Tutorial for gpgsm?
Simon Josefsson
jas at extundo.com
Wed Sep 8 10:04:16 CEST 2004
Werner Koch <wk at gnupg.org> writes:
>> * How to import a key and bind it to some certificate already
>> imported. Alternatively, import key and certificate together, from
>> a pkcs12 blob, or pkcs8 + certificate blobs, or whatever.
>> Alternatively, don't import the key at all, but specify location of
>> key using a parameter when signing.
>
> You always need to import the key; there is something similar to a
> keyring (here called a keybox: ~/.gnupg/pubring.kbx).
>
> Importing a key either from a binary or ascii armored (PEM) certificate
> file or from a cert-only signature file is done using
>
> gpg --import FILE
>
> or
>
> gpg --import < FILE
>
> In general you should first import the root certificates and then down
> to the end user certificate. You may put all into one file and gpgsm
> will do the right thing in this case independent of the order.
>
> While verifying a signature, all included certificates are
> automagically imported.
>
> To import from a pkcs#12 file you may use the same command; if a
> private key is contained in that file, you will be asked for the
> transport passphrases as well as for the new passphrase used to
> protect it in gpg-agent's private key storage
> (~/.gnupg/private-keys-v1.d/). Note that the pkcs#12 support is very
> basic but sufficient for certificates exported from Mozilla, OpenSSL
> and MS Outlook.
I'm afraid I can't get this part to work. Here's what I'm trying to
do and what happens:
0. rm ~/.gnupg/pubring.kbx
1. Import CA certificate, seems to work.
jas at latte:~$ gpgsm --import cacert.crt
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: keybox `/home/jas/.gnupg/pubring.kbx' created
gpgsm: total number processed: 1
gpgsm: imported: 1
jas at latte:~$ gpgsm --list-keys
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
/home/jas/.gnupg/pubring.kbx
----------------------------
Serial number: 00
Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
Subject: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
validity: 2003-03-30 12:29:49 through 2033-03-29 12:29:49
key type: 4096 bit RSA
chain length: unlimited
fingerprint: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
jas at latte:~$ echo '135CEC36F49CB8E93B1AB270CD80884676CE8F33 S' >> ~/.gnupg/trustlist.txt
2. Import key and user certificate.
jas at latte:~$ gpgsm --import cacert.user.key
Secure memory is not locked into core
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: no issuer found in certificate
gpgsm: basic certificate checks failed - not imported
gpgsm: total number processed: 1
gpgsm: not imported: 1
jas at latte:~$
The cacert.crt and cacert.user.key files are attached below. (I know I'm
sending my private key. It should be revoked when my testing is
completed.)
Thanks,
Simon
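As an added example (not code from this thread or from GnuPG itself), the shell script below rebuilds the steps Werner describes against a throwaway CA generated with openssl and checks the two things Simon's transcript shows: the format of the trustlist.txt entry, and the condition behind "no issuer found in certificate". The CA and user names, the files under a mktemp directory and the "transport" passphrase are all constructed for the example; the gpgsm step runs only if gpgsm is installed.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild Werner's steps with a throwaway
# CA made by openssl, and check what Simon's transcript shows (the trustlist
# line and the "no issuer found" condition). All names/passphrases are made up.
set -eu
WORK=$(mktemp -d)

# Self-signed root, an end-user cert issued by it, and a PKCS#12 bundle that
# carries key, user cert and the issuer (Werner's "put all into one file").
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:transport -inkey "$WORK/user.key" \
        -in "$WORK/user.crt" -certfile "$WORK/ca.crt" -out "$WORK/user.p12"
}

# trustlist_entry CERT: the line Simon appended to ~/.gnupg/trustlist.txt,
# i.e. the SHA-1 fingerprint with the colons removed, followed by " S".
trustlist_entry() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d : |
        sed 's/$/ S/'
}

# issuer_present USERCERT CACERT...: gpgsm rejects an end-user certificate
# with "no issuer found in certificate" when its issuer is not in the keybox.
# Succeeds if the user cert's Issuer DN equals the Subject DN of any CA given.
issuer_present() {
    user=$1; shift
    want=$(openssl x509 -in "$user" -noout -issuer | sed 's/^issuer=//')
    for ca in "$@"; do
        have=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# import_into_gpgsm: Werner's order (root first, trust it, then the end-user
# cert) in a scratch GNUPGHOME so the real keybox is left untouched.
import_into_gpgsm() {
    command -v gpgsm >/dev/null || { echo "gpgsm not installed; skipping"; return 0; }
    GNUPGHOME=$WORK/gnupghome; export GNUPGHOME; mkdir -m 700 "$GNUPGHOME"
    gpgsm --import "$WORK/ca.crt"
    trustlist_entry "$WORK/ca.crt" >> "$GNUPGHOME/trustlist.txt"
    gpgsm --import "$WORK/user.crt"
    gpgsm --list-keys
}
```

Run `make_demo_pki` first, then `issuer_present "$WORK/user.crt" "$WORK/ca.crt"` to see the check pass, and `import_into_gpgsm` to walk the import order in a scratch home directory.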