Re: [INTERNET] Re: converting gpg files into PEM and certification change confusion

2018-09-28 Thread Werner Koch
On Fri, 28 Sep 2018 09:52, gnupg-users@gnupg.org said:

> You can get a free certificate from Let's Encrypt, they are valid for 3
> months.

.. and you can automated the update of the certificates.  There are lot
of tools for this; we at gnupg.org use the Dehydrated script.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpArHa87852G.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: [INTERNET] Re: converting gpg files into PEM and certification change confusion

2018-09-28 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Jen,

On 27.09.2018 22:43, Mead, Jennifer wrote:
> Hi Wiktor,
> 
> On this page https://developers.yubico.com/yubikey-val/Installation.html
> 
> Step 7
> You will need to place the private key in 
> /etc/ssl/private/api.example.com-key.pem and the certificate chain in 
> /etc/ssl/private/api.example.com-chain.pem.

Yes, then this is only related to SSL keys used by the server and
doesn't have anything to do with your OpenPGP/GPG keys.

They are a completely separate set of keys, and this looks like a
standard HTTPS setup. You can get some guides by searching for "ssl
apache". Generally the procedure is to generate new pair of keys,
generate CSR, then use the CSR to buy an SSL certificate. CA will
provide you with their certificate chain.

You can get a free certificate from Let's Encrypt, they are valid for 3
months.

Kind regards,
Wiktor

> 
> regards,
> Jen
> 
> From: Wiktor Kwapisiewicz 
> Sent: Thursday, September 27, 2018 1:34 PM
> To: Mead, Jennifer
> Cc: gnupg-users@gnupg.org
> Subject: [INTERNET] Re: converting gpg files into PEM and certification 
> change confusion
> 
> ** STOP. THINK. External Email **
> 
> --
> 
> Hi Jen,
> 
> Could you provide links to the documentation that mentions the
> "certificate chain"?
> 
> I went through these docs but didn't find the exact match:
> https://developers.yubico.com/yubikey-val/
> https://developers.yubico.com/yubikey-ksm/
> 
> PEM format contains X.509 certificates, as used by TLS and S/MIME, not
> OpenPGP ones. Likewise openssl is used to work with X.509 certs,
> /etc/ssl/certs/ca-bundle.crt contains X.509 certs too.
> 
> Maybe the certs that you mention are for HTTPS server?
> 
> X.509 and OpenPGP are not compatible directly, although both can use
> same cryptographic primitives (like RSA keys).
> 
> Kind regards,
> Wiktor
> 
> On 27.09.2018 20:07, Mead, Jennifer wrote:
>> Hi folks, new to gpg and thid forum,
>>
>>
>> I have used keys for many years, but not in a mangement role.  Now I am
>> installing Yubikey KSM and Validation server.  I thought I understood it
>> well enough but apparently that is not true.  While working on the
>> validation piece I was requested to convert my certificate chain into a
>> pem file and place it where all the parts and pieces of yubikey can get
>> to it via the web.  My first what??? moment.  Like what is the
>> certificate chain?  I did some research and even though it is mentioned
>> quite often by others I have not been able to assert which file that
>> actuall is.  Here is what is in my .gnupg directory:
>>
>> .   gpg.conf
>> .#lk0x23dd010.changed.16771  .note.swp  pubring.gpg
>> random_seed  S.gpg-agent
>> ..  .#lk0x10c18a0.changed.32015
>> note   private-keys-v1.d
>> pubring.gpg~  secring.gpg  trustdb.gpg
>>
>>
>> key was created as such:
>>
>> gpg --gen-key
>> chose: (2) DSA and Elgamal
>> Key is valid for? (0) 0
>> input name,email,user-id and passphrase
>> gpg: key 1234WXYZ marked as ultimately trusted
>> public and secret key created and signed.
>>
>> then it spit out that it was checked the trustdb returned these types:
>> uid
>> pub
>> sub
>>
>> I then took those keys and turned them into yubikey format and loaded
>> them into a db.  I thought all was said and done (LOL).
>>
>> So I think one of those files is my supposed "certificate chain"... not
>> sure.  Maybe I have not created the chain?
>>
>> When I try to convert a file (pubring, secring, trustdb) they all end with:
>>
>> [root@cswks99 .gnupg]# openssl dsa -in ~/.gnupg/trustdb.gpg -outform pem
>> read DSA key
>> unable to load Private Key
>> 140528619882384:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
>> unable to load Key
>> [root@cswks99 .gnupg]# openssl dsa -in ~/.gnupg/secring.gpg -outform pem
>> read DSA key
>> unable to load Private Key
>> 140648490235792:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
>> unable to load Key
>>
>>
>> 1) I am not sure that (2) DSA and Elgamal will work with the above
>> command, it seems like two alogrythms and not one (Elgamal is there
>> too).  Is that the problem?  Or do I need an intermediary format to
>> accomplish this?  What the heck am I doing wrong.  I do have two certs
>> on my ser