
S/MIME Key Management

Short snippets for creating and managing S/MIME keys and certificates with GnuPG's gpgsm.

Disclaimer

I'm not an expert when it comes to S/MIME. These are notes from my first afternoon wrestling this beast. They serve two purposes.

  1. As a cheat sheet for me, because I won't remember this.
  2. As a potential help for someone else.

Key Creation

This is the interactive method. I used pinentry-qt, so the passphrase prompts that follow each step aren't included below. Note that the transcript picks a 1024-bit RSA key; that size is below current minimums, so choose 2048 for anything beyond experimentation.

$ gpgsm-gencert.sh
Key type
[1] RSA
[2] Existing key
[3] Direct from card
Your selection: 1
You selected: RSA
Key length
[1] 1024
[2] 2048
Your selection: 1
You selected: 1024
Key usage
[1] sign, encrypt
[2] sign
[3] encrypt
Your selection: 1
You selected: sign, encrypt
Name (DN)
> C=US, ST=CA, L=Palo Alto, O=Hot Company, CN=Foo Bar, EMAIL=foo@bar.com
E-Mail addresses (end with an empty line)
> foo@bar.com
E-Mail addresses (end with an empty line)
>
DNS Names (optional; end with an empty line)
>
URIs (optional; end with an empty line)
>
Parameters for certificate request to create:
        1  Key-Type: RSA
        2  Key-Length: 1024
        3  Key-Usage: sign, encrypt
        4  Name-DN: C=US, ST=CA, L=Palo Alto, O=Hot Company, CN=Foo Bar, EMAIL=foo@bar.com
        5  Name-Email: foo@bar.com

Really create such a CSR?
[1] yes
[2] no
Your selection: 1
You selected: yes
gpgsm: certificate request created
-----BEGIN CERTIFICATE REQUEST-----
MIIB0zCCATwCAQAwZTEaMBgGA1UEAxMRTWFyaW8gVGhlb2RvcmlkaXMxGTAXBgNV
....
GnCIskCgT1mQ4FmVpll9WMh+rI3TMwnF9fqX+Oy4TlOia9QWXkV1
-----END CERTIFICATE REQUEST-----
  • Then take the above certificate request and have your CA sign it. Assuming the signed certificate is in foo.pem, run
$ gpgsm --import foo.pem
gpgsm: certificate is good
gpgsm: certificate imported
gpgsm: total number processed: 1
gpgsm:               imported: 1
secmem usage: 0/16384 bytes in 0 blocks
  • You will also need the CA certificate (and any intermediates) in gpgsm's keybox, otherwise the chain of your own certificate cannot be validated. Assuming it is in a file called ca.cer, run:
$ gpgsm --import ca.cer
gpgsm: total number processed: 1
gpgsm:              unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks

Make it trusted

  • First get the fingerprint of the imported CA. One way to do this is
$ gpgsm --dump-keys
  • Then sift through the output to find your CA's certificate and take the value of its sha1_fpr field. Something like:
sha1_fpr: E9:97:06:C0:72:09:C0:7C:14:C9:F0:95:14:44:D0:82:45:2F:DC:05
  • Add that to ~/.gnupg/trustlist.txt (the file is read by gpg-agent, not gpgsm) and make gpg-agent re-read it with a kill -HUP or gpgconf --reload gpg-agent:
E9:97:06:C0:72:09:C0:7C:14:C9:F0:95:14:44:D0:82:45:2F:DC:05 *

The '*' at the end means the cert can be used for PGP as well as S/MIME operations. If you only want one or the other, replace it with 'S' or 'P' respectively. Then again, you may not need this for a signing cert. This is one of those things that I'm not exactly clear about at the moment, so don't drink the water just yet.

  • Make sure the line ends with a newline (LF); otherwise gpg-agent fails with
checking the trust list failed: Line too long
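The two procedures above, creating the request and then importing and trusting the certificates, can be run non-interactively. The following script is an added example and is not code from the original page or from GnuPG itself. It assumes GnuPG 2.x with gpgsm, gpg-agent and gpgconf on PATH, uses gpgsm's batch parameter-file mode for the CSR and its --with-colons output for the fingerprint, and all names (the DN components, foo@bar.com, foo.pem, ca.cer, the "CN=Hot Company CA" search pattern) are placeholders. Unlike the transcript it asks for a 2048-bit key, and it trusts the CA for S/MIME only ('S').

```shell
#!/bin/sh
# Added example, not part of the original page: the procedure above done
# non-interactively with gpgsm. Assumes GnuPG 2.x (gpgsm, gpg-agent, gpgconf)
# on PATH; the CN, e-mail, DN components and the CA pattern are placeholders.
set -eu

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
TRUSTLIST="$GNUPGHOME/trustlist.txt"

# Parameter file for "gpgsm --batch --gen-key". 2048-bit RSA rather than the
# 1024 picked in the interactive transcript, which is below current minimums.
write_params() {              # $1 = output file, $2 = CN, $3 = e-mail
    cat > "$1" <<EOF
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: C=US, ST=CA, L=Palo Alto, O=Hot Company, CN=$2
Name-Email: $3
EOF
}

# Generate the key pair in gpg-agent and write a PEM certificate request.
make_csr() {                  # $1 = parameter file, $2 = CSR output path
    gpgsm --batch --armor --gen-key "$1" > "$2"
}

# SHA-1 fingerprint of the first certificate matching a pattern, read from
# the machine-readable "fpr" record instead of eyeballing --dump-keys.
ca_fingerprint() {            # $1 = search pattern, e.g. "CN=Hot Company CA"
    gpgsm --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint to the colon-separated upper-case form shown in
# trustlist.txt (accepts input with or without colons, in any case).
colonize_fpr() {              # $1 = fingerprint
    printf '%s\n' "$1" | tr -d ':' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Append "FINGERPRINT FLAG" to the trust list idempotently. FLAG is S (S/MIME
# only), P (OpenPGP only) or * (both). If the file's last line lacks its LF
# the new entry would be glued onto it and gpg-agent reports "Line too long",
# so that is repaired first.
add_trust() {                 # $1 = trust list path, $2 = fingerprint, $3 = flag
    fpr=$(colonize_fpr "$2")
    mkdir -p "$(dirname "$1")"
    touch "$1"
    if grep -q -F "$fpr" "$1"; then
        return 0                          # already listed (possibly as !disabled)
    fi
    if [ -n "$(tail -c 1 "$1")" ]; then   # last byte is not a newline
        printf '\n' >> "$1"
    fi
    printf '%s %s\n' "$fpr" "$3" >> "$1"
}

# Make gpg-agent re-read trustlist.txt (the page's "kill -HUP" does the same).
reload_agent() {
    gpgconf --reload gpg-agent
}

case "${1:-}" in
    request)   # step 1: create the CSR to hand to the CA
        write_params params.txt "Foo Bar" "foo@bar.com"
        make_csr params.txt request.pem
        echo "CSR written to request.pem; have the CA sign it." ;;
    install)   # step 2: import signed cert and CA cert, trust the CA, reload
        gpgsm --import foo.pem
        gpgsm --import ca.cer
        add_trust "$TRUSTLIST" "$(ca_fingerprint 'CN=Hot Company CA')" S
        reload_agent ;;
esac
```

Run `sh smime-setup.sh request`, send request.pem to the CA, save the result as foo.pem next to ca.cer, then run `sh smime-setup.sh install`. The trust-list helper is deliberately separate from the gpgsm calls so the newline repair and the duplicate check can be exercised on a scratch file before touching the real ~/.gnupg/trustlist.txt.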

Listing Keys

  • To list all keys
$ gpgsm --list-keys
  • To list all secret keys
$ gpgsm --list-secret-keys

Zapping Passwords

  • To remove the passphrase (useful in development environments, never on a key you care about) run
$ gpgsm --passwd foo@bar.com

Then enter the original passphrase, followed by an empty passphrase, confirming each time that you really want an unprotected key.


Copyright © 2007-2015 Mario Theodoridis. All rights reserved. Content licensed under AFL.