SUMMARY
With default settings, Okular doesn't find certificates in `$HOME/.pki/nssdb`, so the [documentation](https://docs.kde.org/stable5/en/okular/okular/signatures.html#adding_digital_signatures) is wrong about where Okular looks for certificates.

STEPS TO REPRODUCE
1. Add a certificate to `$HOME/.pki/nssdb`
2. Try to sign a PDF
3. Set `$HOME/.pki/nssdb` as the custom certificate store
4. Try to sign a PDF
5. Change the certificate store back to default
6. Try to sign a PDF

OBSERVED RESULT
Steps 2 and 6 result in no certificates found. Step 4 works.

EXPECTED RESULT
Steps 2, 4 and 6 work, or different documentation.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: manjaro
KDE Plasma Version: 5.21.4
KDE Frameworks Version: 5.81.0
Qt Version: 5.15.2
Did you actually create an NSS certificate store in $HOME/.pki/nssdb, or did you just copy the certificate file?
I didn't change anything on the certificate store during the above described procedure, and step 4 worked so I believe I set up the store correctly. I didn't set up the store in a special way, I solely added the certificate via `$ pk12util -d sql:$HOME/.pki/nssdb -i /path/to/cert/filename.p12` and checked via `$ certutil -d sql:$HOME/.pki/nssdb -V -u S -n "certificate-abc"` -> `certutil: certificate is valid`
Oh wait, I did misread your report, sorry. What does the "default" checkbox in the configuration dialog say?
It's the current Firefox user certificate store: `/home/myuser/.mozilla/firefox/abcdef12.default-release`
So yeah, it's not using $HOME/.pki/nssdb, why is that a bug?
I read the [documentation](https://docs.kde.org/stable5/en/okular/okular/signatures.html#adding_digital_signatures) in the way that okular should work with the certificate in this cert store, without me telling okular to use a special cert store. But yes, this doesn't feel like a proper bug, more a mismatch between docs and reality. I don't know what the intentions of the developer were, that's why I am reporting this issue. Probably the easiest thing right now is to adjust the documentation.
I guess it's a different interpretation of what "At the point of writing, Poppler will try to use the following NSS certificate stores in order (if they exist):" means. The first one exists, so it's the one used; it doesn't mean that all 3 will be used. How would you reword it so you would have understood it that way?
Oh, that's very true. I didn't find good changes yet. Nevertheless, two suggestions:
* Poppler will try to use the following -> Poppler will try to use one of the following
* adding: You can check which cert store is used via the entry in the 'PDF Backend Configuration' section of the 'Configure Backends...' dialog.

I would appreciate if there were instructions on how to properly (or most easily) add a certificate. I am not sure whether this would be helpful to many people. What is the usual setup procedure to enable signing documents? Is it something that is always preconfigured in your organisation? After reading [ArchWiki - nss](https://wiki.archlinux.org/index.php/Network_Security_Services) and [MDN NSS](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools) I got to these two instructions that worked for me (manjaro kde, firefox installed, .p12 and .pfx certificates):

VERSION A:
1. Go to the 'PDF Backend Configuration' section of the 'Configure Backends...' dialog. Find the certificate store that okular uses by default (right now one can *not* mark or copy from this field!) and in the following commands please substitute 'cert/store' with the found path. One example would be `/home/myuser/.mozilla/firefox/abcdef12.default-release`
2. Add the certificate via `pk12util -d sql:cert/store -i /path/to/cert/filename.p12`. You can see the certificate added in `certutil -d sql:cert/store -L`. You can check the certificate for signing messages via `certutil -d sql:cert/store -V -u S -n "certificate-name"`; you need to look for `certificate-name` in the output of the previous command. This output is acceptable: `certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user.`
3. Restart okular, now everything should be working. The certificate should be listed in the 'PDF Backend Configuration' section.

VERSION B:
1. Add the certificate via `pk12util -d sql:$HOME/.pki/nssdb -i /path/to/cert/filename.p12`. You can see the certificate added in `certutil -d sql:$HOME/.pki/nssdb -L`. You can check the certificate for signing messages via `certutil -d sql:$HOME/.pki/nssdb -V -u S -n "certificate-name"`; you need to look for `certificate-name` in the output of the previous command. This output is acceptable: `certutil: certificate is invalid: Peer's certificate issuer has been marked as not trusted by the user.`
2. Go to the 'PDF Backend Configuration' section of the 'Configure Backends...' dialog. Set the certificate store to custom and set the path to `$HOME/.pki/nssdb`
3. Restart okular, now everything should be working. The certificate should be listed in the 'PDF Backend Configuration' section.

Questions:
* Do I need `sql:` in the commands?
* Is the environment variable the same in okular and shell?
* Should one do something about this invalid certificate message?
* ...
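Added example, not from the bug report nor from Okular or Poppler: a small shell helper that mimics the "first existing store wins" lookup the linked documentation describes, so you can see which NSS database Okular will pick up before importing anything. The store order (Firefox profile, Thunderbird profile, `$HOME/.pki/nssdb`) is taken from the documentation; the `*.default*` profile globs and the `pick_nss_store`/`list_store_certs` names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the documented lookup order so a user can tell
# which NSS store Okular/Poppler will use. Store order follows the Okular
# docs; the "*.default*" profile globs are an assumption, not Poppler's code.

# pick_nss_store HOME_DIR -> prints the first candidate store that exists,
# returns 1 when none of the three candidates is present.
pick_nss_store() {
    home="$1"
    for pattern in "$home/.mozilla/firefox/*.default*" \
                   "$home/.thunderbird/*.default*" \
                   "$home/.pki/nssdb"; do
        # Unquoted expansion lets the shell expand the glob; an unmatched
        # glob stays literal and is rejected by the -d test below.
        for candidate in $pattern; do
            if [ -d "$candidate" ]; then
                printf '%s\n' "$candidate"
                return 0
            fi
        done
    done
    return 1
}

# list_store_certs STORE_DIR -> lists the certificates in that store with
# certutil, using the sql: prefix the thread's commands rely on.
list_store_certs() {
    store="$1"
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed (nss / libnss3-tools package)" >&2
        return 2
    fi
    certutil -d "sql:$store" -L
}

if store=$(pick_nss_store "$HOME"); then
    echo "Okular/Poppler would use: $store"
    list_store_certs "$store" || true
else
    echo "No NSS store found; Okular will report no certificates" >&2
fi
```

If the printed store is not the one you imported into, that is why steps 2 and 6 of the report show no certificates: import into the printed store (Version A) or point the custom store setting at yours (Version B).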
A possibly relevant merge request was started @ https://invent.kde.org/graphics/okular/-/merge_requests/425
Okular manual is not the place that should explain to you how to do that, in my opinion. Moreover, people should just use Firefox's one or Thunderbird's one, and if not, someone should write a GUI tool to set certificate stores; suggesting to use command line tools is just not a good user experience.
Git commit 3ff6ff35bafc4e098bb8d742c42f914629415b63 by Albert Astals Cid.
Committed on 12/05/2021 at 21:24.
Pushed by aacid into branch 'master'.

doc: Try to make it clearer that one one is used not all three

M +1 -1 doc/index.docbook

https://invent.kde.org/graphics/okular/commit/3ff6ff35bafc4e098bb8d742c42f914629415b63
Thank you for the documentation change and all the patience you showed me. Interesting to know that I could have used the Thunderbird certificate store, where I had the certificates already imported. This cert store can even be protected by Thunderbird's master password, and okular managed to sign a pdf with this protected cert store.