x.509 and gpg

James B. Byrne byrnejb at harte-lyne.ca
Thu Mar 27 21:50:16 CET 2014


i86_64
CentOS-6.5
OpenSSL-1.0.1e
gnupg2-2.0.14
gpgsm (GnuPG) 2.0.14
libgcrypt 1.4.5
libksba 1.0.7

We operate a private X.509 Certificate Authority (CA) for our company's own
use based upon OpenSSL-1.0.1e.  Our expertise is limited to issuing and
signing X.509 certificates for use with our https services.  We are in the
process of examining how to best provide email security and GnuPG seems to be
the preferred choice.  At least, I am unable to discover any reasonable
alternative.

Members of our staff already possess certificates and keys authenticated by
our CA.  Therefore it seemed reasonable that these certificates should form
the basis of the PGP keys used by the same people.  After some research we
were able to determine the process involves exporting the X.509 public and
private keys into pkcs12 format and then importing that format into gpg format
using gpgsm.

However, gpgsm does not seem to want to deal with our certificates and I lack
the experience or knowledge to determine exactly why.  So, I am here asking
for your assistance to resolve this problem.

I started with a single certificate and key issued to myself and signed by our
CA:

openssl pkcs12 -export -in 3F.pem -inkey 3F.key -out 3F.p12

I then attempted to import this into my gpg keyring via the command line using
gpgsm:

gpgsm --import 3F.p12

which resulted in this mess:

gpgsm[5321]: can't connect to `/home/byrnejb/.gnupg/S.gpg-agent': No such file
or directory
gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
gpgsm: can't connect to `/home/byrnejb/.gnupg/S.gpg-agent': No such file or
directory
gpgsm: gpg-protect-tool: 2256 bytes of RC2 encrypted text
gpgsm: gpg-protect-tool: processing certBag
gpgsm: gpg-protect-tool: 2376 bytes of 3DES encrypted text
gpgsm: gpg-protect-tool: keygrip: 87B740FA84281D0D48AD535A3A5526567FA2EDBF
gpgsm: gpg-protect-tool: secret key file
`/home/byrnejb/.gnupg/private-keys-v1.d/87B740FA84281D0D48AD535A3A5526567FA2EDBF.key'
already existsdirmngr[5378]: error opening
`/home/byrnejb/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[5378]: permanently loaded certificates: 0
dirmngr[5378]:     runtime cached certificates: 0
dirmngr[5378]: command LOOKUP failed: Not found

gpgsm: dirmngr cache-only key lookup failed: Not found
dirmngr[5378]: command LOOKUP failed: Not found
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: issuer certificate {13A6FB6414425B75F5F0F131CF608807E2601240}
(#01/DC=harte-lyne.ca,L=Hamilton,ST=Ontario,C=CA,O=Harte & Lyne
Limited,OU=Networked Data Services,CN=CA HLL ROOT) not found using
authorityKeyIdentifier
dirmngr[5378]: command LOOKUP failed: Not found
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: issuer certificate
(#/DC=harte-lyne.ca,L=Hamilton,ST=Ontario,C=CA,O=Harte & Lyne
Limited,OU=Networked Data Services,CN=CA HLL ISSUER 01) not found
dirmngr[5378]: command LOOKUP failed: Not found
gpgsm: dirmngr cache-only key lookup failed: Not found
dirmngr[5378]: command LOOKUP failed: Not found
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: issuer certificate {13A6FB6414425B75F5F0F131CF608807E2601240}
(#01/DC=harte-lyne.ca,L=Hamilton,ST=Ontario,C=CA,O=Harte & Lyne
Limited,OU=Networked Data Services,CN=CA HLL ROOT) not found using
authorityKeyIdentifier
dirmngr[5378]: command LOOKUP failed: Not found
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: total number processed: 2
gpgsm:              unchanged: 1
gpgsm:       secret keys read: 1
gpgsm:  secret keys unchanged: 1


I gather from the first line of error that I should be running gpg-agent.  I
have read how to start this for command line sessions but I am hesitant to do
so before getting some expert help.  The session manager I am using for this
is gnome-terminal running from a non-privileged gnome desktop manager
(gnome-desktop.x86_64-2.28.2).  Should I start this from .bash_profile, which
would imply that a new gpg-agent would be started for each new session window?
Or, as some have suggested, start it from .Xsession?  Or perhaps gpg-agent
should not be started at all and I should use some option on gpgsm to avoid
the need for gpg-agent?

In any case, I am also trying to determine how to load our CA root and CA
issuer certificates or at least make them known to gpg/gpgsm as this seems
necessary given what I have read in the man pages.

Guidance on how to proceed at this point would be most welcome.



-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
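A pre-import check, added here as an example that is not part of the original message: the "issuer certificate ... not found" lines above mean gpgsm could not locate the leaf's issuing CA and root, so it is worth confirming with OpenSSL that the leaf actually validates through both before exporting it, and bundling that chain into the PKCS#12 so the importer receives it. The script constructs its own throwaway root, issuer and user certificate; every name, path and password in it is made up, and it assumes OpenSSL 1.1.1 or later.

```shell
# Added example, not from the original post. Builds a throwaway
# root -> issuer -> leaf chain, then shows the check gpgsm failed:
# the leaf validates only when its issuer and root are both on hand,
# and the PKCS#12 can carry them along for the import.
# Assumes OpenSSL >= 1.1.1; every name and password here is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# One config file drives all three certificates (constructed, minimal).
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = root' \
  '[dn]' 'O = Example Corp' 'CN = EXAMPLE ROOT' \
  '[root]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
  'subjectKeyIdentifier = hash' \
  '[ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
  'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid:always' \
  '[leaf]' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = emailProtection' \
  'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid:always' > pki.cnf

# Self-signed root, an issuing CA signed by it, and the user's (leaf) cert.
openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj '/O=Example Corp/CN=EXAMPLE ISSUER 01' -keyout issuer.key -out issuer.csr 2>/dev/null
openssl x509 -req -in issuer.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
  -sha256 -extfile pki.cnf -extensions ca -out issuer.pem 2>/dev/null
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj '/O=Example Corp/CN=user@example.com' -keyout 3F.key -out 3F.csr 2>/dev/null
openssl x509 -req -in 3F.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -days 30 \
  -sha256 -extfile pki.cnf -extensions leaf -out 3F.pem 2>/dev/null

# issuer_dn CERT: the issuer DN gpgsm will try to look up, in RFC 2253 form.
issuer_dn() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }

# chain_ok LEAF ROOT [INTERMEDIATE]: succeed only if LEAF validates up to ROOT.
chain_ok() {
  if [ $# -ge 3 ]; then openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; fi
}

# Export with the issuer chain inside the PKCS#12 so the importer receives it.
cat issuer.pem root.pem > chain.pem
openssl pkcs12 -export -in 3F.pem -inkey 3F.key -certfile chain.pem \
  -passout pass:constructed -out 3F.p12
# certs_in_p12 FILE PASS: how many certificates the PKCS#12 actually carries.
certs_in_p12() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

echo "leaf issuer: $(issuer_dn 3F.pem)"
chain_ok 3F.pem root.pem issuer.pem && echo "chain with issuer: valid"
chain_ok 3F.pem root.pem || echo "chain without issuer: invalid (the condition gpgsm reported)"
echo "certificates in 3F.p12: $(certs_in_p12 3F.p12 constructed)"
```

The second chain_ok call deliberately omits the issuer certificate and fails, which is the situation the gpgsm output above describes; the exported 3F.p12 carries three certificates rather than one.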