Creating a new X.509 certificate from your PGP key pair
This page complements http://wiki.cacert.org/ConvertingCertificateToPgp by describing the other way round.
The following tools are needed: GnuPG, openpgp2ssh from the monkeysphere project and openssl.
The steps described were performed on a virtual machine running Ubuntu.
- You have already created a PGP key pair using RSA keys. Its secret key entry looks like this:
sec 2048R/059B4809 2011-10-29 [valid to: 2013-12-31]
The PGP key ID is $KEYID (in this example 059B4809).
- openpgp2ssh only works if the secret key is not password-protected, so the protection may have to be removed first. The corresponding gpg command is:
gpg --edit-key $KEYID
Then use the passwd sub-command to remove the password.
- Now it's time to export the PGP key and hand it over to openpgp2ssh:
gpg --export-secret-key $KEYID | openpgp2ssh $KEYID > id_rsa
id_rsa's content should look like:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
-----END RSA PRIVATE KEY-----
- Next a Certificate Signing Request (CSR) can be generated:
openssl req -new -key id_rsa -out id_rsa.csr
id_rsa.csr's content should look like:
-----BEGIN CERTIFICATE REQUEST-----
MIIC9jCCAd4CAQAwgZkxCzAJBgNVBAYTAkRFMRMwEQYDVQQIEwpTb21lLVN0YXRl[...]
-----END CERTIFICATE REQUEST-----
Now you have a CSR. Log in to the CAcert web page -> "Client Certificates" -> "New" -> choose the registered email address, tick "Show advanced options", paste the content of id_rsa.csr into the input field headed "Optional Client CSR, no information on the certificate will be used", and press "Next".
- CAcert should notify you that the certificate can be retrieved.
Copy the content of the certificate and of the file id_rsa into one file, email@address.pem. Its content should look like:
-----BEGIN CERTIFICATE-----
MIIFRjCCAy6gAwIBAgIDCuP8MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0s2wNIWuUzuBYU9U0cK/mGa4LMtsWTEZEFTQhHj2eg4ZHmdt[...]
-----END RSA PRIVATE KEY-----
- Finally create a PKCS#12 container:
openssl pkcs12 -export -in email@address.pem -out email@address.pem.p12
You may now import your key pair into your email client.
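Before building the PKCS#12 container it is worth confirming that the certificate CAcert issued really belongs to the private key sitting next to it in email@address.pem (the same check openssl performs when comparing the output of `x509 -noout -modulus` and `rsa -noout -modulus`). The Python below is an added example, not part of this page's procedure or of any of the tools it uses: it parses the two PEM blocks with the standard library alone and compares the RSA modulus in the certificate's SubjectPublicKeyInfo with the modulus in the PKCS#1 private key. `sample_combined_pem` builds a constructed skeleton file with a placeholder modulus (SAMPLE_N), since no real key pair is embedded here.

```python
import base64, re

def pem_blocks(text):  # -> [(label, DER bytes), ...] in file order
    pat = r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----"
    return [(m[1], base64.b64decode("".join(m[2].split()))) for m in re.finditer(pat, text, re.S)]

def der_tlv(buf, pos=0):  # decode one DER tag-length-value -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # split a SEQUENCE body into its (tag, content) children
    kids, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        kids.append((tag, val))
    return kids

def modulus_from_certificate(der):  # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs = der_children(der_children(der_tlv(der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # EXPLICIT [0] version is optional and comes first when present
        tbs = tbs[1:]
    spki = der_children(tbs[5][1])  # after serial, signature, issuer, validity, subject comes SubjectPublicKeyInfo
    rsa_pub = der_tlv(spki[1][1][1:])[1]  # BIT STRING minus its unused-bits octet wraps RSAPublicKey { n, e }
    return int.from_bytes(der_children(rsa_pub)[0][1], "big")

def check_combined_pem(text):  # True only if the CERTIFICATE and RSA PRIVATE KEY blocks carry the same modulus
    blocks = dict(pem_blocks(text))
    if "CERTIFICATE" not in blocks or "RSA PRIVATE KEY" not in blocks:
        return False
    key = der_children(der_tlv(blocks["RSA PRIVATE KEY"])[1])  # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, ...
    return modulus_from_certificate(blocks["CERTIFICATE"]) == int.from_bytes(key[1][1], "big")

# Minimal DER/PEM writers, used only to build the constructed sample below (short-form lengths suffice).
def der(tag, content): return bytes([tag, len(content)]) + content
def der_int(value): return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive
def pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

SAMPLE_N = 0xC0FFEE00BADC0DE1  # constructed placeholder modulus: nothing in this sample is a real key
def sample_combined_pem(key_modulus, cert_modulus=SAMPLE_N):  # skeleton cert + skeleton key, laid out like email@address.pem
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + der(0x30, der_int(cert_modulus) + der_int(65537))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + rsa_alg + der(0x30, b"") * 3 + spki)  # empty issuer/validity/subject
    cert = der(0x30, tbs + rsa_alg + der(0x03, b"\x00"))  # empty signature: the structure is all the check needs
    key = der(0x30, der_int(0) + der_int(key_modulus) + der_int(65537) + der_int(1) * 6)  # d, p, q, dp, dq, qinv placeholders
    return pem("CERTIFICATE", cert) + pem("RSA PRIVATE KEY", key)
```

On a real file, `check_combined_pem(open("email@address.pem").read())` should return True before you run the pkcs12 export; a False result means the certificate was issued for a different CSR than the key you are packaging.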