Werner’s own blurbs

Creating server certificates with GnuPG

Tired of using OpenSSL and editing weird configuration files just to create a certificate?

Fortunately there is an easier way with the advantage of using an already used system: Since version 1.9.18, GnuPG is a able to create certificate requests for servers; due to a bug in the export command, it is however suggested to use version 1.9.19.

Here is a brief run up on how to create a server certificate. It has actually been done this way to get a certificate from CAcert to be used on a real server. It has only be tested with this CA, but there shouldn’t be any problem to run this against any other CA.

Before you start, make sure that gpg-agent is running; see the manual on how to do this (“info gnupg”). As there is no need for a configuration file, you may simply enter:

 $ gpgsm-gencert.sh >a.p10 Key type [1] RSA [2] existing key Your selection: 1 You selected: RSA 

I opted for creating a new RSA key. The other option is to use an already existing key, by selecting “2” and entering the so-called keygrip. Running "gpgsm --dump-secret-key USERID" will show you this keygrip.

Let’s continue:

 Key length [1] 1024 [2] 2048 Your selection: 1 You selected: 1024 

The script offers just two common key sizes. With the current setup of CAcert, it does not make much sense to use a 2k key; their policies need to be revised anyway (a CA root key valid for 30 years is not really serious).

 Key usage [1] sign, encrypt [2] sign [3] encrypt Your selection: 1 You selected: sign, encrypt 

We want to sign and encrypt using this key. This is just a suggestion and the CA may actually assign other key capabilities.

Now for some real data:

 Name (DN) > CN=kerckhoffs.g10code.com 

This is the most important value for a server certificate. Enter here the canonical name of your server machine. You may add other virtual server names later.

 E-Mail addresses (end with an empty line) > 

We don’t need email addresses in a server certificate and CAcert would anyway ignore such a request. Thus just hit enter.

If you want to create a client certificate for email encryption, this would be the place to enter your mail address (e.g. joe@example.org). You may enter as many addresses as you like, however the CA may not accept them all or reject the entire request.

 DNS Names (optional; end with an empty line) > www.g10code.com DNS Names (optional; end with an empty line) > ftp.g10code.com DNS Names (optional; end with an empty line) > 

Here I entered the names of the servers which actually run on the machine given in the DN above. The browser will accept a certificate for any of these names. As usual the CA must approve all of these names.

 URIs (optional; end with an empty line) > 

It is possible to insert arbitrary URIs into a certificate; for a server certificate this does not make sense.

We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:

 Parameters for certificate request to create: 1 Key-Type: RSA 2 Key-Length: 1024 3 Key-Usage: sign, encrypt 4 Name-DN: CN=kerckhoffs.g10code.com 5 Name-DNS: www.g10code.com 6 Name-DNS: ftp.g10code.com Really create such a CSR? [1] yes [2] no Your selection: 1 You selected: yes 

gpgsm will now start working on creating the request. As this includes the creation of an RSA key, it may take a while. During this time you will be asked 3 times for a passphrase to protect the created private key on your system. A pop up window will appear to ask for it. The first two prompts are for the new passphrase and to re-enter it; the third one is required to actually create the certificate request.

When it is ready, you should see the final notice:

 gpgsm: certificate request created 

Now, you may look at the created request:

 $ cat a.p10 -----BEGIN CERTIFICATE REQUEST----- MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0 eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw= -----END CERTIFICATE REQUEST----- $ 

You may now proceed by logging into your account at the CAcert website, choose “Server Certificates – New”, check “sign by class 3 root certificate”, paste the above request block into the text field and click on “Submit”.

If everything works out fine, a certificate will be shown. Now run

 $ gpgsm --import 

and paste the certificate from the CAcert page into your terminal followed by a Ctrl-D

 -----BEGIN CERTIFICATE----- MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2 MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7 8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9 aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3 mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0 6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3 gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha 94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs Rtct3tIX -----END CERTIFICATE----- gpgsm: issuer certificate (#/CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.) not found gpgsm: certificate imported gpgsm: total number processed: 1 gpgsm: imported: 1 

gpgsm tells you that it has imported the certificate. It is now associated with the key you used when creating the request. The root certificate has not been found, so you may want to import it from the CACert website.

To see the content of your certificate, you may now enter:

 $ gpgsm -K kerckhoffs.g10code.com /home/foo/.gnupg/pubring.kbx --------------------------- Serial number: 4C Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CAcert.org/O=CAcert Inc. Subject: /CN=kerckhoffs.g10code.com aka: (dns-name www.g10code.com) aka: (dns-name ftp.g10code.com) validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51 key type: 1024 bit RSA key usage: digitalSignature keyEncipherment ext key usage: clientAuth (suggested), serverAuth (suggested), serverGatedCrypto.ns (suggested), serverGatedCrypto.ms (suggested) fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57 

I used “-K” above because this will only list certificates for which a private key is available. To see more details, you may use “–dump-secret-keys” instead of “-K”. The output has been created using the current CVS version of GnuPG 1.9; older versions won’t show the dns-names.

To make actual use of the certificate you need to install it on your server. Server software usally expects a PKCS#12 file with key and certificate. To create such a file, run:

 $ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem 

You will be asked for the passphrase as well as for a new passphrase to be used to protect the pkcs#12 file. The file now contains the certificate as well as the private key:

 $ cat kerckhoffs-cert.pem Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CAcert.org/O=CAcert Inc. Serial ...: 4C Subject ..: /CN=kerckhoffs.g10code.com aka ..: (dns-name www.g10code.com) aka ..: (dns-name ftp.g10code.com) -----BEGIN PKCS12----- MIIHlwIBAzCCB5AGCSqGSIb3DQEHAaCCB4EEggd9MIIHeTCCBJ8GCSqGSIb3DQEH [...many more lines...] -----END PKCS12----- $ 

Copy this file in a secure way to the server, install it there and delete the file then. You may export the file again at any time as long as its is available in GnuPG’s private key database.