Small HowTo on how to import freemail S/MIME certificates into GPGSM

Matthias Welwarsky mwelwarsky@web.de
Sun Jan 26 10:08:02 2003


Hi all,

after playing a little bit with gpgsm and openssl last night, I have hacked up
a micro-HOWTO on how to import S/MIME certificates, e.g. from some freemail
service like web.de or CAs like Thawte into GPGSM. Please have a look at it
and tell me if there's an easier way to do this:

HOWTO import externally generated keys and certificates into GPGSM
==================================================================

Let's assume you have an S/MIME certificate, probably a personal freemail
certificate from Thawte or some other Certification Authority. Thawte offers
X.509 S/MIME certificates via a web interface, so you cannot have gpgsm
generate the certificate request (and thus the private key); your browser
does that. The problem, then, is that after the certificate has been issued
it lives inside your browser, while you need it in GPGSM.

"Where's the problem?" you might say. "I can always export my certificate as a
PKCS#12 certificate bundle and import it into GPGSM."

That's true, but it's a bit more difficult. While GPGSM has an import feature
for PKCS#12 encoded secret keys, it is very limited:

1. GPGSM cannot import the complete PKCS#12 bundle, ONLY the secret key.
2. The key must not be encrypted.

You need to import the secret key, your certificate, and the issuer's
certificate. Unfortunately, there seems to be no GPGSM-only solution, but you
can get along with a little help from OpenSSL :-)

Here's a step-by-step HOWTO that I used to get my Thawte certificate into
GPGSM:

1. Export the certificate from your browser.

You probably use Netscape or Mozilla; Konqueror currently lacks support for
generating certificate requests. The browser will ask you to specify an
export password; be sure to remember it for the rest of the procedure. Store
the exported certificate in a file named "certbundle.p12".

2. Use OpenSSL to extract the key from the bundle.

GPGSM currently seems to be unable to handle the complete bundle in one go,
so you need to extract the pieces yourself. This can be done with the
following OpenSSL calls.

First, you must convert the bundle from PKCS#12 into PEM format:

bash$ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes

OpenSSL will ask you for the export password; that's the password you entered
in your browser when exporting the certificate.

Then, extract the key from the bundle and export it, again in PKCS#12 format:

bash$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts \
      -nodes

Again, OpenSSL will ask you for an export password; just use the same one as
in the previous step. Now you have your secret key ready for import into
GPGSM:

bash$ gpgsm --call-protect-tool --p12-import --store certkey.p12

3. Import the issuer's certificate and your own certificate.

Now that you have imported your secret key successfully, you need to import
the issuer's certificate, too. To obtain this certificate, you may have to
browse to the issuer's website and download it, but Thawte, for example,
stores their certificate in the bundle you get when you request the
certificate. You can then extract it from the file certbundle.pem that you
generated with the first OpenSSL call above, simply with a text viewer. My
preferred way is to display the file in vi, then mark the issuer certificate
with the mouse and copy it into a shell where I had previously typed:

bash$ gpgsm --import

This will import the issuer's certificate. Once you have successfully
completed this step, do the same with your own certificate. Note that
certbundle.pem and certkey.p12 both contain your private key without any
encryption (that is what -nodes does), so delete them once the import has
succeeded.

If GPGSM did not spit out any error messages, you have now successfully
imported your freemail certificate and can use your favourite Aegypten-enabled
mailer to send and receive S/MIME messages with your own certificate.

You can check with "gpgsm --list-secret-keys". If your freemail certificate
shows up, you're ready to go.

regards,
	matthias
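The same procedure as a script, added here and not part of the original post: steps 2 and 3 of the HOWTO with the author's openssl and gpgsm commands, plus a small PEM splitter that replaces the vi/mouse copy-paste by feeding every certificate block in certbundle.pem to "gpgsm --import". It assumes openssl and gpgsm are on the PATH and that the bundle was exported as in step 1; the temporary files holding the unencrypted key are removed afterwards.

```shell
#!/bin/sh
# Added example, not part of the original post: the HOWTO's steps 2 and 3
# as a script, with the vi/mouse copy-paste replaced by a PEM splitter.
# Assumes openssl and gpgsm are on PATH and the bundle came from step 1.
set -eu

# Split a PEM file into one file per CERTIFICATE block (prefix.1.pem,
# prefix.2.pem, ...) and print how many were found. Private-key blocks
# are skipped, so only certificates reach gpgsm --import.
split_pem_certs() {
    awk -v p="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = p "." n ".pem" }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }
    ' "$1"
}

import_bundle() {
    work=$(mktemp -d)            # created with mode 0700
    # Step 2: PKCS#12 -> PEM; -nodes leaves the key unencrypted, which the
    # post says gpgsm requires, so the temp directory is removed below.
    openssl pkcs12 -in "$1" -out "$work/certbundle.pem" -nodes
    openssl pkcs12 -in "$work/certbundle.pem" -export \
        -out "$work/certkey.p12" -nocerts -nodes
    gpgsm --call-protect-tool --p12-import --store "$work/certkey.p12"
    # Step 3: every certificate in the bundle (issuer and own) goes to
    # gpgsm --import; Thawte ships the issuer cert inside the bundle.
    n=$(split_pem_certs "$work/certbundle.pem" "$work/cert")
    i=1
    while [ "$i" -le "$n" ]; do
        gpgsm --import "$work/cert.$i.pem"
        i=$((i + 1))
    done
    rm -rf "$work"
    # Final check from the post: the freemail certificate should show up.
    gpgsm --list-secret-keys
}

# Usage: ./import-p12.sh certbundle.p12
if [ "$#" -ge 1 ]; then
    import_bundle "$1"
fi
```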
