converting gpg files into PEM and certification change confusion

Wiktor Kwapisiewicz wiktor at metacode.biz
Thu Sep 27 22:34:51 CEST 2018


Hi Jen,

Could you provide links to the documentation that mentions the
"certificate chain"?

I went through these docs but didn't find the exact match:
https://developers.yubico.com/yubikey-val/
https://developers.yubico.com/yubikey-ksm/

PEM format contains X.509 certificates, as used by TLS and S/MIME, not
OpenPGP ones. Likewise, openssl is used to work with X.509 certs;
/etc/ssl/certs/ca-bundle.crt contains X.509 certs too.

Maybe the certs that you mention are for an HTTPS server?

X.509 and OpenPGP are not directly compatible, although both can use the
same cryptographic primitives (like RSA keys).

Kind regards,
Wiktor

On 27.09.2018 20:07, Mead, Jennifer wrote:
> Hi folks, new to gpg and this forum,
> 
> 
> I have used keys for many years, but not in a management role.  Now I am
> installing Yubikey KSM and Validation server.  I thought I understood it
> well enough but apparently that is not true.  While working on the
> validation piece I was requested to convert my certificate chain into a
> pem file and place it where all the parts and pieces of yubikey can get
> to it via the web.  My first what??? moment.  Like what is the
> certificate chain?  I did some research and even though it is mentioned
> quite often by others I have not been able to assert which file that
> actually is.  Here is what is in my .gnupg directory:
> 
> .
> ..
> .#lk0x23dd010.changed.16771
> .#lk0x10c18a0.changed.32015
> .note.swp
> gpg.conf
> note
> private-keys-v1.d
> pubring.gpg
> pubring.gpg~
> random_seed
> S.gpg-agent
> secring.gpg
> trustdb.gpg
> 
> 
> key was created as such:
> 
> gpg --gen-key
> chose: (2) DSA and Elgamal
> Key is valid for? (0) 0
> input name,email,user-id and passphrase
> gpg: key 1234WXYZ marked as ultimately trusted
> public and secret key created and signed.
> 
> then it spit out that it had checked the trustdb and returned these types:
> uid
> pub
> sub
> 
> I then took those keys and turned them into yubikey format and loaded
> them into a db.  I thought all was said and done (LOL).
> 
> So I think one of those files is my supposed "certificate chain"... not
> sure.  Maybe I have not created the chain?
> 
> When I try to convert a file (pubring, secring, trustdb) they all end with:
> 
> [root at cswks99 .gnupg]# openssl dsa -in ~/.gnupg/trustdb.gpg -outform pem
> read DSA key
> unable to load Private Key
> 140528619882384:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
> unable to load Key
> [root at cswks99 .gnupg]# openssl dsa -in ~/.gnupg/secring.gpg -outform pem
> read DSA key
> unable to load Private Key
> 140648490235792:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
> unable to load Key
> 
> 
> 1) I am not sure that (2) DSA and Elgamal will work with the above
> command, it seems like two algorithms and not one (Elgamal is there
> too).  Is that the problem?  Or do I need an intermediary format to
> accomplish this?  What the heck am I doing wrong?  I do have two certs
> on my server as follows:
> 
> /etc/ssl/certs/ca-bundle.trust.crt
> /etc/ssl/certs/ca-bundle.crt
> 
> perhaps they are related?  I don't remember what step created them.
> This is all very confusing to me and I need some gentle nudges in the
> right direction.  Sorry for being such a newbie and not really getting
> any of this.  Any help is greatly appreciated.
> 
> 
> Regards,
> 
> Jen
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 


-- 
https://metacode.biz/@wiktor
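The confusion in this thread comes down to container formats: openssl reads PEM (or DER) holding X.509 and PKCS material, while pubring.gpg and secring.gpg are OpenPGP binary packet streams and trustdb.gpg is GnuPG's own database, so `openssl dsa -in secring.gpg` can never find a "-----BEGIN" line. The following sniffer, added here as an illustration and not part of either message in the thread, decodes the first byte of a file according to RFC 4880's packet-header rules and reports which world the file belongs to. All sample file contents are constructed header bytes, not real keys; the PACKET_TAGS table lists only the tags that appear in GnuPG keyring files.

```python
"""Sniff a key file: PEM/DER (openssl's world) or OpenPGP packets (gpg's)?

Added example, not from the original thread. The SAMPLES below are
constructed headers, not real keys; only the leading bytes are inspected.
"""
from __future__ import annotations

# OpenPGP packet tags found in GnuPG keyring files (RFC 4880, section 4.3).
PACKET_TAGS = {
    2: "Signature",
    5: "Secret-Key",
    6: "Public-Key",
    7: "Secret-Subkey",
    13: "User ID",
    14: "Public-Subkey",
}


def openpgp_packet_tag(first_octet: int) -> int | None:
    """Decode the packet tag from the first octet of an OpenPGP packet header.

    RFC 4880, section 4.2: bit 7 must be set. Bit 6 set means new-format
    (tag in bits 5..0); clear means old-format (tag in bits 5..2).
    Returns None if the octet cannot be a packet header.
    """
    if not first_octet & 0x80:
        return None
    tag = first_octet & 0x3F if first_octet & 0x40 else (first_octet >> 2) & 0x0F
    return tag or None  # tag 0 is reserved and never starts a real stream


def classify(data: bytes) -> str:
    """Return a one-line description of the container format of `data`."""
    head = data.lstrip()
    if not head:
        return "empty file"
    if head.startswith(b"-----BEGIN "):
        # PEM and OpenPGP ASCII armor share the dashed-header syntax, so the
        # label decides: "PGP ..." blocks are armored OpenPGP, not X.509 PEM.
        label = head.split(b"-----", 2)[1][len(b"BEGIN "):].decode("ascii", "replace")
        if label.startswith("PGP "):
            return f"OpenPGP ASCII armor ({label}); not PEM, openssl cannot read it"
        return f"PEM ({label}); what openssl expects"
    if head[0] == 0x30:
        # ASN.1 SEQUENCE tag: binary DER, i.e. PEM without the base64 wrapper.
        return "DER-encoded ASN.1 (X.509/PKCS); use openssl -inform DER"
    tag = openpgp_packet_tag(head[0])
    if tag is not None:
        name = PACKET_TAGS.get(tag, "other")
        return f"OpenPGP binary packets; first packet: {name} (tag {tag})"
    return "neither PEM nor OpenPGP packets"


# Constructed inputs: headers only, no real key material.
SAMPLES = {
    "server.pem":  b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "key.asc":     b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQEN...\n-----END PGP PUBLIC KEY BLOCK-----\n",
    "pubring.gpg": bytes([0x99, 0x00, 0x04, 0x04, 0x5B, 0xAD, 0xBE, 0xEF]),  # old-format tag 6
    "secring.gpg": bytes([0x95, 0x00, 0x04, 0x04, 0x5B, 0xAD, 0xBE, 0xEF]),  # old-format tag 5
    "uid.bin":     bytes([0xCD, 0x03]) + b"Jen",                              # new-format tag 13
    "trustdb.gpg": b"\x01" + bytes(39),   # stand-in for GnuPG's internal trust database
    "server.der":  bytes([0x30, 0x82, 0x01, 0x0A]),                           # ASN.1 SEQUENCE
}


def classify_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, str]:
    """Classify every sample; returned so callers can check the verdicts."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12} {verdict}")
```

Run against a real `~/.gnupg`, the script reports pubring.gpg as "Public-Key (tag 6)" and secring.gpg as "Secret-Key (tag 5)", while trustdb.gpg falls through to "neither": none of them is input that `openssl dsa` or `openssl x509` will accept, which is exactly the "no start line" error in the quoted transcript. The sniffer only looks at the first packet header, so it tells formats apart without parsing or exposing any key material.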


