2611
2629
message modification attack.
2613
2631
`--personal-cipher-preferences `string''
2614
Set the list of personal cipher preferences to `string', this list
2615
should be a string similar to the one printed by the command
2616
"pref" in the edit menu. This allows the user to factor in their
2617
own preferred algorithms when algorithms are chosen via recipient
2618
key preferences. The most highly ranked cipher in this list is
2619
also used for the `--symmetric' encryption command.
2632
Set the list of personal cipher preferences to `string'. Use
2633
`gpg2 --version' to get a list of available algorithms, and use
2634
`none' to set no preference at all. This allows the user to
2635
factor in their own preferred algorithms when algorithms are chosen
2636
via recipient key preferences. The most highly ranked cipher in
2637
this list is also used for the `--symmetric' encryption command.
2621
2639
`--personal-digest-preferences `string''
2622
Set the list of personal digest preferences to `string', this list
2623
should be a string similar to the one printed by the command
2624
"pref" in the edit menu. This allows the user to factor in their
2625
own preferred algorithms when algorithms are chosen via recipient
2626
key preferences. The most highly ranked digest algorithm in this
2627
list is algo used when signing without encryption (e.g.
2628
`--clearsign' or `--sign'). The default value is SHA-1.
2640
Set the list of personal digest preferences to `string'. Use
2641
`gpg2 --version' to get a list of available algorithms, and use
2642
`none' to set no preference at all. This allows the user to
2643
factor in their own preferred algorithms when algorithms are chosen
2644
via recipient key preferences. The most highly ranked digest
2645
algorithm in this list is algo used when signing without encryption
2646
(e.g. `--clearsign' or `--sign'). The default value is SHA-1.
2630
2648
`--personal-compress-preferences `string''
2631
Set the list of personal compression preferences to `string', this
2632
list should be a string similar to the one printed by the command
2633
"pref" in the edit menu. This allows the user to factor in their
2634
own preferred algorithms when algorithms are chosen via recipient
2635
key preferences. The most highly ranked algorithm in this list is
2636
also used when there are no recipient keys to consider (e.g.
2649
Set the list of personal compression preferences to `string'. Use
2650
`gpg2 --version' to get a list of available algorithms, and use
2651
`none' to set no preference at all. This allows the user to
2652
factor in their own preferred algorithms when algorithms are
2653
chosen via recipient key preferences. The most highly ranked
2654
compression algorithm in this list is algo used when there are no
2655
recipient keys to consider (e.g. `--symmetric').
2639
2657
`--s2k-cipher-algo `name''
2640
2658
Use `name' as the cipher algorithm used to protect secret keys.
5999
File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Helper Tools, Up: Top
6001
8 Notes pertaining to certain OSes.
6047
File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Helper Tools, Up: Top
6049
8 How to do certain things
6050
**************************
6052
This is a collection of small howto documents.
6056
* Howto Create a Server Cert:: Creating a TLS server certificate.
6059
File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
6061
8.1 Creating a TLS server certificate
6062
=====================================
6064
Here is a brief run up on how to create a server certificate. It has
6065
actually been done this way to get a certificate from CAcert to be used
6066
on a real server. It has only been tested with this CA, but there
6067
shouldn't be any problem to run this against any other CA.
6069
Before you start, make sure that gpg-agent is running. As there is
6070
no need for a configuration file, you may simply enter:
6072
$ gpgsm-gencert.sh >a.p10
6076
[3] Direct from card
6080
I opted for creating a new RSA key. The other option is to use an
6081
already existing key, by selecting `2' and entering the so-called
6082
keygrip. Running the command `gpgsm --dump-secret-key USERID' shows
6083
you this keygrip. Using `3' offers another menu to create a
6084
certificate directly from a smart card based key.
6094
The script offers two common key sizes. With the current setup of
6095
CAcert, it does not make much sense to use a 2k key; their policies need
6096
to be revised anyway (a CA root key valid for 30 years is not really
6104
You selected: sign, encrypt
6106
We want to sign and encrypt using this key. This is just a suggestion
6107
and the CA may actually assign other key capabilities.
