PGP keys from certificates

Ian

Jun 2, 2017, 6:46:33 AM
Hi All,

Normally to generate a new keypair I'd use
pgp --gen-key [other options]
pgp --export 0xNewlyCreatedKey -o wibble.ToBeSentToTheFarEnd


However, I've got a set of instructions, which say:

openssl req -newkey rsa:2048 -keyout wibble.key -out wibble.csr

Get the csr signed by a cert authority, they send back wibble.crt

openssl pkcs12 -export \
-in wibble.crt \
-inkey wibble.key \
-certfile root.crt \
-certfile intermediate.crt \
-out wibble.p12

pgp --import wibble.p12

pgp --export 0xNewlyImportedKeyID -o wibble.ToBeSentToTheFarEnd


What does all this messing about with certificates do for us, that just
generating a new keypair doesn't?


Thanks.
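An added example, not from the thread: it runs the certificate-based flow above with a throwaway local CA standing in for the real one, then checks what actually ended up inside wibble.p12 before it is handed to a PGP import. It assumes the openssl CLI is installed; the "wibble" names, the stand-in CA subject and the export password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the key -> CSR -> cert -> .p12
# steps with a stand-in CA, then verifies the bundle's contents with openssl.

# Returns 0 only if the .p12 holds the certificate for the key we generated
# plus the CA chain that was supposed to travel with it.
build_and_check_p12() {
    d=$(mktemp -d) || return 1
    pw=pass:example-only   # constructed export password for the scratch bundle

    # 1. Same key/CSR step as the instructions, made non-interactive
    #    (-nodes leaves the private key unencrypted; acceptable in a scratch dir).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=wibble" \
        -keyout "$d/wibble.key" -out "$d/wibble.csr" 2>/dev/null || return 1

    # 2. Stand-in CA: a self-signed root signs the CSR, yielding wibble.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Stand-in Root" \
        -days 1 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/wibble.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/wibble.crt" 2>/dev/null || return 1

    # 3. Bundle. openssl pkcs12 keeps only the last -certfile it is given, so the
    #    whole chain (root plus any intermediates) goes into one file.
    cat "$d/root.crt" > "$d/chain.pem"
    openssl pkcs12 -export -in "$d/wibble.crt" -inkey "$d/wibble.key" \
        -certfile "$d/chain.pem" -out "$d/wibble.p12" -passout "$pw" || return 1

    # 4. The end-entity cert inside the .p12 must carry the key we generated
    #    (same RSA modulus) ...
    key_mod=$(openssl rsa -in "$d/wibble.key" -noout -modulus) || return 1
    p12_mod=$(openssl pkcs12 -in "$d/wibble.p12" -clcerts -nokeys -passin "$pw" \
              | openssl x509 -noout -modulus) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$p12_mod" ] || return 1

    # ... and the CA chain must be present too (one CA cert in this toy setup).
    ca_n=$(openssl pkcs12 -in "$d/wibble.p12" -cacerts -nokeys -passin "$pw" \
           | grep -c 'BEGIN CERTIFICATE')
    rm -rf "$d"
    [ "$ca_n" -eq 1 ]
}
```

The same two checks (modulus match, chain present) are worth running against a real wibble.p12 before exporting the imported PGP key to the far end.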

ima...@gmail.com

Sep 27, 2017, 10:39:04 PM
On Friday, June 2, 2017 at 4:46:33 AM UTC-6, Ian wrote:
[...]
> pgp --gen-key [other options]
> pgp --export 0xNewlyCreatedKey -o wibble.ToBeSentToTheFarEnd

Results in having only keys in the PGP system, which of course doesn't say whether you rely on the web of trust at all, but that's what you should do with these keys...

> openssl req -newkey rsa:2048 -keyout wibble.key -out wibble.csr
>
> Get the csr signed by a cert authority, they send back wibble.crt
>
> openssl pkcs12 -export \
> -in wibble.crt \
> -inkey wibble.key \
> -certfile root.crt \
> -certfile intermediate.crt \
> -out wibble.p12
>
> pgp --import wibble.p12
>
> pgp --export 0xNewlyImportedKeyID -o wibble.ToBeSentToTheFarEnd

Interestingly, the difference is that you would, I guess, have the same key for SSL applications in addition to PGP. There is certainly no reason to do this extra work if they were not using the key later in OpenSSL as well as PGP, which are different systems.

ima...@gmail.com

Sep 28, 2017, 3:02:29 PM
On Wednesday, September 27, 2017 at 8:39:04 PM UTC-6, ima...@gmail.com wrote:
[...]
> > openssl pkcs12 -export \
> > -in wibble.crt \
> > -inkey wibble.key \
> > -certfile root.crt \
> > -certfile intermediate.crt \
> > -out wibble.p12

I should also have noted that this appears to add the CA signatures to the pkcs12 which is all imported to PGP. I didn't know they could take in signatures from authorities and put them in a system that was designed to use Web of Trust instead. Is this a new commercial PGP feature? I use GnuPG and I've never imported a .p12 file so don't know if I can.