Re: kleopatra does not import WEB.DE certificate
On Friday 10 December 2004 21:21, Hauke Seidel wrote:
Hello,
> S/MIME capabilities for KMail. That went without any problems. But I now
> have the difficulty that I cannot import my WEB.DE certificate, which I
> exported to the file "freemail.p12". Under Mozilla it works without further
> ado. I also tried importing all the WEB.DE Trustcenter certificates as CAs
> in the Control Center. But it was precisely the "eMail-Trustcenter"
> certificate that did not work.
I tried that last week as well and eventually got it to work. Apparently
you have to remove the encryption with openssl and then set a passphrase
again when reading the key in with gpgsm. If I remember correctly, it went
roughly like this (see below).
If you manage to send S/MIME-encrypted or signed mails with KMail, please
let me know. That is the part I did not manage afterwards :-(
Bye, Thomas
-------------------------------------------------------------------------
(http://lists.gnupg.org/pipermail/gpa-dev/2003-January/001148.html)
Hi all,
after playing a little bit with gpgsm and openssl last night, I have hacked up
a micro-HOWTO on how to import S/MIME certificates, e.g. from some freemail
service like web.de or CAs like Thawte into GPGSM. Please have a look at it
and tell me if there's an easier way to do this:
HOWTO import externally generated keys and certificates into GPGSM
==================================================================
Let's assume you have an S/MIME certificate, probably a personal freemail
certificate from Thawte or some other Certification Authority. Thawte offers
X509 S/MIME certificates via a web interface, so you cannot have gpgsm generate
the Certificate Request and thus the private key; your browser will do that.
So the problem is, after the certificate got issued, you have it inside your
browser while you need it in GPGSM.
"Where's the problem?" you might say. "I can always export my certificate as a
PKCS#12 certificate bundle and import it into GPGSM."
That's true, but it's a bit more difficult. While GPGSM has an import feature
for PKCS#12 encoded secret keys, it is very limited:
1. GPGSM cannot import the complete PKCS#12 bundle, ONLY the secret key
2. The Key must not be encrypted.
You need to import the secret key, the certificate, and the issuer's
certificate. Unfortunately, there seems to be no GPGSM-only solution, but you
can get along with a little help from OpenSSL :-)
Here's a step-by-step HOWTO that I used to get my Thawte certificate into
GPGSM:
1. Export the Certificate from your browser.
You probably have Netscape or Mozilla; Konqueror currently lacks support for
generating certificate requests. The browser will ask you to specify an
Export Password, be sure to remember it for the rest of the procedure, and
store the certificate into a file "certbundle.p12".
2. Use OpenSSL to extract the key from the bundle.
GPGSM currently seems to be unable to handle the complete bundle in one go.
You need to extract the pieces yourself. This can be done with the following
OpenSSL calls:
First, you must convert the bundle from PKCS#12 into PEM format:
bash$ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes
OpenSSL will ask you for the Export Password, that's the password you used in
your browser to export the certificate.
Then, extract the key from the bundle and export it, again in PKCS#12 format:
bash$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts \
-nodes
Again, OpenSSL will ask you for an Export Password, just use the same as in
the previous step. Now you have your secret key ready for import into GPGSM:
bash$ gpgsm --call-protect-tool --p12-import --store certkey.p12
3. Import the issuer's certificate and your own certificate
Now that you have imported your secret key successfully, you need to import
the issuer's certificate, too. To obtain this certificate, you may have to
browse to the issuer's website and download it, but Thawte for example stores
their certificate in the bundle you get when you request the certificate. You
can then extract it from the file certbundle.pem you generated in the first
step, simply with a text viewer. My preferred way is to display the
file in vi, then mark the issuer certificate with the mouse and copy it into a
shell, where I have previously typed:
bash$ gpgsm --import
This will import the issuer's certificate. Once you have successfully completed
this step, do the same with your own certificate.
If GPGSM did not spit out any error messages, you have now successfully
imported your freemail certificate and can use your favourite, Aegypten-enabled
mailer to send and receive S/MIME messages with your own certificates.
You can check with "gpgsm --list-secret-keys". If your freemail certificate
shows up, you're ready to go.
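A small helper script, added here and not part of the quoted HOWTO or of GnuPG, that automates the copy-from-vi part of step 3: it splits the certbundle.pem written by the first openssl call into one file per PEM block and hands each certificate block to "gpgsm --import". The function names (split_pem, pem_type, count_certs, import_certs, write_demo_bundle), the script name import_helper.sh and the demo bundle are my own; the demo bundle's base64 is placeholder text constructed for the example, not key material, and the only assumption made about openssl's output is the standard BEGIN/END block layout.

```shell
#!/bin/sh
# Added helper, not part of the quoted HOWTO: splits the PEM file written by
#   openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes
# into one file per PEM block so that the issuer certificate and your own
# certificate can be handed to "gpgsm --import" without copying them out of
# vi by hand. The "Bag Attributes", "subject=" and "issuer=" lines openssl
# prints above each block are dropped; gpgsm only needs the block itself.

# split_pem BUNDLE OUTDIR
# Writes OUTDIR/block-1.pem, OUTDIR/block-2.pem, ... and prints how many
# blocks were written.
split_pem() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN / { n++; out = sprintf("%s/block-%d.pem", dir, n); inblock = 1 }
        inblock        { print > out }
        /^-----END /   { close(out); inblock = 0 }
        END            { print n + 0 }
    ' "$bundle"
}

# pem_type FILE: prints the PEM label of FILE, e.g. CERTIFICATE or PRIVATE KEY
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# count_certs DIR: number of split files in DIR that hold a certificate
count_certs() {
    n=0
    for f in "$1"/block-*.pem; do
        [ -e "$f" ] || continue
        if [ "$(pem_type "$f")" = CERTIFICATE ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# import_certs DIR: run "gpgsm --import" on every certificate block in DIR,
# in bundle order. Skipped with a message when gpgsm is not installed.
import_certs() {
    if ! command -v gpgsm >/dev/null 2>&1; then
        echo "gpgsm not found, nothing imported" >&2
        return 0
    fi
    for f in "$1"/block-*.pem; do
        [ -e "$f" ] || continue
        [ "$(pem_type "$f")" = CERTIFICATE ] || continue
        gpgsm --import "$f"
    done
}

# write_demo_bundle FILE: a constructed bundle in the layout openssl pkcs12
# produces. The base64 is placeholder text, not a real key or certificate.
write_demo_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: constructed example key
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZLCBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: constructed example user certificate
subject=/CN=user@example.org
issuer=/CN=Constructed Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCwgdXNlcg==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: constructed example issuer certificate
subject=/CN=Constructed Example CA
issuer=/CN=Constructed Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCwgaXNzdWVy
-----END CERTIFICATE-----
EOF
}

umask 077   # certbundle.pem carries the unencrypted private key (-nodes)

if [ $# -ge 1 ]; then
    # Real use: sh import_helper.sh certbundle.pem
    workdir=$(mktemp -d)
    split_pem "$1" "$workdir/parts" >/dev/null
    import_certs "$workdir/parts"
else
    # No argument: exercise the splitter on the constructed bundle only;
    # nothing is imported into any keyring.
    demo=$(mktemp -d)
    write_demo_bundle "$demo/certbundle.pem"
    echo "blocks: $(split_pem "$demo/certbundle.pem" "$demo/parts")"   # blocks: 3
    echo "certificates: $(count_certs "$demo/parts")"                 # certificates: 2
fi
```

Because the HOWTO's first openssl call uses -nodes, certbundle.pem and the split files hold the private key in the clear; the script therefore sets umask 077, and both the bundle and the temporary directory should be removed once "gpgsm --list-secret-keys" shows the certificate. The helper imports certificate blocks in the order they appear in the bundle; if you want to follow the HOWTO's issuer-first order by hand, "openssl x509 -noout -subject -issuer -in block-N.pem" tells you which block is which.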