6109
Now for some real data:
6112
> CN=kerckhoffs.g10code.com
6114
This is the most important value for a server certificate. Enter here
6115
the canonical name of your server machine. You may add other virtual
6118
E-Mail addresses (end with an empty line)
6121
We don't need email addresses in a server certificate and CAcert
6122
would anyway ignore such a request. Thus just hit enter.
6124
If you want to create a client certificate for email encryption, this
6125
would be the place to enter your mail address (e.g. <joe@example.org>).
6126
You may enter as many addresses as you like, however the CA may not
6127
accept them all or reject the entire request.
6129
DNS Names (optional; end with an empty line)
6131
DNS Names (optional; end with an empty line)
6133
DNS Names (optional; end with an empty line)
6136
Here I entered the names of the servers which actually run on the
6137
machine given in the DN above. The browser will accept a certificate for
6138
any of these names. As usual the CA must approve all of these names.
6140
URIs (optional; end with an empty line)
6143
It is possible to insert arbitrary URIs into a certificate; for a
6144
server certificate this does not make sense.
6146
We have now entered all required information and `gpgsm' will
6147
display what it has gathered and ask whether to create the certificate
6150
Parameters for certificate request to create:
6153
3 Key-Usage: sign, encrypt
6154
4 Name-DN: CN=kerckhoffs.g10code.com
6155
5 Name-DNS: www.g10code.com
6156
6 Name-DNS: ftp.g10code.com
6158
Really create such a CSR?
6164
`gpgsm' will now start working on creating the request. As this
6165
includes the creation of an RSA key it may take a while. During this
6166
time you will be asked 3 times for a passphrase to protect the created
6167
private key on your system. A pop up window will appear to ask for it.
6168
The first two prompts are for the new passphrase and for re-entering it;
6169
the third one is required to actually create the certificate signing
6172
When it is ready, you should see the final notice:
6174
gpgsm: certificate request created
6176
Now, you may look at the created request:
6179
-----BEGIN CERTIFICATE REQUEST-----
6180
MIIBnzCCAQgCAQAwITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCB
6181
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVyg
6182
HtB7kr+YISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlS
6183
wFTALLX78GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkm
6184
Bj5cNy+YMbGVldECAwEAAaA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIP
6185
d3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5jb20wDQYJKoZIhvcNAQEFBQAD
6186
gYEAzBRIi8KTfKyebOlMtDN6oDYBOv+r9A4w3u/Z1ikjffaiN1Bmd2o9Ez9KXKHA
6187
IezLeSEA/rGUPN5Ur5qIJnRNQ8xrS+iLftr8msWQSZppVnA/vnqMrtqBUpitqAr0
6188
eYBmt1Uem2Y3UFABrKPglv2xzgGkrKX6AqmFoOnJWQ0QcTw=
6189
-----END CERTIFICATE REQUEST-----
6192
You may now proceed by logging into your account at the CAcert
6193
website, choose `Server Certificates - New', check `sign by class 3 root
6194
certificate', paste the above request block into the text field and
6197
If everything works out fine, a certificate will be shown. Now run
6201
and paste the certificate from the CAcert page into your terminal
6202
followed by a Ctrl-D
6204
-----BEGIN CERTIFICATE-----
6205
MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
6206
cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQD
6207
ExNDQWNlcnQgQ2xhc3MgMyBSb290MB4XDTA1MTAyODE2MjA1MVoXDTA3MTAyODE2
6208
MjA1MVowITEfMB0GA1UEAxMWa2VyY2tob2Zmcy5nMTBjb2RlLmNvbTCBnzANBgkq
6209
hkiG9w0BAQEFAAOBjQAwgYkCgYEA5h+uKRenpvbe+BnMY6siPO50LVygHtB7kr+Y
