x.509 and gpg

Bernhard Reiter bernhard at intevation.de
Tue Apr 1 12:12:49 CEST 2014


Hi James,

On Thursday 27 March 2014 at 21:50:16, James B. Byrne wrote:
> However, gpgsm does not seem to want to deal with our certificates and I
> lack the experience or knowledge to determine exactly why.  So, I am here
> asking for your assistance to resolve this problem.
>
> I started with a single certificate and key issued to myself and signed by
> our CA:
>
> openssl pkcs12 -export -in 3F.pem -inkey 3F.key -out 3F.p12
>
> I then attempted to import this into my gpg keyring via the command line
> using gpgsm:
>
> gpgsm --import 3F.p12

> gpgsm[5321]: can't connect to `/home/byrnejb/.gnupg/S.gpg-agent': No such
> file or directory

> I gather from the first line of error that I should be running gpg-agent. 

Yes, you should run gpg-agent. It is also recommended when using OpenPGP.
Gpg-agent is the component dealing with the private certificates (that 
includes access to the (private) key material). It can also cache parts of 
this.

Under some circumstances gpg-agent is started automatically, but because
you may access gnupg/gpgsm functions from several applications/terminals,
it makes a lot of sense to start it early.

> I have read how to start this for command line sessions but I am hesitant
> to do so before getting some expert help.  The session manager I am using
> for this is gnome-terminal running from a non-privileged gnome desktop
> manager (gnome-desktop.x86_64-2.28.2).  Should I start this from
> .bash_profile, which would imply that a new gpg-agent would be started for
> each new session window? or as some have suggested, start it from
> .Xsession? or perhaps gpg-agent should not be started at all and I should
> use some option on gpgsm to avoid the need for gpg-agent.

info gnupg2
section Invoking GPG-AGENT
is your friend. :)

> In any case, I am also trying to determine how to load our CA root and CA
> issuer certificates or at least make them known to gpg/gpgsm as this seems
> necessary given what I have read in the man pages.

See http://wiki.gnupg.org/X.509, I've linked my root certificate guide
from there.

Let me know how it works out for you!
Bernhard

-- 
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
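
As an added illustration of the .bash_profile question discussed above (not part of the original message or of GnuPG's documentation): a sketch that reuses one agent per login instead of starting a new one for every terminal window. It assumes GnuPG 2.0.x, where `gpg-agent --daemon --write-env-file` records `GPG_AGENT_INFO=<socket>:<pid>:<protocol>`; the function names and `AGENT_ENV_FILE` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GnuPG 2.0.x, whose agent
# records itself as "GPG_AGENT_INFO=<socket>:<pid>:<protocol>".
# AGENT_ENV_FILE and the function names are hypothetical.
AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.gpg-agent-info}"

# Print the agent PID recorded in env file $1; fail if missing or malformed.
agent_pid_from_file() {
    [ -r "$1" ] || return 1
    pid=$(sed -n 's/^GPG_AGENT_INFO=.*:\([0-9][0-9]*\):[0-9][0-9]*$/\1/p' "$1" | head -n 1)
    [ -n "$pid" ] && printf '%s\n' "$pid"
}

# Succeed only if the recorded PID is a live process we may signal.
# A recycled PID can still fool this check.
agent_is_running() {
    pid=$(agent_pid_from_file "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

# Reuse the recorded agent if it is alive, otherwise start one and record it.
ensure_gpg_agent() {
    if agent_is_running "$AGENT_ENV_FILE"; then
        # Parse the value instead of sourcing the file, so nothing in it is executed.
        GPG_AGENT_INFO=$(sed -n 's/^GPG_AGENT_INFO=//p' "$AGENT_ENV_FILE" | head -n 1)
    else
        out=$(gpg-agent --daemon --write-env-file "$AGENT_ENV_FILE") || return 1
        eval "$out"
    fi
    export GPG_AGENT_INFO
    GPG_TTY=$(tty) && export GPG_TTY   # pinentry needs to know the terminal
}

# From ~/.bash_profile: source this file, then call ensure_gpg_agent.
```

GnuPG 2.1 and later start the agent on demand over a fixed socket, so this bookkeeping is only needed on the 2.0 series.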