将根 CA 导入 MS Office

Question

I've use Apache POI and my certificate to digitally sign a.docx document:

@Override
public byte[] sign(byte[] content, List<X509Certificate> certChain, PrivateKey privateKey) throws Exception {
    OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(content));

    SignatureConfig signatureConfig = new SignatureConfig();
    signatureConfig.setKey(privateKey);
    signatureConfig.setSigningCertificateChain(certChain);
    signatureConfig.setOpcPackage(pkg);

    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    SignatureInfo si = new SignatureInfo();
    si.setSignatureConfig(signatureConfig);
    si.confirmSignature();
    pkg.save(outputStream);

    IOUtils.closeQuietly(pkg);
    return outputStream.toByteArray();
}

certChain contains my certificate and a self-signed certificate (root CA) that is used to sign my certificate (the root CA is the issuer of my certificate). This code run perfectly and a get signed.docx file. But when I open it by Microsoft Word 2016, I get this message:

I also sign PDF content with Apache PDFBox and when I open a signed PDF file by Acrobat Reader, I get similar issue, but it's easily to solve by adding root CA to the list of Trusted certificates inside Acrobat Reader. But in Microsoft Office, I can not see any similar option. How can I get MS Office to trust the root CA (or at least trust my certificate)?

Answer 1

After installing the certificate, export it as a PFX file. The export has an option to attach the root CA. Then use the PFX file for signing.

Disclaimer: I haven't tried this with a self-signed root CA, so I don't know if Office will accept it.