HowTo import externally generated keys and certificates into GpgSM (written by Matthias Welwarsky from here: -- modified slightly by Lance Haverkamp)

Let's assume you have an S/MIME certificate, probably a personal freemail certificate from CAcert or some other Certification Authority. CAcert issues X.509 S/MIME certificates via a web interface, so you cannot have gpgsm generate the certificate request (and thus the private key); your browser does that instead. The problem is that, after the certificate has been issued, it lives inside your browser while you need it in GPGSM.

"Where's the problem?" you might say. "I can always export my certificate as a PKCS#12 certificate bundle and import it into GPGSM."

That's true, but it's a bit more difficult than that. While GPGSM has an import feature for PKCS#12-encoded secret keys, it is limited:

1. GPGSM cannot import the complete PKCS#12 bundle, ONLY the secret key.
2. The key must not be encrypted.

You need to import the secret key, the certificate, and the issuer's certificate. Unfortunately, there seems to be no GPGSM-only solution, but you can get along with a little help from OpenSSL :-)

Here's a step-by-step HOWTO that I used to get my Thawte (or better yet CAcert) certificate into GPGSM:

You must have some extra packages installed. You can do that with synaptic, kamil or simply:

# apt-get install gnupg2 gnupg-agent dirmngr kleopatra gpgsm pinentry-qt

Be sure to un-comment the use-agent line in the gpg.conf file in your ~/.gnupg directory. That means get rid of the # and the space in front of use-agent.

Now end your session and log back in!

1. Export the Certificate from your browser.

You will probably use Mozilla Firefox or Swiftfox, as Konqueror currently lacks support for generating certificate requests. The browser will ask you to specify an Export Password; be sure to remember it for the rest of the procedure. Store the certificate in a file named "certbundle.p12".

2. Use OpenSSL to extract the key from the bundle.

GPGSM currently seems to be unable to handle the complete bundle in one go. You need to extract the pieces yourself. This can be done with the following OpenSSL calls:

First, you must convert the bundle from PKCS#12 into PEM format:

$ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes

OpenSSL will ask you for the Export Password; that's the password you used in your browser to export the certificate. The -nodes option writes the private key unencrypted into certbundle.pem, which is what GPGSM requires, so keep that file to yourself and remove it once the import is done.

Then, extract the key from the bundle and export it, again in PKCS#12 format:

$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes

Again, OpenSSL will ask you for an Export Password, just use the same as in the previous step. Now you have your secret key ready for import into GPGSM:

$ gpgsm --call-protect-tool --p12-import --store certkey.p12

3. Import the issuer's certificate and your own certificate

Now that you have imported your secret key successfully, you need to import the issuer's certificate, too. To obtain this certificate, you may have to browse to the issuer's website and download it, but some sites (CAcert, for example) store their certificate in the bundle you get when you request the certificate. You can then extract it from the file certbundle.pem you generated in the first step, simply with a text viewer. My preferred way is to display the file in vi, mark the issuer certificate with the mouse and paste it into a shell where I have already typed:

$ gpgsm --import

This will import the issuer's certificate. Once you have successfully completed this step, do the same with your own certificate.

If GPGSM did not spit out any error messages, you have now successfully imported your freemail certificate and can use your favourite Aegypten-enabled mailer to send and receive S/MIME messages with your own certificate.

You can check with "gpgsm --list-secret-keys". If your freemail certificate shows up, you're ready to go.
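Steps 2 and 3 above, scripted as an added example that is not part of the original HOWTO: it uses OpenSSL's -cacerts/-clcerts/-nokeys selectors plus a small awk splitter instead of copying blocks out of vi, and it assumes openssl and gpgsm on PATH and the export password in an environment variable PKCS12_PASS (a convention of this script, not of either tool).

```shell
# Added example, not part of the original HOWTO: automates steps 2 and 3.
# Assumes openssl and gpgsm on PATH, the browser export in certbundle.p12 (the
# HOWTO's name) and the export password in PKCS12_PASS (this script's convention).
set -e

# Split a PEM file into one file per CERTIFICATE block (outprefix.1, .2, ...)
# and print how many were found; replaces copying blocks out of vi by hand.
split_pem_certs() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = prefix "." n; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Import every certificate in a PEM file, one gpgsm --import call per block.
import_pem_certs() {
    count=$(split_pem_certs "$1" "$1.cert")
    i=1
    while [ "$i" -le "$count" ]; do
        gpgsm --import "$1.cert.$i"
        i=$((i + 1))
    done
}
import_bundle() {
    bundle=$1
    work=$(mktemp -d)   # holds the unencrypted key briefly; removed at the end
    # Step 2: PKCS#12 -> PEM with the key unencrypted (-nodes), as GPGSM needs,
    # then re-wrap only the key as PKCS#12 and hand it to the protect tool.
    openssl pkcs12 -in "$bundle" -out "$work/certbundle.pem" -nodes \
        -passin env:PKCS12_PASS
    openssl pkcs12 -in "$work/certbundle.pem" -export -nocerts -nodes \
        -out "$work/certkey.p12" -passout env:PKCS12_PASS
    gpgsm --call-protect-tool --p12-import --store "$work/certkey.p12"
    # Step 3: issuer certificate(s) first, then your own certificate.
    openssl pkcs12 -in "$bundle" -nokeys -cacerts -out "$work/issuers.pem" \
        -passin env:PKCS12_PASS
    openssl pkcs12 -in "$bundle" -nokeys -clcerts -out "$work/own.pem" \
        -passin env:PKCS12_PASS
    import_pem_certs "$work/issuers.pem"
    import_pem_certs "$work/own.pem"
    rm -rf "$work"
    gpgsm --list-secret-keys
}

# Run only when asked: PKCS12_PASS=... RUN_IMPORT=1 sh import-p12.sh certbundle.p12
if [ -n "${RUN_IMPORT:-}" ]; then
    import_bundle "${1:-certbundle.p12}"
fi
```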

