PKCS#12
Werner Koch
wk at gnupg.org
Mon Aug 7 16:45:35 CEST 2006
On Sun, 6 Aug 2006 22:12, Michael Hoeller said:
> 1. Export the Certificate from your browser into a file
> "certbundle.p12".
With the latest gnupg 1.9 you should be able to do just a

  gpgsm --import certbundle.p12

tested with a current Mozilla.
> The last in German means: the root cert is not marked as to be trusted.
> I like to do this. How can I do this?
See the info manual under agent configuration:
@item trustlist.txt
[ Default: ~/gnupg/trustlist.txt ]
This is the list of trusted keys. Comment lines, indicated by a leading
hash mark, as well as empty lines are ignored. To mark a key as trusted
you need to enter its fingerprint followed by a space and a capital
letter @code{S}. Colons may optionally be used to separate the bytes of
a fingerprint; this allows to cut and paste the fingerprint from a key
listing output.
Here is an example where two keys are marked as ultimately trusted:
@example
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S
# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
@end example
Before entering a key into this file, you need to ensure its
authenticity. How to do this depends on your organisation; your
administrator might have already entered those keys which are deemed
trustworthy enough into this file. Places where to look for the
fingerprint of a root certificate are letters received from the CA or
the website of the CA (after making 100% sure that this is indeed the
website of that CA). You may want to consider allowing interactive
updates of this file by using the @xref{option --allow-mark-trusted}.
This is however not as secure as maintaining this file manually. It is
even advisable to change the permissions to read-only so that this file
can't be changed inadvertently.
Salam-Shalom,
Werner
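
A small checker for the trustlist.txt syntax described in the manual excerpt quoted above, as an added example that is not part of the original message or of GnuPG. It assumes 20-byte fingerprints as in the excerpt's two entries and handles only the syntax the excerpt describes; `parse_trustlist` and `has_write_bits` are hypothetical names, and the sample input is constructed.

```python
import os
import re
import stat

# Constructed sample: the two entries from the manual excerpt plus two bad lines.
SAMPLE = """\
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
DC:BD:69:25:48:BD:BB:7E S
A6935DD34EF3087973C706FC311AA2CCF733765B s
"""

# Assumption: 20-byte (SHA-1) fingerprints, as in the excerpt's examples,
# written either as 40 hex digits or as 20 colon-separated bytes.
PLAIN = re.compile(r"[0-9A-Fa-f]{40}")
COLON = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){19}")


def parse_trustlist(text):
    """Return (trusted, errors): normalized fingerprints and (lineno, reason)."""
    trusted, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines and empty lines are ignored
        fpr, _, flag = line.partition(" ")
        if not (PLAIN.fullmatch(fpr) or COLON.fullmatch(fpr)):
            errors.append((lineno, "malformed fingerprint"))
        elif flag.strip() != "S":
            errors.append((lineno, "expected capital S after fingerprint"))
        else:
            trusted.append(fpr.replace(":", "").upper())
    return trusted, errors


def has_write_bits(path):
    """True if any write bit is set, i.e. the file is not read-only."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    trusted, errors = parse_trustlist(SAMPLE)
    print("trusted:", trusted)
    print("rejected:", errors)
```

Run `has_write_bits` against the real trustlist.txt after editing it to confirm the read-only permissions recommended at the end of the excerpt are in place.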