On Friday 10 December 2004 21:21, Hauke Seidel wrote:

Hello,

> obtained S/MIME capabilities for KMail. That went very smoothly. However, I
> now have the difficulty that I cannot import my WEB.DE certificate, which I
> exported to the file "freemail.p12". Under Mozilla it works without any
> trouble. I also tried importing all of the WEB.DE.Trustcenter certificates
> as CAs in the Control Center. But the "eMail-Trustcenter" certificate in
> particular did not work.

I also tried that last week and eventually got it to work. Apparently you have to remove the encryption with openssl and then set a passphrase again when reading it in with gpgsm. If I remember correctly, it went roughly like this (see below).

If you manage to send S/MIME-encrypted or signed mails with KMail, please let me know. That is the part I did not manage :-(

Bye,
Thomas

-------------------------------------------------------------------------
(http://lists.gnupg.org/pipermail/gpa-dev/2003-January/001148.html)

Hi all,

after playing a little bit with gpgsm and openssl last night, I have hacked up a micro-HOWTO on how to import S/MIME certificates, e.g. from some freemail service like web.de or CAs like Thawte, into GPGSM. Please have a look at it and tell me if there's an easier way to do this:

HOWTO import externally generated keys and certificates into GPGSM
==================================================================

Let's assume you have an S/MIME certificate, probably a personal freemail certificate from Thawte or some other Certification Authority. Thawte offers X509 S/MIME certificates via a web interface; you cannot have gpgsm generate the Certificate Request and thus the private key, your browser will do that. So the problem is, after the certificate got issued, you have it inside your browser while you need it in GPGSM.

"Where's the problem?" you might say. "I can always export my certificate as a PKCS#12 certificate bundle and import it into GPGSM." That's true, but it's a bit more difficult. While GPGSM has an import feature for PKCS#12 encoded secret keys, it is very limited:

1. GPGSM cannot import the complete PKCS#12 bundle, ONLY the secret key
2. The key must not be encrypted.

You need to import the secret key, the certificate, and the issuer's certificate.
Unfortunately, there seems to be no GPGSM-only solution, but you can get along with a little help from OpenSSL :-)

Here's a step-by-step HOWTO that I used to get my Thawte certificate into GPGSM:

1. Export the certificate from your browser.

You probably have Netscape or Mozilla; Konqueror currently lacks support for generating certificate requests. The browser will ask you to specify an Export Password. Be sure to remember it for the rest of the procedure, and store the certificate in a file "certbundle.p12".

2. Use OpenSSL to extract the key from the bundle.

GPGSM currently seems to be unable to handle the complete bundle in one go. You need to extract the pieces yourself. This can be done with the following OpenSSL calls.

First, you must convert the bundle from PKCS#12 into PEM format:

    bash$ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes

OpenSSL will ask you for the Export Password, that's the password you used in your browser to export the password.

Then, extract the key from the bundle and export it, again in PKCS#12 format:

    bash$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts \
          -nodes

Again, OpenSSL will ask you for an Export Password; just use the same as in the previous step.

Now you have your secret key ready for import into GPGSM:

    bash$ gpgsm --call-protect-tool --p12-import --store certkey.p12

3. Import the issuer's certificate and your own certificate.

Now that you have imported your secret key successfully, you need to import the issuer's certificate, too. To obtain this certificate, you may have to browse to the issuer's website and download it, but Thawte, for example, stores their certificate in the bundle you get when you request the certificate. You can then extract it from the file certbundle.pem you generated in the first step, simply with a text viewer.
My preferred way is to display the file in vi, then mark the issuer certificate with the mouse and copy it into a shell, where before I typed in:

    bash$ gpgsm --import

This will import the issuer's certificate. Once you have successfully completed this step, do the same with your own certificate.

If GPGSM did not spit out any error messages, you have now successfully imported your freemail certificate and can use your favourite Aegypten-enabled mailer to send and receive S/MIME messages with your own certificates.

You can check with "gpgsm --list-secret-keys". If your freemail certificate shows up, you're ready to go.
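
An added example, not part of the original post or HOWTO: a shell helper that replaces the copy-and-paste in step 3 by writing each certificate of certbundle.pem to its own file, and that checks the bundle, which holds the unencrypted key after `-nodes`, is not readable by other users. The function names (`split_pem_certs`, `key_exposed`, `unpack_bundle`) are hypothetical; the openssl calls are the one from the HOWTO plus `openssl x509` to show subject and issuer.

```shell
#!/usr/bin/env bash
# Added example, not part of the original HOWTO. Function names are hypothetical.

# split_pem_certs BUNDLE DIR
# Write each CERTIFICATE block of BUNDLE to DIR/cert-N.pem (bundle order).
# Private-key blocks and "Bag Attributes" text are skipped. Prints the count.
split_pem_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$1"
}

# key_exposed FILE
# Exit 0 if FILE contains an unencrypted private key (what -nodes produces)
# and its mode grants any access to group or others.
key_exposed() {
    grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# unpack_bundle P12
# First openssl call of step 2, run in a private directory, then one file per
# certificate with its subject and issuer, so the issuer can be imported first.
# The body is a subshell so the umask change does not leak into the caller.
unpack_bundle() (
    umask 077
    work=$(mktemp -d) || exit 1
    openssl pkcs12 -in "$1" -out "$work/certbundle.pem" -nodes || exit 1
    if key_exposed "$work/certbundle.pem"; then
        echo "stopping: $work/certbundle.pem is accessible to other users" >&2
        exit 1
    fi
    n=$(split_pem_certs "$work/certbundle.pem" "$work")
    i=1
    while [ "$i" -le "$n" ]; do
        echo "== $work/cert-$i.pem"
        openssl x509 -in "$work/cert-$i.pem" -noout -subject -issuer
        i=$((i + 1))
    done
    echo "delete $work after the import: certbundle.pem holds the unencrypted key" >&2
)
```

After `unpack_bundle certbundle.p12`, feed the issuer's file and then your own to the HOWTO's command, e.g. `gpgsm --import < cert-N.pem`.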