From MichaelHoeller at t-online.de Sun Aug 6 22:12:31 2006
From: MichaelHoeller at t-online.de (Michael Hoeller)
Date: Mon Aug 7 01:21:20 2006
Subject: PKCS#12
Message-ID: <200608062212.31600.MichaelHoeller@t-online.de>

Hello,

it seems that I have a problem with a root certificate: according to the error message the root certificate is not marked as "to be trusted". Can someone please tell me what I need to do to get the root cert trusted?

Here is the error message:

4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: <- ISTRUSTED 355E69678EB5D72B5DC882276847F27C0D3C4156
4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: -> ERR 304 not trusted
6 - 2006-08-04 23:43:46 gpgsm[15127]: Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert

And here is the full story: I have imported my PKCS#12 cert (public, private and the root certs) via the following method:

1. Export the certificate from your browser into a file "certbundle.p12".

2. Use OpenSSL to extract the key from the bundle.

   bash$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes

   Then, extract the key from the bundle and export it, again in PKCS#12 format:

   bash$ gpgsm --call-protect-tool --p12-import --store certkey.p12

3. Import the issuer's certificate and your own certificate:

   bash$ gpgsm --import

But when I now want to sign a mail I get the following error:

4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: <- ISTRUSTED 355E69678EB5D72B5DC882276847F27C0D3C4156
4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: -> ERR 304 not trusted
6 - 2006-08-04 23:43:46 gpgsm[15127]: Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert

The last line in German means: the root cert is not marked as to be trusted. I would like to do this. How can I do this?
Thanks a lot,
Michael

From wk at gnupg.org Mon Aug 7 16:45:35 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Aug 7 16:51:27 2006
Subject: PKCS#12
In-Reply-To: <200608062212.31600.MichaelHoeller@t-online.de> (Michael Hoeller's message of "Sun, 6 Aug 2006 22:12:31 +0200")
References: <200608062212.31600.MichaelHoeller@t-online.de>
Message-ID: <87vep4fvu8.fsf@wheatstone.g10code.de>

On Sun, 6 Aug 2006 22:12, Michael Hoeller said:

> 1. Export the certificate from your browser into a file
> "certbundle.p12".

With the latest gnupg 1.9 you should be able to do just

  gpgsm --import certbundle.p12

tested with a current Mozilla.

> The last line in German means: the root cert is not marked as to be trusted.
> I would like to do this. How can I do this?

See the info manual under agent configuration:

@item trustlist.txt
[ Default: ~/.gnupg/trustlist.txt ]

This is the list of trusted keys. Comment lines, indicated by a leading hash mark, as well as empty lines are ignored. To mark a key as trusted you need to enter its fingerprint followed by a space and a capital letter @code{S}. Colons may optionally be used to separate the bytes of a fingerprint; this allows cutting and pasting the fingerprint from a key listing output. Here is an example where two keys are marked as ultimately trusted:

@example
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
@end example

Before entering a key into this file, you need to ensure its authenticity. How to do this depends on your organisation; your administrator might have already entered those keys which are deemed trustworthy enough into this file. Places to look for the fingerprint of a root certificate are letters received from the CA or the website of the CA (after making 100% sure that this is indeed the website of that CA).
You may want to consider allowing interactive updates of this file by using the @xref{option --allow-mark-trusted}. This is however not as secure as maintaining this file manually. It is even advisable to change the permissions to read-only so that this file can't be changed inadvertently.

Salam-Shalom,

   Werner
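The trustlist.txt rules quoted from the manual above (hash-mark comments and empty lines ignored, fingerprint optionally colon-separated, then a space and a capital S) are simple enough to check mechanically. The following Python is an added example, not code from the thread or from GnuPG: it parses a trustlist in that format, pulls the fingerprint out of the gpg-agent ISTRUSTED debug line from the original report, tells you whether that root is marked S, and builds the two lines to append once the fingerprint has been verified out of band. The sample trustlist is constructed from the two entries in the manual excerpt; the subject DN passed to trustlist_entry in the demo is a placeholder, not a value from the page. Real gpg-agent accepts more flag letters than the S the excerpt mentions, so the parser accepts any capital letter but only S counts as "trusted" here.

```python
"""Helpers for gpg-agent's trustlist.txt, following the manual excerpt:
comment lines start with '#', empty lines are ignored, and an entry is a
fingerprint (optionally with ':' between bytes) followed by a space and 'S'.
Added example, not GnuPG code.
"""
import re
from typing import Dict, Optional

# Constructed sample trustlist: the two entries shown in the manual excerpt.
SAMPLE_TRUSTLIST = """\
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
"""

# Constructed copy of the gpg-agent debug line from the original report.
SAMPLE_LOG_LINE = ("4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: "
                   "<- ISTRUSTED 355E69678EB5D72B5DC882276847F27C0D3C4156")

_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(fpr: str) -> str:
    """Strip optional colons/spaces and upper-case a SHA-1 fingerprint.

    Raises ValueError unless the result is exactly 40 hex digits, so a typo
    in a hand-edited entry is rejected instead of silently never matching.
    """
    norm = fpr.replace(":", "").replace(" ", "").upper()
    if not _HEX40.match(norm):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return norm


def parse_trustlist(text: str) -> Dict[str, str]:
    """Return {normalized_fingerprint: flag} for every active entry.

    Comment and empty lines are skipped, as the manual says. Anything else
    must look like '<fingerprint> <FLAG>'; a malformed line raises, because
    a silently dropped entry would leave a root untrusted without warning.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Assumption: a single capital letter (or '*') is the flag field.
        if len(parts) < 2 or not re.fullmatch(r"[A-Z*]", parts[1]):
            raise ValueError(f"trustlist line {lineno}: malformed entry {raw!r}")
        entries[normalize_fingerprint(parts[0])] = parts[1]
    return entries


def is_trusted(text: str, fpr: str) -> bool:
    """True if fpr is listed with flag S, the marking the manual describes."""
    return parse_trustlist(text).get(normalize_fingerprint(fpr)) == "S"


def fingerprint_from_istrusted(log_line: str) -> Optional[str]:
    """Extract the fingerprint gpg-agent was asked about from an ISTRUSTED line."""
    m = re.search(r"ISTRUSTED\s+([0-9A-Fa-f:]{40,59})", log_line)
    return normalize_fingerprint(m.group(1)) if m else None


def trustlist_entry(fpr: str, subject_dn: str) -> str:
    """Build the lines to append: a '# <DN>' comment and '<FPR> S'.

    The caller must already have verified the fingerprint against the CA's
    letter or website, as the manual insists; code cannot do that part.
    """
    return f"# {subject_dn}\n{normalize_fingerprint(fpr)} S\n"


if __name__ == "__main__":
    fpr = fingerprint_from_istrusted(SAMPLE_LOG_LINE)
    if fpr is not None:
        print(fpr, "trusted:", is_trusted(SAMPLE_TRUSTLIST, fpr))
        # Placeholder DN; substitute the real root's subject after verifying it.
        print(SAMPLE_TRUSTLIST + trustlist_entry(fpr, "CN=<root CA subject>"))
```

Running it shows the fingerprint from the ISTRUSTED line is absent from the sample list, which is exactly the "ERR 304 not trusted" situation in the report; after appending the entry it resolves to trusted. The file must be writable for that append, so re-apply the read-only permissions Werner recommends afterwards.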