Generating GnuPG S/MIME key pair
Werner Koch
wk at gnupg.org
Tue Apr 28 09:26:16 CEST 2015
On Mon, 27 Apr 2015 22:07, dkbryant at gmail.com said:
> gpgsm: no issuer found in certificate
> gpgsm: basic certificate checks failed - not imported
Your root certificate is not valid. An Issuer is required and that
issuer must match the Subject. Also certain other fields are required
for a root certificate. I suggest using a tool like tinyca2 to create
your own CA or use one of the scripts which come with OpenSSL to set up a
CA (you need a Unix shell on Windows, though).

gpgsm 2.1 has a much improved certificate generation. You may create a
self-signed certificate directly:
--8<---------------cut here---------------start------------->8---
$ gpgsm --gen-key
Please select what kind of key you want:
(1) RSA
(2) Existing key
(3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
(1) sign, encrypt
(2) sign
(3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=test cert
Enter email addresses (end with an empty line):
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=test cert
Proceed with creation? (y/N)
--8<---------------cut here---------------end--------------->8---
This works well on Windows - however the installer for 2.1.3 is a bit
experimental.

  gpgsm --export-secret-key-p8 -a KEYID

may then be used to export the private key in PKCS#8 format (what Apache
etc. requires).
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
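
Added example, not part of the message above and not GnuPG code: a standard-library Python check that reads the issuer and subject names from a DER-encoded certificate and reports the two root-certificate problems the reply names (no issuer, issuer not matching the subject). All function names are hypothetical, the names are compared byte for byte as an assumption of this example, and the inputs are constructed structures with dummy key and signature fields.

```python
# Added example; sample_cert() builds constructed test data, not real certificates.

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, body, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split the body of a constructed type into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def root_name_problems(cert_der):
    """Check the two conditions named in the reply for a root certificate."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] version field
        tbs = tbs[1:]
    issuer, subject = tbs[2][1], tbs[4][1]  # serial, sigAlg, issuer, validity, subject
    problems = []
    if not issuer:
        problems.append("issuer is empty")
    if issuer != subject:  # assumption: byte-wise comparison of the encoded names
        problems.append("issuer does not match subject")
    return problems

def tlv(tag, body=b""):
    assert len(body) < 0x80  # short-form lengths are enough for the samples
    return bytes([tag, len(body)]) + body

def name(cn):  # Name with one CN attribute (OID 2.5.4.3); None gives an empty Name
    rdn = b"" if cn is None else tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode())))
    return tlv(0x30, rdn)

def sample_cert(issuer_cn, subject_cn):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    valid = tlv(0x30, tlv(0x17, b"150428000000Z") + tlv(0x17, b"250428000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + valid + name(subject_cn) + tlv(0x30))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

To check a certificate file, pass its DER bytes to `root_name_problems()`; a PEM file has to be base64-decoded first.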