• PGP keys from certificates

    From Ian@21:1/5 to All on Fri Jun 2 11:46:28 2017
    Hi All,

    Normally to generate a new keypair I'd use
    pgp --gen-key [other options]
    pgp --export 0xNewlyCreatedKey -o wibble.ToBeSentToTheFarEnd


    However, I've got a set of instructions, which say:

    openssl req -newkey rsa:2048 -keyout wibble.key -out wibble.csr

    Get the csr signed by a cert authority, they send back wibble.crt

    openssl pkcs12 -export \
    -in wibble.crt \
    -inkey wibble.key \
    -certfile root.crt \
    -certfile intermediate.crt \
    -out wibble.p12

    pgp --import wibble.p12

    pgp --export 0xNewlyImportedKeyID -o wibble.ToBeSentToTheFarEnd


    What does all this messing about with certificates do for us, that just generating a new keypair doesn't?


    Thanks.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From imajeff@gmail.com@21:1/5 to Ian on Wed Sep 27 19:39:03 2017
    On Friday, June 2, 2017 at 4:46:33 AM UTC-6, Ian wrote:
    [...]
    pgp --gen-key [other options]
    pgp --export 0xNewlyCreatedKey -o wibble.ToBeSentToTheFarEnd

    Results in having only keys in the PGP system, which of course is not saying whether you rely on web of trust at all, but that's what you should do with these keys...

    openssl req -newkey rsa:2048 -keyout wibble.key -out wibble.csr

    Get the csr signed by a cert authority, they send back wibble.crt

    openssl pkcs12 -export \
    -in wibble.crt \
    -inkey wibble.key \
    -certfile root.crt \
    -certfile intermediate.crt \
    -out wibble.p12

    pgp --import wibble.p12

    pgp --export 0xNewlyImportedKeyID -o wibble.ToBeSentToTheFarEnd

    Interestingly, the difference is that you would, I guess, have the same key for SSL applications in addition to PGP. There is certainly no reason to do this extra work if they were not using the key later in OpenSSL as well as PGP, which are different systems.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From imajeff@gmail.com@21:1/5 to ima...@gmail.com on Thu Sep 28 12:02:28 2017
    On Wednesday, September 27, 2017 at 8:39:04 PM UTC-6, ima...@gmail.com wrote: [...]
    openssl pkcs12 -export \
    -in wibble.crt \
    -inkey wibble.key \
    -certfile root.crt \
    -certfile intermediate.crt \
    -out wibble.p12

    I should also have noted that this appears to add the CA signatures to the pkcs12, which is all imported to PGP. I didn't know they could take in signatures from authorities and put them in a system that was designed to use Web of Trust instead. Is this a new commercial PGP feature? I use GnuPG and I've never imported a .p12 file, so I don't know if I can.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
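
The replies above turn on the PKCS#12 bundle carrying one key pair that is then used by both the X.509 side and PGP. The following is an added example, not part of any post in the thread: a check, run before `pgp --import`, that the private key inside the bundle belongs to the certificate in it. It assumes `openssl` is on the PATH and uses a throwaway self-signed certificate and the password `demo` in place of the CA-signed `wibble.crt`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. wibble.* names follow the thread; the key, the self-signed
# certificate and the password "demo" are constructed for the demonstration.

# SHA-256 of the DER public key taken from PEM on stdin ($1 = key | cert).
pub_digest() {
    pem=
    case "$1" in
        key)  pem=$(openssl pkey -pubout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -noout -pubkey 2>/dev/null) ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable input must not hash as "empty"
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if private key file $1 belongs to certificate file $2.
key_matches_cert() {
    k=$(pub_digest key < "$1") && c=$(pub_digest cert < "$2") && [ "$k" = "$c" ]
}

# 0 if the key and leaf certificate inside PKCS#12 file $1 (password $2) agree.
p12_key_matches_cert() {
    k=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        pub_digest key) &&
    c=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        pub_digest cert) &&
    [ "$k" = "$c" ]
}

# Build wibble.key, wibble.crt and wibble.p12 in directory $1.
make_demo_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=wibble" \
        -keyout "$1/wibble.key" -out "$1/wibble.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/wibble.crt" -inkey "$1/wibble.key" \
        -passout pass:demo -out "$1/wibble.p12"
}

tmp=$(mktemp -d) && make_demo_bundle "$tmp" &&
    p12_key_matches_cert "$tmp/wibble.p12" demo &&
    echo "key in wibble.p12 matches wibble.crt: $(pub_digest cert < "$tmp/wibble.crt")"
rm -rf "$tmp"
```

The digest is taken over the public key alone, so it stays the same wherever that key pair is used, whereas a PGP key ID is computed differently and will not equal it.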