OK... I found some very old posts about this... don't know how much still holds. -- https://lists.gnupg.org/pipermail/gnupg-devel/2011-June/026126.html
This guide says:

1. Convert rootCA.pem to rootCA.der
2. Place rootCA.der in dirmngr\trusted-certs
3. Ensure rootCA.der has revocation URL (??can disable??)
4. Add rootCA.der fingerprint to trustlist.txt
5. Restart dirmngr service and gpg-agent

Don't know... you think that will work?

BTW.. Here are the versions of the previously mentioned utilities:
- OpenSSL 1.0.2a 19 Mar 2015
- gpg-protect-tool (GnuPG) 2.0.27 (Gpg4win 2.2.4)
- gpgsm (GnuPG) 2.1.3

On Mon, Apr 27, 2015 at 3:07 PM, Dan Bryant <dkbry...@gmail.com> wrote:
> TL;DR: gpgsm import fails with "no issuer found in certificate"
>
> I'm trying to generate a key-pair for GnuPG S/MIME strictly for
> instructional reasons. I'll concede that I'm using a weak CA, but I'm
> trying to imagine how the CA maintainers do this task as well. So, for my
> instruction, I'm trying to do the following:
>
> I started off just wanting to create a GnuPG S/MIME key-pair. I soon found
> out that gpgsm requires key-pairs to be externally signed by a CA. So now
> I'm trying to do the whole process: make-key, sign-key, import-key.
>
> 1. Create a CA with a new RSA key-pair (openSSL)
> 2. Generate a new GnuPG S/MIME key-pair (gpgsm)
> 3. Sign the GnuPG S/MIME key-pair with my fictitious CA above (openssl)
> 4. Import the now signed GnuPG S/MIME key-pair into my gpgsm key-ring.
>
> So in theory I thought this should work, but I've botched it somewhere along
> the way. Again... this is for INSTRUCTIONAL purposes. I realize a self-signed
> CA is about as secure as a post-it on a monitor. Trying to learn...
>
> Here's what I tried (for those unfamiliar with Windows, the '^' is a line
> continuation).
>
> -- gpgsm
> openssl genrsa -out rootCA.key 2048
> openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
> gpgsm --gen-key > unsigned.pem
> gpg-protect-tool --p12-export ^
> %appdata%\gnupg\private-keys-v1.d\{keygrip_from_prev_gen_key_cmd}.key ^
> > kgfpgkc.p12
> openssl pkcs12 -in kgfpgkc.p12 -nocerts -out kgfpgkc.pem
> openssl x509 -x509toreq -signkey kgfpgkc.pem ^
> -in unsigned.pem -out unsigned.csr
> openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial ^
> -in unsigned.csr -out signed.pem -days 500
> gpgsm --import signed.pem
>
> --Output
> gpgsm: no issuer found in certificate
> gpgsm: basic certificate checks failed - not imported
> gpgsm: no issuer found in certificate
> gpgsm: basic certificate checks failed - not imported
> gpgsm: ksba_cert_hash failed: No value
> gpgsm: total number processed: 2
> gpgsm: not imported: 2
>
> So... Why did the issuer check fail? Do I need to import my fake CA (tried
> that)? If so, how? Is there an option to provide a PEM to serve as the
> root CA (like Python)? Also tried copying rootCA.pem to com-certs.pem, but
> no luck.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
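Steps 1 and 4 of the procedure quoted at the top of this message (PEM to DER, then the root CA's fingerprint into trustlist.txt), worked through as an added example that is not from this thread or from GnuPG itself. It assumes gpgsm's fingerprint is SHA-1 over the DER-encoded certificate, written in the colon form `gpgsm --fingerprint` prints, and that gpg-agent reads trustlist.txt as one fingerprint per line followed by the `S` flag for S/MIME roots; SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re
from pathlib import Path

# Constructed sample: PEM armor around a few arbitrary bytes standing in for
# the DER of rootCA.pem. It is NOT a real certificate; feed the real file in.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBAAIBAQ==
-----END CERTIFICATE-----
"""
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Step 1: the DER bytes of the first CERTIFICATE block, which is what
    'openssl x509 -outform DER' writes. Other PEM blocks (keys) are ignored."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def gpgsm_fingerprint(der: bytes) -> str:
    """The fingerprint gpgsm shows for a certificate: SHA-1 over the whole
    DER encoding, upper-case hex with a colon between bytes."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def merge_into_trustlist(existing: str, pem_text: str, comment: str) -> tuple[str, bool]:
    """Step 4: return (new trustlist.txt contents, whether a line was added).
    'S' marks the root as usable for S/MIME. A fingerprint already present,
    with or without colons, is not added twice, so re-running is safe."""
    fpr = gpgsm_fingerprint(pem_to_der(pem_text))
    if fpr.replace(":", "") in existing.replace(":", "").upper():
        return existing, False
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + f"# {comment}\n{fpr} S\n", True


def add_to_trustlist(trustlist: Path, pem_text: str, comment: str) -> bool:
    """Apply merge_into_trustlist to the file on disk; returns True if it changed."""
    existing = trustlist.read_text() if trustlist.exists() else ""
    merged, added = merge_into_trustlist(existing, pem_text, comment)
    if added:
        trustlist.write_text(merged)
    return added
```

gpg-agent looks for trustlist.txt in the GnuPG home directory (%APPDATA%\gnupg on Windows) and only re-reads it after a reload (`gpgconf --reload gpg-agent`) or restart, which is what step 5 of the quoted guide is about.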