Import a pkcs12 certificate chain

Ian Prideaux worzel at
Wed Apr 27 13:47:32 CEST 2016

On 26/04/16 15:09, Damien Goutte-Gattat wrote:
> On 04/26/2016 02:47 PM, Ian Prideaux wrote:
>> The Symantec command is: pgp --new-passphrase newpp --passphrase
>> oldpp --import CertificateChain.p12
>> However, I can't figure out what the gpg2 command is, or even if
>> gnupg is capable of this.
> I am not sure I understand your workflow and what you want to achieve
> exactly.
No, I'm not sure either. This is a system that I've inherited, with no
documentation :-(

Every other third party uses keypairs that are generated by the
pgp --gen-key command. I don't understand what is gained by using a
keypair which is generated from a certificate chain.

> But, as a starting point, you must know that the gpg2 program only deals
> with OpenPGP keys and messages. To manipulate X.509 certificates, you
> need gpgsm (another component of the GnuPG project) instead.
> Presumably, the command you need should be
> $ gpgsm --import CertificateChain.p12
> to import the certificate and key from the PKCS#12 file into your
> keyring. Then you would probably use the --export command to export back
> the certificate only and send it to your third party.
Yes that works. However I'm having trouble exporting the old
certificate-generated-keys from symantec. gpg2 uses the same keyring
format as symantec, so I can just copy and rename the keyring files.
gpgsm uses it's own keyring format, and doesn't interoperate with gpg2.
I'd have to write code specifically to deal with that one customer.

More information about the Gnupg-users mailing list