converting gpg files into PEM and certification change confusion

Mead, Jennifer Jennifer.Mead at pacificorp.com
Thu Sep 27 20:07:59 CEST 2018


Hi folks, new to gpg and this forum,


I have used keys for many years, but not in a management role.  Now I am installing Yubikey KSM and Validation server.  I thought I understood it well enough but apparently that is not true.  While working on the validation piece I was requested to convert my certificate chain into a pem file and place it where all the parts and pieces of yubikey can get to it via the web.  My first what??? moment.  Like what is the certificate chain?  I did some research and even though it is mentioned quite often by others I have not been able to assert which file that actually is.  Here is what is in my .gnupg directory:

.   gpg.conf                                   .#lk0x23dd010.changed.16771  .note.swp          pubring.gpg   random_seed  S.gpg-agent
..  .#lk0x10c18a0.changed.32015  note                                       private-keys-v1.d  pubring.gpg~  secring.gpg  trustdb.gpg


key was created as such:

gpg --gen-key
chose: (2) DSA and Elgamal
Key is valid for? (0) 0
input name,email,user-id and passphrase
gpg: key 1234WXYZ marked as ultimately trusted
public and secret key created and signed.

then it spit out that it had checked the trustdb and returned these types:
uid
pub
sub

I then took those keys and turned them into yubikey format and loaded them into a db.  I thought all was said and done (LOL).

So I think one of those files is my supposed "certificate chain"... not sure.  Maybe I have not created the chain?

When I try to convert a file (pubring, secring, trustdb) they all end with:

[root@cswks99 .gnupg]# openssl dsa -in ~/.gnupg/trustdb.gpg -outform pem
read DSA key
unable to load Private Key
140528619882384:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
unable to load Key
[root@cswks99 .gnupg]# openssl dsa -in ~/.gnupg/secring.gpg -outform pem
read DSA key
unable to load Private Key
140648490235792:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
unable to load Key


1) I am not sure that (2) DSA and Elgamal will work with the above command, it seems like two algorithms and not one (Elgamal is there too).  Is that the problem?  Or do I need an intermediary format to accomplish this?  What the heck am I doing wrong?  I do have two certs on my server as follows:

/etc/ssl/certs/ca-bundle.trust.crt
/etc/ssl/certs/ca-bundle.crt

perhaps they are related?  I don't remember what step created them.  This is all very confusing to me and I need some gentle nudges in the right direction.  Sorry for being such a newbie and not really getting any of this.  Any help is greatly appreciated.


Regards,

Jen
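
An added example, not part of the original post: the `no start line` error in the openssl sessions above means the PEM reader found no `-----BEGIN ...-----` line, and the files in `.gnupg` are OpenPGP packet data or GnuPG's trust database, not PEM. The sketch below tells these containers apart by their leading bytes; `classify` and `openpgp_tag` are hypothetical helper names and the sample byte strings are constructed.

```python
import re

# OpenPGP packet tags that start a key (RFC 4880, section 4.3).
OPENPGP_KEY_TAGS = {5: "secret key", 6: "public key",
                    7: "secret subkey", 14: "public subkey"}
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)


def openpgp_tag(first: int):
    """Return the packet tag encoded in an OpenPGP header byte, or None."""
    if not first & 0x80:            # bit 7 is set in every packet header
        return None
    if first & 0x40:                # new-format header: tag in bits 5..0
        return first & 0x3F
    return (first & 0x3C) >> 2      # old-format header: tag in bits 5..2


def classify(data: bytes) -> str:
    """Name the container format of a key or certificate file."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels and labels[0].startswith("PGP "):
        return "OpenPGP ASCII armor (%s)" % labels[0]
    if labels:                      # a chain is several CERTIFICATE blocks
        return "PEM x%d (%s)" % (len(labels), labels[0])
    if data[:4] == b"\x01gpg":      # version record of trustdb.gpg
        return "GnuPG trust database"
    tag = openpgp_tag(data[0]) if data else None
    if tag in OPENPGP_KEY_TAGS:
        return "OpenPGP binary keyring (%s)" % OPENPGP_KEY_TAGS[tag]
    if data[:1] == b"\x30":         # ASN.1 SEQUENCE, e.g. a DER certificate
        return "DER (ASN.1 SEQUENCE)"
    return "unknown"


# Constructed sample bytes: only the leading bytes matter to the classifier.
SAMPLES = {
    "pubring.gpg": b"\x99\x03\x2e\x04" + bytes(8),
    "secring.gpg": b"\x95\x03\x63\x04" + bytes(8),
    "trustdb.gpg": b"\x01gpg\x03\x03\x01\x05" + bytes(8),
    "chain.pem": b"-----BEGIN CERTIFICATE-----\nAAAA\n"
                 b"-----END CERTIFICATE-----\n" * 2,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-12s %s" % (name, classify(blob)))
```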
