PDF with Okular by navigating to Tools > Digitally Sign…, then draw a rectangle where you would like your signature to appear.