Hello. Please can you tell me where I can find the info about how to generate a certificate signing request (CSR, X509, for a certificate authority to get it signed into a certificate, or to self-sign using OpenSSL) based on an existing AUTH RSA private key stored on a CryptoStick. Preferably using Windows 7. I saw some instructions for Linux and OpenSC, but they didn't work out for me - got many "headers, libs not found" errors. Not a Linux user at all. Is there any step-by-step instruction for a Windows environment? Thanks a lot!
I did it with GnuPG 2.
You may try to use "gpgsm --gen-key > ~/mycsr.pem" and in the subsequent dialog select the existing key on the card. Send this CSR to your CA to get a certificate. Once you have received the signed certificate back from your CA, do a "gpgsm --import cert.pem".
As a prerequisite, make sure your application knows the device: "gpgsm --learn-card"
You could find instructions in German here lists.gnupg.org/pipermail/gnupg- … 40662.html
Thank you, Jans. Have already figured it out. It was not so obvious to a newbie like me, though.
I’m glad that it worked out for you eventually. Would be great if you could post instructions for the next user generating a CSR. Thanks.
Well, it’s almost exactly as you posted above. I can only try to transform it into a simple step-by-step tutorial for a Windows environment.
- download and install the latest GPG4Win binaries gpg4win.org/download.html. Only the base component (GnuPG 2.0.x) is necessary;
- An AUTH RSA key stored on your smart card (see CryptoStick Installation Guide crypto-stick.com/start | 2. Initialize the Crypto Stick).
- Plug in your CryptoStick. Open a command prompt and execute:
Please select what kind of key you want:
(2) Existing key
(3) Existing key from card
Serial number of the card: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
(1) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.1
(2) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.2
(3) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OPENPGP.3
AUTH key is OPENPGP.3, so select 3 again.
Then enter a desired info about your certificate into the prompted fields (see gpgsm manual for more info):
Possible actions for a RSA key:
(1) sign, encrypt
Your selection? 1
Enter the X.509 subject name: CN=John Doe
Enter email addresses (end with an empty line):
Enter DNS names (optional; end with an empty line):
Enter URIs (optional; end with an empty line):
Parameters to be used for the certificate request:
Key-Usage: sign, encrypt
Name-DN: CN=John Doe
Really create request? (y/N) y
Enter your User PIN.
Now creating certificate request. This may take a while ...
gpgsm: about to sign CSR for key: &XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gpgsm: certificate request created
Ready. You should now send this request to your CA.
Now you have your certificate signing request stored in the [your_csr_filename].pem file.
You can send this file or copy-paste its contents to your CA to sign (e.g. CACert, StartSSL etc.) or self-sign it by using OpenSSL (there are plenty of articles about how to do it on the Internet). As a result you'll get your personal signed certificate in PEM format, [your_personal_cert].pem or [your_personal_cert].crt.
Import your personal certificate onto your smart card. It can be done by using either GnuPG 2 or OpenSC.
ATTENTION: CryptoStick supports personal certificates in DER (binary) format only. You have to convert your PEM file first by using OpenSSL, online converters (e.g. sslshopper.com/ssl-converter.html), the Mozilla Firefox plug-in (addons.mozilla.org/ru/firefox/addon/cert-viewer-plus/), or ask your CA to deliver your certificate in DER format.
Using GnuPG 2: plug in your CryptoStick, open a command prompt and execute
In the prompt "gpg/card>" enter the hidden command
writecert 3 < [your_cert_in_DER_format_filename].crt
* There is also a hidden command "readcert 3 > mycert.crt" to export your personal X.509 certificate from a smart card to a file.
Then type “quit” and press Enter.
Using OpenSC: download and install the latest OpenSC binaries, plug in your CryptoStick, open a command prompt and execute
Enter Admin PIN. The END.
Now you can use your existing AUTH RSA private key and personal X.509 certificate to sign/encrypt your e-mail, or to authenticate on respective websites, OpenVPN servers etc. using PKCS#11 and your CryptoStick only (or the OpenPGP mini-driver for Microsoft IE, Google Chrome etc. - see crypto-stick.com/en/applications).
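The DER-only caveat in the tutorial above is the usual stumbling point. The helper below is an added example, not code from the thread or from the CryptoStick or GnuPG projects: it converts a PEM certificate to the DER bytes that writecert expects, refuses a CSR (label CERTIFICATE REQUEST) handed over in place of the signed certificate, and checks that the DER length header agrees with the data size. The sample input is a constructed placeholder SEQUENCE, not a real certificate.

```python
import base64
import re

# PEM armour: the label must match on BEGIN and END; the body is base64 of the DER.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def der_outer_length(der: bytes) -> int:
    """Total size declared by the outer SEQUENCE header (tag 0x30). The length
    is short form (< 0x80) or long form: 0x80|N followed by N big-endian bytes."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length octets")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def to_card_der(blob: bytes) -> bytes:
    """Return the DER bytes writecert expects, converting from PEM if needed.
    Rejects a CSR (CERTIFICATE REQUEST) so the unsigned request is not written
    to the card in place of the signed certificate, and checks the length."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        m = PEM_RE.search(blob.decode("ascii", errors="replace"))
        if not m:
            raise ValueError("incomplete PEM armour or mismatched labels")
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            raise ValueError(f"expected CERTIFICATE, got {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
    else:
        der = blob  # already binary; still validate before writing to the card
    if der_outer_length(der) != len(der):
        raise ValueError("DER length disagrees with data size (truncated or trailing bytes)")
    return der

def make_pem(label: str, der: bytes) -> bytes:
    """Wrap DER in PEM armour with 64-column base64 lines (builds the sample)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed stand-in for a certificate: DER SEQUENCE { INTEGER 1, INTEGER 2 }.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = make_pem("CERTIFICATE", SAMPLE_DER)

if __name__ == "__main__":
    print(to_card_der(SAMPLE_PEM).hex())  # 3006020101020102, ready for writecert
```

Write the returned bytes to a .crt file and feed that file to writecert; a real certificate converted with OpenSSL ("openssl x509 -in cert.pem -outform DER -out cert.crt") passes the same checks.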