Mailing List Archive

PKCS#12
Hello,

It seems that I have a problem with a root certificate. According to
the error message the root certificate is not marked as "to be trusted".
Can someone please tell me what I need to do to get the root cert.
trusted?

Here is the error message:
4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: <- ISTRUSTED 355E69678EB5D72B5DC882276847F27C0D3C4156
4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: -> ERR 304 not trusted
6 - 2006-08-04 23:43:46 gpgsm[15127]: Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert



And here is the full story:

I have imported my PKCS#12 certificate (public key, private key and the
root certs) via the following method:

1. Export the Certificate from your browser into a file
"certbundle.p12".

2. Use OpenSSL to extract the key from the bundle.
bash$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes

Then, extract the key from the bundle and export it, again in PKCS#12
format:

bash$ gpgsm --call-protect-tool --p12-import --store certkey.p12

3. Import the Issuers certificate and your own certificate
bash$ gpgsm --import <file>


But when I now want to sign a mail I get the following error:

4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: <- ISTRUSTED 355E69678EB5D72B5DC882276847F27C0D3C4156
4 - 2006-08-04 23:43:46 gpg-agent[7421.0x8092ae8] DBG: -> ERR 304 not trusted
6 - 2006-08-04 23:43:46 gpgsm[15127]: Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert

The last line in German means: the root cert is not marked as to be trusted.
I would like to do this. How can I do this?


Thanks a lot
Michael

_______________________________________________
Gpa-dev mailing list
Gpa-dev@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gpa-dev
Re: PKCS#12
On Sun, 6 Aug 2006 22:12, Michael Hoeller said:

> 1. Export the Certificate from your browser into a file
> "certbundle.p12".

With the latest gnupg 1.9 you should be able to do just an

gpgsm --import certbundle.p12

tested with a current Mozilla.

> The last line in German means: the root cert is not marked as to be trusted.
> I would like to do this. How can I do this?

See the info manual under agent configuration:

@item trustlist.txt

[ Default: ~/gnupg/trustlist.txt ]

This is the list of trusted keys. Comment lines, indicated by a leading
hash mark, as well as empty lines are ignored. To mark a key as trusted
you need to enter its fingerprint followed by a space and a capital
letter @code{S}. Colons may optionally be used to separate the bytes of
a fingerprint; this allows cutting and pasting the fingerprint from a key
listing output.

Here is an example where two keys are marked as ultimately trusted:

@example
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
@end example

Before entering a key into this file, you need to ensure its
authenticity. How to do this depends on your organisation; your
administrator might have already entered those keys which are deemed
trustworthy enough into this file. Places where to look for the
fingerprint of a root certificate are letters received from the CA or
the website of the CA (after making 100% sure that this is indeed the
website of that CA). You may want to consider allowing interactive
updates of this file by using the @xref{option --allow-mark-trusted}.
This is however not as secure as maintaining this file manually. It is
even advisable to change the permissions to read-only so that this file
can't be changed inadvertently.




Salam-Shalom,

Werner


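The trustlist.txt format that Werner quotes is simple enough to model in a few lines, which makes it easy to check why gpg-agent answers ISTRUSTED with "304 not trusted" for a given fingerprint before editing the file. The following is an added example written for this thread, not code from GnuPG: it reads the manual's two-entry example as constructed sample content, normalises fingerprints the way the manual allows (optional colons between bytes), reports whether a fingerprint has an S entry, and appends a new S entry only after the fingerprint has been syntactically checked and found not to be listed already. Only the S flag from the manual excerpt is handled; any other flag is treated as not trusted. Verifying the fingerprint against the CA's published value remains a manual step before calling add_trusted, exactly as the manual excerpt says.

```python
"""Minimal reader/writer for gpg-agent's trustlist.txt, modelled on the
manual excerpt in this thread (added example, not GnuPG's own code)."""
import re
from typing import Dict

# Fingerprint from the ISTRUSTED line in Michael's log above.
ROOT_FPR = "355E69678EB5D72B5DC882276847F27C0D3C4156"

# Constructed sample file content, copied from the manual's @example block.
SAMPLE_TRUSTLIST = """\
# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
A6935DD34EF3087973C706FC311AA2CCF733765B S

# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
"""

_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fpr(fpr: str) -> str:
    """Drop optional colons/whitespace and upper-case a SHA-1 fingerprint.
    Raises ValueError if the result is not exactly 40 hex digits."""
    clean = re.sub(r"[:\s]", "", fpr).upper()
    if not _HEX40.match(clean):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return clean


def parse_trustlist(text: str) -> Dict[str, str]:
    """Return {fingerprint: flag} for every entry.
    Comment lines (leading '#') and empty lines are ignored, as the manual says."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<fingerprint> <flag>'")
        entries[normalize_fpr(parts[0])] = parts[1]
    return entries


def is_trusted(text: str, fpr: str) -> bool:
    """Mimic the ISTRUSTED answer: True only if the fingerprint has an 'S' entry."""
    return parse_trustlist(text).get(normalize_fpr(fpr)) == "S"


def add_trusted(text: str, fpr: str, subject_comment: str) -> str:
    """Return the file content with a new 'S' entry appended.
    Refuses malformed fingerprints and duplicates. The caller must already
    have verified the fingerprint against the CA's published value."""
    clean = normalize_fpr(fpr)
    if clean in parse_trustlist(text):
        raise ValueError(f"{clean} is already listed")
    comment = "# " + subject_comment.replace("\n", " ")
    return text.rstrip("\n") + f"\n\n{comment}\n{clean} S\n"


if __name__ == "__main__":
    # Reproduces the situation in the thread: the root's fingerprint is not
    # in the sample file, so gpg-agent would answer "not trusted".
    print("trusted before:", is_trusted(SAMPLE_TRUSTLIST, ROOT_FPR))
    # Subject string is a placeholder; use the real CN of the root certificate.
    updated = add_trusted(SAMPLE_TRUSTLIST, ROOT_FPR, "CN=<root CA subject here>")
    print("trusted after: ", is_trusted(updated, ROOT_FPR))
```

Running the block prints "trusted before: False" and "trusted after: True". The colon-separated entry from the manual resolves to the same key as its unseparated form, so either spelling can be pasted from a key listing. Writing the result back to ~/.gnupg/trustlist.txt is left to the reader, since the manual recommends keeping that file read-only and editing it deliberately.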