Creating X.509 certificates with GnuPG
Werner Koch
wk at gnupg.org
Tue Mar 1 18:15:24 CET 2011
Hi,
those who follow the commit list may have noticed it: It is now possible
to create an X.509 certificate using GPGSM. The reason I implemented
this is that it was pretty easy to twist the PKCS#10 generation code to
allow the creation of X.509 certificates directly. Another reason is
that I was never able to recall the OpenSSL commands to create a
certificate (in particular not if you want an rfc822Name).
Here is how the UI looks:
$ gpgsm --gen-key >x.pem
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=Joe Hacker, O=Hackers United, C=unv
Enter email addresses (end with an empty line):
> joe at example.org
> joe.hacker at example.org
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=Joe Hacker, O=Hackers United, C=unv
Name-Email: joe at example.org
Name-Email: joe.hacker at example.org
Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &B71FA28BCE8B2[...]
gpgsm: certificate created
Ready.
$ gpgsm --import x.pem
gpgsm: certificate imported
gpgsm: total number processed: 1
gpgsm: imported: 1
Running gpgsm -k on it shows:
ID: 0x159A7D3D
S/N: 6E3E32BC38A687E8
Issuer: /CN=Joe Hacker/O=Hackers United/C=unv
Subject: /CN=Joe Hacker/O=Hackers United/C=unv
aka: joe at example.org
aka: joe.hacker at example.org
validity: 2011-03-01 17:02:46 through 2063-04-05 17:00:00
key type: 2048 bit RSA
chain length: unlimited
fingerprint: A0:31:50:B1:A4:56:FD:54:63:35:5F:25:59:F5:7A:B5:15:9A:7D:3D
Now if you want a "real" certificate you use the option --batch along
with a proper parameter file; the manual explains them all. This
feature may even be used to write a proper CA tool. Note that the DNS
name prompt is useful to create server certificates. Surprisingly, the
"existing key" options are useful to create certificates from already
existing keys (e.g. an OpenPGP key).
You need the latest gnupg from git and the new libksba 1.2.0.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
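An added example of the unattended route the post mentions (my own script, not Werner's code and not part of GnuPG): a POSIX shell script that writes the parameter file "gpgsm --batch --gen-key" reads for a self-signed server certificate carrying DNS names, and hands it to gpgsm on request. It reuses the parameter names gpgsm echoes in the post's "These parameters are used" block; Name-DNS and Not-After are assumed from the gpgsm manual, and the host names, e-mail address and file paths are made up.

```shell
#!/bin/sh
# Added example, not code from the post or from GnuPG: build the parameter
# file that "gpgsm --batch --gen-key" reads, for a self-signed server
# certificate carrying DNS names. Key-Type, Key-Length, Key-Usage, Serial,
# Name-DN and Name-Email are the names gpgsm echoes in the post; Name-DNS
# and Not-After are assumed from the gpgsm manual. Names and paths are made up.
set -eu

# gpgsm_params DN EMAIL NOT_AFTER DNSNAME... : write the parameter file to stdout
gpgsm_params() {
    dn=$1 email=$2 not_after=$3
    shift 3
    printf 'Key-Type: RSA\n'
    printf 'Key-Length: 3072\n'
    printf 'Key-Usage: sign, encrypt\n'
    printf 'Serial: random\n'
    printf 'Name-DN: %s\n' "$dn"
    printf 'Name-Email: %s\n' "$email"
    for name; do            # one Name-DNS line per host name, like the DNS prompt
        printf 'Name-DNS: %s\n' "$name"
    done
    # bound the lifetime instead of the ~52-year default visible in the post
    printf 'Not-After: %s\n' "$not_after"
}

# count_param FILE KEY : how many "KEY: value" lines the file has (0 if none)
count_param() {
    grep -c "^$2: " "$1" || true
}

# create_cert PARAMFILE OUTPEM : unattended generation, then import and list
create_cert() {
    gpgsm --batch --gen-key "$1" > "$2"
    gpgsm --import "$2"
    gpgsm -k                # check Issuer == Subject, aka names and validity
}

PARAMS=${TMPDIR:-/tmp}/www.example.org.params
gpgsm_params 'CN=www.example.org, O=Hackers United, C=unv' \
             'hostmaster@example.org' '2013-03-01' \
             www.example.org mail.example.org > "$PARAMS"
cat "$PARAMS"

# Only call gpgsm when explicitly asked, so the script is safe to run anywhere.
if [ "${1:-}" = --run ] && command -v gpgsm > /dev/null 2>&1; then
    create_cert "$PARAMS" "${PARAMS%.params}.pem"
fi
```

Run it with `--run` on a box that has the gpgsm build described in the post to actually generate and import the certificate; without that flag it only writes and prints the parameter file.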