6210
ISlPJ5JAFO12yQFz9Y0sBLHbjR+V+TOawwP1dZhGjlgnEBkMdWKuEBlSwFTALLX7
6211
8GAyvAYAmPqSPDEYXkMECyUXVX/bbGI1bY8Y2OGy4w4D+v7e+xD2NBkmBj5cNy+Y
6212
MbGVldECAwEAAaOBtTCBsjAMBgNVHRMBAf8EAjAAMDQGA1UdJQQtMCsGCCsGAQUF
6213
BwMCBggrBgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMAsGA1UdDwQEAwIF
6214
oDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy
6215
dC5vcmcwKwYDVR0RBCQwIoIPd3d3LmcxMGNvZGUuY29tgg9mdHAuZzEwY29kZS5j
6216
b20wDQYJKoZIhvcNAQEEBQADggIBAAj5XAHCtzQR8PV6PkQBgZqUCbcfxGO/ZIp9
6217
aIT6J2z0Jo1OZI6KmConbqnZG9WyDlV5P7msQXW/Z9nBfoj4KSmNR8G/wtb8ClJn
6218
W8s75+K3ZLq1UgEyxBDrS7GjtbVaj7gsfZsuiQzxmk9lbl1gbkpJ3VEMjwVCTMlM
6219
fpjp8etyPhUZqOZaoKVaq//KTOsjhPMwz7TcfOkHvXketPrWTcefJQU7NKLH16D3
6220
mZAwnBxp3P51H6E6VG8AoJO8xCBuVwsbXKEf/FW+tmKG9pog6CaZQ9WibROTtnKj
6221
NJjSBsrUk5C+JowO/EyZRGm6R1tlok8iFXj+2aimyeBqDcxozNmFgh9F3S5u0wK0
6222
6cfYgkPVMHxgwV3f3Qh+tJkgLExN7KfO9hvpZqAh+CLQtxVmvpxEVEXKR6nwBI5U
6223
BaseulvVy3wUfg2daPkG17kDDBzQlsWC0BRF8anH+FWSrvseC3nS0a9g3sXF1Ic3
6224
gIqeAMhkant1Ac3RR6YCWtJKr2rcQNdDAxXK35/gUSQNCi9dclEzoOgjziuA1Mha
6225
94jYcvGKcwThn0iITVS5hOsCfaySBLxTzfIruLbPxXlpWuCW/6I/7YyivppKgEZU
6226
rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
6228
-----END CERTIFICATE-----
6229
gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
6230
gpgsm: certificate imported
6232
gpgsm: total number processed: 1
6235
gpgsm tells you that it has imported the certificate. It is now
6236
associated with the key you used when creating the request. The root
6237
certificate has not been found, so you may want to import it from the
6240
To see the content of your certificate, you may now enter:
6242
$ gpgsm -K kerckhoffs.g10code.com
6243
/home/foo/.gnupg/pubring.kbx
6244
---------------------------
6246
Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
6247
Subject: /CN=kerckhoffs.g10code.com
6248
aka: (dns-name www.g10code.com)
6249
aka: (dns-name ftp.g10code.com)
6250
validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
6251
key type: 1024 bit RSA
6252
key usage: digitalSignature keyEncipherment
6253
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
6254
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57
6256
I used `-K' above because this will only list certificates for which
6257
a private key is available. To see more details, you may use
6258
`--dump-secret-keys' instead of `-K'.
6260
To make actual use of the certificate you need to install it on your
6261
server. Server software usally expects a PKCS\#12 file with key and
6262
certificate. To create such a file, run:
6264
$ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem
6266
You will be asked for the passphrase as well as for a new passphrase
6267
to be used to protect the PKCS\#12 file. The file now contains the
6268
certificate as well as the private key:
6270
$ cat kerckhoffs-cert.pem
6271
Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
6273
Subject ..: /CN=kerckhoffs.g10code.com
6274
aka ..: (dns-name www.g10code.com)
6275
aka ..: (dns-name ftp.g10code.com)
6277
-----BEGIN PKCS12-----
6278
MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
6279
[...many more lines...]
6280
-----END PKCS12-----
6283
Copy this file in a secure way to the server, install it there and
6284
delete the file then. You may export the file again at any time as long
6285
as it is available in GnuPG's private key database.
6288
File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
6290
9 Notes pertaining to certain OSes.
6002
6291
***********************************
6004
6293
GnuPG has been developed on GNU/Linux systems and is know to work on