GnuPG to create CSR

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jan 13 22:40:35 CET 2017


On Thu 2017-01-12 06:14:06 -0500, Ali Hassan Hamed Al Ajmi (eChannels) wrote:
> Hi,
>
> We are using GPG4win as files encryption tool which utilize "GnuPG"
> crypto engine. One of our requirements is to have certificate signed
> by our internal CA. since we have Microsoft CA, we need to create
> certification request that is compatible with Microsoft CA . Via
> gpg4win GUI, we are able to generate a X.509 keys CR (p10) that does
> not seem compatible with Microsoft CA.

When you say "does not seem compatible with Microsoft CA", i don't know
what that means.  Is there a specific Microsoft CA product that you're
using?  can you provide pointers to it?

can you provide error messages, warnings, or behaviors that indicate
that the CSR you generated is incompatible?  What specific steps did you
take with the Gpg4win gui to generate the CSR?

> Does "GnuPG" support creating CR (CSR) that is compatible with Microsoft CA (from command line/ other tools with GUI)?
> If Yes, how to generate a certification request that is compatible with Microsoft CA (CSR)?
> Can you please guide us to a manual /documentation where we will find such information.

If you want to use a command-line part of the GnuPG suite to create an
X.509 CSR, the tool "gpgsm" should be capable of doing it.

Use:

   gpgsm --gen-key


and follow the prompts.

If it asks you "Create self-signed certificate? (y/N)", you want to
answer "N" (no) because you want the csr instead.

For example (this is not on windows, this is on a GNU/Linux machine, but
it should look similar to what you see in the windows cmd.exe shell:

0 dkg at alice:~$ gpgsm --gen-key
gpgsm (GnuPG) 2.1.17; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=bananas.example
Enter email addresses (end with an empty line):
> 
Enter DNS names (optional; end with an empty line):
> bananas.example
> www.bananas.example
> 
Enter URIs (optional; end with an empty line):
> 
Create self-signed certificate? (y/N) 
These parameters are used:
    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Name-DN: CN=bananas.example
    Name-DNS: bananas.example
    Name-DNS: www.bananas.example

Proceed with creation? (y/N) y
Now creating certificate request.  This may take a while ...
gpgsm: about to sign the CSR for key: &C6962BE32BF3CA7C3207BCECC0FC1CD3C24CC2E7
gpgsm: certificate request created
Ready.  You should now send this request to your CA.
-----BEGIN CERTIFICATE REQUEST-----
MIICsTCCAZkCAQAwGjEYMBYGA1UEAxMPYmFuYW5hcy5leGFtcGxlMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuFLyvrSVb75agoi43FWQJwr4da7IraU1
iv2DBpFQU54Kst8sgs7ocHtgHQAVlCbiJ3XNVAv4brt+kb8ASp6xGXpTVKe5bzCw
/+OPPW5o/ymSF6wlHar7hKWSylTD3Xl6fyQaw1h6LRpY9S0QG2ua3kX1QIp6rWLd
K3Eq/X41+NFBIVeMtlu0FBCVoUDAC65BsIDahPZwDSsXhVNU2lO1TQXyr4ZCZGQb
c6qYnerlplvzjDT/a7WgaKQgYJzbxa6IM1COCCwDQMW4GH9ZsUi77iu+io/A3h/v
8B3WcVe6m6rg8lIChKSXvd1kmC8ueiCTnYKFHGpKZECPS0ec8hcOkQIDAQABoFIw
UAYJKoZIhvcNAQkOMUMwQTAvBgNVHREEKDAmgg9iYW5hbmFzLmV4YW1wbGWCE3d3
dy5iYW5hbmFzLmV4YW1wbGUwDgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBCwUA
A4IBAQARmLx97fNMd2JdPlllA0Kl5bOafXdraLMw7E0gdqoGTcgSy4oKwzYXVXCE
8PcQ5Ld+QSzZRcaEr/cWoZJSPEXX4ahhYPDs14PxNUvDX1R5MUrUGIqUmMQU28Vc
+vxTSmSY/ehvCaCDXDqcTVZjX7pyQ2LGxiy44Sqf8weGL1aHHq6znCJtPUWqpW8n
bMGj34lNPYBXW/95WAAPuLQP6zUDAq6oFf69jVJUKhIZ9Jlkr6XhAKHRpS5VjEeP
Q7PIUMKKM6PMXU1IPMo0X/TfJ7ApUJ0bWWwUTBoHcjAoIIcQCDfBZ+Wh7T9Rvrdm
wKfK8jbgQph4k/9lJXzrEKnXejo7
-----END CERTIFICATE REQUEST-----
0 dkg at alice:$ 


Then you'd copy/paste the stuff between the
"-----BEGIN CERTIFICATE REQUEST-----" and
"-----END CERTIFICATE REQUEST-----" lines (including those lines as
well) into a file that you can import into your CA.

make sense?

     --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170113/f77d12e7/attachment.sig>


More information about the Gnupg-users mailing list