[PATCH 1/3] scute: Do not show deprecated gpgsm-gencert.sh.

Damien Goutte-Gattat dgouttegattat at incenp.org
Thu Oct 29 12:22:00 CET 2015


* README: Show example of gpgsm --gen-key usage instead of
  deprecated gpgsm-gencert.sh.
* doc/manual/scute.texi: Ditto.

--
The gpgsm-gencert.sh script was deprecated a long time ago
and is no longer distributed with GpgSM. The proper way of
generating an X.509 certificate request from an OpenPGP key is to
call gpgsm --gen-key.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
---
 README                | 64 +++++++++++++++++++++++----------------------
 doc/manual/scute.texi | 72 +++++++++++++++++++++++----------------------------
 2 files changed, 66 insertions(+), 70 deletions(-)

diff --git a/README b/README
index 42e7802..ac443dc 100644
--- a/README
+++ b/README
@@ -92,51 +92,53 @@ http://www.gnupg.org/(en)/howtos/card-howto/en/smartcard-howto.html
 Once the card is initialised, we have to generate a certificate
 signing request (CSR) to get the authentication key of the card
 (OPENPGP.3, the third key on the card) certified by the CA.  This can
-be done with the script "gpgsm-gencert.sh".  For the CSR, a
-distinguished name (DN) is required.  Your CA will have more
-information about what this DN should contain.  Below we use an
-example for a test-employee "Floppy Head" of the test-CA that ships
-with OpenSSL ("Snake Oil, Ltd.").
+be done with GPGSM.  For the CSR, a distinguished name (DN) is
+required.  Your CA will have more information about what this DN
+should contain.  Below we use an example for a test-employee "Floppy
+Head" of the test-CA that ships with OpenSSL ("Snake Oil, Ltd.").
 
 Generating the CSR is then just a matter of answering a few questions:
 
-$ gpgsm-gencert.sh > /tmp/floppy.csr
-Key type
- [1] RSA
- [2] existing key
- [3] OPENPGP.1
- [4] OPENPGP.3
-Your selection: 4
-You selected: OPENPGP.3
-Key usage
- [1] sign, encrypt
- [2] sign
- [3] encrypt
-Your selection: 2
-You selected: sign
-Name (DN)
-> CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XY
-E-Mail addresses (end with an empty line)
+$ gpgsm --armor --output /tmp/floppy.csr --gen-key
+
+Please select what kind of key you want:
+   (1) RSA
+   (2) Existing key
+   (3) Existing key from card
+Your selection: 3
+
+Serial number of the card: D27600012401010100010000051B0000
+Available keys:
+   (1) 39820691E60A775AF9B979F4A960B23A2FC8892A OPENPGP.1
+   (2) BE3918CCCC237E42AF6D15869DCAE291276C5548 OPENPGP.2
+   (3) 386F81432E2C864085885251EB5D6D0B875D1E91 OPENPGP.3
+Your selection? 3
+
+Possible actions for a RSA key:
+   (1) sign, encrypt
+   (2) sign
+   (3) encrypt
+Your selection? 2
+Enter the X.509 subject name: CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XY
+Enter email addresses (end with an empty line):
 > floppy at head.com
-E-Mail addresses (end with an empty line)
 >
-DNS Names (optional; end with an empty line)
+Enter DNS names (optional; end with an empty line):
 >
-URIs (optional; end with an empty line)
+Enter URIs (optional; end with an empty line):
 >
 Parameters for certificate request to create:
      1  Key-Type: card:OPENPGP.3
-     2  Key-Length: 
+     2  Key-Length: 1024
      3  Key-Usage: sign
      4  Name-DN: CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XY
      5  Name-Email: floppy at head.com
 
-Really create such a CSR?
- [1] yes
- [2] no
-Your selection: 1
-You selected: yes
+Really create request? (y/N) y
+Now creating certificate request. This may take a while ...
+gpgsm: about to sign CSR for key: &386F81432E2C864085885251EB5D6D0B875D1E91
 gpgsm: certificate request created
+Ready.  You should now send this request to your CA.
 
 It is required to enter the signing PIN of the card to complete this
 step.  The certificate can then be found in the file "/tmp/floppy.csr".
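Review bot: The first prompt in the new README transcript reads "Your selection: 3" while the two later prompts in the same transcript, and the same prompt in the scute.texi hunk, read "Your selection? 3"; one of them is probably a leftover from the old script output, so please make the README line match what gpgsm actually prints. Since the paragraph is being touched anyway, the trailing context line says "The certificate can then be found in the file /tmp/floppy.csr", but that file holds the request, not a certificate; "certificate request" would be more accurate.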
diff --git a/doc/manual/scute.texi b/doc/manual/scute.texi
index ceed13e..01d4784 100644
--- a/doc/manual/scute.texi
+++ b/doc/manual/scute.texi
@@ -310,52 +310,47 @@ Before you start, make sure that the GPG Agent is running, see
 create a CSR with the command:
 
 @example
-$ gpgsm-gencert.sh > floppy-head.p10
-Key type
- [1] RSA
- [2] Existing key
- [3] Direct from card
-Your selection: 3
-You selected: Direct from card
+$ gpgsm --armor --output floppy-head.p10 --gen-key
+
+Please select what kind of key you want:
+   (1) RSA
+   (2) Existing key
+   (3) Existing key from card
+Your selection? 3
 @end example
 
-As we create a certificate for the OpenPGP Card, the option ``@code{[3]
-Direct from card}'' should be selected.
+As we create a certificate for the OpenPGP Card, the option ``@code{(3)
+Existing key from card}'' should be selected.
 
 @example
-Card with S/N D27600012401010100010000051B0000 found
-gpg-agent uses OPENPGP.3 as ssh key
-Select key 
- [1] OPENPGP.1
- [2] OPENPGP.2
- [3] OPENPGP.3
- [4] back
-Your selection: 3
-You selected: OPENPGP.3
-Key usage
- [1] sign, encrypt
- [2] sign
- [3] encrypt
-Your selection: 2
-You selected: sign
+Serial number of the card: D27600012401010100010000051B0000
+Available keys:
+   (1) 39820691E60A775AF9B979F4A960B23A2FC8892A OPENPGP.1
+   (2) BE3918CCCC237E42AF6D15869DCAE291276C5548 OPENPGP.2
+   (3) 386F81432E2C864085885251EB5D6D0B875D1E91 OPENPGP.3
+Your selection? 3
+
+Possible actions for a RSA key:
+   (1) sign, encrypt
+   (2) sign
+   (3) encrypt
+Your selection? 2
 @end example
 
 The only operation currently supported is client authentication.  For
 this, the authentication key has to be selected.  This is the third key
-on the card, so the options ``@code{[3] OPENPGP.3}'' and ``@code{[2]
+on the card, so the options ``@code{(3) OPENPGP.3}'' and ``@code{(2)
 sign}'' should be chosen.  Note that the key usage is only advisory, and
 the CA may assign different capabilities.
 
 @example
-Name (DN)
-> CN=Floppy Head,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
-E-Mail addresses (end with an empty line)
+Enter the X.509 subject name: CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XY
+Enter email addresses (end with an empty line):
 > floppy.head@@example.com
-E-Mail addresses (end with an empty line)
 > 
-DNS Names (optional; end with an empty line)
+Enter DNS names (optional; end with an empty line):
 > 
-URIs (optional; end with an empty line)
+Enter URIs (optional; end with an empty line)
 > 
 @end example
 
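Review bot: The added line "Enter URIs (optional; end with an empty line)" in the last @example of this hunk is missing its trailing colon; the "Enter DNS names" prompt just above it and the same URI prompt in the README hunk both end with ":". Please add the colon so the manual and README transcripts agree. The key selection example now lists 40-digit hex values next to OPENPGP.1 to OPENPGP.3 without saying what they are; a short sentence in the following paragraph identifying them would help readers match the value shown later in the "about to sign CSR for key" line.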
@@ -370,16 +365,14 @@ it has gathered and ask whether to create the certificate request:
 @example
 Parameters for certificate request to create:
      1	Key-Type: card:OPENPGP.3
-     2	Key-Length: 
+     2	Key-Length: 1024
      3	Key-Usage: sign
-     4	Name-DN: CN=Floppy Head,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
+     4	Name-DN: CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XY
      5	Name-Email: floppy.head@@example.com
 
-Really create such a CSR?
- [1] yes
- [2] no
-Your selection: 1
-You selected: yes
+Really create request? (y/N) y
+Now creating certificate request. This may take a while ...
+gpgsm: about to sign CSR for key: &386F81432E2C864085885251EB5D6D0B875D1E91
 @end example
 
 GPGSM will now start working on creating the request.  During this time
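Review bot: The parameter summary now shows "Key-Length: 1024" where the old output left the field empty, which puts a 1024-bit RSA key into the manual's worked example with no comment. If that value simply reflects the key on the example card, a sentence in the surrounding text saying so (and that it is not a recommended size) would keep readers from treating it as guidance; the same applies to the identical line in the README hunk.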
@@ -389,7 +382,8 @@ key on the card.  A pop up window will appear to ask for it.
 When it is ready, you should see the final notice:
 
 @example
-  gpgsm: certificate request created
+gpgsm: certificate request created
+Ready.  You should now send this request to your CA.
 @end example
 
 Now, you may look at the created request:
-- 
1.8.4



