Tired of using OpenSSL and editing weird configuration files just to
create a certificate?
Fortunately there is an easier way with the
advantage of using an already used system: Since version 1.9.18, GnuPG
is a able to create certificate requests for servers; due to a bug in
the export command, it is however suggested to use version 1.9.19.
Here is a brief run up on how to create a server certificate. It has
actually been done this way to get a certificate from CAcert to be used on a real server.
It has only be tested with this CA, but there shouldn't be any problem
to run this against any other CA.
Before you start, make sure that gpg-agent is running; see the manual
on how to do this ("info gnupg"). As there is no need for a
configuration file, you may simply enter:
$ gpgsm-gencert.sh >a.p10
Key type
[1] RSA
[2] existing key
Your selection: 1
You selected: RSA
I opted for creating a new RSA key. The other option is to use an
already existing key, by selecting "2" and entering the so-called
keygrip. Running
"gpgsm --dump-secret-key USERID" will
show you this keygrip.
Let's continue:
Key length
[1] 1024
[2] 2048
Your selection: 1
You selected: 1024
The script offers just two common key sizes. With the current setup
of CAcert, it does not make much sense to use a 2k key; their
policies need to be revised anyway (a CA root key valid for 30 years
is not really serious).
Key usage
[1] sign, encrypt
[2] sign
[3] encrypt
Your selection: 1
You selected: sign, encrypt
We want to sign and encrypt using this key. This is just a suggestion
and the CA may actually assign other key capabilities.
Now for some real data:
Name (DN)
> CN=kerckhoffs.g10code.com
This is the most important value for a server certificate. Enter here
the canonical name of your server machine. You may add other virtual
server names later.
E-Mail addresses (end with an empty line)
>
We don't need email addresses in a server certificate and CAcert would
anyway ignore such a request. Thus just hit enter.
If you want to create a client certificate for email encryption, this
would be the place to enter your mail address (e.g. joe@example.org).
You may enter as many addresses as you like, however the CA may not
accept them all or reject the entire request.
DNS Names (optional; end with an empty line)
> www.g10code.com
DNS Names (optional; end with an empty line)
> ftp.g10code.com
DNS Names (optional; end with an empty line)
>
Here I entered the names of the servers which actually run on the
machine given in the DN above. The browser will accept a certificate
for any of these names. As usual the CA must approve all of these
names.
URIs (optional; end with an empty line)
>
It is possible to insert arbitrary URIs into a certificate; for a
server certificate this does not make sense.
We have now entered all required information and gpgsm will display
what it has gathered and ask whether to create the certificate request:
Parameters for certificate request to create:
1 Key-Type: RSA
2 Key-Length: 1024
3 Key-Usage: sign, encrypt
4 Name-DN: CN=kerckhoffs.g10code.com
5 Name-DNS: www.g10code.com
6 Name-DNS: ftp.g10code.com
Really create such a CSR?
[1] yes
[2] no
Your selection: 1
You selected: yes
gpgsm will now start working on creating the request. As this includes
the creation of an RSA key, it may take a while. During this time you
will be asked 3 times for a passphrase to protect the created private
key on your system. A pop up window will appear to ask for it. The
first two prompts are for the new passphrase and to re-enter it; the
third one is required to actually create the certificate request.
When it is ready, you should see the final notice:
gpgsm: certificate request created
Now, you may look at the created request:
$ cat a.p10
-----BEGIN CERTIFICATE REQUEST-----
MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
-----END CERTIFICATE REQUEST-----
$
You may now proceed by logging into your account at the
CAcert website, choose "Server
Certificates - New", check "sign by class 3 root certificate", paste
the above request block into the text field and click on "Submit".
If everything works out fine, a certificate will be shown. Now run
$ gpgsm --import
and paste the certificate from the CAcert page into your terminal
followed by a
Ctrl-D
-----BEGIN CERTIFICATE-----
MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
Rtct3tIX
-----END CERTIFICATE-----
gpgsm: issuer certificate (#/CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.) not found
gpgsm: certificate imported
gpgsm: total number processed: 1
gpgsm: imported: 1
gpgsm tells you that it has imported the certificate. It is now
associated with the key you used when creating the request. The root
certificate has not been found, so you may want to import it from the
CACert website.
To see the content of your certificate, you may now enter:
$ gpgsm -K kerckhoffs.g10code.com
/home/foo/.gnupg/pubring.kbx
---------------------------
Serial number: 4C
Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CAcert.org/O=CAcert Inc.
Subject: /CN=kerckhoffs.g10code.com
aka: (dns-name www.g10code.com)
aka: (dns-name ftp.g10code.com)
validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
key type: 1024 bit RSA
key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), serverGatedCrypto.ns (suggested), serverGatedCrypto.ms (suggested)
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
I used "-K" above because this will only list certificates for which a
private key is available. To see more details, you may use
"--dump-secret-keys" instead of "-K". The output has been created
using the current CVS version of GnuPG 1.9; older versions won't show
the dns-names.
To make actual use of the certificate you need to install it on your
server. Server software usally expects a PKCS#12 file with key and
certificate. To create such a file, run:
$ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
You will be asked for the passphrase as well as for a new passphrase
to be used to protect the pkcs#12 file. The file now contains the
certificate as well as the private key:
$ cat kerckhoffs-cert.pem
Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CAcert.org/O=CAcert Inc.
Serial ...: 4C
Subject ..: /CN=kerckhoffs.g10code.com
aka ..: (dns-name www.g10code.com)
aka ..: (dns-name ftp.g10code.com)
-----BEGIN PKCS12-----
MIIHlwIBAzCCB5AGCSqGSIb3DQEHAaCCB4EEggd9MIIHeTCCBJ8GCSqGSIb3DQEH
[...many more lines...]
-----END PKCS12-----
$
Copy this file in a secure way to the server, install it there and
delete the file then. You may export the file again at any time as
long as its is available in GnuPG's private key database.
