Previous: , Up: Preparation   [Contents][Index]

2.3 Certificate Preparation

To use an OpenPGP card with Scute, it first has to be initialized by generating or loading a key on the card, see the OpenPGP Card How-To. Then a certificate has to be created and imported into GPGSM. This task involves three steps: First, a certificate signing request (CSR) has to be created that matches the key on the card. This certificate signing request then has to be submitted to a certificate authority (CA), which will create the certificate and send it back to you. At last, the certificate has to be imported into GPGSM. This section will explain all of these steps in detail.

Before you start, make sure that the GPG Agent is running, see Prerequisites. There is no need to configure GPGSM, so you can create a CSR with the command:

$ gpgsm --gen-key > floppy-head.csr
Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 3

As we create a certificate for the OpenPGP Card, the option “[3] Direct from card” should be selected.

Serial number of the card: 355F9746499F0D4B4ECEE4928B007D16
Available keys:
   (1) D53137B94C38D9BF6A199706EA6D5253 OPENPGP.1
   (2) B0CD1A9DFC3539A1D6A8B851A11C8665 OPENPGP.2
   (3) 53DB41052CC590A40B403F3E6350E5DC OPENPGP.3
Your selection? 3
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 2

The only operation currently supported is client authentication. For this, the authentication key has to be selected. This is the third key on the card, so the options “[3] OPENPGP.3” and “[2] sign” should be chosen. Note that the key usage is only advisory, and the CA may assign different capabilities.

Enter the X.509 subject name: CN=Floppy Head,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY
Enter email addresses (end with an empty line):
Enter DNS names (optional; end with an empty line):
Enter URIs (optional; end with an empty line):
Create self-signed certificate? (y/N) n

As a last step, the common name and e-mail address of the key owner need to be specified by you. The above are only an example for a fictious person working at a fictious company. DNS names are only meaningful for server certificates and thus should be left empty.

We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:

These parameters are used:
    Key-Type: card:OPENPGP.3
    Key-Length: 1024
    Key-Usage: sign
    Name-DN: CN=Floppy Head,OU="Webserver Team",O="Snake Oil, Ltd",L="Snake Town",ST="Snake Desert",C=XY

Proceed with creation? (y/N) y
Now creating certificate request.  This may take a while ...
gpgsm: about to sign the CSR for key: &53DB41052CC590A40B403F3E6350E5DC

GPGSM will now start working on creating the request. During this time you will be asked once for a passphrase to unprotect the authentication key on the card. A pop up window will appear to ask for it.

When it is ready, you should see the final notice:

gpgsm: certificate request created
Ready.  You should now send this request to your CA.

Now, you may look at the created request:

$ cat floppy-head.csr

The next step is to submit this certificate request to the CA, which can then create a certificate and send it back to you.

If, for example, you use the CA CAcert, then you can log into your account at the CAcert website, choose “Client Certificates -> New”, check “Show advanced options”, paste the above request block into the text field and click on “Submit”. If everything works correctly, a certificate will be shown, which you can cut and paste into a new file floppy-head.crt.

Alternatively if, for example, you set up your own CA with OpenSSL, then you can create your own certificate by issueing a command similar openssl ca -in floppy-head.csr -cert snakeoil-ca-rsa.crt -keyfile snakeoil-ca-rsa.key -out floppy-head.crt. Please see the OpenSSL documentation for more details on how to set up and administrate a certificate authority infrastructure.

In any way you should end up with a certificate file floppy-head.crt, which you then have to import into GPGSM. It is also recommended that you import the root certificate of the CA first in the same fashion.

$ gpgsm --import floppy-head.crt
gpgsm: certificate imported
gpgsm: total number processed: 1
gpgsm:               imported: 1

gpgsm tells you that it has imported the certificate. It is now associated with the key you used when creating the request. To see the content of your certificate, you may now enter:

$ gpgsm -K Floppy
Serial number: 10
       Issuer: /CN=Snake Oil CA/OU=Certificate Authority/O=Snake Oil, Ltd/L=Snake Town/ST=Snake Desert/C=XY/EMail=ca@snakeoil.dom
      Subject: /CN=Floppy Head/OU=Webserver Team/O=Snake Oil, Ltd/ST=Snake Desert/C=XY
     validity: 2006-11-11 14:09:12 through 2007-11-11 14:09:12
     key type: 1024 bit RSA
  fingerprint: EC:93:A2:55:C6:58:7F:C9:9E:96:DB:12:6E:64:99:54:BB:E1:94:68

The option “-K” is used above because this will only list certificates for which a private key is available. To see more details, you may use “--dump-secret-keys” instead of “-K”.

Previous: , Up: Preparation   [Contents][Index]