
Re: kleopatra does not import WEB.DE certificate



On Friday 10 December 2004 21:21, Hauke Seidel wrote:
Hello,

> S/MIME capabilities for KMail. That went without any problems. But now
> I have the difficulty that I cannot import my WEB.DE certificate, which I
> exported into the file "freemail.p12". Under Mozilla it works without any
> trouble. I also tried importing all the WEB.DE Trustcenter certificates as
> CAs in the Control Centre. The "eMail-Trustcenter" certificate in particular
> did not work.

I tried that last week as well and eventually got it to work.
Apparently you have to remove the encryption with openssl and then set
a passphrase again when reading the key in with gpgsm. If I remember
correctly, it went roughly like this (see below).

If you manage to send S/MIME-encrypted or signed mails with KMail,
please let me know. That is the part I did not manage afterwards :-(

Bye, Thomas


-------------------------------------------------------------------------
(http://lists.gnupg.org/pipermail/gpa-dev/2003-January/001148.html)
Hi all,

after playing a little bit with gpgsm and openssl last night, I have hacked up 
a micro-HOWTO on how to import S/MIME certificates, e.g. from some freemail 
service like web.de or CAs like Thawte into GPGSM. Please have a look at it 
and tell me if there's an easier way to do this:

HOWTO import externally generated keys and certificates into GPGSM
==================================================================

Let's assume you have an S/MIME certificate, probably a personal freemail 
certificate from Thawte or some other Certification Authority. Thawte offers 
X509 S/MIME certificates via a web interface; you cannot have gpgsm generate 
the Certificate Request and thus the private key, your browser will do that. 
So the problem is, after the certificate got issued, you have it inside your 
browser while you need it in GPGSM.

"Where's the problem?" you might say. "I can always export my certificate as a 
PKCS#12 certificate bundle and import it into GPGSM."
 
That's true, but it's a bit more difficult. While GPGSM has an import feature 
for PKCS#12 encoded secret keys, it is very limited:

1. GPGSM cannot import the complete PKCS#12 bundle, ONLY the secret key
2. The Key must not be encrypted.

You need to import the secret key, the certificate, and the issuers 
certificate. Unfortunately, there seems to be no GPGSM-Only solution, but you 
can get along with a little help from OpenSSL :-)

Here's a step-by-step HOWTO that I used to get my Thawte certificate into 
GPGSM:

1. Export the Certificate from your browser. 

You probably have Netscape or Mozilla; konqueror currently lacks support for
generating certificate requests. The browser will ask you to specify an 
Export Password, be sure to remember it for the rest of the procedure, and 
store the certificate into a file "certbundle.p12".

2. Use OpenSSL to extract the key from the bundle. 

GPGSM currently seems to be unable to handle the complete bundle in one go. 
You need to extract the pieces yourself. This can be done with the following 
OpenSSL calls:

First, you must convert the bundle from PKCS#12 into PEM format:

bash$ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes

OpenSSL will ask you for the Export Password, that's the password you used in 
your Browser to export the certificate.

Then, extract the key from the bundle and export it, again in PKCS#12 format

bash$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes

Again, OpenSSL will ask you for an Export Password, just use the same as in 
the previous step. Now you have your secret key ready for import into GPGSM:

bash$ gpgsm --call-protect-tool --p12-import --store certkey.p12

3. Import the Issuers certificate and your own certificate

Now that you have imported your secret key successfully, you need to import 
the issuers certificate, too. To obtain this certificate, you may have to 
browse to the issuers website and download it, but Thawte for example stores 
their certificate in the bundle you get when you request the certificate. You 
can then extract it from the file certbundle.pem you generated in the first 
step, simply with a text viewer. My preferred way is to display the
file in vi, then mark the issuer certificate with the mouse and copy it into a 
shell, where before I typed in:

bash$ gpgsm --import

This will import the issuers certificate. Once you have successfully completed 
this step, do the same with your own certificate.

If GPGSM did not spit out any error messages, you have now successfully 
imported your freemail certificate and can use your favourite, Aegypten-enabled 
mailer to send and receive S/MIME messages with your own certificates.

You can check with "gpgsm --list-secret-keys". If your freemail certificate 
shows up, you're ready to go.
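The procedure from the quoted HOWTO as one shell script. This is an added example, not code from either post: it runs the two openssl calls and the gpgsm protect-tool import as written above, then splits the PEM bundle into one file per certificate so each can be given to "gpgsm --import" directly instead of being copied out of vi. It assumes the bundle lists the issuer certificate before your own, as the HOWTO says Thawte's does; the sample bundle at the bottom is constructed with dummy base64 lines.

```shell
# Added example, not code from the original posts. Automates the HOWTO above:
# unwrap the PKCS#12 bundle with openssl, hand the key to gpgsm's protect-tool,
# then import each certificate separately instead of copy-pasting it from vi.

# split_certs BUNDLE.pem OUTDIR: write each CERTIFICATE block to OUTDIR/cert-N.pem
# (the PRIVATE KEY block is skipped) and print how many certificates were written.
split_certs() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# import_p12 certbundle.p12: steps 2 and 3 of the HOWTO with the commands as
# written there; openssl prompts for the export passwords, gpgsm for the new one.
import_p12() {
    work=$(mktemp -d)
    openssl pkcs12 -in "$1" -out "$work/bundle.pem" -nodes
    openssl pkcs12 -in "$work/bundle.pem" -export -out "$work/key.p12" -nocerts -nodes
    gpgsm --call-protect-tool --p12-import --store "$work/key.p12"
    n=$(split_certs "$work/bundle.pem" "$work")
    i=1
    while [ "$i" -le "$n" ]; do          # issuer first, then your own certificate
        gpgsm --import "$work/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$work"
    gpgsm --list-secret-keys            # your freemail certificate should show up
}

# Constructed sample of what "openssl pkcs12 -nodes" writes (assumed layout);
# the base64 lines are dummies, not real key or certificate data.
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
Bag Attributes
    friendlyName: Thawte Freemail Member
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAdummykeydummykey
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: Thawte Personal Freemail CA
-----BEGIN CERTIFICATE-----
MIICxDCCAi2gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBvTELMAkGA1UEBhMCWkEx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDKjCCApOgAwIBAgIQZ7mx5O5Z1J1S0sbhqsY3azANBgkqhkiG9w0BAQUFADCB
-----END CERTIFICATE-----
EOF
```

Run "import_p12 certbundle.p12" with openssl and gpgsm installed; "split_certs certbundle.pem somedir" alone only needs awk.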
