Reputation: 1203
I've used Apache POI and my certificate to digitally sign a .docx document:
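    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import java.util.List;
    import org.apache.poi.openxml4j.opc.OPCPackage;
    import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
    import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
    import org.apache.poi.util.IOUtils;

    @Override
    public byte[] sign(byte[] content, List<X509Certificate> certChain, PrivateKey privateKey) throws Exception {
        // Open the .docx (an OPC package) from memory
        OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(content));

        // Signing key plus the chain that gets embedded in the signature
        SignatureConfig signatureConfig = new SignatureConfig();
        signatureConfig.setKey(privateKey);
        signatureConfig.setSigningCertificateChain(certChain);
        signatureConfig.setOpcPackage(pkg);

        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        si.confirmSignature(); // computes the signature and adds it to the package

        pkg.save(outputStream);
        IOUtils.closeQuietly(pkg);
        return outputStream.toByteArray();
    }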
certChain contains my certificate and a self-signed certificate (root CA) that is used to sign my certificate (the root CA is the issuer of my certificate). This code runs perfectly and I get a signed .docx file. But when I open it in Microsoft Word 2016, I get this message:
I also sign PDF content with Apache PDFBox, and when I open a signed PDF file in Acrobat Reader, I get a similar issue, but it's easy to solve by adding the root CA to the list of trusted certificates inside Acrobat Reader. But in Microsoft Office, I cannot see any similar option. How can I get MS Office to trust the root CA (or at least trust my certificate)?
Upvotes: 0
Views: 75
Reputation: 4913
After installing the certificate, export it as a PFX file. The export has an option to attach the root CA. Then use the PFX file for signing.
Disclaimer: I haven't tried this with a self-signed root CA, so I don't know if Office will accept it.
Upvotes: 1
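One way to follow the answer above from the question's Java code, as an added example that is not part of either post: load the exported PFX, confirm that its chain runs up to the self-signed root CA, and pass the key and chain to `sign()`. The class name `PfxSigningMaterial` and the path and password arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper: holds what sign(content, certChain, privateKey) needs.
public class PfxSigningMaterial {
    public final PrivateKey privateKey;
    public final List<X509Certificate> certChain; // leaf first, root CA last

    private PfxSigningMaterial(PrivateKey key, List<X509Certificate> chain) {
        this.privateKey = key;
        this.certChain = chain;
    }

    /** Loads the first key entry of a PFX and checks its chain up to a self-signed root. */
    public static PfxSigningMaterial load(String pfxPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxPath)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] raw = ks.getCertificateChain(alias);
            if (raw == null || raw.length == 0) continue;
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : raw) chain.add((X509Certificate) c);
            for (int i = 0; i < chain.size(); i++) {
                X509Certificate cert = chain.get(i);
                cert.checkValidity(); // throws if expired or not yet valid
                // Each certificate must be signed by the next one; the last must sign itself.
                X509Certificate issuer = chain.get(Math.min(i + 1, chain.size() - 1));
                cert.verify(issuer.getPublicKey());
            }
            PrivateKey key = (PrivateKey) ks.getKey(alias, password);
            return new PfxSigningMaterial(key, chain);
        }
        throw new IllegalStateException("No private key entry with a certificate chain in " + pfxPath);
    }
}
```

`load` throws if the PFX was exported without the root CA, because the last certificate in the chain then fails to verify against its own public key.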